The ThreatFox: IClickFix IOCs rule detects potential adversary activity linked to the IClickFix threat group, which is associated with malware distribution and credential theft. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats that may be leveraging these IOCs to compromise their environment.
IOC Summary
Malware Family: IClickFix
Total IOCs: 44
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | allcountiesroofingltd.co.uk | payload_delivery | 2026-06-08 | 100% |
| domain | altecva.com | payload_delivery | 2026-06-08 | 100% |
| domain | amici-di-pogrande.it | payload_delivery | 2026-06-08 | 100% |
| domain | andreawirsum.com | payload_delivery | 2026-06-08 | 100% |
| domain | argirisangelopoulos.gr | payload_delivery | 2026-06-08 | 100% |
| domain | balkanrefugeenetwork.org | payload_delivery | 2026-06-08 | 100% |
| domain | bbchurch.net | payload_delivery | 2026-06-08 | 100% |
| domain | berlin21.info | payload_delivery | 2026-06-08 | 100% |
| domain | buktijpmaluku.info | payload_delivery | 2026-06-08 | 100% |
| domain | camtechpotiskum.edu.ng | payload_delivery | 2026-06-08 | 100% |
| domain | casobrar.com.br | payload_delivery | 2026-06-08 | 100% |
| domain | ciberci.com | payload_delivery | 2026-06-08 | 100% |
| domain | danielediana.it | payload_delivery | 2026-06-08 | 100% |
| domain | developmental-twins.com | payload_delivery | 2026-06-08 | 100% |
| domain | djlandscapingltd.co.uk | payload_delivery | 2026-06-08 | 100% |
| domain | dropstars.ai | payload_delivery | 2026-06-08 | 100% |
| domain | dustyductsbegone.com | payload_delivery | 2026-06-08 | 100% |
| domain | erossiconsultoria.com.br | payload_delivery | 2026-06-08 | 100% |
| domain | evolutionairfilter.com | payload_delivery | 2026-06-08 | 100% |
| domain | faculdadedamoda.com | payload_delivery | 2026-06-08 | 100% |
| domain | gomberg.net | payload_delivery | 2026-06-08 | 100% |
| domain | generativesolutionsus.com | payload_delivery | 2026-06-08 | 100% |
| domain | iconlng.com | payload_delivery | 2026-06-08 | 100% |
| domain | infocus.tn | payload_delivery | 2026-06-08 | 100% |
| domain | ireflect.net | payload_delivery | 2026-06-08 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - IClickFix
let malicious_domains = dynamic([
    "allcountiesroofingltd.co.uk", "altecva.com", "amici-di-pogrande.it",
    "andreawirsum.com", "argirisangelopoulos.gr", "balkanrefugeenetwork.org",
    "bbchurch.net", "berlin21.info", "buktijpmaluku.info",
    "camtechpotiskum.edu.ng", "casobrar.com.br", "ciberci.com",
    "danielediana.it", "developmental-twins.com", "djlandscapingltd.co.uk",
    "dropstars.ai", "dustyductsbegone.com", "erossiconsultoria.com.br",
    "evolutionairfilter.com", "faculdadedamoda.com", "gomberg.net",
    "generativesolutionsus.com", "iconlng.com", "infocus.tn",
    "ireflect.net", "jkbuildersg.com", "joannedeitsch.com",
    "kidsandtas.edu.do", "kevinfreels.com", "legalmarketing.shop",
    "mediweightloss.com.au", "oficialwebsitepromotion.com", "ruetraverse.com",
    "southasianher.com", "stampcollectshop.com", "stroycenter.net",
    "thepesthunter.com", "tknmetal.net", "trustroofingltd.co.uk",
    "vernerestaurant.com", "viagmmy.com", "victormeloadvogado.com",
    "visualimpressao.com.br", "vitb.ac.in"
]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
Required Sentinel Tables
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios
The example filters below use ECS-style field names (process.name, file.path, destination.ip), which are not columns of the Sentinel DnsEvents table queried above; map them to the schema of the table you actually query before adding them as exclusions.

Scenario: Legitimate System Maintenance Task
- Description: A system administrator is running a scheduled job to update or patch the IClickFix application as part of routine maintenance.
- Filter/Exclusion: Exclude processes related to iclickfix-updater or iclickfix-maintenance using the process.name field.
- Example Filter: `process.name != "iclickfix-updater"`

Scenario: Scheduled Backup of IClickFix Configuration
- Description: A backup job is configured to archive IClickFix configuration files to a secure location, which may trigger IOC detection due to file paths or names.
- Filter/Exclusion: Exclude file paths containing iclickfix_backup or iclickfix_config using the file.path field.
- Example Filter: `file.path not contains "iclickfix_backup"`

Scenario: Admin Access to IClickFix via Remote Desktop
- Description: An administrator is accessing the IClickFix application remotely using tools like mstsc (Remote Desktop) or rdp for troubleshooting.
- Filter/Exclusion: Exclude processes initiated via remote desktop using the process.parent.name or process.parent.pid fields.
- Example Filter: `process.parent.name != "mstsc.exe"`

Scenario: Integration with SIEM Tools for Log Collection
- Description: The IClickFix application is integrated with a SIEM tool like Splunk or ELK to collect logs, which may involve known IP addresses or endpoints.
- Filter/Exclusion: Exclude connections to known SIEM tools or internal log collection services using the destination.ip or destination.port fields.
- Example Filter: `destination.ip in ("10.0.0.100", "10.0.0.101")`