The hypothesis is that the detected URLs are part of a ClearFake campaign designed to deceive users into visiting malicious sites, thereby enabling credential theft or malware delivery. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of user accounts and systems before lateral movement or data exfiltration occurs.
IOC Summary
Threat: ClearFake
Total URLs: 7
Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://tooca.sm188daftar.skin/97018d57-874a-4e5a-a011-894d422e3a6f | offline | malware_download | 2026-05-29 |
| hxxps://qbtnd.sm188dvlv.cfd/b85b1637-1849-4b75-bdbe-a7c462b5a26e | offline | malware_download | 2026-05-29 |
| hxxps://nblvwres.stgsolar.hu/?ublib=044148fa-e522-4250-85a3-8806814165d4 | offline | malware_download | 2026-05-29 |
| hxxps://pixey.lampaoszlopbolt.hu/b9f5fb58-c055-435a-a1ca-5d1f6e5df1d0 | offline | malware_download | 2026-05-29 |
| hxxps://dvzzer4n.parossag.hu/?ublib=63e88b25-86dc-4131-a28f-69a71dca394e | offline | malware_download | 2026-05-29 |
| hxxps://fjtdm.sm188wing.cyou/a479652d-1bb1-45d0-a83a-94e4b238fe0d | offline | malware_download | 2026-05-29 |
| hxxps://gzhcn.sm188login.sbs/20dcb803-2bfa-44e4-8390-def8fb97d642 | offline | malware_download | 2026-05-29 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["pixey.lampaoszlopbolt.hu", "dvzzer4n.parossag.hu", "tooca.sm188daftar.skin", "fjtdm.sm188wing.cyou", "nblvwres.stgsolar.hu", "gzhcn.sm188login.sbs", "qbtnd.sm188dvlv.cfd"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["pixey.lampaoszlopbolt.hu", "dvzzer4n.parossag.hu", "tooca.sm188daftar.skin", "fjtdm.sm188wing.cyou", "nblvwres.stgsolar.hu", "gzhcn.sm188login.sbs", "qbtnd.sm188dvlv.cfd"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator manually enters a ClearFake URL into a ticketing system (e.g., Jira) to test a phishing detection tool.
Filter/Exclusion: Exclude URLs containing the domain jira.example.com or any URL that includes the string test-phishing.
Scenario: A scheduled job runs a script that generates temporary URLs for internal testing (e.g., using curl or wget with a temporary URL generator like tempurl.org).
Filter/Exclusion: Exclude URLs with the domain tempurl.org or any URL that contains the substring temp-.
Scenario: A DevOps team uses a CI/CD pipeline (e.g., Jenkins) to deploy code, and the pipeline includes a step that generates a temporary URL for artifact download (e.g., using AWS S3 pre-signed URLs).
Filter/Exclusion: Exclude URLs containing the substring s3.amazonaws.com or any URL that includes the string pre-signed.
Scenario: An IT helpdesk employee uses a tool like PowerShell or Python to send a test email with a ClearFake URL to verify email security tools (e.g., using Send-MailMessage).
Filter/Exclusion: Exclude URLs that include the domain helpdesk.example.com or any URL that contains the string test-email.
Scenario: A security team uses a sandboxing tool like Cuckoo Sandbox or Joe Sandbox to analyze a suspicious file, and the analysis generates a temporary ClearFake URL for internal use.
Filter/Exclusion: Exclude URLs containing the substring sandbox or any URL that includes the domain cuckoo.example.com.
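The hunt queries above key on the domain list, while the IOC table lists full defanged URLs, and the exclusion scenarios are expressed as domain and substring filters. The following Python script, added here as an example and not part of the original page or the URLhaus feed tooling, ties the three together: it refangs the hxxps IOCs, extracts the domains, renders them as the `dynamic([...])` literal the KQL expects, and then runs the same domain match plus the page's exclusions over a few constructed DnsEvents/CommonSecurityLog-shaped records. The `refang`, `hunt` and `is_excluded` helpers, the sample records and the IP addresses in them are assumptions made for this example.

```python
import json
import re
from urllib.parse import urlsplit

# Three IOC URLs copied from the page's table, still in their defanged "hxxps" form.
DEFANGED_IOCS = [
    "hxxps://tooca.sm188daftar.skin/97018d57-874a-4e5a-a011-894d422e3a6f",
    "hxxps://nblvwres.stgsolar.hu/?ublib=044148fa-e522-4250-85a3-8806814165d4",
    "hxxps://pixey.lampaoszlopbolt.hu/b9f5fb58-c055-435a-a1ca-5d1f6e5df1d0",
]

# Exclusions taken verbatim from the page's false-positive scenarios.
EXCLUDED_DOMAINS = ["jira.example.com", "tempurl.org", "s3.amazonaws.com",
                    "helpdesk.example.com", "cuckoo.example.com"]
EXCLUDED_SUBSTRINGS = ["test-phishing", "temp-", "pre-signed", "test-email", "sandbox"]


def refang(url: str) -> str:
    """Undo common defanging so the URL parses: hxxp -> http, [.] -> ., [:] -> :."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def ioc_domain(defanged_url: str) -> str:
    """Return the lower-cased hostname of a defanged IOC URL."""
    host = urlsplit(refang(defanged_url)).hostname
    if not host:
        raise ValueError(f"no host in IOC: {defanged_url}")
    return host.lower()


def kql_dynamic(domains) -> str:
    """Render the domain set as the KQL dynamic([...]) literal used by the hunts."""
    return "dynamic(" + json.dumps(sorted(domains)) + ")"


def host_hits(name: str, domains) -> bool:
    """True if name is an IOC domain or a subdomain of one.
    This mirrors what `Name has_any (...)` finds: the IOC domain present as whole
    terms inside the observed name; the bare parent domain on its own is not a hit."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def is_excluded(value: str) -> bool:
    """Apply the page's suggested false-positive filters to a URL or host name."""
    v = value.lower()
    host = urlsplit(refang(v)).hostname if "://" in v else v
    if host and any(host == d or host.endswith("." + d) for d in EXCLUDED_DOMAINS):
        return True
    return any(s in v for s in EXCLUDED_SUBSTRINGS)


def hunt(records, domains):
    """Return records whose Name (DnsEvents) or RequestURL (CommonSecurityLog)
    touches an IOC domain and is not suppressed by an exclusion."""
    hits = []
    for r in records:
        candidate = r.get("RequestURL") or r.get("Name") or ""
        host = urlsplit(refang(candidate)).hostname if "://" in candidate else candidate
        if host and host_hits(host, domains) and not is_excluded(candidate):
            hits.append(r)
    return hits


# Constructed sample records shaped like rows from the two Sentinel tables.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-05-29T10:01:00Z", "Computer": "WS01",
     "Name": "pixey.lampaoszlopbolt.hu", "IPAddresses": "203.0.113.10"},      # hit
    {"TimeGenerated": "2026-05-29T10:02:00Z", "Computer": "WS02",
     "Name": "lampaoszlopbolt.hu", "IPAddresses": "203.0.113.11"},            # parent domain only: no hit
    {"TimeGenerated": "2026-05-29T10:03:00Z", "SourceIP": "10.0.0.5",
     "RequestURL": "https://nblvwres.stgsolar.hu/?ublib=044148fa-e522-4250-85a3-8806814165d4",
     "DeviceAction": "allow"},                                                # hit
    {"TimeGenerated": "2026-05-29T10:04:00Z", "SourceIP": "10.0.0.9",
     "RequestURL": "https://nblvwres.stgsolar.hu/sandbox/report",
     "DeviceAction": "allow"},                                                # IOC domain, but suppressed by "sandbox"
]

if __name__ == "__main__":
    domains = {ioc_domain(u) for u in DEFANGED_IOCS}
    print(kql_dynamic(domains))
    for hit in hunt(SAMPLE_RECORDS, domains):
        print(hit["TimeGenerated"], hit.get("Computer") or hit.get("SourceIP"),
              hit.get("Name") or hit["RequestURL"])
```

The fourth sample record is the practical caveat: a request to a listed IOC domain disappears from the results because its path contains the substring `sandbox`. Substring exclusions of that breadth should be scoped to the specific benign source (a named host or a known internal tool) rather than applied across all traffic, otherwise the exclusion list becomes a way to hide real hits.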