The hypothesis is that the detected URLs are part of a ClearFake campaign, which uses deceptive URLs to trick users into downloading malicious payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential phishing or credential theft attacks before they lead to data exfiltration or system compromise.
IOC Summary
Threat: ClearFake
Total URLs: 4
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://wc7skdzu.yakhbet.com/?ublib=5f3947b8-7bd0-4a41-b459-639acfd79669 | offline | malware_download | 2026-06-20 |
| hxxps://l3q1ng7a.azmoondadrasi.xyz/?ublib=a22b3a25-b16c-41f8-bf5b-1ee31e8dd83b | offline | malware_download | 2026-06-20 |
| hxxps://iplzbag0.shartbandi.casino/?ublib=2b5744cb-cb73-4b3b-9c62-c22db6b43ef6 | offline | malware_download | 2026-06-20 |
| hxxps://dv4wbkrb.shart.casino/?ublib=43e82bf4-5102-4cb0-a9fa-8d7f8d43b410 | offline | malware_download | 2026-06-20 |
The two KQL queries below are independent hunts; run each one on its own, since both declare the same `malicious_domains` variable.

```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["dv4wbkrb.shart.casino", "wc7skdzu.yakhbet.com", "l3q1ng7a.azmoondadrasi.xyz", "iplzbag0.shartbandi.casino"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
// Matches either the full request URL or the resolved destination host
let malicious_domains = dynamic(["dv4wbkrb.shart.casino", "wc7skdzu.yakhbet.com", "l3q1ng7a.azmoondadrasi.xyz", "iplzbag0.shartbandi.casino"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
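As an added example (not part of the original hunting guide), the script below turns the defanged IOC table above into the DnsEvents hunt and applies the allowlist exclusion that the false-positive scenarios below describe. The IOC list is copied from this page; the allowlist hosts and the `allowed_hosts` variable name are assumptions for illustration.

```python
"""Turn defanged URLhaus IOCs into a Sentinel KQL hunting query (added example)."""
import re
from urllib.parse import urlparse

# Constructed from the IOC table on this page; URLs are kept defanged (hxxps)
IOC_URLS = [
    "hxxps://wc7skdzu.yakhbet.com/?ublib=5f3947b8-7bd0-4a41-b459-639acfd79669",
    "hxxps://l3q1ng7a.azmoondadrasi.xyz/?ublib=a22b3a25-b16c-41f8-bf5b-1ee31e8dd83b",
    "hxxps://iplzbag0.shartbandi.casino/?ublib=2b5744cb-cb73-4b3b-9c62-c22db6b43ef6",
    "hxxps://dv4wbkrb.shart.casino/?ublib=43e82bf4-5102-4cb0-a9fa-8d7f8d43b410",
]

# Assumed allowlist: the update hosts named in the false-positive section
ALLOWLIST = ["update.microsoft.com", "download.microsoft.com"]


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.], (.)) so the URL can be parsed."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def extract_domains(urls) -> list:
    """Return the unique, lower-cased hostnames from defanged URLs, sorted."""
    hosts = set()
    for u in urls:
        host = urlparse(refang(u)).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def kql_list(values) -> str:
    """Render a Python list as a KQL dynamic([...]) literal."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"


def build_dns_hunt(urls, allowlist=ALLOWLIST) -> str:
    """Build the DnsEvents hunt from this page, minus allowlisted hosts."""
    return "\n".join([
        f"let malicious_domains = {kql_list(extract_domains(urls))};",
        f"let allowed_hosts = {kql_list(allowlist)};",
        "DnsEvents",
        "| where Name has_any (malicious_domains)",
        "| where not(Name has_any (allowed_hosts))",
        "| project TimeGenerated, Computer, Name, IPAddresses",
        "| order by TimeGenerated desc",
    ])


if __name__ == "__main__":
    print(build_dns_hunt(IOC_URLS))
```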
Scenario: Legitimate scheduled job downloading updates from a known ClearFake domain
Description: A system update or patching tool (e.g., Microsoft Update, SCCM, or Ansible) may download files from a domain flagged as ClearFake, but it’s part of a legitimate update process.
Filter/Exclusion: Exclude traffic from known update servers (e.g., update.microsoft.com, download.microsoft.com) or use a filter based on the destination field matching known update domains.
Scenario: Admin task using a ClearFake URL for internal testing or phishing simulation
Description: Security teams may use ClearFake URLs as part of phishing simulations or internal testing (e.g., using tools like Mimecast, Cisco SecureX, or Microsoft Defender for Office 365).
Filter/Exclusion: Exclude URLs that match known internal testing domains or use a filter based on the user field (e.g., user = "security-team") or source_ip from internal IP ranges.
Scenario: Legitimate file hosting service using ClearFake domain
Description: A file-sharing tool like Dropbox, Google Drive, or OneDrive may use a domain that is mistakenly flagged as ClearFake due to a misconfiguration or false positive.
Filter/Exclusion: Exclude traffic to known cloud storage domains or use a filter based on the http_host field matching known legitimate cloud services.
Scenario: False positive from a third-party API or service integration
Description: A service like Twilio, Stripe, or Auth0 may use a domain that is incorrectly flagged as ClearFake during integration testing or due to a misconfigured CDN.
Filter/Exclusion: Exclude traffic from known third-party API domains or use a filter based on the http_host field matching