Hunt hypothesis: adversaries are using the ClearFake URLs listed below to deliver malware (and potentially to stage command-and-control or data exfiltration), hosted on compromised or look-alike domains that slip past reputation-based controls. SOC teams should hunt for DNS resolution of, and web requests to, these hosts in Microsoft Sentinel (formerly Azure Sentinel) to identify affected endpoints early. All 13 URLs were already offline when this list was captured, so any match is most likely historical and should be treated as a lead on an earlier compromise rather than an active channel.
IOC Summary
Threat: ClearFake Total URLs: 13 Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://pyfptfv.anadoluslot.bet/e3227f95-1876-4ff1-892b-71884192d90d | offline | malware_download | 2026-06-02 |
| hxxps://citnflk.arayemek.com/4087b791-8925-40ac-9a33-f3349f4dca27 | offline | malware_download | 2026-06-02 |
| hxxps://ff4ekbmd.7lf.net/?ublib=fad58231-1bb1-4ca8-9bc5-7f707c084aad | offline | malware_download | 2026-06-02 |
| hxxps://ysqlyfg.betfire90.bet/91b74a32-6db8-429b-a162-3343be333581 | offline | malware_download | 2026-06-02 |
| hxxps://ysivuys.betexper.bet/0384a700-baae-4a19-8f9e-4766e32e9733 | offline | malware_download | 2026-06-02 |
| hxxps://dhddzix.betbet.city/1fe5ad6b-ce2f-4699-915a-790225cedf70 | offline | malware_download | 2026-06-02 |
| hxxps://7d6da0ri.axee.net/?ublib=0cbddda7-4466-4604-827c-2056f2632703 | offline | malware_download | 2026-06-02 |
| hxxps://negfuie.bet888starzz.com/fa1fac97-355d-4461-b370-cd9537c10760 | offline | malware_download | 2026-06-02 |
| hxxps://esqbzfn.bet365iran.com/45602df4-d39c-4827-8cae-1084f7bd043f | offline | malware_download | 2026-06-02 |
| hxxps://pjfaqdf.bet313.app/861d0a90-0c0c-43d4-998d-94229c9ec43a | offline | malware_download | 2026-06-02 |
| hxxps://sax166rh.funkboi.com/?ublib=496e7998-017e-4efc-ac22-dca94c48f8fa | offline | malware_download | 2026-06-02 |
| hxxps://kfvzenz.bahiscom2023.online/411d60b4-e0db-4935-886c-92a0fcdb7d54 | offline | malware_download | 2026-06-02 |
| hxxps://yhyrxap.bahisbey90.com/0cd3c858-7fb5-4826-bc71-39b1a5d7bc29 | offline | malware_download | 2026-06-02 |
```kql
// Hunt for DNS resolution of the URLhaus-listed ClearFake domains.
// Requires the legacy DNS Analytics connector (DnsEvents table).
// Threat: ClearFake
let malicious_domains = dynamic(["esqbzfn.bet365iran.com", "sax166rh.funkboi.com", "dhddzix.betbet.city", "citnflk.arayemek.com", "ysqlyfg.betfire90.bet", "ff4ekbmd.7lf.net", "7d6da0ri.axee.net", "pjfaqdf.bet313.app", "pyfptfv.anadoluslot.bet", "yhyrxap.bahisbey90.com", "kfvzenz.bahiscom2023.online", "negfuie.bet888starzz.com", "ysivuys.betexper.bet"]);
DnsEvents
// has_any is a case-insensitive term match, so it also catches queries for sub-labels of a listed host
| where Name has_any (malicious_domains)
// ClientIP identifies the querying endpoint when the DNS server is the Computer
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for proxy/firewall (CEF) web traffic to the URLhaus-listed ClearFake domains.
// Run separately from the DNS query above: each declares its own malicious_domains.
// Threat: ClearFake
let malicious_domains = dynamic(["esqbzfn.bet365iran.com", "sax166rh.funkboi.com", "dhddzix.betbet.city", "citnflk.arayemek.com", "ysqlyfg.betfire90.bet", "ff4ekbmd.7lf.net", "7d6da0ri.axee.net", "pjfaqdf.bet313.app", "pyfptfv.anadoluslot.bet", "yhyrxap.bahisbey90.com", "kfvzenz.bahiscom2023.online", "negfuie.bet888starzz.com", "ysivuys.betexper.bet"]);
CommonSecurityLog
// Check both the full request URL and the resolved destination host: devices populate one or the other
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
// DeviceAction tells you whether the request was blocked or allowed through
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the CEF/Syslog connector for your proxy or firewall is enabled and populates RequestURL or DestinationHostName |
| DnsEvents | Ensure the legacy DNS Analytics connector is enabled; without it this table is empty |
Scenario: A system administrator manually browses to one of the listed ClearFake URLs as part of a security awareness training exercise.
Filter/Exclusion: Exclude events whose source is a designated training workstation (for example, hosts in the training.example.com domain). Because the hunt matches only the listed hosts, a URL-based exclusion for training.example.com would never fire; key the exclusion on Computer or SourceIP instead.
Example: source host training-ws01.training.example.com
Scenario: A scheduled job fetches one of the listed URLs to validate its behavior in a sandboxed environment.
Filter/Exclusion: Exclude events originating from the sandbox's source range (192.168.0.0/16 in this environment). Do not key the exclusion on a URL marker such as ?sandbox=true: the URL is attacker-controlled, so anything in it can be chosen to slip past the hunt.
Example: SourceIP in 192.168.0.0/16 requesting hxxps://ff4ekbmd.7lf.net/?ublib=fad58231-1bb1-4ca8-9bc5-7f707c084aad
The remaining scenarios only apply if the hunt is broadened beyond the listed hosts, for example to the URL shape these indicators share (a random 7-8 character subdomain followed by a bare UUID path or a ?ublib=<uuid> query). The exact-host queries above cannot match internal hosts.
Scenario: A legitimate software update process serves temporary files with generated names during a patch deployment.
Filter/Exclusion: Exclude URLs under the path /temp/patch_*.zip or hosted on the internal domain updates.enterprise.com.
Example: updates.enterprise.com/temp/patch_1.2.3.zip
Scenario: A developer's CI/CD pipeline exercises test API endpoints with generated identifiers.
Filter/Exclusion: Exclude URLs on the ci.example.com domain or under the path /api/test-endpoint.
Example: ci.example.com/api/test-endpoint
Scenario: A system periodically polls an internal repository for updates.
Filter/Exclusion: Exclude URLs on the domain repo.internal.company.com or under the path /update-checker.
Example: repo.internal.company.com/update-checker
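As an added example (not part of the original page and not Sentinel content), the following Python re-implements the two hunts above as an offline matcher and applies the source-based exclusions from the scenarios, run over constructed sample DNS and proxy events rather than real telemetry. The IOC list is the page's own; the 192.168.0.0/16 sandbox range comes from the scenarios; the training host name, event values and field names are assumptions chosen for the example.

```python
"""Offline matcher for the two ClearFake hunts above (added example)."""
import ipaddress
from urllib.parse import urlsplit

# The 13 URLs from the IOC table, defanged exactly as published.
IOC_URLS = [
    "hxxps://pyfptfv.anadoluslot.bet/e3227f95-1876-4ff1-892b-71884192d90d",
    "hxxps://citnflk.arayemek.com/4087b791-8925-40ac-9a33-f3349f4dca27",
    "hxxps://ff4ekbmd.7lf.net/?ublib=fad58231-1bb1-4ca8-9bc5-7f707c084aad",
    "hxxps://ysqlyfg.betfire90.bet/91b74a32-6db8-429b-a162-3343be333581",
    "hxxps://ysivuys.betexper.bet/0384a700-baae-4a19-8f9e-4766e32e9733",
    "hxxps://dhddzix.betbet.city/1fe5ad6b-ce2f-4699-915a-790225cedf70",
    "hxxps://7d6da0ri.axee.net/?ublib=0cbddda7-4466-4604-827c-2056f2632703",
    "hxxps://negfuie.bet888starzz.com/fa1fac97-355d-4461-b370-cd9537c10760",
    "hxxps://esqbzfn.bet365iran.com/45602df4-d39c-4827-8cae-1084f7bd043f",
    "hxxps://pjfaqdf.bet313.app/861d0a90-0c0c-43d4-998d-94229c9ec43a",
    "hxxps://sax166rh.funkboi.com/?ublib=496e7998-017e-4efc-ac22-dca94c48f8fa",
    "hxxps://kfvzenz.bahiscom2023.online/411d60b4-e0db-4935-886c-92a0fcdb7d54",
    "hxxps://yhyrxap.bahisbey90.com/0cd3c858-7fb5-4826-bc71-39b1a5d7bc29",
]

# Assumed exclusion sources for this example: 192.168.0.0/16 is the sandbox
# range named in the scenarios; the training host name is hypothetical.
SANDBOX_NETS = [ipaddress.ip_network("192.168.0.0/16")]
TRAINING_HOSTS = {"training-ws01.training.example.com"}


def refang(url):
    """Turn a defanged hxxp(s):// URL back into a parseable one."""
    for bad, good in (("hxxps://", "https://"), ("hxxp://", "http://")):
        if url.startswith(bad):
            return good + url[len(bad):]
    return url


def ioc_hosts(urls):
    """Lower-cased hostnames of the IOC URLs: the key both hunts match on."""
    return {urlsplit(refang(u)).hostname.lower() for u in urls}


def host_matches(name, watch):
    """True if name is a listed host or a subdomain of one. A sibling
    subdomain or the parent zone (e.g. bet365iran.com) is not on the list
    and must not match."""
    name = (name or "").lower().rstrip(".")
    return any(name == w or name.endswith("." + w) for w in watch)


def is_excluded(src_ip, computer):
    """Exclusions are keyed on the source, never on the URL string: the URL
    is attacker-controlled, so a '?sandbox=true' marker could be spoofed."""
    if computer.lower() in TRAINING_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(ip in net for net in SANDBOX_NETS)


def hunt(dns_events, proxy_events, watch):
    """Mirror the DnsEvents and CommonSecurityLog hunts and return
    (table, source, indicator) tuples for every non-excluded match."""
    hits = []
    for e in dns_events:
        if host_matches(e["Name"], watch) and not is_excluded(e["ClientIP"], e["Computer"]):
            hits.append(("DnsEvents", e["Computer"], e["Name"]))
    for e in proxy_events:
        url_host = urlsplit(e["RequestURL"]).hostname
        if (host_matches(url_host, watch) or host_matches(e["DestinationHostName"], watch)) \
                and not is_excluded(e["SourceIP"], ""):
            hits.append(("CommonSecurityLog", e["SourceIP"], e["RequestURL"]))
    return hits


# Constructed sample events (not real telemetry).
DNS_EVENTS = [
    {"Computer": "ws-0413", "ClientIP": "10.20.3.17", "Name": "esqbzfn.bet365iran.com"},
    {"Computer": "sandbox01", "ClientIP": "192.168.50.9", "Name": "ff4ekbmd.7lf.net"},
    {"Computer": "ws-0099", "ClientIP": "10.20.3.44", "Name": "www.bet365iran.com"},
    {"Computer": "ws-0101", "ClientIP": "10.20.4.2", "Name": "cdn.pjfaqdf.bet313.app"},
]
PROXY_EVENTS = [
    {"SourceIP": "10.20.3.17", "DeviceAction": "allow",
     "RequestURL": "https://esqbzfn.bet365iran.com/45602df4-d39c-4827-8cae-1084f7bd043f",
     "DestinationHostName": "esqbzfn.bet365iran.com"},
    {"SourceIP": "192.168.50.9", "DeviceAction": "block",
     "RequestURL": "https://ff4ekbmd.7lf.net/?ublib=fad58231-1bb1-4ca8-9bc5-7f707c084aad",
     "DestinationHostName": "ff4ekbmd.7lf.net"},
    {"SourceIP": "10.20.7.8", "DeviceAction": "allow",
     "RequestURL": "https://7lf.net/about", "DestinationHostName": "7lf.net"},
]

if __name__ == "__main__":
    for hit in hunt(DNS_EVENTS, PROXY_EVENTS, ioc_hosts(IOC_URLS)):
        print(*hit)
```

Running it yields three hits (ws-0413 and ws-0101 from DNS, 10.20.3.17 from the proxy): the sandbox host is dropped by its source address, the sibling subdomain www.bet365iran.com and the apex 7lf.net never match because only the exact listed hosts and their subdomains are watched, and the exclusion logic never reads the URL, so an attacker appending a sandbox marker to a lure URL gains nothing.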