This hunt hypothesis targets adversaries who use ClearFake malicious URLs to deliver payloads, relying on compromised or deceptive links to gain a foothold on endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and contain compromise early in the attack chain.
IOC Summary
Threat: ClearFake
Total URLs: 24
Active URLs: 0
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["efxvu.daneshkhanevade.xyz", "uhnuyfcr.hugugmadanikatouzian.xyz", "yyrup.barnamenevisi.xyz", "jrmcsezq.hugugbime.xyz", "wdbcypih.hugugedari.xyz", "xeviozwk.hugugnasiri.xyz", "p60hpuvn.shartbandifootballkade.online", "urelelgc.betforwardkade.com", "dyqanvdt.betfidokade.com", "vhsqohyd.hugugdaryayi.xyz", "igrbuyo.pokerkade.online", "8co4mfeh.qurandownload.xyz", "ahkyokta.hugugtatbigi.xyz", "cugeuvle.betwanna.com", "nqsaymjr.betyek.net", "gbbzykw.melbetkade.com", "fswqsjdd.betxane.com", "kzkzbbha.hugugmadani6.xyz", "hfolz.bookdrive.xyz", "kl23rl6f.nahjolbalage.xyz", "1mp15ubu.shansline.com", "xetxx.bankefile.com", "osggwts6.fubet24.net", "9q2tk0oi.enfejarkade.online"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["efxvu.daneshkhanevade.xyz", "uhnuyfcr.hugugmadanikatouzian.xyz", "yyrup.barnamenevisi.xyz", "jrmcsezq.hugugbime.xyz", "wdbcypih.hugugedari.xyz", "xeviozwk.hugugnasiri.xyz", "p60hpuvn.shartbandifootballkade.online", "urelelgc.betforwardkade.com", "dyqanvdt.betfidokade.com", "vhsqohyd.hugugdaryayi.xyz", "igrbuyo.pokerkade.online", "8co4mfeh.qurandownload.xyz", "ahkyokta.hugugtatbigi.xyz", "cugeuvle.betwanna.com", "nqsaymjr.betyek.net", "gbbzykw.melbetkade.com", "fswqsjdd.betxane.com", "kzkzbbha.hugugmadani6.xyz", "hfolz.bookdrive.xyz", "kl23rl6f.nahjolbalage.xyz", "1mp15ubu.shansline.com", "xetxx.bankefile.com", "osggwts6.fubet24.net", "9q2tk0oi.enfejarkade.online"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate URL Shortening Service Usage
Description: Employees use a URL shortening service such as Bitly or TinyURL for internal documentation or link sharing. These shortened URLs may be flagged as malicious because of their format.
Filter/Exclusion: Exclude URLs containing known shortening domains (e.g., bit.ly, tinyurl.com, is.gd), or maintain a custom list of approved shortening services.

Scenario: Scheduled Job for Software Updates
Description: A scheduled job runs via crontab or Task Scheduler to download updates from a known internal repository; the resulting URLs may match the ClearFake pattern.
Filter/Exclusion: Exclude URLs matching internal update servers (e.g., internal-repo.example.com, update.example.com), or use a custom field such as src_ip to filter out internal IP ranges.

Scenario: Admin Task for System Monitoring
Description: An administrator uses a tool such as PowerShell or Python to monitor system logs and send alerts by email or to a dashboard; these alerts may include URLs formatted similarly to malicious ones.
Filter/Exclusion: Exclude URLs containing specific admin tool identifiers (e.g., powershell.exe, python.exe), or use a process_name field to filter out known admin scripts.

Scenario: Internal Threat Intelligence Feed
Description: The enterprise uses a threat intelligence platform such as CrowdStrike Falcon or Microsoft Defender for Endpoint, which may include URLs that URLhaus flags as malicious but that are in fact legitimate indicators.
Filter/Exclusion: Exclude URLs from known threat intelligence feeds (e.g., crowdstrike.com, microsoft.com), or use a source field to differentiate internal from external feeds.

Scenario: Phishing Simulation Exercise
Description: The security team runs a phishing
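As an added example that is not part of the original hunt, the following query combines the DNS and proxy hunts above into one result set, matches hosts exactly instead of with term-based has_any, and applies the exclusions described in the false-positive scenarios. The URL-shape regex is an assumption derived from the listed IOCs, and the allowlist hosts are placeholders taken from the scenario text; both should be tuned before use.

```kql
// Added example (not from the original hunt): combined DNS + proxy hunt with exact host
// matching and the exclusions described in the false-positive scenarios.
let malicious_domains = dynamic(["efxvu.daneshkhanevade.xyz", "uhnuyfcr.hugugmadanikatouzian.xyz", "yyrup.barnamenevisi.xyz", "jrmcsezq.hugugbime.xyz", "wdbcypih.hugugedari.xyz", "xeviozwk.hugugnasiri.xyz", "p60hpuvn.shartbandifootballkade.online", "urelelgc.betforwardkade.com", "dyqanvdt.betfidokade.com", "vhsqohyd.hugugdaryayi.xyz", "igrbuyo.pokerkade.online", "8co4mfeh.qurandownload.xyz", "ahkyokta.hugugtatbigi.xyz", "cugeuvle.betwanna.com", "nqsaymjr.betyek.net", "gbbzykw.melbetkade.com", "fswqsjdd.betxane.com", "kzkzbbha.hugugmadani6.xyz", "hfolz.bookdrive.xyz", "kl23rl6f.nahjolbalage.xyz", "1mp15ubu.shansline.com", "xetxx.bankefile.com", "osggwts6.fubet24.net", "9q2tk0oi.enfejarkade.online"]);
// ASSUMPTION: loose URL shape derived from the listed IOCs (short random label, then a GUID
// path or ?ublib=GUID). Illustrative only; validate against your own proxy data first.
let clearfake_url_pattern = @"(?i)^(https?://)?[a-z0-9]{5,8}\.[^/]+/(\?ublib=)?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$";
// Placeholder allowlists from the scenarios: approved shorteners and internal update hosts.
let approved_shorteners = dynamic(["bit.ly", "tinyurl.com", "is.gd"]);
let internal_update_servers = dynamic(["internal-repo.example.com", "update.example.com"]);
let lookback = 30d;
let dns_hits =
    DnsEvents
    | where TimeGenerated > ago(lookback)
    | extend Host = tolower(Name)
    | where Host in~ (malicious_domains)
    | project TimeGenerated, Source = "DNS", Endpoint = Computer, Host,
              Detail = tostring(IPAddresses), Action = "", MatchType = "ioc";
let proxy_hits =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where isnotempty(RequestURL) or isnotempty(DestinationHostName)
    // Prefer the host parsed from the URL; fall back to the device's destination host field.
    | extend Host = tolower(coalesce(tostring(parse_url(RequestURL).Host), DestinationHostName))
    | extend MatchType = case(Host in~ (malicious_domains), "ioc",
                              RequestURL matches regex clearfake_url_pattern, "pattern",
                              "")
    | where isnotempty(MatchType)
    | project TimeGenerated, Source = "Proxy", Endpoint = SourceIP, Host,
              Detail = RequestURL, Action = DeviceAction, MatchType;
union dns_hits, proxy_hits
// Exact IOC hits are never excluded; pattern-only hits on approved shorteners or
// internal update servers are the expected noise described in the scenarios.
| where MatchType == "ioc"
    or not(Host in~ (approved_shorteners) or Host in~ (internal_update_servers))
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Sources = make_set(Source), MatchTypes = make_set(MatchType),
            Blocked = countif(Action =~ "block" or Action =~ "blocked"),
            SampleDetail = take_any(Detail)
    by Endpoint, Host
| order by LastSeen desc
```

Rows where Blocked is lower than Hits, or where Sources contains both DNS and Proxy, are the ones to triage first, since they indicate the endpoint actually reached the host rather than only resolving it.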