The hypothesis is that the detected URLs are part of a ClearFake campaign, which uses deceptive URLs to deliver malware and steal credentials. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential credential theft and lateral movement attempts by adversaries.
IOC Summary

Threat: ClearFake
Total URLs: 7
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://umusdqbj.hesabdarieskandari.xyz/?ublib=c61cdf62-4dba-4044-b272-c9c935e2a19d | offline | malware_download | 2026-06-19 |
| hxxps://sjn9cbzs.betvarzeshkade.online/?ublib=ff151024-5d4e-49df-9a1b-a2592cd87a77 | offline | malware_download | 2026-06-19 |
| hxxps://7ooj1o3v.tarbiyateslami.xyz/?ublib=aa879d2a-0555-45e3-8f82-e884a5c1d702 | offline | malware_download | 2026-06-19 |
| hxxps://owxoxg4v.jetbetkade.com/?ublib=86afe00d-8653-407b-a4e2-3d60388a4e30 | offline | malware_download | 2026-06-19 |
| hxxps://4nd2h8ef.bio90.football/?ublib=68e63799-94d1-4249-8e3e-b745c613f3e3 | offline | malware_download | 2026-06-19 |
| hxxps://jqqh90zb.usoleamoozesh.xyz/?ublib=5928c2ac-7174-4927-afc5-2cb0973c7ff0 | offline | malware_download | 2026-06-19 |
| hxxps://s18b1z48.tarahisystem.xyz/?ublib=e5eaaa54-1db9-4048-880c-0cb05262ad15 | offline | malware_download | 2026-06-19 |
Hunting queries (run each one separately; both define the same domain list):

```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["4nd2h8ef.bio90.football", "owxoxg4v.jetbetkade.com", "sjn9cbzs.betvarzeshkade.online", "jqqh90zb.usoleamoozesh.xyz", "7ooj1o3v.tarbiyateslami.xyz", "umusdqbj.hesabdarieskandari.xyz", "s18b1z48.tarahisystem.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic (proxy/firewall logs) to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["4nd2h8ef.bio90.football", "owxoxg4v.jetbetkade.com", "sjn9cbzs.betvarzeshkade.online", "jqqh90zb.usoleamoozesh.xyz", "7ooj1o3v.tarbiyateslami.xyz", "umusdqbj.hesabdarieskandari.xyz", "s18b1z48.tarahisystem.xyz"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job downloading updates from a known ClearFake domain
Description: A system update or patching tool (e.g., Microsoft Update, SCCM, or Ansible) is configured to download updates from a domain that is falsely flagged as ClearFake.
Filter/Exclusion: Exclude URLs that match known update servers (e.g., *.update.microsoft.com, *.microsoft.com, *.ansible.com) or use a custom field like url_classification to mark legitimate update sources.

Scenario: Admin task using ClearFake URLs for internal testing or phishing simulations
Description: Security teams may use ClearFake URLs as part of a phishing simulation or red team exercise (e.g., using tools like Metasploit, Cobalt Strike, or Attack Simulator).
Filter/Exclusion: Exclude URLs that match internal testing domains (e.g., *.test.phishing.corp, *.simulator.security.team) or use a tag like is_phishing_simulation in the event data.

Scenario: Legitimate software distribution via a ClearFake domain
Description: A third-party software vendor or internal tool (e.g., Jenkins, Docker, or a custom CI/CD pipeline) may use a domain flagged as ClearFake for legitimate software distribution.
Filter/Exclusion: Exclude URLs that match known software distribution domains (e.g., *.docker.io, *.jenkins.io, *.artifactory.com) or use a field like software_distribution to mark legitimate sources.

Scenario: False positive from a misconfigured URL filtering tool
Description: A URL filtering tool (e.g., Cisco Talos, OpenDNS, or Microsoft Defender for Endpoint) may incorrectly flag a legitimate URL as malicious due to a misconfiguration or outdated list.
Filter/Exclusion: Exclude URLs that are known to be part
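The following is an added helper (example code, not part of the original hunt page) that turns the defanged IOC table into the `let malicious_domains = dynamic([...])` line the queries above use, and then applies the suffix allowlist approach from the false-positive scenarios to a few constructed DnsEvents rows. The allowlist suffixes and the sample events are hypothetical values chosen for illustration.

```python
import re
from urllib.parse import urlparse

# Defanged URLs copied from the IOC table above (hxxps scheme, as published there).
DEFANGED_IOCS = [
    "hxxps://umusdqbj.hesabdarieskandari.xyz/?ublib=c61cdf62-4dba-4044-b272-c9c935e2a19d",
    "hxxps://sjn9cbzs.betvarzeshkade.online/?ublib=ff151024-5d4e-49df-9a1b-a2592cd87a77",
    "hxxps://7ooj1o3v.tarbiyateslami.xyz/?ublib=aa879d2a-0555-45e3-8f82-e884a5c1d702",
]
# Allowlisted suffixes for the false-positive scenarios (hypothetical example values).
EXCLUDED_SUFFIXES = ("update.microsoft.com", "test.phishing.corp", "docker.io")
# Constructed DnsEvents rows, not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Name": "umusdqbj.hesabdarieskandari.xyz"},
    {"Computer": "WS02", "Name": "cdn.sjn9cbzs.betvarzeshkade.online"},
    {"Computer": "WS03", "Name": "dl.update.microsoft.com"},
]

def refang(url: str) -> str:
    """Turn a defanged URL (hxxp/hxxps scheme, [.] dots, [:] ports) back into a parseable one."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")

def ioc_hosts(iocs) -> list:
    """Lowercase hostname of every IOC, duplicates dropped, order preserved."""
    hosts = []
    for ioc in iocs:
        host = (urlparse(refang(ioc)).hostname or "").lower()
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def kql_let(hosts) -> str:
    """Render the `let malicious_domains = dynamic([...])` line used by the hunt queries."""
    return "let malicious_domains = dynamic([%s]);" % ", ".join('"%s"' % h for h in hosts)

def _under(name: str, suffix: str) -> bool:
    return name == suffix or name.endswith("." + suffix)

def hunt(events, hosts, excluded=EXCLUDED_SUFFIXES) -> list:
    """Return events whose queried Name is an IOC host (or a subdomain of one);
    names under an allowlisted suffix are dropped first, as the exclusions above describe."""
    hits = []
    for ev in events:
        name = ev["Name"].lower()
        if any(_under(name, s) for s in excluded):
            continue
        if any(_under(name, h) for h in hosts):
            hits.append(ev)
    return hits
```

`hunt` is a local stand-in for the `has_any` filter so the exclusion logic can be checked before it is encoded in KQL; it is not a replacement for running the queries in Sentinel.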