This hunt hypothesis targets adversaries who use ClearFake malicious URLs to deliver malware or phishing payloads, relying on compromised or spoofed domains to steal user credentials or compromise systems. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and contain compromise early, especially since ClearFake URLs are often used in targeted attacks and may evade traditional detection methods.
IOC Summary
Threat: ClearFake
Total URLs: 8
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://00pq7d1j.1xboropartners.com/?ublib=03a32fba-0101-4277-94ea-928f9dc8aa4c | offline | malware_download | 2026-06-26 |
| hxxps://rfhudhbz.313betsingup.casino/?ublib=25c2a4b7-0168-4108-ac3b-71609dc02175 | offline | malware_download | 2026-06-26 |
| hxxps://cdn.jsdelivr.net/gh/Roody2643/driver-access-service/access_manager | offline | malware_download | 2026-06-26 |
| hxxps://cdn.jsdelivr.net/gh/Roody2643/Roadblock4/dfd745 | offline | malware_download | 2026-06-26 |
| hxxps://drf.honareslami.xyz/d2e8d12f-63a2-4e0f-806b-da67aad39488 | offline | malware_download | 2026-06-26 |
| hxxps://cdn.jsdelivr.net/gh/belova-bb071/syd1-failover/krt5a | offline | malware_download | 2026-06-26 |
| hxxps://xb.bet1bonus.com/e0c4cf0d-a8b3-4e57-82fe-5686322d9bed | offline | malware_download | 2026-06-26 |
| hxxps://wlwnophi.313betiran.online/?ublib=29a94676-d1ea-4a6b-9d3a-ed0d793f48a8 | offline | malware_download | 2026-06-26 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
// Caveat: cdn.jsdelivr.net is a public CDN that also serves legitimate libraries, so a bare
// hostname hit on it is not evidence by itself; check the resolved name against the full
// request paths in the IOC table before escalating.
let malicious_domains = dynamic(["cdn.jsdelivr.net", "drf.honareslami.xyz", "wlwnophi.313betiran.online", "00pq7d1j.1xboropartners.com", "rfhudhbz.313betsingup.casino", "xb.bet1bonus.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
// Run as a separate query: each query defines its own malicious_domains list.
// RequestURL carries the full path, which is what distinguishes the malicious
// cdn.jsdelivr.net/gh/... objects from ordinary CDN traffic; review it on every hit.
let malicious_domains = dynamic(["cdn.jsdelivr.net", "drf.honareslami.xyz", "wlwnophi.313betiran.online", "00pq7d1j.1xboropartners.com", "rfhudhbz.313betsingup.casino", "xb.bet1bonus.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
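The hunt queries above match every indicator on its bare hostname, which for a shared public CDN such as cdn.jsdelivr.net flags all legitimate library downloads as well. The following Python helper is an added example, not part of the original hunt content: it parses the defanged IOC rows, keeps hostname matching for dedicated domains, switches to host-plus-path matching for hosts listed in SHARED_HOSTS, and renders the resulting CommonSecurityLog query. The SHARED_HOSTS set, the mal_hosts/mal_paths names and the embedded sample table are assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Constructed input: the eight defanged rows of the IOC table (URL | Status | Threat | Date Added).
IOC_TABLE = """
hxxps://00pq7d1j.1xboropartners.com/?ublib=03a32fba-0101-4277-94ea-928f9dc8aa4c | offline | malware_download | 2026-06-26
hxxps://rfhudhbz.313betsingup.casino/?ublib=25c2a4b7-0168-4108-ac3b-71609dc02175 | offline | malware_download | 2026-06-26
hxxps://cdn.jsdelivr.net/gh/Roody2643/driver-access-service/access_manager | offline | malware_download | 2026-06-26
hxxps://cdn.jsdelivr.net/gh/Roody2643/Roadblock4/dfd745 | offline | malware_download | 2026-06-26
hxxps://drf.honareslami.xyz/d2e8d12f-63a2-4e0f-806b-da67aad39488 | offline | malware_download | 2026-06-26
hxxps://cdn.jsdelivr.net/gh/belova-bb071/syd1-failover/krt5a | offline | malware_download | 2026-06-26
hxxps://xb.bet1bonus.com/e0c4cf0d-a8b3-4e57-82fe-5686322d9bed | offline | malware_download | 2026-06-26
hxxps://wlwnophi.313betiran.online/?ublib=29a94676-d1ea-4a6b-9d3a-ed0d793f48a8 | offline | malware_download | 2026-06-26
"""

# Assumption: hosts that also carry legitimate traffic; these are hunted on host + path, not hostname.
SHARED_HOSTS = {"cdn.jsdelivr.net"}

def refang(url: str) -> str:
    # Turn a defanged indicator (hxxps://, [.]) back into a real URL string.
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")

def parse_iocs(table: str) -> list[dict]:
    # Parse pipe-separated IOC rows into dicts; malformed rows are skipped.
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip("| ").split("|")]
        if len(cells) == 4:
            rows.append(dict(zip(("url", "status", "threat", "date"), cells)))
    return rows

def split_indicators(rows: list[dict]) -> tuple[list[str], list[str]]:
    """Return (dedicated hostnames, host+path strings for shared hosts), both sorted."""
    hosts, paths = set(), set()
    for row in rows:
        u = urlparse(refang(row["url"]))
        host = u.hostname.lower()
        if host in SHARED_HOSTS:  # query string (if any) dropped: it is a per-visitor id, not the payload
            paths.add(host + u.path)
        else:
            hosts.add(host)
    return sorted(hosts), sorted(paths)

def build_kql(hosts: list[str], paths: list[str]) -> str:
    # Dedicated hosts match on hostname; shared-CDN indicators must match their full path in RequestURL.
    lit = lambda items: "dynamic([" + ", ".join(f'"{i}"' for i in items) + "])"
    return (f"let mal_hosts = {lit(hosts)};\nlet mal_paths = {lit(paths)};\nCommonSecurityLog\n"
            "| where DestinationHostName has_any (mal_hosts) or RequestURL has_any (mal_hosts) or RequestURL has_any (mal_paths)\n"
            "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction\n"
            "| order by TimeGenerated desc")
```

Running `print(build_kql(*split_indicators(parse_iocs(IOC_TABLE))))` yields a query in which the bare string "cdn.jsdelivr.net" never appears in the hostname list, only the three gh/... paths.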
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a ClearFake URL as part of a security awareness training exercise.
Filter/Exclusion: Exclude URLs that match the domain training.example.com or any subdomains under it.
Scenario: A scheduled job runs a script that fetches and validates URLs from a trusted internal source, including URLs tagged as ClearFake.
Filter/Exclusion: Exclude URLs that originate from the internal URL validation service internal-validation-service.example.com.
Scenario: A security tool like OSSEC or CrowdStrike is configured to periodically check for known malicious URLs, including ClearFake URLs, as part of its threat intelligence integration.
Filter/Exclusion: Exclude URLs that are part of the internal threat intelligence feed hosted at threat-intel.example.com.
Scenario: A user is accessing a ClearFake URL as part of a phishing simulation conducted by the security team using Mimecast or Proofpoint.
Filter/Exclusion: Exclude URLs that contain the query parameter ?sim=phishing or originate from the domain phishing-sim.example.com.
Scenario: A DevOps pipeline includes a step that uses a ClearFake URL to test API endpoints or validate URL formatting, such as in Jenkins or GitHub Actions.
Filter/Exclusion: Exclude URLs that are part of the internal testing infrastructure hosted at dev-test.example.com or match the pattern test-*.example.com.