The detection identifies potential ClearFake malicious URLs that adversaries may use to deliver malware or phishing payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage attacks before they cause significant damage.
IOC Summary
Threat: ClearFake | Total URLs: 14 | Active URLs: 0
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["xawur.workoutwithdorci.com", "g6zaqd6k.schleer.hu", "afnsw.wlwyb.com", "igyom.technologiaiviz.hu", "hwujn.welovevent.com", "dkhgk.zaszlorudbolt.hu", "snonc.accredit.hu", "cajya.addmagad.com", "uswai.vikstore.hu", "mrlls.aileadfactory.com", "vggil.yanis.hu", "miixn.wilhelmglobal.com", "2vmkhs7s.riherino.com", "yjkjr.westinvesteuropa.hu"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["xawur.workoutwithdorci.com", "g6zaqd6k.schleer.hu", "afnsw.wlwyb.com", "igyom.technologiaiviz.hu", "hwujn.welovevent.com", "dkhgk.zaszlorudbolt.hu", "snonc.accredit.hu", "cajya.addmagad.com", "uswai.vikstore.hu", "mrlls.aileadfactory.com", "vggil.yanis.hu", "miixn.wilhelmglobal.com", "2vmkhs7s.riherino.com", "yjkjr.westinvesteuropa.hu"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

1. Scenario: A system administrator manually enters a ClearFake URL into a ticketing system (e.g., ServiceNow) to test a phishing simulation.
   Filter/Exclusion: Exclude URLs that match known phishing simulation platforms or domains used by security teams (e.g., phishsim.example.com, testphishinglab.com).
2. Scenario: A scheduled job runs a script that fetches and processes URLs from a legitimate threat intelligence feed (e.g., URLhaus) for analysis.
   Filter/Exclusion: Exclude URLs that originate from known threat intelligence sources or are part of automated analysis workflows (e.g., urlhaus-api.org, threatintel.example.com).
3. Scenario: A user clicks on a ClearFake URL shared in an internal Slack channel as part of a security awareness training exercise.
   Filter/Exclusion: Exclude URLs that are associated with internal security training platforms (e.g., training.example.com, securityawareness.example.org).
4. Scenario: A DevOps pipeline includes a step that validates URLs against a list of known malicious domains for testing purposes.
   Filter/Exclusion: Exclude URLs that are part of CI/CD pipeline testing or validation tools (e.g., test-url-validator.example.com, devsecops-test.example.net).
5. Scenario: An admin task runs a script to generate and test benign URLs for a web application security test (e.g., using OWASP ZAP or Burp Suite).
   Filter/Exclusion: Exclude URLs generated or used by security testing tools (e.g., zap.example.com, burp-test.example.org) or any IP ranges used in internal testing.
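A single tuned hunt that unions the DNS and proxy queries above and applies the kind of exclusions these scenarios call for, as an added example that is not part of the original page; the excluded host names and the IP range are assumed placeholders to be replaced with your own analysis hosts and test ranges.

```kusto
// Added example (not from the original page): one tuned ClearFake hunt over both tables.
let lookback = 7d;
let malicious_domains = dynamic(["xawur.workoutwithdorci.com", "g6zaqd6k.schleer.hu",
    "afnsw.wlwyb.com", "igyom.technologiaiviz.hu", "hwujn.welovevent.com",
    "dkhgk.zaszlorudbolt.hu", "snonc.accredit.hu", "cajya.addmagad.com",
    "uswai.vikstore.hu", "mrlls.aileadfactory.com", "vggil.yanis.hu",
    "miixn.wilhelmglobal.com", "2vmkhs7s.riherino.com", "yjkjr.westinvesteuropa.hu"]);
// Placeholder hosts that legitimately touch these indicators (TI collector, CI runner)
let excluded_hosts = dynamic(["ti-collector.example.com", "devsecops-test.example.net"]);
// Placeholder source range used by internal security testing tools
let excluded_ranges = dynamic(["10.99.0.0/24"]);
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (malicious_domains)
    | where Computer !in~ (excluded_hosts)
    | extend Source = "DnsEvents", Host = Computer, Indicator = Name, Action = "dns_resolved";
let proxy_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
    // coalesce keeps rows whose SourceIP is empty or not IPv4 (the range check returns null there)
    | where not(coalesce(ipv4_is_in_any_range(SourceIP, excluded_ranges), false))
    | extend Source = "CommonSecurityLog", Host = SourceIP,
             Indicator = iff(isnotempty(DestinationHostName), DestinationHostName, RequestURL),
             Action = DeviceAction;
union dns_hits, proxy_hits
// One row per reporting source and host: first/last contact, hit count, which indicators, what the device did
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Indicators = make_set(Indicator), Actions = make_set(Action)
    by Source, Host
| order by LastSeen desc
```

Hosts that appear under DnsEvents with no matching CommonSecurityLog row, or whose Actions set shows the request was allowed rather than blocked, are the ones to triage first.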