This hunt hypothesizes that adversaries are using ClearFake malicious URLs to deliver malware or exfiltrate data, leveraging known malicious domains to compromise endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential breaches early, especially since these URLs are actively used in targeted attacks.
IOC Summary
Threat: ClearFake
Total URLs: 40
Active URLs: 29
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxps://high-hill3.wi5sarpo1v.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://blue-sky2.wi5sarpo1v.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://deep-sea1.wi5sarpo1v.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://soft-bag6.ra2telsylo.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://hard-box5.ra2telsylo.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://red-mark4.ra2telsylo.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://thin-pen3.ra2telsylo.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://last-page2.ra2telsylo.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://open-book1.ra2telsylo.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://old-town6.kymlo7zore.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://new-trip5.kymlo7zore.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://long-road4.kymlo7zore.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://big-jump3.kymlo7zore.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://slow-walk2.kymlo7zore.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://fast-run1.kymlo7zore.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://high-step6.corex4varm.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://cold-wind5.corex4varm.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://white-wall4.corex4varm.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://small-cup3.corex4varm.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://green-lamp2.corex4varm.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://blue-table1.corex4varm.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://pure-color6.pulp-turquoise.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://soft-touch5.pulp-turquoise.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://cool-tone4.pulp-turquoise.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
hxxps://best-view3.pulp-turquoise.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-20 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["cold-wind5.corex4varm.in.net", "best-view3.pulp-turquoise.in.net", "last-page2.ra2telsylo.in.net", "high-hill3.wi5sarpo1v.in.net", "hard-box5.ra2telsylo.in.net", "slow-walk2.kymlo7zore.in.net", "cool-tone4.pulp-turquoise.in.net", "open-book1.ra2telsylo.in.net", "thin-pen3.ra2telsylo.in.net", "red-mark4.ra2telsylo.in.net", "long-road4.kymlo7zore.in.net", "green-lamp2.corex4varm.in.net", "pure-color6.pulp-turquoise.in.net", "soft-touch5.pulp-turquoise.in.net", "old-town6.kymlo7zore.in.net", "high-step6.corex4varm.in.net", "soft-bag6.ra2telsylo.in.net", "blue-sky2.wi5sarpo1v.in.net", "high-roof5.hai1owhiten.in.net", "color-set1.pulp-turquoise.in.net", "small-cup3.corex4varm.in.net", "deep-sea1.wi5sarpo1v.in.net", "blue-table1.corex4varm.in.net", "solid-base64.hai1owhiten.in.net", "new-mix2.pulp-turquoise.in.net", "new-trip5.kymlo7zore.in.net", "fast-run1.kymlo7zore.in.net", "white-wall4.corex4varm.in.net", "big-jump3.kymlo7zore.in.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["cold-wind5.corex4varm.in.net", "best-view3.pulp-turquoise.in.net", "last-page2.ra2telsylo.in.net", "high-hill3.wi5sarpo1v.in.net", "hard-box5.ra2telsylo.in.net", "slow-walk2.kymlo7zore.in.net", "cool-tone4.pulp-turquoise.in.net", "open-book1.ra2telsylo.in.net", "thin-pen3.ra2telsylo.in.net", "red-mark4.ra2telsylo.in.net", "long-road4.kymlo7zore.in.net", "green-lamp2.corex4varm.in.net", "pure-color6.pulp-turquoise.in.net", "soft-touch5.pulp-turquoise.in.net", "old-town6.kymlo7zore.in.net", "high-step6.corex4varm.in.net", "soft-bag6.ra2telsylo.in.net", "blue-sky2.wi5sarpo1v.in.net", "high-roof5.hai1owhiten.in.net", "color-set1.pulp-turquoise.in.net", "small-cup3.corex4varm.in.net", "deep-sea1.wi5sarpo1v.in.net", "blue-table1.corex4varm.in.net", "solid-base64.hai1owhiten.in.net", "new-mix2.pulp-turquoise.in.net", "new-trip5.kymlo7zore.in.net", "fast-run1.kymlo7zore.in.net", "white-wall4.corex4varm.in.net", "big-jump3.kymlo7zore.in.net"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL filtering tool by inputting known benign URLs from the ClearFake dataset for validation purposes.
Filter/Exclusion: Exclude URLs that match the internal testing list or are tagged with a test or validation label in the URL categorization system.
Scenario: A scheduled job runs to update the enterprise’s threat intelligence feed, which includes URLs from URLhaus. This job pulls in URLs tagged as ClearFake as part of routine updates.
Filter/Exclusion: Exclude URLs that are part of the threat intelligence feed update process by checking the source or timestamp against the update schedule.
Scenario: A security analyst is using the ClearFake tool to generate synthetic malicious URLs for a red team exercise, and these URLs are being logged by the SIEM system.
Filter/Exclusion: Exclude URLs that originate from the ClearFake tool or are associated with red team activity by checking the source IP, user agent, or process name.
Scenario: A user is accessing a legitimate service that uses a URL from the ClearFake list as part of a legitimate API endpoint, such as a third-party SaaS tool.
Filter/Exclusion: Exclude URLs that match known legitimate services by checking against the enterprise’s internal service inventory or whitelisted domains.
Scenario: An automated script or tool (e.g., PowerShell, Python, or Ansible) is generating temporary URLs for internal use (e.g., for test environments or internal documentation), and these URLs are being flagged by the detection rule.
Filter/Exclusion: Exclude URLs that are generated by known internal tools or scripts by checking the process name, user, or command line arguments.
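The following query is an added example, not part of the original hunt: it combines the DNS and CommonSecurityLog hunts above into one result set keyed on the extracted hostname, generalizes the per-hostname list to the parent zones the campaign rotates hostnames under (so later subdomains are caught too), and applies the test-host and TI-feed-updater exclusions from the false-positive scenarios. The watchlist names `ClearFake_TestHosts` and `TI_FeedUpdaters` are assumed placeholders, and the zone regex assumes the `in.net` zones listed on this page.

```kusto
// Added example: one hunt over DNS and CEF telemetry, matched on the hostname itself,
// with the exclusions from the false-positive scenarios applied.
// Parent zones taken from the IOC table; matching on these catches hostnames that
// rotated in after the URLhaus feed was pulled.
let campaign_zones = dynamic(["wi5sarpo1v.in.net", "ra2telsylo.in.net", "kymlo7zore.in.net",
                              "corex4varm.in.net", "pulp-turquoise.in.net", "hai1owhiten.in.net"]);
// Assumed Sentinel watchlists (placeholder names): hosts used for URL-filter validation,
// and the source addresses of the scheduled job that refreshes the URLhaus feed.
let test_hosts = _GetWatchlist('ClearFake_TestHosts') | project SearchKey;
let ti_feed_sources = _GetWatchlist('TI_FeedUpdaters') | project SearchKey;
let dns_hits =
    DnsEvents
    | where Name has_any (campaign_zones)
    | project TimeGenerated, Source = Computer, Host = tolower(Name),
              Action = "dns_query", Detail = tostring(IPAddresses);
let web_hits =
    CommonSecurityLog
    | where RequestURL has_any (campaign_zones) or DestinationHostName has_any (campaign_zones)
    // DestinationHostName is empty on many proxy/firewall sources; fall back to the URL host.
    | extend Host = tolower(coalesce(DestinationHostName, tostring(parse_url(RequestURL).Host)))
    | project TimeGenerated, Source = SourceIP, Host, Action = DeviceAction, Detail = RequestURL;
union dns_hits, web_hits
// Re-check on the hostname so a zone string that only appears in a URL path does not count.
| where Host has_any (campaign_zones)
// Zone label for grouping; the regex assumes the in.net zones listed on this page.
| extend Zone = extract(@"([^.]+\.in\.net)$", 1, Host)
// Exclusions: URL-filter test hosts and the TI feed updater (scenarios 1 and 2 above).
| where Source !in~ (test_hosts) and Source !in (ti_feed_sources)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Hosts = make_set(Host), Actions = make_set(Action) by Source, Zone
| order by LastSeen desc
```

Grouping by source and zone surfaces a single endpoint touching several rotated hostnames as one line, which is the pattern the IOC table shows rather than isolated hits.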