URLhaus: ClearFake Malicious URLs

Hunt Hypothesis

The detection identifies potential ClearFake malicious URLs that adversaries may use to deliver malware or phishing payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to mitigate the risk of initial compromise and lateral movement.

IOC Summary

Threat: ClearFake Total URLs: 26 Active URLs: 26

URL	Status	Threat	Date Added
`hxxps://ibjxfl.to7vamil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://plan-couri.to7vamil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://l0c4l-phase.to7vamil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://crims0n-path.to7vamil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://c4rry-index.to7vamil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://atom0-bridge.to7vamil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://mer-draet.sylo3rex.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://1e4r-span.sylo3rex.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://6a00327.sylo3rex.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://sx9v1.sylo3rex.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://watch-signal.sylo3rex.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://rwwolv22.sylo3rex.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://stab7-sheet.ra5xovel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://veldraex9.ra5xovel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://3wteeo.ra5xovel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://bluhz.ra5xovel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://broker-plate.ra5xovel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://geo-via1.ra5xovel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://2gxb0vyl.8zorelin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://talcoreos.8zorelin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://sri4.8zorelin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://layoutcrawle.8zorelin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://52hb.8zorelin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://sub-the0.8zorelin.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18
`hxxps://asdf.qimor6xel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google`	online	malware_download	2026-04-18

KQL: Url Dns Hunt

// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["1e4r-span.sylo3rex.in.net", "6a00327.sylo3rex.in.net", "2gxb0vyl.8zorelin.in.net", "mer-draet.sylo3rex.in.net", "sri4.8zorelin.in.net", "3wteeo.ra5xovel.in.net", "ibjxfl.to7vamil.in.net", "sub-the0.8zorelin.in.net", "watch-signal.sylo3rex.in.net", "talcoreos.8zorelin.in.net", "veldraex9.ra5xovel.in.net", "bluhz.ra5xovel.in.net", "l0c4l-phase.to7vamil.in.net", "crims0n-path.to7vamil.in.net", "atom0-bridge.to7vamil.in.net", "broker-plate.ra5xovel.in.net", "geo-via1.ra5xovel.in.net", "plan-couri.to7vamil.in.net", "layoutcrawle.8zorelin.in.net", "c4rry-index.to7vamil.in.net", "stab7-sheet.ra5xovel.in.net", "lowa.qimor6xel.in.net", "52hb.8zorelin.in.net", "asdf.qimor6xel.in.net", "rwwolv22.sylo3rex.in.net", "sx9v1.sylo3rex.in.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc

KQL: Url Proxy Hunt

// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["1e4r-span.sylo3rex.in.net", "6a00327.sylo3rex.in.net", "2gxb0vyl.8zorelin.in.net", "mer-draet.sylo3rex.in.net", "sri4.8zorelin.in.net", "3wteeo.ra5xovel.in.net", "ibjxfl.to7vamil.in.net", "sub-the0.8zorelin.in.net", "watch-signal.sylo3rex.in.net", "talcoreos.8zorelin.in.net", "veldraex9.ra5xovel.in.net", "bluhz.ra5xovel.in.net", "l0c4l-phase.to7vamil.in.net", "crims0n-path.to7vamil.in.net", "atom0-bridge.to7vamil.in.net", "broker-plate.ra5xovel.in.net", "geo-via1.ra5xovel.in.net", "plan-couri.to7vamil.in.net", "layoutcrawle.8zorelin.in.net", "c4rry-index.to7vamil.in.net", "stab7-sheet.ra5xovel.in.net", "lowa.qimor6xel.in.net", "52hb.8zorelin.in.net", "asdf.qimor6xel.in.net", "rwwolv22.sylo3rex.in.net", "sx9v1.sylo3rex.in.net"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc

Required Data Sources

Sentinel Table	Notes
`CommonSecurityLog`	Ensure this data connector is enabled
`DnsEvents`	Ensure this data connector is enabled

References

URLhaus

False Positive Guidance

Scenario: A system administrator is manually testing a ClearFake URL as part of a security awareness training exercise.
Filter/Exclusion: Exclude URLs that match the domain training.example.com or any subdomains of it.
Scenario: A scheduled job runs a script that downloads a legitimate software update from a ClearFake-tagged URL as part of an automated patching process.
Filter/Exclusion: Exclude URLs that contain the path /patch/update.exe or match the domain updates.examplecorp.com.
Scenario: A user clicks on a ClearFake URL shared in a legitimate internal communication tool (e.g., Microsoft Teams) during a phishing simulation.
Filter/Exclusion: Exclude URLs that originate from the IP range 10.0.0.0/8 or are associated with the internal domain internal.example.com.
Scenario: A security tool (e.g., CrowdStrike Falcon) generates a report that includes a ClearFake URL as part of its threat intelligence feed.
Filter/Exclusion: Exclude URLs that are part of the CrowdStrike threat intelligence feed and match the domain threatintel.crowdstrike.com.
Scenario: A DevOps pipeline uses a ClearFake URL to fetch a legitimate dependency from a private registry (e.g., Docker Hub) during a CI/CD build.
Filter/Exclusion: Exclude URLs that contain the path /v2/myapp/manifests/latest or match the domain registry.example.com.