The detection identifies URLs associated with the ClearFake campaign that adversaries may use to deliver malware or phishing payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel (Microsoft Sentinel) to disrupt adversarial campaigns and protect organizational assets before compromise.
IOC Summary
Threat: ClearFake
Total URLs: 16
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://zhrzviveu.downloadquran.xyz/3f399f2f-2a11-45e1-af84-244e7f064d11 | offline | malware_download | 2026-06-11 |
| hxxps://ieemaju.akhlageslami.xyz/1657364a-1956-4cd2-ae36-55e64ae844a6 | offline | malware_download | 2026-06-11 |
| hxxps://zyuhgbux.hugugtejarat4.xyz/8bb317e6-773c-4c21-a4fa-c6434ad3269a | offline | malware_download | 2026-06-11 |
| hxxps://fdmjhbre.jamjahani2026.football/675c6a3b-4eee-41cd-9e69-f3256043f7f2 | offline | malware_download | 2026-06-11 |
| hxxps://kv5kk9gr.angizeshfarahani.store/?ublib=9729fc8e-b337-42c7-b425-00acf0827f4d | offline | malware_download | 2026-06-11 |
| hxxps://6f4t5lvt.fununetadris.shop/?ublib=548f0853-1276-43aa-a410-7ecb2ee3a629 | offline | malware_download | 2026-06-11 |
| hxxps://2chci0sm.andisheeslami2.xyz/?ublib=d5b9d092-02c5-4598-8b1a-8098648447e2 | offline | malware_download | 2026-06-11 |
| hxxps://gimomouf.red90.casino/c31a92dd-61d7-4147-9c5d-d9c843c39e7b | offline | malware_download | 2026-06-11 |
| hxxps://nnvavkl.bet303.promo/1f6e771b-8281-4eb5-b608-04641391078f | offline | malware_download | 2026-06-11 |
| hxxps://p5k42qtw.anodaz.co/?ublib=a0a85d10-ab10-4afc-99ed-21801fc9bc0d | offline | malware_download | 2026-06-11 |
| hxxps://gwofphogw.differentialmamuli.store/be9cee05-44b4-4661-8e48-7d5b381d51d7 | offline | malware_download | 2026-06-11 |
| hxxps://whjdetcc.wrfc8.com/847b2847-c44b-48ad-ab00-d245f7e7357d | offline | malware_download | 2026-06-11 |
| hxxps://qnjutqs.bet303.app/e44b2fd8-e901-4483-80be-6b3e50d6b238 | offline | malware_download | 2026-06-11 |
| hxxps://kwoptitn.restaurantguideaarhus.com/552618fb-2f2e-4eb0-98b4-cf081f561638 | offline | malware_download | 2026-06-11 |
| hxxps://yvlenqci.rial.bet/ca8afdf5-f7f7-4d3f-a73c-fb6e3841160d | offline | malware_download | 2026-06-11 |
| hxxps://s8a20vxh.gavaedfagahe.xyz/?ublib=f23e8ed9-47b8-409c-99c5-2edaa13aaa46 | offline | malware_download | 2026-06-11 |
Hunting Queries

The two queries below are separate KQL statements; run each on its own.

```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["6f4t5lvt.fununetadris.shop", "ieemaju.akhlageslami.xyz", "kwoptitn.restaurantguideaarhus.com", "p5k42qtw.anodaz.co", "s8a20vxh.gavaedfagahe.xyz", "zhrzviveu.downloadquran.xyz", "gimomouf.red90.casino", "zyuhgbux.hugugtejarat4.xyz", "nnvavkl.bet303.promo", "fdmjhbre.jamjahani2026.football", "qnjutqs.bet303.app", "gwofphogw.differentialmamuli.store", "2chci0sm.andisheeslami2.xyz", "whjdetcc.wrfc8.com", "kv5kk9gr.angizeshfarahani.store", "yvlenqci.rial.bet"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["6f4t5lvt.fununetadris.shop", "ieemaju.akhlageslami.xyz", "kwoptitn.restaurantguideaarhus.com", "p5k42qtw.anodaz.co", "s8a20vxh.gavaedfagahe.xyz", "zhrzviveu.downloadquran.xyz", "gimomouf.red90.casino", "zyuhgbux.hugugtejarat4.xyz", "nnvavkl.bet303.promo", "fdmjhbre.jamjahani2026.football", "qnjutqs.bet303.app", "gwofphogw.differentialmamuli.store", "2chci0sm.andisheeslami2.xyz", "whjdetcc.wrfc8.com", "kv5kk9gr.angizeshfarahani.store", "yvlenqci.rial.bet"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
Required Sentinel Tables

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

The exclusion notes below refer to the columns used by the queries above: RequestURL or DestinationHostName in CommonSecurityLog, and Name in DnsEvents. Exclusions are expressed as negative matches (`!contains`) so that only the sanctioned host is suppressed.

Scenario: A system administrator is manually testing a ClearFake URL as part of a security awareness training exercise.
Filter/Exclusion: Exclude URLs that match the domain training.example.com or any subdomains under it.
Note: Use a filter like `| where RequestURL !contains "training.example.com"` (or `Name !contains "training.example.com"` for DnsEvents) to suppress alerts for legitimate training URLs.

Scenario: A scheduled job runs a script that downloads a ClearFake URL to verify its legitimacy as part of a malware analysis process.
Filter/Exclusion: Exclude URLs that are part of the internal analysis environment, such as analysis.lab.example.com.
Note: Use a filter like `| where RequestURL !contains "analysis.lab.example.com"` to suppress alerts for legitimate analysis tasks.

Scenario: A user is accessing a ClearFake URL via a phishing simulation tool like PhishMe or KnowBe4 to test employee response.
Filter/Exclusion: Exclude URLs that match the PhishMe or KnowBe4 sandbox domains (e.g., phishme-sandbox.example.com).
Note: Use a filter like `| where RequestURL !contains "phishme-sandbox.example.com"` to suppress alerts for legitimate phishing simulations.

Scenario: A DevOps team is deploying a CI/CD pipeline that uses a ClearFake URL as part of a dependency resolution process.
Filter/Exclusion: Exclude URLs that are part of the internal artifact repository, such as artifactory.example.com.
Note: Use a filter like `| where RequestURL !contains "artifactory.example.com"` to suppress alerts for legitimate CI/CD operations.

Scenario: An admin is using a tool like curl or wget to fetch a ClearFake URL for internal testing or debugging purposes.
Filter/Exclusion: Exclude URLs that are accessed from known internal tools or scripts, such as those in /opt/scripts/ or `/usr/local/bin
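The following query is an added example and is not part of the original page or of any vendor-supplied content. It combines the DnsEvents and CommonSecurityLog hunts above into one result set, applies the sanctioned-host exclusions from the scenarios above, and additionally excludes hits originating from a list of known analysis machines, which is usually a more precise way to suppress sandbox and CI traffic than matching on the URL itself. The hostnames in `allowlisted_hosts` and `analysis_sources` are placeholders taken from or modelled on the scenarios above (assumed, not real infrastructure); the 30-day window is a chosen default.

```kusto
// Added example: unified ClearFake hunt across DNS and proxy/firewall logs with exclusions.
// Indicator list is the same 16 domains as in the queries above.
let lookback = 30d;
let malicious_domains = dynamic(["6f4t5lvt.fununetadris.shop", "ieemaju.akhlageslami.xyz", "kwoptitn.restaurantguideaarhus.com", "p5k42qtw.anodaz.co", "s8a20vxh.gavaedfagahe.xyz", "zhrzviveu.downloadquran.xyz", "gimomouf.red90.casino", "zyuhgbux.hugugtejarat4.xyz", "nnvavkl.bet303.promo", "fdmjhbre.jamjahani2026.football", "qnjutqs.bet303.app", "gwofphogw.differentialmamuli.store", "2chci0sm.andisheeslami2.xyz", "whjdetcc.wrfc8.com", "kv5kk9gr.angizeshfarahani.store", "yvlenqci.rial.bet"]);
// Placeholder sanctioned hostnames from the false-positive scenarios (assumed values; replace with your own).
let allowlisted_hosts = dynamic(["training.example.com", "analysis.lab.example.com", "phishme-sandbox.example.com", "artifactory.example.com"]);
// Placeholder source machines (malware analysis sandbox, CI runner) whose hits are expected (assumed values).
let analysis_sources = dynamic(["sandbox01.lab.example.com", "10.10.50.5"]);
// DNS resolutions: the querying host is in Computer, the resolved name in Name.
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (malicious_domains)
    | where not(Name has_any (allowlisted_hosts))
    | where not(Computer in~ (analysis_sources))
    | project TimeGenerated, Source = "DnsEvents", Host = Computer,
              Indicator = Name, Detail = tostring(IPAddresses);
// Proxy/firewall (CEF) traffic: the client is SourceIP, the destination is in RequestURL or DestinationHostName.
let web_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
    | where not(RequestURL has_any (allowlisted_hosts) or DestinationHostName has_any (allowlisted_hosts))
    | where not(SourceIP in~ (analysis_sources))
    | project TimeGenerated, Source = "CommonSecurityLog", Host = SourceIP,
              Indicator = coalesce(DestinationHostName, RequestURL), Detail = DeviceAction;
// One row per (host, indicator) so an analyst sees first/last contact and which log sources corroborate it.
union dns_hits, web_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Sources = make_set(Source), Actions = make_set(Detail)
    by Host, Indicator
| order by LastSeen desc
```

A host that appears in both Sources (a DNS lookup followed by an outbound connection) is a stronger signal than a DNS-only hit, which can be produced by security tooling or a link preview; the DeviceAction values collected in Actions show whether the proxy or firewall already blocked the request.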