This hunt hypothesis targets adversaries using ClearFake malicious URLs to deliver malware or exfiltrate data, leveraging known malicious domains to compromise endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential breaches early, especially since these URLs are actively used in targeted attacks.
IOC Summary

Threat: ClearFake
Total URLs: 13
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://gwu729hw.parspoker.casino/?ublib=c15e84fb-3a94-463e-81db-dc92976775a8 | offline | malware_download | 2026-06-08 |
| hxxps://hjwaxur.kvbel.com/ef24e2b2-6a69-4827-a2c8-1ecd9345b556 | offline | malware_download | 2026-06-08 |
| hxxps://inmjycz.olabahiskayit.com/df026e27-a7a1-4d3f-b289-e42b25ed4c1c | offline | malware_download | 2026-06-08 |
| hxxps://rykwhjt.winsportiran.com/bfc31803-6e1c-4ce6-a99f-44c75d4c0e0c | offline | malware_download | 2026-06-08 |
| hxxps://tviyhdt.winstone.casino/b40ac294-23e4-4e6a-a8de-1be679dcd172 | offline | malware_download | 2026-06-08 |
| hxxps://mpozwop.winxbet.co/8763c313-35b0-4c78-95e5-df131c5a0d33 | offline | malware_download | 2026-06-08 |
| hxxps://xzelng.jamjahani.cash/f160ba90-fb05-4bee-bd55-63470f0efe0d | offline | malware_download | 2026-06-08 |
| hxxps://yynpur.perfectgame.casino/b39422c8-1821-4984-b46b-0c9c843a9ddc | offline | malware_download | 2026-06-08 |
| hxxps://ebwgtb.vezaratshart.com/fb82f5d8-cce7-40fc-8896-e8b203ed6459 | offline | malware_download | 2026-06-08 |
| hxxps://5dwz6wj9.yekbetiran.com/?ublib=d790b449-8936-4e40-ba1c-a74795a3adb5 | offline | malware_download | 2026-06-08 |
| hxxps://anpysts.yasbetapp.com/327a6d36-331b-491c-bd15-a5f8dad3c2f0 | offline | malware_download | 2026-06-08 |
| hxxps://cqvdiki.xenicalby6.com/f8a0a06c-b359-4a38-a34f-b1a4942dfaed | offline | malware_download | 2026-06-08 |
| hxxps://pmhaqci.x50wheel.bet/f8ce4e3e-a8cf-4723-875c-930418324c25 | offline | malware_download | 2026-06-08 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["rykwhjt.winsportiran.com", "cqvdiki.xenicalby6.com", "inmjycz.olabahiskayit.com", "pmhaqci.x50wheel.bet", "mpozwop.winxbet.co", "xzelng.jamjahani.cash", "hjwaxur.kvbel.com", "5dwz6wj9.yekbetiran.com", "ebwgtb.vezaratshart.com", "gwu729hw.parspoker.casino", "yynpur.perfectgame.casino", "anpysts.yasbetapp.com", "tviyhdt.winstone.casino"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["rykwhjt.winsportiran.com", "cqvdiki.xenicalby6.com", "inmjycz.olabahiskayit.com", "pmhaqci.x50wheel.bet", "mpozwop.winxbet.co", "xzelng.jamjahani.cash", "hjwaxur.kvbel.com", "5dwz6wj9.yekbetiran.com", "ebwgtb.vezaratshart.com", "gwu729hw.parspoker.casino", "yynpur.perfectgame.casino", "anpysts.yasbetapp.com", "tviyhdt.winstone.casino"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
1. Scenario: A system administrator manually enters a ClearFake URL into a ticketing system (e.g., Jira) to test a phishing simulation.
   Filter/Exclusion: Exclude URLs that match known phishing simulation domains (e.g., phishsim.example.com) or filter by source IP of internal admin workstations.
2. Scenario: A scheduled job runs a script that downloads a ClearFake URL to verify its legitimacy (e.g., a security tool like OSSEC or CrowdStrike Falcon performing a test).
   Filter/Exclusion: Exclude URLs that are part of known test environments or use a specific user account (e.g., [email protected]) for automated tasks.
3. Scenario: A user clicks on a ClearFake URL shared via a legitimate internal communication tool (e.g., Microsoft Teams or Slack) as part of a security awareness training exercise.
   Filter/Exclusion: Exclude URLs that originate from internal communication platforms or are tagged with a training identifier (e.g., training-link in the URL path).
4. Scenario: A system update or patching tool (e.g., Ansible, Chef, or Puppet) temporarily uses a ClearFake URL as part of a test or staging environment.
   Filter/Exclusion: Exclude URLs that are part of CI/CD pipelines or match known staging environments (e.g., staging.example.com).
5. Scenario: A security tool (e.g., CrowdStrike, Microsoft Defender, or FireEye) uses a ClearFake URL as part of its sandboxing or threat intelligence validation process.
   Filter/Exclusion: Exclude URLs that are associated with known security tooling or are part of a sandboxed environment (e.g., sandboxed-traffic.example.com).
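As an added example (not part of the original hunt), the query below unions the DNS and CommonSecurityLog hits, applies the exclusions from the false-positive scenarios above, and ranks source endpoints by whether any request to an indicator was allowed through. The allow-list hosts, the CIDR ranges and the 30-day lookback are placeholders to adapt to your environment.

```kusto
// Added example (not part of the original hunt): union the DNS and CEF web hits,
// apply the exclusions from the false-positive scenarios, and rank endpoints by
// whether any request to an indicator was allowed through.
// Assumptions: excluded_hosts, excluded_subnets and the 30d lookback are placeholders;
// DnsEvents.ClientIP and CommonSecurityLog.DeviceName are the standard Sentinel columns.
let malicious_domains = dynamic([
    "rykwhjt.winsportiran.com", "cqvdiki.xenicalby6.com", "inmjycz.olabahiskayit.com",
    "pmhaqci.x50wheel.bet", "mpozwop.winxbet.co", "xzelng.jamjahani.cash",
    "hjwaxur.kvbel.com", "5dwz6wj9.yekbetiran.com", "ebwgtb.vezaratshart.com",
    "gwu729hw.parspoker.casino", "yynpur.perfectgame.casino", "anpysts.yasbetapp.com",
    "tviyhdt.winstone.casino"]);
// Hosts named in the scenarios above (placeholders: replace with your own allow-list)
let excluded_hosts = dynamic(["phishsim.example.com", "staging.example.com", "sandboxed-traffic.example.com"]);
// Egress ranges of admin workstations and sandbox hosts (placeholder CIDRs)
let excluded_subnets = dynamic(["10.50.0.0/24", "192.0.2.0/24"]);
let lookback = 30d;
// DNS resolutions: ClientIP is the querying endpoint, Computer is the DNS server
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (malicious_domains)
    | project TimeGenerated, SourceIP = ClientIP, Device = Computer,
              Indicator = Name, Action = "", Source = "DnsEvents";
// Proxy / firewall events arriving via CEF
let web_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
    | where not(RequestURL has_any (excluded_hosts)) and not(DestinationHostName has_any (excluded_hosts))
    | where not(RequestURL has "training-link")   // awareness-training tag from the scenarios
    | project TimeGenerated, SourceIP, Device = DeviceName,
              Indicator = coalesce(DestinationHostName, RequestURL), Action = DeviceAction, Source = "CommonSecurityLog";
union dns_hits, web_hits
// ipv4_is_in_any_range() returns null for an empty IP, so keep those rows explicitly
| where isempty(SourceIP) or not(ipv4_is_in_any_range(SourceIP, excluded_subnets))
| extend Blocked = Action in~ ("block", "deny", "drop", "reset")
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Allowed = countif(not(Blocked)), Sources = make_set(Source),
            Devices = make_set(Device), Indicators = make_set(Indicator)
    by SourceIP
| extend Priority = iff(Allowed > 0, "high", "review")
| order by Priority asc, LastSeen desc
```

A DNS row never carries a block verdict, so an endpoint that only appears in DnsEvents is ranked "high" by design: resolution of one of these domains is worth triage even when no proxy log confirms a connection.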