The hypothesis is that the detected URLs are part of a ClearFake campaign, which uses deceptive URLs to lure users into downloading malware. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of user endpoints and data exfiltration.
IOC Summary

- Threat: ClearFake
- Total URLs: 10
- Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://dkrxwehc.testpaye.xyz/4ce0ea39-2bc7-40e9-9840-1e8387d45531 | offline | malware_download | 2026-06-15 |
| hxxps://bxzyp.daneshkhanevade.xyz/b4ca518c-8957-4ffc-91dd-a80e0a865df5 | offline | malware_download | 2026-06-15 |
| hxxps://cucnczaq.testdrivepaye3.com/8fbe1ca0-3a94-4d25-8bed-0a8f0447b8a0 | offline | malware_download | 2026-06-15 |
| hxxps://oxfzzuaq.tasisathosseini.shop/8f14f5a1-25de-4ced-a7b7-30205d9415fa | offline | malware_download | 2026-06-15 |
| hxxps://vwochim.megaparikade.com/79f1c4da-a639-4799-ae13-de96fa85d349 | offline | malware_download | 2026-06-15 |
| hxxps://qqpidjr.megaparikade.com/18300527-3931-4870-a422-e33acbf09266 | offline | malware_download | 2026-06-15 |
| hxxps://fcxkiekt.tasisathosseini.shop/67df51fe-9a20-4165-bd83-a0cf8387b77f | offline | malware_download | 2026-06-15 |
| hxxps://mjwougwp.tarikhravannovin.shop/5c1c5e3e-63b1-473a-a600-8f7a1935c2be | offline | malware_download | 2026-06-15 |
| hxxps://0dt4r35j.gavaedfagahe.xyz/?ublib=917e1e3d-cfad-4500-ae28-b435cbd1a785 | offline | malware_download | 2026-06-15 |
| hxxps://amrwjltv.tarikhcheravanshenasi.xyz/c9304589-54fb-4d24-8a01-a28c1055b068 | offline | malware_download | 2026-06-15 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
// Hostnames extracted from the IOC URLs above (path/GUID stripped).
let malicious_domains = dynamic(["dkrxwehc.testpaye.xyz", "vwochim.megaparikade.com", "bxzyp.daneshkhanevade.xyz", "mjwougwp.tarikhravannovin.shop", "amrwjltv.tarikhcheravanshenasi.xyz", "cucnczaq.testdrivepaye3.com", "qqpidjr.megaparikade.com", "fcxkiekt.tasisathosseini.shop", "oxfzzuaq.tasisathosseini.shop", "0dt4r35j.gavaedfagahe.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
// Note: has_any is a term match anywhere in the column, so a request whose
// URL merely mentions an IOC host (ticketing links, sandbox submissions)
// also matches; see the false-positive scenarios below.
let malicious_domains = dynamic(["dkrxwehc.testpaye.xyz", "vwochim.megaparikade.com", "bxzyp.daneshkhanevade.xyz", "mjwougwp.tarikhravannovin.shop", "amrwjltv.tarikhcheravanshenasi.xyz", "cucnczaq.testdrivepaye3.com", "qqpidjr.megaparikade.com", "fcxkiekt.tasisathosseini.shop", "oxfzzuaq.tasisathosseini.shop", "0dt4r35j.gavaedfagahe.xyz"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
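The hostname list in both queries is derived from the defanged URLs in the IOC table. The script below, an added example that is not part of the original page, does that derivation: it refangs the hxxps URLs, extracts and deduplicates the hostnames, renders the KQL `let ... = dynamic([...])` binding, and also lists the parent domains, since several IOCs above share a parent (megaparikade.com, tasisathosseini.shop) under different random labels. Function names are ours; the URL list is copied from the table.

```python
"""Added example (not from the original page): build the Sentinel hunt list
from defanged URLhaus IOC URLs.

Assumptions: URLs are defanged with the hxxp/hxxps convention used in the
table above (bracketed dots are handled too); all function names are ours."""
import re
from urllib.parse import urlsplit

# The ten defanged URLs from the IOC table above, copied verbatim.
IOC_URLS = [
    "hxxps://dkrxwehc.testpaye.xyz/4ce0ea39-2bc7-40e9-9840-1e8387d45531",
    "hxxps://bxzyp.daneshkhanevade.xyz/b4ca518c-8957-4ffc-91dd-a80e0a865df5",
    "hxxps://cucnczaq.testdrivepaye3.com/8fbe1ca0-3a94-4d25-8bed-0a8f0447b8a0",
    "hxxps://oxfzzuaq.tasisathosseini.shop/8f14f5a1-25de-4ced-a7b7-30205d9415fa",
    "hxxps://vwochim.megaparikade.com/79f1c4da-a639-4799-ae13-de96fa85d349",
    "hxxps://qqpidjr.megaparikade.com/18300527-3931-4870-a422-e33acbf09266",
    "hxxps://fcxkiekt.tasisathosseini.shop/67df51fe-9a20-4165-bd83-a0cf8387b77f",
    "hxxps://mjwougwp.tarikhravannovin.shop/5c1c5e3e-63b1-473a-a600-8f7a1935c2be",
    "hxxps://0dt4r35j.gavaedfagahe.xyz/?ublib=917e1e3d-cfad-4500-ae28-b435cbd1a785",
    "hxxps://amrwjltv.tarikhcheravanshenasi.xyz/c9304589-54fb-4d24-8a01-a28c1055b068",
]


def refang(url: str) -> str:
    """Reverse common defanging so the standard URL parser accepts the string."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def hostname_of(url: str) -> str:
    """Lower-case hostname of a (possibly defanged) URL; path and query dropped."""
    host = urlsplit(refang(url)).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def ioc_hostnames(urls=IOC_URLS) -> list:
    """Deduplicated, sorted hostnames: one hunt term per IOC host."""
    return sorted({hostname_of(u) for u in urls})


def apex_domains(urls=IOC_URLS) -> list:
    """Parent domains (last two labels) of the IOC hosts.

    Hunting on the parent catches sibling subdomains with a different random
    label, at the cost of more false positives. Simplification: assumes a
    single-label public suffix, which holds for every TLD in the table."""
    return sorted({".".join(h.split(".")[-2:]) for h in ioc_hostnames(urls)})


def kql_dynamic(name: str, values) -> str:
    """Render a KQL `let` binding of a dynamic string array."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def build_dns_hunt(urls=IOC_URLS) -> str:
    """Rebuild the DnsEvents hunt from the page with a freshly generated list."""
    return "\n".join([
        kql_dynamic("malicious_domains", ioc_hostnames(urls)),
        "DnsEvents",
        "| where Name has_any (malicious_domains)",
        "| project TimeGenerated, Computer, Name, IPAddresses",
        "| order by TimeGenerated desc",
    ])


if __name__ == "__main__":
    print(build_dns_hunt())
    print("// parent domains:", ", ".join(apex_domains()))
```

Paste the printed query into the Sentinel Logs blade; regenerate the list whenever the IOC table is refreshed rather than editing the `dynamic([...])` literal by hand.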
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False-positive scenarios and exclusions

1. Scenario: A system administrator manually enters a ClearFake URL into a ticketing system (e.g., ServiceNow) to test a phishing simulation.
   Filter/Exclusion: Exclude URLs that match known phishing simulation platforms or domains used by internal security teams (e.g., *.phishsim.local, *.testphishing.com).
2. Scenario: A scheduled job runs a script that downloads a ClearFake URL as part of a malware analysis workflow (e.g., using Cuckoo Sandbox or the VirusTotal API).
   Filter/Exclusion: Exclude URLs that originate from known security research or analysis tools (e.g., *.virus.total, *.cuckoo.org, *.malwr.com).
3. Scenario: A user clicks on a ClearFake URL shared in a legitimate internal communication tool (e.g., Microsoft Teams or Slack) during a security awareness training session.
   Filter/Exclusion: Exclude URLs that are associated with internal security training platforms (e.g., training.example.com, securityawareness.example.org).
4. Scenario: A backup or sync job (e.g., using rsync or Veeam) temporarily stores files in a cloud storage bucket (e.g., AWS S3) that contains a ClearFake URL in its metadata.
   Filter/Exclusion: Exclude URLs that appear in metadata of files related to backup or sync operations (e.g., *.backup, *.sync, *.rsync).
5. Scenario: A DevOps pipeline (e.g., Jenkins, GitLab CI) pushes code to a repository that includes a ClearFake URL in a test script or documentation.
   Filter/Exclusion: Exclude URLs that appear in code repositories or CI/CD pipelines (e.g., *.git, *.ci, *.pipeline, *.jenkinsfile), or match known development tooling domains.
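Most of these scenarios share one shape: the proxy record mentions an IOC host inside a URL served by something else (a ticketing system, a sandbox portal, a training platform), which the `RequestURL has_any (...)` term match in the query above picks up just as readily as a real connection. The triage routine below, an added example and not part of the original page, separates the two: a record whose own destination is an IOC host is alerted, a record that merely mentions an IOC and was served by one of the excluded platforms is suppressed, and anything else mentioning an IOC goes to review. It also checks that no exclusion pattern is broad enough to hide an IOC host itself. The IOC subset and exclusion patterns come from the page; the log records, IPs and hostnames are constructed.

```python
"""Added example (not from the original page): apply the false-positive
exclusions above to web-proxy records before raising an alert.

Assumptions: records are dicts shaped like the CommonSecurityLog columns used
in the query above; exclusion patterns are the ones listed in the scenarios;
every log row, IP and non-IOC hostname below is constructed."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Subset of the hostnames from the IOC table above.
IOC_HOSTS = {
    "dkrxwehc.testpaye.xyz",
    "qqpidjr.megaparikade.com",
    "cucnczaq.testdrivepaye3.com",
}

# Exclusion patterns from scenarios 1 and 3 above. They are matched against
# the hostname that actually served the request, never against the IOC.
EXCLUDED_HOST_PATTERNS = [
    "*.phishsim.local",
    "*.testphishing.com",
    "training.example.com",
    "securityawareness.example.org",
]

# Constructed proxy records in CommonSecurityLog shape.
RECORDS = [
    {"SourceIP": "10.1.4.23",  # real connection to an IOC host
     "RequestURL": "https://qqpidjr.megaparikade.com/18300527-3931-4870-a422-e33acbf09266",
     "DestinationHostName": "qqpidjr.megaparikade.com", "DeviceAction": "allowed"},
    {"SourceIP": "10.1.9.8",  # scenario 1: IOC pasted into a ticket URL
     "RequestURL": "https://sn.example.com/incident.do?url=dkrxwehc.testpaye.xyz",
     "DestinationHostName": "sn.example.com", "DeviceAction": "allowed"},
    {"SourceIP": "10.1.9.8",  # excluded platform mentioning an IOC
     "RequestURL": "https://portal.phishsim.local/landing?ref=cucnczaq.testdrivepaye3.com",
     "DestinationHostName": "portal.phishsim.local", "DeviceAction": "allowed"},
    {"SourceIP": "10.1.2.2",  # benign, no IOC mentioned
     "RequestURL": "https://www.example.net/", "DestinationHostName": "www.example.net",
     "DeviceAction": "allowed"},
]


def mentioned_iocs(record):
    """Same test as `RequestURL has_any (...)`: the IOC host appears anywhere in the URL."""
    url = record["RequestURL"].lower()
    return {h for h in IOC_HOSTS if h in url}


def served_by_ioc(record):
    """True when the request actually went to an IOC host."""
    url_host = (urlsplit(record["RequestURL"]).hostname or "").lower()
    return url_host in IOC_HOSTS or record["DestinationHostName"].lower() in IOC_HOSTS


def is_excluded_host(host):
    """Case-insensitive glob match against the exclusion patterns."""
    return any(fnmatchcase(host.lower(), p.lower()) for p in EXCLUDED_HOST_PATTERNS)


def triage(records):
    """Split records into (alerts, review, suppressed)."""
    alerts, review, suppressed = [], [], []
    for r in records:
        if not mentioned_iocs(r):
            continue
        if served_by_ioc(r):
            alerts.append(r)
        elif is_excluded_host(r["DestinationHostName"]):
            suppressed.append(r)
        else:
            review.append(r)
    return alerts, review, suppressed


def overly_broad_exclusions():
    """Patterns that would also match an IOC host; the list must be empty."""
    return [p for p in EXCLUDED_HOST_PATTERNS for h in IOC_HOSTS if fnmatchcase(h, p.lower())]


if __name__ == "__main__":
    a, rv, s = triage(RECORDS)
    print(len(a), "alerts,", len(rv), "for review,", len(s), "suppressed")
    print("broad exclusions:", overly_broad_exclusions())
```

The suppression branch only applies when the record did not actually reach an IOC host; a request that both comes from an excluded platform and connects to an IOC destination is still alerted, which is the behaviour the scenarios above ask for.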