The hypothesis is that the detected URLs are part of a ClearFake campaign, which uses deceptive URLs to trick users into downloading malicious payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential phishing or credential theft attacks before they lead to data exfiltration or system compromise.
IOC Summary
Threat: ClearFake Total URLs: 16 Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxps://ffrpwns.vbetirani.com/edfb54aa-d429-454e-b5be-0d6ac675f87d | offline | malware_download | 2026-06-05 |
hxxps://ukmcha.yasbet90.com/1f8565b3-e7f7-4d0c-a14c-755db680c2ba | offline | malware_download | 2026-06-05 |
hxxps://nekdncv.usa2026.bet/1f167c13-e345-4be0-917f-e6ab2e011b28 | offline | malware_download | 2026-06-05 |
hxxps://edfwndp0.chloroquineser.com/?ublib=0f9964f0-6866-45fb-abd1-3f855955f13b | offline | malware_download | 2026-06-05 |
hxxps://dnmjqvy.trmegapari.com/5fee984e-a5a5-4153-b9c5-0c434d92d224 | offline | malware_download | 2026-06-05 |
hxxps://bagkqzj.zeppelin.bet/04e8ad7c-0a7c-46ff-a488-1c880eb0131c | offline | malware_download | 2026-06-05 |
hxxps://kgebll.xenicalby6.com/59ef435c-fc65-4a8d-b686-84252cd4309a | offline | malware_download | 2026-06-05 |
hxxps://tjvdbbc.yektbet.bet/bdca0698-2006-4001-88ff-16389c533193 | offline | malware_download | 2026-06-05 |
hxxps://cpteijd.yekbetiran.com/fa7ee749-23f8-4679-8332-f2cce7b74e3e | offline | malware_download | 2026-06-05 |
hxxps://kazwbt9n.2026.futbol/?ublib=ca942a90-68b5-4f2e-bc48-a0b451072474 | offline | malware_download | 2026-06-05 |
hxxps://lgwzmtt.yek1bet.bet/372a3933-716e-489a-ac9f-b72662c39d71 | offline | malware_download | 2026-06-05 |
hxxps://afdaqyu.yasbet.casino/3dddd506-1f0d-43b9-83a9-0fdeb20be67e | offline | malware_download | 2026-06-05 |
hxxps://xcpvjq6r.cerocarey.com/?ublib=100582df-2acc-4be2-a34c-ef20bc4a569d | offline | malware_download | 2026-06-05 |
hxxps://tqdtntx.hotbet90.casino/252500e7-98e9-48d9-9c16-53a0d896024c | offline | malware_download | 2026-06-05 |
hxxps://xeanui.x50wheel.bet/8e1583cb-5e86-4b46-8aa0-cc6151ddd088 | offline | malware_download | 2026-06-05 |
hxxps://dlkcsdq.hotbet90app.com/82728660-32b7-415c-a77f-fc0e14afa762 | offline | malware_download | 2026-06-05 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["kazwbt9n.2026.futbol", "xcpvjq6r.cerocarey.com", "tjvdbbc.yektbet.bet", "cpteijd.yekbetiran.com", "tqdtntx.hotbet90.casino", "afdaqyu.yasbet.casino", "dlkcsdq.hotbet90app.com", "ukmcha.yasbet90.com", "ffrpwns.vbetirani.com", "lgwzmtt.yek1bet.bet", "bagkqzj.zeppelin.bet", "xeanui.x50wheel.bet", "nekdncv.usa2026.bet", "dnmjqvy.trmegapari.com", "kgebll.xenicalby6.com", "edfwndp0.chloroquineser.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["kazwbt9n.2026.futbol", "xcpvjq6r.cerocarey.com", "tjvdbbc.yektbet.bet", "cpteijd.yekbetiran.com", "tqdtntx.hotbet90.casino", "afdaqyu.yasbet.casino", "dlkcsdq.hotbet90app.com", "ukmcha.yasbet90.com", "ffrpwns.vbetirani.com", "lgwzmtt.yek1bet.bet", "bagkqzj.zeppelin.bet", "xeanui.x50wheel.bet", "nekdncv.usa2026.bet", "dnmjqvy.trmegapari.com", "kgebll.xenicalby6.com", "edfwndp0.chloroquineser.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL shortener tool by visiting a few legitimate URLs from the tool’s dashboard.
Filter/Exclusion: Exclude URLs that match the domain of the URL shortener tool (e.g., short.url or linkvertise.com) using a domain-based filter.
Scenario: A scheduled job runs a script that downloads and processes a CSV file containing legitimate URLs from a third-party API for data analysis.
Filter/Exclusion: Exclude URLs that originate from known data processing APIs (e.g., api.dataanalysis.com) using a source IP or domain filter.
Scenario: An IT team member is performing a security audit and is testing the behavior of a legitimate security tool by visiting its documentation page.
Filter/Exclusion: Exclude URLs that contain /docs/ or /support/ paths from trusted security vendors (e.g., docs.microsoft.com, support.symantec.com).
Scenario: A developer is using a CI/CD pipeline to fetch dependencies from a private artifact repository, which includes URLs that match the ClearFake pattern.
Filter/Exclusion: Exclude URLs that match the private repository domain (e.g., artifactory.internal.company.com) using a domain-based exclusion rule.
Scenario: A user is accessing a legitimate phishing simulation tool that generates fake URLs for training purposes, which are tagged as ClearFake.
Filter/Exclusion: Exclude URLs that contain the string phishing-sim or are from the training platform’s domain (e.g., train.phishing-sim.com).