The hypothesis is that the detected URLs are part of a ClearFake campaign designed to deceive users into interacting with malicious content, thereby enabling adversary persistence and data exfiltration. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of user endpoints and sensitive data.
IOC Summary
Threat: ClearFake
Total URLs: 37
Active URLs: 37
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic([
    "read-more2.qi1moxel.in.net", "live-stream6.de5xpiren.in.net", "new-author5.qi1moxel.in.net",
    "green-grass2.wi9msorin.in.net", "red-apple3.wi9msorin.in.net", "world-press2.de5xpiren.in.net",
    "fast-food1.bovla8ren.in.net", "fresh-juice5.bovla8ren.in.net", "tasty-dish3.bovla8ren.in.net",
    "good-meal2.bovla8ren.in.net", "gold-star4.wi9msorin.in.net", "open-book1.qi1moxel.in.net",
    "green-yard6.2zorelin.in.net", "white-snow6.wi9msorin.in.net", "sweet-cake4.bovla8ren.in.net",
    "page-number3.qi1moxel.in.net", "hot-topic5.de5xpiren.in.net", "blue-ocean1.wi9msorin.in.net",
    "weather-post4.de5xpiren.in.net", "cool-drink6.bovla8ren.in.net", "smart-decor3.2zorelin.in.net",
    "daily-news1.de5xpiren.in.net", "small-garden5.2zorelin.in.net", "old-library6.qi1moxel.in.net",
    "living-room2.2zorelin.in.net", "silver-coin5.wi9msorin.in.net", "best-seller4.qi1moxel.in.net",
    "warm-house4.2zorelin.in.net", "home-design1.2zorelin.in.net", "sport-match3.de5xpiren.in.net"]);
// DnsEvents: Name is the queried hostname, IPAddresses the resolved answers
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic([
    "read-more2.qi1moxel.in.net", "live-stream6.de5xpiren.in.net", "new-author5.qi1moxel.in.net",
    "green-grass2.wi9msorin.in.net", "red-apple3.wi9msorin.in.net", "world-press2.de5xpiren.in.net",
    "fast-food1.bovla8ren.in.net", "fresh-juice5.bovla8ren.in.net", "tasty-dish3.bovla8ren.in.net",
    "good-meal2.bovla8ren.in.net", "gold-star4.wi9msorin.in.net", "open-book1.qi1moxel.in.net",
    "green-yard6.2zorelin.in.net", "white-snow6.wi9msorin.in.net", "sweet-cake4.bovla8ren.in.net",
    "page-number3.qi1moxel.in.net", "hot-topic5.de5xpiren.in.net", "blue-ocean1.wi9msorin.in.net",
    "weather-post4.de5xpiren.in.net", "cool-drink6.bovla8ren.in.net", "smart-decor3.2zorelin.in.net",
    "daily-news1.de5xpiren.in.net", "small-garden5.2zorelin.in.net", "old-library6.qi1moxel.in.net",
    "living-room2.2zorelin.in.net", "silver-coin5.wi9msorin.in.net", "best-seller4.qi1moxel.in.net",
    "warm-house4.2zorelin.in.net", "home-design1.2zorelin.in.net", "sport-match3.de5xpiren.in.net"]);
// CommonSecurityLog (CEF): RequestURL is only populated by proxies/firewalls that log full URLs,
// so DestinationHostName is checked as well; DeviceAction shows whether the device blocked it
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
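Both queries match the exact hostnames in the list, but the IOCs show the campaign rotating the leftmost host label under a handful of parent domains and reusing a single URL path. The following Python is an added example, not code from the page or from Sentinel: it derives those two campaign-level pivots (parent domain and shared path) from the page's IOC URLs and runs them over a constructed proxy log, where the `blue-sky7` host and all log lines are assumptions made up for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Path shared by every URL in the hunt's IOC list (taken from the page).
SHARED = "/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"
# One URL per parent domain from the page's IOC list, defanged as published.
IOC_URLS = [f"hxxps://{h}{SHARED}" for h in (
    "green-yard6.2zorelin.in.net", "old-library6.qi1moxel.in.net",
    "cool-drink6.bovla8ren.in.net", "live-stream6.de5xpiren.in.net",
    "white-snow6.wi9msorin.in.net")]

def refang(url: str) -> str:
    # Turn a defanged hxxp(s):// URL back into one urlsplit can parse.
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def pivots(urls):
    """Derive campaign-level pivots: the parent domain under each rotating
    host label, and the URL path if every IOC shares the same one."""
    parents, paths = set(), set()
    for u in urls:
        parts = urlsplit(refang(u))
        labels = parts.hostname.lower().split(".")
        parents.add(".".join(labels[1:]))  # drop the leftmost (rotating) label
        paths.add(parts.path)
    shared_path = next(iter(paths)) if len(paths) == 1 else None
    return parents, shared_path

def hunt(log_lines, parents, shared_path):
    """Match proxy log lines on either pivot; returns (src, host, reasons)."""
    hits = []
    for line in log_lines:
        _ts, src, host, url, _action = line.split()
        host = host.lower()
        reasons = []
        if any(host == p or host.endswith("." + p) for p in parents):
            reasons.append("parent-domain")
        if shared_path and urlsplit(url).path == shared_path:
            reasons.append("shared-path")
        if reasons:
            hits.append((src, host, reasons))
    return hits

# Constructed proxy log (not from the page): line 2's host label is NOT in the
# IOC list, so only the pivots can catch it; line 3 is a benign lookalike.
SAMPLE_LOG = [
    f"2026-04-19T10:01:02Z 10.0.0.5 green-yard6.2zorelin.in.net https://green-yard6.2zorelin.in.net{SHARED} allow",
    f"2026-04-19T10:02:15Z 10.0.0.9 blue-sky7.2zorelin.in.net https://blue-sky7.2zorelin.in.net{SHARED} allow",
    "2026-04-19T10:03:40Z 10.0.0.7 cdn.example.in.net https://cdn.example.in.net/static/app.js allow",
    "2026-04-19T10:04:01Z 10.0.0.3 www.example.com https://www.example.com/ allow",
]
```

Running `hunt(SAMPLE_LOG, *pivots(IOC_URLS))` flags the listed host and the rotated `blue-sky7` host while leaving the unrelated `example.in.net` traffic alone; the same two pivots translate directly into `endswith_cs`/`parse_url` conditions in the Sentinel queries above.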
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios
- Scenario: A system administrator is manually testing a security tool by entering a known benign URL from the ClearFake list as part of a validation process.
  Filter/Exclusion: Exclude URLs that match the ClearFake test list used during tool validation, using a custom field such as url.test_case: true.
- Scenario: A scheduled job fetches and processes updates from a threat intelligence feed that includes URLs tagged as ClearFake which are later determined to be benign.
  Filter/Exclusion: Exclude URLs whose source field matches the known benign threat intelligence feed, e.g., source: "ThreatIntelFeed-Benign".
- Scenario: A user is accessing a legitimate internal tool that uses a URL from the ClearFake list for authentication or session management.
  Filter/Exclusion: Exclude URLs that originate from internal domains (e.g., domain: internal.corp.example.com) or belong to a known internal service.
- Scenario: A security analyst is using a tool such as OSSEC or Splunk to simulate a phishing attack for training purposes, and the simulated URL is tagged as ClearFake.
  Filter/Exclusion: Exclude URLs where the simulated_attack: true flag is set, or where the tool_used field matches known training tools such as OSSEC or Splunk.
- Scenario: A system is running a scheduled backup job that temporarily uses a ClearFake URL to store temporary files in a secure location.
  Filter/Exclusion: Exclude URLs where file_type is backup_temp or where job_name matches a known backup task, such as backup_job_daily.