Hypothesis: the listed URLs are payload-delivery endpoints of a ClearFake campaign. ClearFake is a JavaScript framework injected into compromised websites that shows visitors a fake browser-update prompt (later variants use a fake-CAPTCHA "ClickFix" lure that asks the user to paste a command) and pushes them to download or run malware, typically an information stealer; URLhaus accordingly tags every entry below as malware_download. A DNS resolution of, or a web request to, one of these hosts from a managed endpoint therefore means a user reached the lure, and any credentials or session tokens on that host should be treated as exposed. SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel), then triage each hit (isolate the host, look for the downloaded payload and its execution, reset the user's credentials) before lateral movement or data exfiltration can follow.
IOC Summary

Threat: ClearFake
Total URLs: 15
Active URLs: 0

All 15 URLs were already marked offline by URLhaus on the date they were added, so the hunt is retrospective: a hit in historical DNS or proxy logs still shows that an endpoint reached the lure, even though the payload can no longer be fetched from that host. The URLs are defanged (hxxps); the hunt queries below match on the hostname only, because the path component differs per URL.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://bcfaxrtc.logic-compass.digital/?ublib=fc4c2afc-d641-4677-b313-959281dd5b4e | offline | malware_download | 2026-05-26 |
| hxxps://julya.bmz.hu/aa3f1358-3a51-49aa-ab70-758334c8e739 | offline | malware_download | 2026-05-26 |
| hxxps://vmpyw.almasiklima.hu/79c886ef-67c8-41dc-95da-43d74d0dcdbe | offline | malware_download | 2026-05-26 |
| hxxps://fuluz.akonyvelod.hu/405282cb-7ac0-4cae-987f-bd54fdb1d270 | offline | malware_download | 2026-05-26 |
| hxxps://ilgte.aivallalkozok.hu/83fd96f1-a2b9-4c28-ad6f-1fe1db5eb03e | offline | malware_download | 2026-05-26 |
| hxxps://eqgwn.aivallalkozo.hu/7544dfc7-91c6-48e8-b6b6-b7644403e300 | offline | malware_download | 2026-05-26 |
| hxxps://abmjl.bertifolia.hu/75a2f137-c7aa-4acf-b992-99237cdbd12c | offline | malware_download | 2026-05-26 |
| hxxps://ptnza.bni-ai.com/fee93181-065c-4499-af45-199a9a79a097 | offline | malware_download | 2026-05-26 |
| hxxps://neypx.bmz.hu/321ddd16-64a3-43d6-aeb1-c613db8ff8b2 | offline | malware_download | 2026-05-26 |
| hxxps://miqhc.bmiroda.hu/09016948-1d50-4614-a072-c44cd5771ae4 | offline | malware_download | 2026-05-26 |
| hxxps://bczth.bertifolia.hu/b49ef12c-321d-4fba-a93b-9683282fe140 | offline | malware_download | 2026-05-26 |
| hxxps://zcrop.bernoe.hu/dde58c5d-ea59-4538-9490-4133a9503bd8 | offline | malware_download | 2026-05-26 |
| hxxps://vrifp.bergertetokft.hu/589b9ff0-510f-4248-9b02-d1bf6cf6813e | offline | malware_download | 2026-05-26 |
| hxxps://aklze.bercibutor.hu/5c2f6759-671b-46e8-872e-0671fd1a0488 | offline | malware_download | 2026-05-26 |
| hxxps://odqtx.bbglobalbau.hu/b085475f-3e07-4592-b0d9-308c24016584 | offline | malware_download | 2026-05-26 |
Hunt Queries

```kusto
// Hunt for DNS resolution of the URLhaus-listed ClearFake hosts.
// Threat: ClearFake
// The list holds full hostnames (not registered domains) because each IOC is a
// random-looking subdomain; matching on the parent domain would be far too broad.
let malicious_domains = dynamic(["vrifp.bergertetokft.hu", "neypx.bmz.hu", "miqhc.bmiroda.hu", "julya.bmz.hu", "bczth.bertifolia.hu", "ptnza.bni-ai.com", "zcrop.bernoe.hu", "aklze.bercibutor.hu", "fuluz.akonyvelod.hu", "bcfaxrtc.logic-compass.digital", "abmjl.bertifolia.hu", "eqgwn.aivallalkozo.hu", "ilgte.aivallalkozok.hu", "vmpyw.almasiklima.hu", "odqtx.bbglobalbau.hu"]);
DnsEvents
| where Name has_any (malicious_domains)          // has_any is case-insensitive, whole-term match
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for proxy/firewall (CEF) web traffic to the same hosts.
// Threat: ClearFake
let malicious_domains = dynamic(["vrifp.bergertetokft.hu", "neypx.bmz.hu", "miqhc.bmiroda.hu", "julya.bmz.hu", "bczth.bertifolia.hu", "ptnza.bni-ai.com", "zcrop.bernoe.hu", "aklze.bercibutor.hu", "fuluz.akonyvelod.hu", "bcfaxrtc.logic-compass.digital", "abmjl.bertifolia.hu", "eqgwn.aivallalkozo.hu", "ilgte.aivallalkozok.hu", "vmpyw.almasiklima.hu", "odqtx.bbglobalbau.hu"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
// Keep DeviceAction: a blocked request still proves the user reached the lure,
// it only lowers the urgency of the payload search on that host.
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
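Before running the hunt, it is worth checking the matching logic offline. The script below is an added example, not part of the original hunt page: it refangs a subset of the defanged URLhaus entries, derives the hostnames the KQL `dynamic([...])` list needs, and replays the DNS and proxy match over a few constructed log rows. The rows, computer names and IP addresses are constructed for the example; the `registrable()` helper is a deliberately naive last-two-labels approximation used only to show why widening the hunt to the parent domain (e.g. `bmz.hu`) would also catch ordinary traffic to `www.bmz.hu`.

```python
"""Offline check of the ClearFake URLhaus hunt logic (added example).

Refangs the URLhaus entries, extracts the hostnames for the KQL list, and
replays the DNS/proxy match over constructed sample rows so the matching
rules can be validated before the query is run in Sentinel.
"""
import re
from urllib.parse import urlsplit

# Defanged IOCs exactly as the feed lists them (subset of the page's 15 URLs).
IOC_URLS = [
    "hxxps://bcfaxrtc.logic-compass.digital/?ublib=fc4c2afc-d641-4677-b313-959281dd5b4e",
    "hxxps://julya.bmz.hu/aa3f1358-3a51-49aa-ab70-758334c8e739",
    "hxxps://neypx.bmz.hu/321ddd16-64a3-43d6-aeb1-c613db8ff8b2",
    "hxxps://ptnza.bni-ai.com/fee93181-065c-4499-af45-199a9a79a097",
]


def refang(url: str) -> str:
    """Undo hxxp/[.] defanging so urlsplit() parses the URL normally."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")


def ioc_hosts(urls) -> set:
    """Lower-cased hostnames to hunt on; the path GUIDs differ per URL, the host is stable."""
    return {urlsplit(refang(u)).hostname.lower() for u in urls}


def kql_dynamic(hosts) -> str:
    """Render the hostnames as the KQL dynamic([...]) literal used by the hunt queries."""
    return "dynamic([" + ", ".join(f'"{h}"' for h in sorted(hosts)) + "])"


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels); only used to show the over-broad variant."""
    return ".".join(host.split(".")[-2:])


# Constructed sample rows. DNS row 1 and proxy row 1 are true hits; DNS row 2 is
# ordinary traffic to the parent domain that an IOC subdomain happens to sit under.
SAMPLE_DNS = [
    {"TimeGenerated": "2026-05-26T09:14:02Z", "Computer": "WS-0412", "Name": "julya.bmz.hu"},
    {"TimeGenerated": "2026-05-26T09:15:40Z", "Computer": "WS-0077", "Name": "www.bmz.hu"},
]
SAMPLE_PROXY = [
    {"TimeGenerated": "2026-05-26T09:14:03Z", "SourceIP": "10.20.4.12",
     "RequestURL": "https://julya.bmz.hu/aa3f1358-3a51-49aa-ab70-758334c8e739",
     "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-26T09:20:11Z", "SourceIP": "10.20.4.31",
     "RequestURL": "https://cdn.example.net/updates/setup.msi", "DeviceAction": "allow"},
]


def hunt_dns(rows, hosts):
    """DnsEvents part of the hunt: exact hostname match, like `Name in~ (hosts)`."""
    return [r for r in rows if r["Name"].lower() in hosts]


def hunt_proxy(rows, hosts):
    """CommonSecurityLog part of the hunt: compare the URL's host, not the whole URL."""
    hits = []
    for r in rows:
        host = urlsplit(r["RequestURL"]).hostname
        if host and host.lower() in hosts:
            hits.append(r)
    return hits


def hunt_by_parent_domain(rows, hosts):
    """Deliberately over-broad variant: anything under the same registrable domain matches."""
    parents = {registrable(h) for h in hosts}
    return [r for r in rows if registrable(r["Name"].lower()) in parents]


if __name__ == "__main__":
    hosts = ioc_hosts(IOC_URLS)
    print(kql_dynamic(hosts))
    print("DNS hits:", [r["Name"] for r in hunt_dns(SAMPLE_DNS, hosts)])
    print("Proxy hits:", [r["RequestURL"] for r in hunt_proxy(SAMPLE_PROXY, hosts)])
    print("Over-broad:", [r["Name"] for r in hunt_by_parent_domain(SAMPLE_DNS, hosts)])
```

Run as a script it prints the `dynamic([...])` literal to paste into the KQL, one DNS hit (WS-0412) and one proxy hit (10.20.4.12); the over-broad variant also returns the `www.bmz.hu` lookup, which is the false positive the hunt must avoid.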
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF connector (syslog/AMA) from proxies and firewalls; confirm that RequestURL and DestinationHostName are actually mapped by your device's CEF output, otherwise the web-traffic query returns nothing. |
| DnsEvents | Populated by the DNS connector (DNS Analytics on Windows DNS servers). If DNS telemetry arrives through another source, run the same match against the ASIM `_Im_Dns` parser or the DNS fields of your EDR's network events instead. |
False Positives and Triage Caveats

Scenario: Security tooling fetching the indicators
Filter/Exclusion: Exclude the source hosts or IP ranges of URL-detonation sandboxes, mail-security link scanners and threat-intelligence enrichment servers.
Rationale: These systems resolve and request listed URLs automatically, without any user having reached the lure; keep the exclusion to named systems rather than to whole subnets.

Scenario: Analyst investigation traffic
Filter/Exclusion: Exclude analyst jump hosts or investigation VMs, or correlate hits from SOC workstations against open tickets before escalating.
Rationale: Analysts who open an IOC for verification produce the same DNS and proxy records as a victim.

Scenario: Ordinary traffic to other hosts under the same registered domain
Filter/Exclusion: None needed as long as the match stays on the exact hostname; do not widen the list to the apex domains (for example bmz.hu or bertifolia.hu) or to `endswith` matches.
Rationale: Each indicator is a distinct subdomain; the page gives no evidence about the apex or www hosts, and traffic to them is not a hit in this hunt.

Scenario: Request blocked by the proxy or firewall (DeviceAction deny/block)
Filter/Exclusion: Do not exclude; tag as lower priority.
Rationale: A blocked request still shows that the user followed the ClearFake lure, so the originating page and any pasted or downloaded content should be examined even though the payload did not arrive.

Scenario: Resolution after the host went offline (NXDOMAIN or sinkhole answer)
Filter/Exclusion: Do not exclude.
Rationale: All 15 URLs are already marked offline; a failed resolution still proves the endpoint tried to reach the host, and the lure page that sent it there may still be live.