This detection identifies potentially malicious URLs attributed to the ClearFake campaign that adversaries may use to deliver malware or phishing payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to disrupt the campaign early and to prevent follow-on lateral movement or data exfiltration.
IOC Summary

Threat: ClearFake
Total URLs: 15
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://dbvxnw.fullnrg.hu/b9fc31b1-4e34-4141-83f0-d0b44a3d678a | offline | malware_download | 2026-05-24 |
| hxxps://mcq9ktcv.telemetry-nexus.digital/?ublib=9e0e3bf9-684e-4e01-a7fd-2515bc86a6cf | offline | malware_download | 2026-05-24 |
| hxxps://kgztgu.fortunalamella.hu/7e778cbe-1bd4-47ce-a5a1-749ea5b2d8b2 | offline | malware_download | 2026-05-24 |
| hxxps://arrtom.followyourjoy.hu/1bf3899c-8774-4bfd-8c72-3cbf18fa43e0 | offline | malware_download | 2026-05-24 |
| hxxps://npukpk.fodraszoktatas.eu/03ace386-a37f-41e7-a367-df0d30df34a5 | offline | malware_download | 2026-05-24 |
| hxxps://wwkgzd.flybuiltstudio.com/526ac08f-2188-419f-b2ad-e01b2bdb0df1 | offline | malware_download | 2026-05-24 |
| hxxps://qsxrao.flybuilt.hu/39b08f37-efbc-45ce-b98f-6ddaba53f04d | offline | malware_download | 2026-05-24 |
| hxxps://nqvfew.flybuilt.eu/977d4603-4081-4280-8ea6-62ecfcc84f05 | offline | malware_download | 2026-05-24 |
| hxxps://58knxotz.proxy-compass.digital/?ublib=36534f41-dc9c-4236-b20e-843ee861e728 | offline | malware_download | 2026-05-24 |
| hxxps://vuvwlz.fluss.hu/6542db39-5779-4a96-8233-000e048dc99d | offline | malware_download | 2026-05-24 |
| hxxps://ieeljt.fittkor.hu/0ea4384d-3295-4e89-829c-803c6e58deff | offline | malware_download | 2026-05-24 |
| hxxps://xdfbko.feszt360.hu/436049f6-40c3-4c50-b420-e1a81a1431ec | offline | malware_download | 2026-05-24 |
| hxxps://trejzg.femeso.hu/60fd6bbb-3774-46d1-afcc-9d6e31df4890 | offline | malware_download | 2026-05-24 |
| hxxps://dxsdji.felhangolo.com/7801266f-7be5-4f9d-9301-2154542f65fa | offline | malware_download | 2026-05-24 |
| hxxps://hqcmiiiu.cloud-orbit.digital/?ublib=b38ec3bf-301b-435a-a39c-37314ea5f352 | offline | malware_download | 2026-05-24 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["dxsdji.felhangolo.com", "wwkgzd.flybuiltstudio.com", "ieeljt.fittkor.hu", "hqcmiiiu.cloud-orbit.digital", "trejzg.femeso.hu", "nqvfew.flybuilt.eu", "dbvxnw.fullnrg.hu", "xdfbko.feszt360.hu", "arrtom.followyourjoy.hu", "mcq9ktcv.telemetry-nexus.digital", "58knxotz.proxy-compass.digital", "kgztgu.fortunalamella.hu", "vuvwlz.fluss.hu", "qsxrao.flybuilt.hu", "npukpk.fodraszoktatas.eu"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["dxsdji.felhangolo.com", "wwkgzd.flybuiltstudio.com", "ieeljt.fittkor.hu", "hqcmiiiu.cloud-orbit.digital", "trejzg.femeso.hu", "nqvfew.flybuilt.eu", "dbvxnw.fullnrg.hu", "xdfbko.feszt360.hu", "arrtom.followyourjoy.hu", "mcq9ktcv.telemetry-nexus.digital", "58knxotz.proxy-compass.digital", "kgztgu.fortunalamella.hu", "vuvwlz.fluss.hu", "qsxrao.flybuilt.hu", "npukpk.fodraszoktatas.eu"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
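The domain lists hard-coded in the two KQL queries above are derived from the IOC table, which publishes URLs in defanged `hxxps://` form. The following Python script is an added example (not part of this page or of any Sentinel content pack) that parses a table in that format, refangs each URL, extracts and de-duplicates the hostnames, validates them as plain DNS names before they are embedded in a query (so a malformed or hostile feed entry cannot alter the generated KQL), and emits the `let malicious_domains = dynamic([...]);` line plus the DnsEvents hunt. The three-row table embedded in the script is constructed from the first rows of the IOC table above; the function names are the example's own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the first three rows of the page's IOC table, in the
# same defanged markdown form. A real run would read the full table instead.
IOC_TABLE = """\
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://dbvxnw.fullnrg.hu/b9fc31b1-4e34-4141-83f0-d0b44a3d678a | offline | malware_download | 2026-05-24 |
| hxxps://mcq9ktcv.telemetry-nexus.digital/?ublib=9e0e3bf9-684e-4e01-a7fd-2515bc86a6cf | offline | malware_download | 2026-05-24 |
| hxxps://kgztgu.fortunalamella.hu/7e778cbe-1bd4-47ce-a5a1-749ea5b2d8b2 | offline | malware_download | 2026-05-24 |
"""

# Lower-case DNS hostname: labels of 1-63 chars, letters/digits/hyphens,
# no leading or trailing hyphen, at least two labels.
HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] / (.) -> ., [:] -> :) so the URL parses."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def is_valid_hostname(host: str) -> bool:
    """True only for a plain DNS name; rejects quotes, brackets and other query-breaking characters."""
    return bool(HOST_RE.match(host))


def parse_ioc_table(text: str) -> list[dict]:
    """Parse a markdown IOC table (with or without leading pipes) into row dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if "|" not in line or set(line) <= {"|", "-", ":", " "}:
            continue  # blank, non-table, or the |---| separator row
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0].lower() == "url":
            continue  # header row or a row that does not fit the 4-column layout
        url, status, threat, date_added = cells
        clean = refang(url)
        rows.append({
            "url": clean,
            "host": (urlparse(clean).hostname or "").lower(),
            "status": status,
            "threat": threat,
            "date_added": date_added,
        })
    return rows


def domains_from(rows: list[dict]) -> list[str]:
    """Unique hostnames in first-seen order; raises on anything that is not a DNS name."""
    seen: list[str] = []
    for row in rows:
        host = row["host"]
        if not is_valid_hostname(host):
            raise ValueError(f"refusing to embed non-hostname value in KQL: {host!r}")
        if host not in seen:
            seen.append(host)
    return seen


def kql_domain_list(domains: list[str], name: str = "malicious_domains") -> str:
    """Render the KQL 'let' statement used by the hunts above."""
    for d in domains:
        if not is_valid_hostname(d):
            raise ValueError(f"invalid hostname: {d!r}")
    quoted = ", ".join(f'"{d}"' for d in domains)
    return f"let {name} = dynamic([{quoted}]);"


def build_dns_hunt(domains: list[str]) -> str:
    """Full DnsEvents hunt query, matching the structure of the page's first query."""
    return "\n".join([
        "// Hunt for DNS resolution of URLhaus malicious domains",
        "// Threat: ClearFake",
        kql_domain_list(domains),
        "DnsEvents",
        "| where Name has_any (malicious_domains)",
        "| project TimeGenerated, Computer, Name, IPAddresses",
        "| order by TimeGenerated desc",
    ])


if __name__ == "__main__":
    print(build_dns_hunt(domains_from(parse_ioc_table(IOC_TABLE))))
```

Because all 15 URLs are listed as offline, the generated query is mainly useful for retrospective hunting over retained DnsEvents and CommonSecurityLog data; regenerating the list from the table each time keeps the two KQL queries in sync as the IOC set changes.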
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update or patch deployment whose URLs are flagged by the ClearFake detection
Filter/Exclusion: Exclude URLs that match known system update domains (e.g., *.microsoft.com, *.canonical.com), or use a regex to match URLs containing update/ or patch/ in the path.

Scenario: Scheduled backup job whose file-transfer URLs are flagged by the ClearFake detection
Filter/Exclusion: Exclude URLs that include backup/ or restore/ in the path, or filter by the IP addresses of internal backup servers.

Scenario: Admin task downloading third-party software from URLs flagged by the ClearFake detection
Filter/Exclusion: Exclude URLs that match known software repositories (e.g., *.sourceforge.net, *.github.com) or include download/ in the URL path.

Scenario: Internal tool that generates temporary URLs for internal testing which are flagged by the ClearFake detection
Filter/Exclusion: Exclude URLs that originate from internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or include test/, dev/, or sandbox/ in the path.

Scenario: Automated CI/CD pipeline fetching dependencies from URLs flagged by the ClearFake detection
Filter/Exclusion: Exclude URLs that match known CI/CD service domains (e.g., *.github.com, *.gitlab.com, *.bitbucket.org) or include ci/, cd/, or pipeline/ in the path.