The hypothesis is that the detected URLs are part of a ClearFake campaign, which uses deceptive URLs to trick users into downloading malicious payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of user endpoints and data exfiltration.
IOC Summary

Threat: ClearFake
Total URLs: 9
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://xzhuzft.asyabet303.bet/e7ef8209-38d5-4fa9-b9e4-df3ed0733ace | offline | malware_download | 2026-06-01 |
| hxxps://pzacsqp.ariash.art/78117727-71d5-4e3a-be82-3e3438478e90 | offline | malware_download | 2026-06-01 |
| hxxps://jkjcrqj.21pasoor.app/86cd6bb4-03a3-46ed-8019-9f904ffad8bd | offline | malware_download | 2026-06-01 |
| hxxps://vzfelbc.1shartbet1.com/ba3bd6aa-fbe6-480e-aa33-8a13e43c19fc | offline | malware_download | 2026-06-01 |
| hxxps://p4nkss83.alsulmicpa.com/?ublib=199bce10-7ddf-4388-af4c-7bc72a2984c1 | offline | malware_download | 2026-06-01 |
| hxxps://aehcwen.123betyek.com/bfceb72a-5f68-4317-b7a5-6619424887c8 | offline | malware_download | 2026-06-01 |
| hxxps://seahohx.saas-systems.hu/08a30c49-a0e8-4490-a983-cf10b66c774c | offline | malware_download | 2026-06-01 |
| hxxps://vxpkpgb.khaled-salah.com/d3db2c84-0f86-4b3d-a385-992425d75d5e | offline | malware_download | 2026-06-01 |
| hxxps://99ytipqf.mayochem.com/?ublib=684568bb-ac22-403e-93ad-1f68a27ffc45 | offline | malware_download | 2026-06-01 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
// Requires the DNS Analytics connector (DnsEvents table)
let malicious_domains = dynamic(["p4nkss83.alsulmicpa.com", "xzhuzft.asyabet303.bet", "jkjcrqj.21pasoor.app", "vxpkpgb.khaled-salah.com", "99ytipqf.mayochem.com", "seahohx.saas-systems.hu", "vzfelbc.1shartbet1.com", "aehcwen.123betyek.com", "pzacsqp.ariash.art"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
// Requires a CEF/Syslog proxy or firewall connector (CommonSecurityLog table)
let malicious_domains = dynamic(["p4nkss83.alsulmicpa.com", "xzhuzft.asyabet303.bet", "jkjcrqj.21pasoor.app", "vxpkpgb.khaled-salah.com", "99ytipqf.mayochem.com", "seahohx.saas-systems.hu", "vzfelbc.1shartbet1.com", "aehcwen.123betyek.com", "pzacsqp.ariash.art"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator manually opens a ClearFake URL as part of a security awareness training exercise.
  Filter/Exclusion: Exclude URLs whose domain is training.example.com or any subdomain of it.
- Scenario: A scheduled job runs a script that downloads a legitimate software update from a URL matching the ClearFake indicators as part of an automated patching process.
  Filter/Exclusion: Exclude URLs that contain the path /patch/ or whose domain is updates.enterprise.com.
- Scenario: A user opens a ClearFake URL to view a phishing simulation page hosted by the security team for internal testing.
  Filter/Exclusion: Exclude URLs that include the query parameter ?sim=1 or whose domain is phishing.simulation.local.
- Scenario: A DevOps pipeline fetches a dependency from a private registry during a CI/CD build using a URL matching the ClearFake indicators.
  Filter/Exclusion: Exclude URLs that contain the path /artifactory/ or whose domain is registry.internal.dev.
- Scenario: An IT helpdesk technician uses a ClearFake URL to reach a remote support tool that requires a one-time token for authentication.
  Filter/Exclusion: Exclude URLs that contain the query parameter ?token=valid or whose domain is support.tools.corp.
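The web-traffic hunt above with these exclusions applied, as an added example that is not part of the original page: it matches on the parsed host rather than the raw URL string, and it records the exclusion reason instead of silently dropping rows. The excluded hosts, paths and query parameters are the placeholder values from the scenarios above and are assumed to be replaced with your own allow-list.

```kusto
// Added example: ClearFake proxy/firewall hunt with auditable false-positive exclusions.
// Excluded hosts/paths/parameters are the page's placeholders; replace with your own allow-list.
let malicious_domains = dynamic(["p4nkss83.alsulmicpa.com", "xzhuzft.asyabet303.bet",
    "jkjcrqj.21pasoor.app", "vxpkpgb.khaled-salah.com", "99ytipqf.mayochem.com",
    "seahohx.saas-systems.hu", "vzfelbc.1shartbet1.com", "aehcwen.123betyek.com",
    "pzacsqp.ariash.art"]);
CommonSecurityLog
| where isnotempty(RequestURL) or isnotempty(DestinationHostName)
| extend parsed = parse_url(RequestURL)
// Use the parsed host (falling back to the destination host) so a lookalike path or
// query string in the URL cannot produce a spurious substring match.
| extend Host = tolower(coalesce(tostring(parsed.Host), DestinationHostName))
| where Host in~ (malicious_domains)
| extend Path = tostring(parsed.Path), Params = parsed["Query Parameters"]
// First matching exclusion wins; an empty reason means the hit is not excluded.
| extend ExclusionReason = case(
    // exact excluded domain or any subdomain of it (dots escaped, anchored at the end)
    Host matches regex @"(^|\.)(training\.example\.com|updates\.enterprise\.com|phishing\.simulation\.local|registry\.internal\.dev|support\.tools\.corp)$", "excluded domain",
    Path contains "/patch/", "automated patching path",
    Path contains "/artifactory/", "CI/CD dependency fetch",
    tostring(Params.sim) == "1", "phishing simulation",
    tostring(Params.token) == "valid", "helpdesk support tool",
    "")
// Summarise per host, keeping excluded and non-excluded hits in separate rows
// so suppressed traffic can still be reviewed.
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
    Sources = make_set(SourceIP, 50), Actions = make_set(DeviceAction, 10)
    by Host, ExclusionReason
| order by ExclusionReason asc, LastSeen desc
```

Path and query-string exclusions are set by whoever controls the URL, so rows carrying a non-empty ExclusionReason should be reviewed periodically rather than treated as benign.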