The ClearFake malware uses the malicious URLs listed by URLhaus to establish command-and-control communication and to exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel so that potential data breaches are identified and mitigated early.
IOC Summary

Threat: ClearFake; Total URLs: 33; Active URLs: 33
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://serven5um.nov3liren.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://vor-spireos.nov3liren.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://atom1-span.nov3liren.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://emidb.kymle1rax.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://geo-1c3.kymle1rax.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://veltide4a.kymle1rax.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://thick8-signal.kymle1rax.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://tercheck.kymle1rax.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://inkraven.kymle1rax.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://ash-leaf.to9varon.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://neo-cornput.to9varon.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://bytefore.to9varon.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://rntfvps.to9varon.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://atomicextract.to9varon.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://server-scar.to9varon.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://hdf358xa.sylo6mer.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://amber-mon.sylo6mer.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://gentl-snow.sylo6mer.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://25eap9f.sylo6mer.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://argrs.sylo6mer.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://vorlithen4.sylo6mer.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://sernexor8.rax4pavel.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://falforma.rax4pavel.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://forrn7-panel.rax4pavel.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
| hxxps://jkdraj.rax4pavel.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk | online | malware_download | 2026-04-25 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["veltide4a.kymle1rax.in.net", "tercheck.kymle1rax.in.net", "argrs.sylo6mer.in.net", "forrn7-panel.rax4pavel.in.net", "serven5um.nov3liren.in.net", "sernexor8.rax4pavel.in.net", "starwinter.rax4pavel.in.net", "falforma.rax4pavel.in.net", "sub-n3uron.zex8liron.in.net", "rntfvps.to9varon.in.net", "neo-cornput.to9varon.in.net", "jkdraj.rax4pavel.in.net", "thick8-signal.kymle1rax.in.net", "server-scar.to9varon.in.net", "inkraven.kymle1rax.in.net", "geo-1c3.kymle1rax.in.net", "hdf358xa.sylo6mer.in.net", "atom1-span.nov3liren.in.net", "dyn-tideis.zex8liron.in.net", "ultra-f1rmvva.zex8liron.in.net", "atomicextract.to9varon.in.net", "vellithal3.rax4pavel.in.net", "vor-spireos.nov3liren.in.net", "bytefore.to9varon.in.net", "gentl-snow.sylo6mer.in.net", "emidb.kymle1rax.in.net", "25eap9f.sylo6mer.in.net", "vorlithen4.sylo6mer.in.net", "amber-mon.sylo6mer.in.net", "ash-leaf.to9varon.in.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic (proxy / firewall CEF logs) to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["veltide4a.kymle1rax.in.net", "tercheck.kymle1rax.in.net", "argrs.sylo6mer.in.net", "forrn7-panel.rax4pavel.in.net", "serven5um.nov3liren.in.net", "sernexor8.rax4pavel.in.net", "starwinter.rax4pavel.in.net", "falforma.rax4pavel.in.net", "sub-n3uron.zex8liron.in.net", "rntfvps.to9varon.in.net", "neo-cornput.to9varon.in.net", "jkdraj.rax4pavel.in.net", "thick8-signal.kymle1rax.in.net", "server-scar.to9varon.in.net", "inkraven.kymle1rax.in.net", "geo-1c3.kymle1rax.in.net", "hdf358xa.sylo6mer.in.net", "atom1-span.nov3liren.in.net", "dyn-tideis.zex8liron.in.net", "ultra-f1rmvva.zex8liron.in.net", "atomicextract.to9varon.in.net", "vellithal3.rax4pavel.in.net", "vor-spireos.nov3liren.in.net", "bytefore.to9varon.in.net", "gentl-snow.sylo6mer.in.net", "emidb.kymle1rax.in.net", "25eap9f.sylo6mer.in.net", "vorlithen4.sylo6mer.in.net", "amber-mon.sylo6mer.in.net", "ash-leaf.to9varon.in.net"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Software Update via URLhaus List
Description: A system administrator manually updates a legitimate software tool (e.g., Microsoft Windows Update or Adobe Flash Player) using a URL from the URLhaus list, which is known to host both malicious and benign URLs.
Filter/Exclusion: Exclude URLs that match known software update domains (e.g., update.microsoft.com, adobe.com, mozilla.org) or use a regex to match known update patterns.
Scenario: Scheduled Job Using Malicious-Linked URL
Description: A scheduled job (e.g., schtasks.exe or cron job) is configured to download a legitimate configuration file from a URL that appears in the URLhaus list due to historical association with malicious activity.
Filter/Exclusion: Exclude URLs that match known configuration file domains (e.g., config.example.com, internal-registry.example.org) or use a filter based on the HTTP method (e.g., GET for configuration files).
Scenario: Admin Task Using ClearFake-Related URL for Testing
Description: A security administrator is testing a new detection rule and uses a ClearFake-related URL from URLhaus as part of a controlled test environment.
Filter/Exclusion: Exclude URLs that contain specific test identifiers (e.g., test-clearfake-12345) or use a filter based on the source IP address of the internal testing environment.
Scenario: Legitimate Email Campaign with Phishing URL
Description: A legitimate email campaign (e.g., from a marketing tool like HubSpot or Salesforce) includes a URL that is mistakenly listed in URLhaus due to a past phishing incident.
Filter/Exclusion: Exclude URLs that match known email marketing domains (e.g., marketing.example.com, campaigns.example.org) or use a filter based
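The following Python script is an added example, not part of the original hunting page, and not ClearFake or URLhaus tooling. It re-implements offline what the two Sentinel queries above do (refang the IOC URLs into a domain list, match DNS and CEF-style web records against it) and then applies the exclusion logic from the false-positive scenarios (an allowlist of vendor update domains, and a source-IP filter for the internal test environment), so the matching and exclusion rules can be tested against sample records before they are translated into KQL. All log records are constructed; the allowlist entries and the test-lab network range are assumptions, not values taken from the page.

```python
"""Offline model of the ClearFake / URLhaus hunt plus false-positive exclusions.

Added example (not from the original page). Every log record below is
constructed sample data; UPDATE_ALLOWLIST and TEST_LAB_NETWORK are assumed
values that a SOC would replace with its own.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Three of the defanged IOC URLs published in the table above.
IOC_URLS = [
    "hxxps://serven5um.nov3liren.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk",
    "hxxps://emidb.kymle1rax.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk",
    "hxxps://argrs.sylo6mer.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk",
]

# Scenario exclusions (assumed values): vendor update hosts that must never be
# flagged, and the address range used by the internal detection-test lab.
UPDATE_ALLOWLIST = {"update.microsoft.com", "download.mozilla.org"}
TEST_LAB_NETWORK = ip_network("10.250.0.0/16")


def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// or [.] URL back into a parseable one."""
    return (url.replace("hxxps://", "https://", 1)
               .replace("hxxp://", "http://", 1)
               .replace("[.]", "."))


def ioc_domains(urls):
    """Extract lowercase host names; the equivalent of the KQL dynamic() list."""
    return {urlparse(refang(u)).hostname.lower() for u in urls}


def host_matches(name: str, domains) -> bool:
    """True if name equals an IOC domain or is a subdomain of one.

    KQL has_any is term based; this is the explicit, testable equivalent and
    deliberately does not match 'notargrs.sylo6mer.in.net' for 'argrs...'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def is_excluded(record, allowlist=UPDATE_ALLOWLIST, lab=TEST_LAB_NETWORK) -> bool:
    """Apply the false-positive scenarios: allowlisted update domains, and
    traffic whose source address lies in the detection-test lab range."""
    if host_matches(record.get("host", ""), allowlist):
        return True
    src = record.get("source_ip")
    return bool(src) and ip_address(src) in lab


def hunt(dns_events, proxy_events, domains):
    """Return the hits the two Sentinel queries would surface, minus exclusions,
    newest first (the KQL 'order by TimeGenerated desc')."""
    hits = []
    for ev in dns_events:  # DnsEvents columns: TimeGenerated, Computer, Name
        rec = {"source": "DnsEvents", "host": ev["Name"],
               "computer": ev["Computer"], "time": ev["TimeGenerated"]}
        if host_matches(ev["Name"], domains) and not is_excluded(rec):
            hits.append(rec)
    for ev in proxy_events:  # CommonSecurityLog: RequestURL, DestinationHostName, SourceIP
        host = ev.get("DestinationHostName") or (urlparse(ev["RequestURL"]).hostname or "")
        rec = {"source": "CommonSecurityLog", "host": host, "source_ip": ev["SourceIP"],
               "action": ev["DeviceAction"], "time": ev["TimeGenerated"]}
        if host_matches(host, domains) and not is_excluded(rec):
            hits.append(rec)
    return sorted(hits, key=lambda r: r["time"], reverse=True)


# Constructed sample records shaped like the two Sentinel tables.
SAMPLE_DNS = [
    {"TimeGenerated": "2026-04-25T08:01:00Z", "Computer": "WS-014",
     "Name": "emidb.kymle1rax.in.net", "IPAddresses": "203.0.113.10"},
    {"TimeGenerated": "2026-04-25T08:02:00Z", "Computer": "WS-014",
     "Name": "update.microsoft.com", "IPAddresses": "198.51.100.5"},
]
SAMPLE_PROXY = [
    {"TimeGenerated": "2026-04-25T08:03:00Z", "SourceIP": "10.1.4.22",
     "RequestURL": "https://argrs.sylo6mer.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk",
     "DestinationHostName": "argrs.sylo6mer.in.net", "DeviceAction": "blocked"},
    # Same IOC family, but from the test lab: excluded by the source-IP filter.
    {"TimeGenerated": "2026-04-25T08:04:00Z", "SourceIP": "10.250.3.9",
     "RequestURL": "https://serven5um.nov3liren.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk",
     "DestinationHostName": "serven5um.nov3liren.in.net", "DeviceAction": "allowed"},
]


def run_sample():
    """Run the hunt over the constructed records; returns two hits."""
    return hunt(SAMPLE_DNS, SAMPLE_PROXY, ioc_domains(IOC_URLS))


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Running the script yields two hits: the proxy request to argrs.sylo6mer.in.net from a workstation address and the DNS lookup of emidb.kymle1rax.in.net; the lab request to serven5um.nov3liren.in.net is suppressed by the source-IP exclusion. In KQL the same exclusions become an extra `| where SourceIP !in (test_lab_ranges)` and an allowlist `dynamic()` compared with `!has_any`, with the caveat that a source-IP exclusion should be scoped as tightly as the lab really is, since a broad range would also hide a compromised host that sits in it.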