This hunt hypothesis targets adversaries who use ClearFake malicious URLs to deliver payloads, relying on compromised or spoofed domains to evade traditional detection. SOC teams should proactively hunt for this activity in Azure Sentinel to identify and disrupt potential command-and-control channels or data exfiltration attempts.
IOC Summary
Threat: ClearFake | Total URLs: 7 | Active URLs: 7
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://white-shirt2.bovla5xel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-22 |
| hxxps://black-hat1.bovla5xel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-22 |
| hxxps://purewater6.de1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-22 |
| hxxps://cool-mi-lk5.de1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-22 |
| hxxps://fresh-tea4.de1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-22 |
| hxxps://hot-soup3.de1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-22 |
| hxxps://sweet-bun2.de1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-22 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["black-hat1.bovla5xel.in.net", "white-shirt2.bovla5xel.in.net", "hot-soup3.de1xorin.in.net", "fresh-tea4.de1xorin.in.net", "sweet-bun2.de1xorin.in.net", "cool-mi-lk5.de1xorin.in.net", "purewater6.de1xorin.in.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["black-hat1.bovla5xel.in.net", "white-shirt2.bovla5xel.in.net", "hot-soup3.de1xorin.in.net", "fresh-tea4.de1xorin.in.net", "sweet-bun2.de1xorin.in.net", "cool-mi-lk5.de1xorin.in.net", "purewater6.de1xorin.in.net"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
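The two queries above match only the seven listed hosts. As the IOC table shows, all seven URLs sit under just two parent domains and share one identical path, so a defender can also pivot on those shared features to catch rotated hosts. The following Python script is an added example, not part of the original page or of any URLhaus tooling: it refangs the IOC URLs, derives exact hosts, parent domains and the shared path, and classifies constructed sample proxy-log URLs against them (the sibling host, the cdn.example.net URL and the examplecorp request are constructed test inputs).

```python
import re
from urllib.parse import urlsplit

# The seven defanged IOC URLs from the table above.
IOC_URLS = [
    "hxxps://white-shirt2.bovla5xel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "hxxps://black-hat1.bovla5xel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "hxxps://purewater6.de1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "hxxps://cool-mi-lk5.de1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "hxxps://fresh-tea4.de1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "hxxps://hot-soup3.de1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "hxxps://sweet-bun2.de1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
]

def host_and_path(url):
    # Undo defanging (hxxp -> http, [.] -> .) so urlsplit can parse the URL.
    u = urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", "."))
    return (u.hostname or "").lower(), u.path

def build_indicators(ioc_urls):
    # Exact hosts, their parent domains (the campaign rotates only the first
    # label) and the path, which is identical across all seven IOCs.
    pairs = [host_and_path(u) for u in ioc_urls]
    hosts = {h for h, _ in pairs}
    parents = {h.split(".", 1)[1] for h in hosts if "." in h}
    return hosts, parents, {p for _, p in pairs}

HOSTS, PARENTS, PATHS = build_indicators(IOC_URLS)

def classify(log_url, hosts=HOSTS, parents=PARENTS, paths=PATHS):
    # Strongest evidence first: exact host, sibling under a known parent, shared path only.
    h, p = host_and_path(log_url)
    if h in hosts:
        return "exact_host"
    if any(h == d or h.endswith("." + d) for d in parents):
        return "sibling_host"
    if p in paths:
        return "shared_path"
    return None

def hunt(log_urls):
    # (url, reason) for every log URL that matches an indicator.
    return [(u, r) for u in log_urls if (r := classify(u)) is not None]

# Constructed sample proxy-log URLs: an exact IOC hit, a rotated sibling host,
# an unknown host reusing the shared path, and a benign update request.
SAMPLE_LOG_URLS = [
    "https://black-hat1.bovla5xel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "https://green-cap9.de1xorin.in.net/landing",
    "https://cdn.example.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "https://updates.examplecorp.com/patch.msi",
]
```

A `shared_path` hit on an unknown host is weaker evidence than a host match and is best treated as a lead for triage rather than an alert on its own.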
False Positive Scenarios

| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is manually testing a ClearFake URL as part of a security training exercise. | Exclude URLs containing the string training-url or security-test in the URL path or query parameters. |
| A scheduled job runs a script that downloads a ClearFake URL to fetch a legitimate software update from a trusted source. | Exclude URLs that match the domain updates.examplecorp.com or any subdomains thereof. |
| A user clicks on a ClearFake URL shared in an internal communication tool (e.g., Microsoft Teams) as part of a phishing simulation. | Exclude URLs originating from internal communication platforms like teams.microsoft.com or slack.com with a known phishing simulation tag. |
| A CI/CD pipeline uses a ClearFake URL to fetch a dependency from a public repository (e.g., GitHub) during a build process. | Exclude URLs that match the GitHub domain github.com or any URLs that include the query parameter ?action=build. |
| An IT support tool periodically checks for system health and uses a ClearFake URL to access a legitimate diagnostic service. | Exclude URLs that contain the path /diagnostic-service or are associated with the internal support tool support-tool.example.com. |