This hunt hypothesis holds that adversaries are using ClearFake malicious URLs to deliver malware or exfiltrate data, leveraging known malicious domains to compromise endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise early, given the high severity and prevalence of ClearFake in targeted attacks.
IOC Summary
Threat: ClearFake
Total URLs: 17
Active URLs: 0
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["viopkdh.kbshavanese.com", "npawoli.jamjahani.world", "rxxgnn.jamjahani.cash", "7tzr8pjb.mattheneus-healthcare.com", "hetljl.jamjahani.football", "enkkxbi.n1betiran.com", "dbnnsjv.mangobetfarsi.com", "fgeszrs.dahdahtoys.com", "yghqghh.lolsurpriseball.com", "xvbfkf.jamjahani.app", "ybyvozc.jamjahani.vip", "s3unirpm.bet90land.com", "rvlpcvr.jogodobicho.games", "is34r2fh.marc90bet.com", "eycgzaa.jamjahani.site", "xhqkuit.kvbel.com", "zqgqzuo.mangobetfarsi.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["viopkdh.kbshavanese.com", "npawoli.jamjahani.world", "rxxgnn.jamjahani.cash", "7tzr8pjb.mattheneus-healthcare.com", "hetljl.jamjahani.football", "enkkxbi.n1betiran.com", "dbnnsjv.mangobetfarsi.com", "fgeszrs.dahdahtoys.com", "yghqghh.lolsurpriseball.com", "xvbfkf.jamjahani.app", "ybyvozc.jamjahani.vip", "s3unirpm.bet90land.com", "rvlpcvr.jogodobicho.games", "is34r2fh.marc90bet.com", "eycgzaa.jamjahani.site", "xhqkuit.kvbel.com", "zqgqzuo.mangobetfarsi.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a URL shortener service (e.g., Bitly) to verify its behavior in a sandbox environment.
  - Filter/Exclusion: Exclude URLs containing the domain bitly.com or any known URL shortening service domains.
- Scenario: A scheduled job runs a script to fetch updates from a trusted internal repository (e.g., GitLab CI/CD pipeline) using a URL that matches the ClearFake pattern.
  - Filter/Exclusion: Exclude URLs that match the internal repository domain (e.g., *.gitlab.com) or use a custom field like source:internal.
- Scenario: A developer is using a tool like curl or wget to download a legitimate software update from a known vendor (e.g., Microsoft, Adobe) during a patching process.
  - Filter/Exclusion: Exclude URLs that contain vendor-specific domains (e.g., *.microsoft.com, *.adobe.com) or include query parameters like ?download=true.
- Scenario: A security team member is using a tool like Wireshark or tcpdump to capture and analyze network traffic, which includes legitimate URLs being accessed by internal applications.
  - Filter/Exclusion: Exclude traffic originating from known security tools or internal monitoring systems (e.g., source_ip:10.0.0.0/8).
- Scenario: A backup process uses a script to transfer data to a cloud storage service (e.g., AWS S3, Azure Blob Storage) using a URL that matches the ClearFake pattern.
  - Filter/Exclusion: Exclude URLs that include cloud storage service domains (e.g., *.s3.amazonaws.com, *.blob.core.windows.net) or use a custom field like action:backup.
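The web-traffic hunt above with the domain and source-IP exclusions from these scenarios applied, as an added example that is not part of the original page. The allowlist contents and the 10.0.0.0/8 monitoring range are placeholders to be replaced with the tenant's own values; the malicious domain list is the one from the queries above.

```kusto
// Added example: CommonSecurityLog hunt for ClearFake domains with false-positive
// exclusions applied, then summarized per source host for triage.
let malicious_domains = dynamic([
    "viopkdh.kbshavanese.com", "npawoli.jamjahani.world", "rxxgnn.jamjahani.cash",
    "7tzr8pjb.mattheneus-healthcare.com", "hetljl.jamjahani.football", "enkkxbi.n1betiran.com",
    "dbnnsjv.mangobetfarsi.com", "fgeszrs.dahdahtoys.com", "yghqghh.lolsurpriseball.com",
    "xvbfkf.jamjahani.app", "ybyvozc.jamjahani.vip", "s3unirpm.bet90land.com",
    "rvlpcvr.jogodobicho.games", "is34r2fh.marc90bet.com", "eycgzaa.jamjahani.site",
    "xhqkuit.kvbel.com", "zqgqzuo.mangobetfarsi.com"]);
// Placeholder allowlist covering the URL shortener, internal repository, vendor update
// and cloud storage scenarios. Replace with this tenant's reviewed allowlist.
let allowlisted_domains = dynamic([
    "bitly.com", "gitlab.com", "microsoft.com", "adobe.com",
    "s3.amazonaws.com", "blob.core.windows.net"]);
// Placeholder range for security tooling and internal monitoring systems.
let monitoring_range = "10.0.0.0/8";
CommonSecurityLog
| where TimeGenerated > ago(30d)
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
// Exclude traffic sourced from the monitoring range (CIDR-aware comparison).
| where not(ipv4_is_in_range(SourceIP, monitoring_range))
// Resolve the destination host; fall back to the URL's host when the field is empty.
| extend Host = iff(isempty(DestinationHostName),
                    tostring(parse_url(RequestURL).Host),
                    DestinationHostName)
// Exclude allowlisted destinations by host, not by full URL, so a malicious URL
// that merely mentions a trusted domain in its path is not suppressed.
| where not(Host has_any (allowlisted_domains))
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Hits = count(),
            Hosts = make_set(Host),
            Actions = make_set(DeviceAction)
    by SourceIP
| order by Hits desc
```

The `Actions` set shows whether the proxy or firewall already blocked the request, which separates contained attempts from sources that need endpoint follow-up.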