The hypothesis is that the detected URLs are part of a ClearFake campaign designed to deceive users into visiting malicious sites, thereby enabling phishing or malware delivery. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of user credentials or systems before lateral movement or data exfiltration occurs.
IOC Summary
Threat: ClearFake
Total URLs: 30
Active URLs: 30
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://cityli-fe2.kymle2rix.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://home-base1.kymle2rix.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://gold-fi-sh6.to6vamil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://warm-sun5.to6vamil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://darkwood4.to6vamil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://high-hi-ll3.to6vamil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://blue-sky2.to6vamil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://deepsea1.to6vamil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://soft-ba-g6.sylom5er.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://hardbox5.sylom5er.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://redma-rk4.sylom5er.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://thin-pen3.sylom5er.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://lastpa-ge2.sylom5er.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://openbook1.sylom5er.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://old-town6.ra1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://newtrip5.ra1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://longro-ad4.ra1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://bigjump3.ra1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://slowwa-lk2.ra1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://fast-run1.ra1xorin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://highstep6.9zoravel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://coldwind5.9zoravel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://white-wa-ll4.9zoravel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://small-cup3.9zoravel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://greenlamp2.9zoravel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
// Note: has_any performs whole-term matching, so lookups for subdomains of these hosts also match.
let malicious_domains = dynamic(["old-town6.ra1xorin.in.net", "gold-fi-sh6.to6vamil.in.net", "main-po-int6.tarny-tsedilka.in.net", "white-wa-ll4.9zoravel.in.net", "greenlamp2.9zoravel.in.net", "hardbox5.sylom5er.in.net", "thin-pen3.sylom5er.in.net", "home-base1.kymle2rix.in.net", "lastpa-ge2.sylom5er.in.net", "empty-s-pac4.tarny-tsedilka.in.net", "high-hi-ll3.to6vamil.in.net", "cityli-fe2.kymle2rix.in.net", "warm-sun5.to6vamil.in.net", "deepsea1.to6vamil.in.net", "soft-ba-g6.sylom5er.in.net", "quickmo-ve5.tarny-tsedilka.in.net", "blue-sky2.to6vamil.in.net", "longro-ad4.ra1xorin.in.net", "blu-etable1.9zoravel.in.net", "redma-rk4.sylom5er.in.net", "full-b-ox3.tarny-tsedilka.in.net", "highstep6.9zoravel.in.net", "fast-run1.ra1xorin.in.net", "darkwood4.to6vamil.in.net", "slowwa-lk2.ra1xorin.in.net", "openbook1.sylom5er.in.net", "coldwind5.9zoravel.in.net", "small-cup3.9zoravel.in.net", "newtrip5.ra1xorin.in.net", "bigjump3.ra1xorin.in.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
// Matches either the full request URL or the resolved destination host, since proxies and firewalls populate these fields differently.
let malicious_domains = dynamic(["old-town6.ra1xorin.in.net", "gold-fi-sh6.to6vamil.in.net", "main-po-int6.tarny-tsedilka.in.net", "white-wa-ll4.9zoravel.in.net", "greenlamp2.9zoravel.in.net", "hardbox5.sylom5er.in.net", "thin-pen3.sylom5er.in.net", "home-base1.kymle2rix.in.net", "lastpa-ge2.sylom5er.in.net", "empty-s-pac4.tarny-tsedilka.in.net", "high-hi-ll3.to6vamil.in.net", "cityli-fe2.kymle2rix.in.net", "warm-sun5.to6vamil.in.net", "deepsea1.to6vamil.in.net", "soft-ba-g6.sylom5er.in.net", "quickmo-ve5.tarny-tsedilka.in.net", "blue-sky2.to6vamil.in.net", "longro-ad4.ra1xorin.in.net", "blu-etable1.9zoravel.in.net", "redma-rk4.sylom5er.in.net", "full-b-ox3.tarny-tsedilka.in.net", "highstep6.9zoravel.in.net", "fast-run1.ra1xorin.in.net", "darkwood4.to6vamil.in.net", "slowwa-lk2.ra1xorin.in.net", "openbook1.sylom5er.in.net", "coldwind5.9zoravel.in.net", "small-cup3.9zoravel.in.net", "newtrip5.ra1xorin.in.net", "bigjump3.ra1xorin.in.net"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate URL shortening service usage | Employees use services like Bitly or TinyURL to shorten internal links for sharing in emails or documents. | Exclude URLs containing known shortening domains (e.g., bit.ly, tinyurl.com, is.gd) or use a custom list of approved shorteners. |
| Scheduled system updates via internal repository | Automated jobs download updates from an internal package repository (e.g., Nexus, Artifactory) using URLs that resemble malicious patterns. | Exclude URLs matching internal repository domains (e.g., nexus.internal.com, artifactory.prod.example.com) or use a whitelisted domain list. |
| Admin task for malware analysis | Security analysts manually download malware samples from a sandboxing tool (e.g., Cuckoo Sandbox, Joe Sandbox) for analysis. | Exclude URLs containing sandboxing tool domains (e.g., cuckoo.sh, joesandbox.com) or use a regex to identify sandboxing-related traffic. |
| Internal phishing simulation tool | The security team uses a tool like PhishLabs or KnowBe4 to simulate phishing emails, which may include URLs that look malicious. | Exclude URLs containing known phishing simulation domains (e.g., phishlab.example.com, knowbe4.com) or use a custom list of internal simulation URLs. |
| Cloud backup job with temporary URLs | A backup job (e.g., using AWS S3, Azure Blob Storage) generates temporary URLs (e.g., via AWS S3 pre-signed URLs) that may be flagged as malicious. | Exclude URLs containing AWS or Azure service identifiers |
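The hunting queries above hard-code the `malicious_domains` list, and the exclusion scenarios describe allowlists in prose. The following Python is an added example (not part of this hunting page or of URLhaus or Sentinel) showing the glue a SOC typically writes around such a feed: it parses the defanged IOC table, refangs the URLs, extracts the hostnames into a watchlist, emits the matching KQL `let` statement, and then runs the same host-match logic over constructed `DnsEvents`-shaped records while applying an allowlist built from the exclusion scenarios. The IOC rows, DNS records, computer names, IP addresses and the `example.test` entry are all constructed for the example; only the first two hosts come from the page. Host matching here is exact-or-subdomain, which approximates the whole-term behaviour of KQL `has_any` on hostnames.

```python
"""Build a domain watchlist from a defanged IOC table and apply it with exclusions.

Added example, not code from the original hunting page. Everything marked
'constructed' below is sample data made up for the demonstration.
"""
import re
from urllib.parse import urlsplit

# Constructed excerpt of an IOC table in the page's defanged format. The first two
# rows reuse hosts from the page; the third is an invented offline entry that also
# exercises the "[.]" defanging style.
IOC_TABLE = """\
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://cityli-fe2.kymle2rix.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxps://home-base1.kymle2rix.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-21 |
| hxxp://example[.]test/payload.bin | offline | malware_download | 2026-04-20 |
"""

# Allowlist derived from the page's false-positive scenarios (shorteners and internal
# repositories). Extend with the sandbox / simulation / cloud storage domains as needed.
ALLOWLIST = ["bit.ly", "tinyurl.com", "is.gd", "nexus.internal.com", "artifactory.prod.example.com"]

# Constructed DNS records shaped like the Sentinel DnsEvents columns used above.
DNS_EVENTS = [
    {"TimeGenerated": "2026-04-21T09:14:02Z", "Computer": "WS-0142", "Name": "cityli-fe2.kymle2rix.in.net", "IPAddresses": "203.0.113.10"},
    {"TimeGenerated": "2026-04-21T09:15:30Z", "Computer": "WS-0077", "Name": "bit.ly", "IPAddresses": "198.51.100.5"},
    {"TimeGenerated": "2026-04-21T09:16:11Z", "Computer": "SRV-BUILD1", "Name": "artifactory.prod.example.com", "IPAddresses": "10.0.0.12"},
    {"TimeGenerated": "2026-04-21T09:20:45Z", "Computer": "WS-0142", "Name": "home-base1.kymle2rix.in.net.", "IPAddresses": "203.0.113.11"},
    {"TimeGenerated": "2026-04-21T09:21:00Z", "Computer": "WS-0099", "Name": "www.example.org", "IPAddresses": "93.184.216.34"},
]


def refang(url: str) -> str:
    """Undo common defanging (hxxp/hxxps, [.], (.), [:]) so the URL parses normally."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def parse_ioc_table(text: str) -> list[dict]:
    """Parse a markdown IOC table into rows, skipping the header and separator lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|") or set(line) <= {"|", "-", " "}:
            continue  # blank, non-table, or the |---| separator row
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0].lower() == "url":
            continue  # header row
        url, status, threat, added = cells[:4]
        rows.append({"url": url, "status": status, "threat": threat, "date_added": added})
    return rows


def watchlist_domains(rows: list[dict], active_only: bool = True) -> list[str]:
    """Extract unique hostnames (feed order preserved), optionally keeping only 'online' IOCs."""
    domains: list[str] = []
    for row in rows:
        if active_only and row["status"].lower() != "online":
            continue
        host = urlsplit(refang(row["url"])).hostname
        if host and host not in domains:
            domains.append(host)
    return domains


def kql_let(domains: list[str], name: str = "malicious_domains") -> str:
    """Render the watchlist as the KQL 'let ... = dynamic([...])' line used by the hunts."""
    quoted = ", ".join(f'"{d}"' for d in domains)
    return f"let {name} = dynamic([{quoted}]);"


def _host_matches(name: str, domains: list[str]) -> bool:
    """True when name equals a listed domain or is a subdomain of one (trailing dot tolerated)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def hunt_dns(events: list[dict], domains: list[str], allowlist: list[str] = ALLOWLIST) -> list[dict]:
    """Mirror the DnsEvents hunt: keep records resolving a watchlisted host, drop allowlisted
    hosts first, and return newest first like '| order by TimeGenerated desc'."""
    hits = [
        ev for ev in events
        if not _host_matches(ev["Name"], allowlist) and _host_matches(ev["Name"], domains)
    ]
    return sorted(hits, key=lambda ev: ev["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    rows = parse_ioc_table(IOC_TABLE)
    domains = watchlist_domains(rows)
    print(kql_let(domains))
    for hit in hunt_dns(DNS_EVENTS, domains):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], hit["IPAddresses"])
```

Regenerating the `let` line from the feed instead of pasting it by hand keeps the two queries on the page in sync with the IOC table, and keeping the allowlist separate from the watchlist means a mistaken entry in either one is visible in review rather than silently cancelling a detection.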