The hunt hypothesis detects potential ClearFake malware activity where adversaries use malicious URLs to exfiltrate data and establish C2 communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats before significant data loss or network compromise occurs.
IOC Summary
Threat: ClearFake
Total URLs: 19
Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://iddmpon.football2026.world/0eaba1ad-aecd-4d8d-b3e9-53cc8cca6b9b | offline | malware_download | 2026-06-04 |
| hxxps://hityspe.footbalbet.com/5569ff72-a1fa-4618-9292-b4f8e18d13a0 | offline | malware_download | 2026-06-04 |
| hxxps://ne6nzi7r.1shart.bet/?ublib=ab0b8ce8-9e1f-44ae-99ff-a8717c3b1b9b | offline | malware_download | 2026-06-04 |
| hxxps://thnivbk.footbal90bet.app/9dc9cad0-9346-4e81-8f81-be96d7e64b48 | offline | malware_download | 2026-06-04 |
| hxxps://mhepihh.footbal90bet.app/80efc71d-72cd-44a7-a1d8-acc40663f4f0 | offline | malware_download | 2026-06-04 |
| hxxps://7aaxg4kb.betbatis.com/?ublib=7ce4b7ee-3b86-4990-9527-dadeed8e276d | offline | malware_download | 2026-06-04 |
| hxxps://syjgiug.fibi-ireland.com/dda41b26-d1c9-4b49-be09-fe63e1e21bc2 | offline | malware_download | 2026-06-04 |
| hxxps://gbueeqa.eurothrombosis2018.com/79fbc845-b116-4d29-89b6-b758a6b7e38e | offline | malware_download | 2026-06-04 |
| hxxps://bfdibp.dahdahtoys.com/a4d13b32-41cb-4dac-9f71-9662bb1a7626 | offline | malware_download | 2026-06-04 |
| hxxps://5ay2qa01.electriccrash.bet/?ublib=ade8d41e-e143-4b16-b708-c8d8badea2c4 | offline | malware_download | 2026-06-04 |
| hxxps://kihjmjx.enobahis.co/ca36e73d-15c5-4683-a676-327642efb378 | offline | malware_download | 2026-06-04 |
| hxxps://6vk8lpd5.betball90.casino/?ublib=2b3bc6aa-f509-4b4e-853a-ebca1ab50d40 | offline | malware_download | 2026-06-04 |
| hxxps://wvvbpwt.enfejar.game/79b5e3c6-e8f5-4efe-9c09-71e232e8baeb | offline | malware_download | 2026-06-04 |
| hxxps://jswnqpn.enfejarbazii.bet/edcfc2a2-82bd-490a-97d8-f35c94a4a599 | offline | malware_download | 2026-06-04 |
| hxxp://viceete.lol/o | offline | malware_download | 2026-06-04 |
| hxxps://ldkrhyp.emshab.bet/f6e8b42a-a64d-4966-a515-fea433a72b8f | offline | malware_download | 2026-06-04 |
| hxxps://ex7gv4y7.bet90land.com/?ublib=b0788a7a-40cd-49d0-80e5-f65772ad49e2 | offline | malware_download | 2026-06-04 |
| hxxps://atnvjyj.emroze.bet/af0df9e4-a648-4f16-9435-8e337d042bb2 | offline | malware_download | 2026-06-04 |
| hxxps://tpvggeb.bordino.bet/1df8503c-b180-4603-ba92-7d6c3ac6c7a9 | offline | malware_download | 2026-06-04 |
Hunting Queries (KQL)

Both queries key on the hostnames extracted from the IOC table; `has_any` performs whole-term matching, so a subdomain of a listed host still matches while an unrelated domain that merely shares a word does not.

```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["6vk8lpd5.betball90.casino", "syjgiug.fibi-ireland.com", "gbueeqa.eurothrombosis2018.com", "7aaxg4kb.betbatis.com", "ne6nzi7r.1shart.bet", "tpvggeb.bordino.bet", "iddmpon.football2026.world", "wvvbpwt.enfejar.game", "kihjmjx.enobahis.co", "ex7gv4y7.bet90land.com", "bfdibp.dahdahtoys.com", "hityspe.footbalbet.com", "atnvjyj.emroze.bet", "ldkrhyp.emshab.bet", "jswnqpn.enfejarbazii.bet", "5ay2qa01.electriccrash.bet", "thnivbk.footbal90bet.app", "mhepihh.footbal90bet.app", "viceete.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["6vk8lpd5.betball90.casino", "syjgiug.fibi-ireland.com", "gbueeqa.eurothrombosis2018.com", "7aaxg4kb.betbatis.com", "ne6nzi7r.1shart.bet", "tpvggeb.bordino.bet", "iddmpon.football2026.world", "wvvbpwt.enfejar.game", "kihjmjx.enobahis.co", "ex7gv4y7.bet90land.com", "bfdibp.dahdahtoys.com", "hityspe.footbalbet.com", "atnvjyj.emroze.bet", "ldkrhyp.emshab.bet", "jswnqpn.enfejarbazii.bet", "5ay2qa01.electriccrash.bet", "thnivbk.footbal90bet.app", "mhepihh.footbal90bet.app", "viceete.lol"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
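The domain list in the queries above is derived from the defanged URLs in the IOC table. The following Python helper is an added example, not part of the original hunt content: it refangs `hxxp(s)://` URLs, extracts unique hostnames, renders them as the KQL `let` statement used above, and dry-runs the `Name has_any (...)` logic against a handful of constructed DnsEvents-style records so the match behaviour can be checked offline before the query is pushed to Sentinel. The sample URL subset and the DNS records are constructed for the example; the subdomain-suffix matching is an approximation of KQL's whole-term `has_any`.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the defanged URLs from the IOC table (not the full list).
DEFANGED_URLS = [
    "hxxps://iddmpon.football2026.world/0eaba1ad-aecd-4d8d-b3e9-53cc8cca6b9b",
    "hxxps://ne6nzi7r.1shart.bet/?ublib=ab0b8ce8-9e1f-44ae-99ff-a8717c3b1b9b",
    "hxxp://viceete.lol/o",
    "hxxps://thnivbk.footbal90bet.app/9dc9cad0-9346-4e81-8f81-be96d7e64b48",
    "hxxps://mhepihh.footbal90bet.app/80efc71d-72cd-44a7-a1d8-acc40663f4f0",
]


def refang(url):
    """Undo common defanging (hxxp://, [.] and [:]) so the URL can be parsed."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def extract_hosts(urls):
    """Return unique, lowercased hostnames in first-seen order; skip unparseable entries."""
    hosts = []
    for u in urls:
        host = urlsplit(refang(u)).hostname
        if host and host.lower() not in hosts:
            hosts.append(host.lower())
    return hosts


def kql_domain_list(hosts, name="malicious_domains"):
    """Render the hostnames as the KQL `let` statement used by the hunting queries."""
    quoted = ", ".join(f'"{h}"' for h in hosts)
    return f"let {name} = dynamic([{quoted}]);"


# Constructed DnsEvents-style records for an offline dry run of the DNS query's where-clause.
SAMPLE_DNS = [
    {"Computer": "ws01", "Name": "www.microsoft.com", "IPAddresses": "20.0.0.1"},
    {"Computer": "ws02", "Name": "viceete.lol", "IPAddresses": "203.0.113.5"},
    {"Computer": "ws03", "Name": "cdn.mhepihh.footbal90bet.app", "IPAddresses": "203.0.113.9"},
    {"Computer": "ws04", "Name": "football2026.world", "IPAddresses": "203.0.113.2"},
]


def name_has_any(name, hosts):
    """Approximate KQL `Name has_any (hosts)`: the whole IOC host must appear as a term.

    An exact match or a subdomain of the IOC host counts; a parent domain that only
    shares a suffix with the IOC host (e.g. football2026.world) does not.
    """
    name = name.lower()
    return any(name == h or name.endswith("." + h) for h in hosts)


def match_dns(records, hosts):
    """Return the Computer names whose DNS query matched an IOC host."""
    return [r["Computer"] for r in records if name_has_any(r["Name"], hosts)]


if __name__ == "__main__":
    iocs = extract_hosts(DEFANGED_URLS)
    print(kql_domain_list(iocs))
    print("hits:", match_dns(SAMPLE_DNS, iocs))
```

Running the script over the full 19-row table reproduces the `dynamic([...])` list in the queries above; generating the list from the table rather than hand-copying it avoids the silent typo that turns a hunt into a no-op.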
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

The filters below are keep-conditions written with ECS-style field names (process.name, url.domain); map them to the corresponding Sentinel columns before appending them to the queries above.

| Scenario | Filter/Exclusion |
|---|---|
| Legitimate system update via Microsoft Update | process.name != "wuauclt.exe" OR process.parent.name != "services.exe" |
| Scheduled backup job using Veeam Backup & Replication | process.name != "veeam.exe" OR process.parent.name != "services.exe" |
| Admin task using PowerShell for log management via Splunk | process.name != "powershell.exe" OR process.parent.name != "splunkd.exe" |
| Internal URL shortening service using Bitly for internal documentation | url.domain != "bit.ly" OR url.path contains "internal/docs" |
| Legitimate software deployment using Ansible for configuration management | process.name != "ansible.exe" OR process.parent.name != "task scheduler" |