This detection covers ClearFake URLs reported to URLhaus that adversaries use to stage malware downloads (the listing marks every entry as malware_download). SOC teams should hunt for DNS resolution of, and web requests to, these hosts in Microsoft Sentinel so that the initial payload fetch is caught before any follow-on activity such as lateral movement or data exfiltration. Because the hosts are throwaway subdomains under a handful of parent zones (for example to9varil.in.net, sylov4en.in.net, ra6ximel.in.net, 1zoravel.in.net, kymle2rax.in.net) and every URL shares the same path, both the parent zone and the path are useful pivots alongside the exact hostnames.
IOC Summary
Threat: ClearFake | Total URLs: 38 | Active URLs: 38

The table below lists 25 of the 38 URLs; the hunting queries further down cover 30 hostnames. All listed entries share the same path (/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google) and the same parent zones.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://rjhmik2i.kymle2rax.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://mossbra.kymle2rax.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://vinecarg.to9varil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://rs9y.to9varil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://qc3zfzu.to9varil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://p4rse-forge.to9varil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://processlis.to9varil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://cl52qlla.to9varil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://triggerdispatch.sylov4en.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://measu8-drive.sylov4en.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://clucrawl.sylov4en.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://hublistener.sylov4en.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://lgjov.sylov4en.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://adapt1-line.sylov4en.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://5pru4-mark.ra6ximel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://jakej.ra6ximel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://b4nd-signal.ra6ximel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://velcrestar5.ra6ximel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://sunauth.ra6ximel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://ark-forgeon.ra6ximel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://azure-sharp.1zoravel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://c4st-layer.1zoravel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://alt-f1eet.1zoravel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://balcg.1zoravel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
| hxxps://p1a5-watch.1zoravel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-24 |
Hunting queries (Microsoft Sentinel KQL). Each query is self-contained and declares its own `let`, so run them as two separate queries; `has_any` performs term matching on the whole hostname, so it does not fire on a lookalike such as `sylov4en.in.net.example`.

```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["wald-baum-6w.inject-mitroph.in.net", "lgjov.sylov4en.in.net", "sunauth.ra6ximel.in.net", "fast-7k.inject-mitroph.in.net", "measu8-drive.sylov4en.in.net", "cl52qlla.to9varil.in.net", "rjhmik2i.kymle2rax.in.net", "ark-forgeon.ra6ximel.in.net", "b4nd-signal.ra6ximel.in.net", "rs9y.to9varil.in.net", "5pru4-mark.ra6ximel.in.net", "adapt1-line.sylov4en.in.net", "velcrestar5.ra6ximel.in.net", "hublistener.sylov4en.in.net", "jakej.ra6ximel.in.net", "p4rse-forge.to9varil.in.net", "soft-1.inject-mitroph.in.net", "vinecarg.to9varil.in.net", "p1a5-watch.1zoravel.in.net", "clucrawl.sylov4en.in.net", "azure-sharp.1zoravel.in.net", "alt-f1eet.1zoravel.in.net", "processlis.to9varil.in.net", "mossbra.kymle2rax.in.net", "noir-land-3.inject-mitroph.in.net", "qc3zfzu.to9varil.in.net", "sku4jn.1zoravel.in.net", "triggerdispatch.sylov4en.in.net", "c4st-layer.1zoravel.in.net", "balcg.1zoravel.in.net"]);
DnsEvents
| where Name has_any (malicious_domains)
// ClientIP identifies the querying endpoint when Computer is the DNS server itself
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["wald-baum-6w.inject-mitroph.in.net", "lgjov.sylov4en.in.net", "sunauth.ra6ximel.in.net", "fast-7k.inject-mitroph.in.net", "measu8-drive.sylov4en.in.net", "cl52qlla.to9varil.in.net", "rjhmik2i.kymle2rax.in.net", "ark-forgeon.ra6ximel.in.net", "b4nd-signal.ra6ximel.in.net", "rs9y.to9varil.in.net", "5pru4-mark.ra6ximel.in.net", "adapt1-line.sylov4en.in.net", "velcrestar5.ra6ximel.in.net", "hublistener.sylov4en.in.net", "jakej.ra6ximel.in.net", "p4rse-forge.to9varil.in.net", "soft-1.inject-mitroph.in.net", "vinecarg.to9varil.in.net", "p1a5-watch.1zoravel.in.net", "clucrawl.sylov4en.in.net", "azure-sharp.1zoravel.in.net", "alt-f1eet.1zoravel.in.net", "processlis.to9varil.in.net", "mossbra.kymle2rax.in.net", "noir-land-3.inject-mitroph.in.net", "qc3zfzu.to9varil.in.net", "sku4jn.1zoravel.in.net", "triggerdispatch.sylov4en.in.net", "c4st-layer.1zoravel.in.net", "balcg.1zoravel.in.net"]);
// Every URL on this page carries the same path GUID, so a request for it from a host
// that is not yet on the list is still worth a look (hostnames rotate, the path has not).
let shared_path = "05fe317c-0981-4de2-bc8a-930d369db441";
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or RequestURL has shared_path
// DeviceAction tells you whether the proxy/firewall already blocked the fetch
| project TimeGenerated, SourceIP, SourceUserName, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
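The KQL above matches exact hostnames. As an added example (not part of the original URLhaus listing or of any Sentinel tooling), the Python below turns the defanged IOC URLs into the three pivots discussed on this page: the exact hosts, the parent zones they rotate under, and the path token they all share. It then runs that matcher over a few constructed DNS and proxy records and emits the `let` statement the KQL queries use. Everything below the IOC list (`refang`, `parent_zone`, `classify`, `hunt`, the sample records) is assumed helper code; the "last three labels" rule for the parent zone is an assumption that holds for this dataset only, where every host sits under some `<name>.in.net` zone.

```python
"""Derive ClearFake hunting pivots from defanged URLhaus IOC URLs and apply them.
Added example; the IOC strings are from the page, everything else is assumed helper code."""
import re
from typing import Optional
from urllib.parse import urlparse

# Three entries copied from the page's IOC table, defanged as published (hxxps://).
IOC_URLS = [
    "hxxps://rjhmik2i.kymle2rax.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "hxxps://vinecarg.to9varil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "hxxps://lgjov.sylov4en.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
]


def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> ., [:] -> :) so urlparse can read the host."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", ".").replace("[:]", ":"), flags=re.I)


def host_of(url: str) -> str:
    """Lower-cased hostname of a (possibly defanged) URL."""
    return (urlparse(refang(url)).hostname or "").lower()


def parent_zone(host: str, labels: int = 3) -> str:
    """Assumption for this dataset: each IOC is a throwaway label under <name>.in.net,
    so the last three labels are the zone the actor rotates subdomains under.
    A general-purpose tool would consult the public-suffix list instead."""
    return ".".join(host.split(".")[-labels:])


def shared_path_tokens(urls) -> set:
    """Path segments present in every IOC URL (on this page: the GUID and the ck-... token)."""
    segment_sets = [set(filter(None, urlparse(refang(u)).path.split("/"))) for u in urls]
    return set.intersection(*segment_sets)


def kql_let(name: str, values) -> str:
    """Emit the `let name = dynamic([...]);` line the Sentinel queries on this page use."""
    body = ", ".join(f'"{v}"' for v in sorted(values))
    return f"let {name} = dynamic([{body}]);"


def classify(record: str, hosts: set, zones: set, tokens: set) -> Optional[str]:
    """Return why a DNS name or URL matches (strongest reason first), or None."""
    r = refang(record.strip().lower())
    if "://" in r:
        parsed = urlparse(r)
        host, path = parsed.hostname or "", parsed.path
    else:
        host, path = r, ""
    if host in hosts:
        return "exact_host"
    # Suffix match on a label boundary: "x.sylov4en.in.net" hits, "sylov4en.in.net.example" does not.
    if any(host == z or host.endswith("." + z) for z in zones):
        return "parent_zone"
    if any(t in path.split("/") for t in tokens):
        return "shared_path_token"
    return None


# Constructed records, not real telemetry: (source table, value to check).
SAMPLE_RECORDS = [
    ("dns", "lgjov.sylov4en.in.net"),                                                    # exact IOC
    ("dns", "new-xyz9.to9varil.in.net"),                                                 # rotated subdomain
    ("proxy", "https://cdn.unlisted-example.net/05fe317c-0981-4de2-bc8a-930d369db441/x"),  # same path GUID
    ("dns", "login.microsoftonline.com"),                                                # benign
    ("proxy", "https://sylov4en.in.net.lookalike.example/"),                             # must not match
]


def hunt(records=SAMPLE_RECORDS):
    """Run all three pivots over the records; returns (source, record, reason) for hits only."""
    hosts = {host_of(u) for u in IOC_URLS}
    zones = {parent_zone(h) for h in hosts}
    tokens = shared_path_tokens(IOC_URLS)
    return [(src, rec, why) for src, rec in records if (why := classify(rec, hosts, zones, tokens))]


if __name__ == "__main__":
    print(kql_let("malicious_domains", {host_of(u) for u in IOC_URLS}))
    print(kql_let("malicious_zones", {parent_zone(host_of(u)) for u in IOC_URLS}))
    for hit in hunt():
        print(hit)
```

The zone and path pivots are deliberately weaker than the exact-host match and are reported as such, so a hunting rule can alert on `exact_host` and only raise `parent_zone` or `shared_path_token` hits for triage.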
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF from your web proxy or firewall must populate RequestURL or DestinationHostName) |
| DnsEvents | Ensure this data connector is enabled (DNS server logs; the DNS analytics connector populates this table) |
False positives for an exact-hostname IOC match are rare, because nothing legitimate resolves or requests these throwaway ClearFake hosts. The traffic that does show up without a user actually being compromised is almost always security tooling touching the indicator on purpose:

Scenario: An analyst, sandbox, or detonation host deliberately resolves or fetches a listed URL during investigation.
Filter/Exclusion: Exclude the analysis hosts by Computer or SourceIP (for example a dedicated malware-analysis subnet; the exact range is site-specific), and keep the exclusion list reviewed so it does not quietly grow.

Scenario: An email security gateway or link-protection service pre-fetches the URL on the user's behalf when scanning a message or rewritten link, so the request appears from the gateway's address rather than an endpoint.
Filter/Exclusion: Exclude the gateway's SourceIP from alerting, but do not discard the event; it still shows the URL was delivered to a mailbox and the recipient should be identified.

Scenario: A threat-intelligence platform or URL-scanning automation enriches indicators by fetching them, generating hits from a service account host.
Filter/Exclusion: Exclude that host by Computer or SourceIP, and prefer routing such tooling through an isolated egress so it never shares an address with user traffic.

Scenario: The web proxy or firewall already blocked the request (DeviceAction shows a deny or block).
Filter/Exclusion: Do not exclude this; lower the severity instead. A blocked fetch still means the endpoint reached the ClearFake landing page, so the browser session that produced it needs a look.