← Back to SOC feed Coverage →

URLhaus: ClearFake Malicious URLs

ioc-hunt HIGH URLhaus
CommonSecurityLogDnsEvents
iocurlhaus
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at URLhaus →
Retrieved: 2026-06-12T23:00:00Z · Confidence: medium

Hunt Hypothesis

The detection identifies potential ClearFake malicious URLs that adversaries may use to deliver malware or phishing payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to disrupt adversarial campaigns and protect organizational assets before compromise occurs.

IOC Summary

Threat: ClearFake Total URLs: 32 Active URLs: 0

URLStatusThreatDate Added
hxxps://sjgnfsm.megaparikade.com/17e58e67-f61d-446c-ac65-355bdf440116offlinemalware_download2026-06-12
hxxps://hkhyaprc.betyek.net/a274e982-7057-438c-8c3a-c0984f407f4cofflinemalware_download2026-06-12
hxxps://rpndf.mustatabashpazi.shop/901081a1-f2d6-4ae8-9cb8-58f09a215ad8offlinemalware_download2026-06-12
hxxps://geirvzju.betxane.com/2a529807-a2af-4d7f-8cfd-201bb73ee73dofflinemalware_download2026-06-12
hxxps://u4b0eg10.akhlagkarbordi.xyz/?ublib=97ee8911-4035-4d21-b429-d051f400c6fdofflinemalware_download2026-06-12
hxxps://xipuryqj.betwanna.com/de4fcd83-c1fd-463c-ada8-43d690e95047offlinemalware_download2026-06-12
hxxps://ukpoojmk.shansbartar.bet/?ublib=81193bbf-17a7-4199-bdfd-7d66a9ca105bofflinemalware_download2026-06-12
hxxps://wumyhfj.livebetkade.com/f2c030ca-a427-46e1-aff4-47cf37c27df9offlinemalware_download2026-06-12
hxxps://9w0va69z.shansbartar.bet/?ublib=afe56ead-49bb-4363-bf54-a24800be8320offlinemalware_download2026-06-12
hxxps://1fqobn4w.hattrickbetkade.com/?ublib=67e1e0e1-f66f-444a-a206-21f0d13d6906offlinemalware_download2026-06-12
hxxps://raqmk.mururhesabdari.xyz/c6bac874-d125-4803-8d94-4ff40719661fofflinemalware_download2026-06-12
hxxps://hqqacfwe.betforwardkade.com/7a31854b-2960-46cd-a8ff-3d9c4e9c3922offlinemalware_download2026-06-12
hxxps://k96h8q0b.fubet24.net/?ublib=baf5d98c-f8d0-4fb7-b350-b32330c3af71offlinemalware_download2026-06-12
hxxps://yzqzbtkr.betfidokade.com/f6ad6156-9e6b-4107-875a-d77ae80b13bfofflinemalware_download2026-06-12
hxxps://hopmx6jx.enfejarkade.online/?ublib=4e744f4c-cf9f-4294-a519-bcfde531e11aofflinemalware_download2026-06-12
hxxps://dxxxyoqr.bet313.org/a043036d-90bc-4ad7-85ed-b9e416eb0c34offlinemalware_download2026-06-12
hxxps://ukfxv.motuntakhasosi.store/1098e15d-3b67-4383-a488-091e1bf8ab38offlinemalware_download2026-06-12
hxxps://llfarlit.bet120x.net/bd90f46b-8f17-474d-af62-e35cc1570076offlinemalware_download2026-06-12
hxxps://vidsloii.bcgamekade.online/0298dea3-f658-4b0b-94af-882ca799cd26offlinemalware_download2026-06-12
hxxps://g1zevlqh.casinokade.online/?ublib=c780b678-4742-4be3-8c2e-221f98945a0aofflinemalware_download2026-06-12
hxxps://whitfkos.ace9bet.net/7b67ccc7-c03e-4ada-bf00-56c60f3f46e3offlinemalware_download2026-06-12
hxxps://oywlk.motorbook.xyz/29c283b3-28d8-4406-a383-8e0ad5565830offlinemalware_download2026-06-12
hxxps://b383rztk.bordestan.com/?ublib=18951263-3db3-4678-8840-193281461614offlinemalware_download2026-06-12
hxxps://dtphi824.akhbarsport.info/?ublib=1b1dd147-3e23-4049-b3f2-8e651760df72offlinemalware_download2026-06-12
hxxps://rngvl.bilyardkade.online/efb36945-6042-4c41-89b3-024021ac017aofflinemalware_download2026-06-12

KQL: Url Dns Hunt

// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["vidsloii.bcgamekade.online", "rngvl.bilyardkade.online", "dtphi824.akhbarsport.info", "whitfkos.ace9bet.net", "b383rztk.bordestan.com", "hkhyaprc.betyek.net", "sjgnfsm.megaparikade.com", "wnwrwqfz.4030bet.app", "dxxxyoqr.bet313.org", "xipuryqj.betwanna.com", "kfwne.moshavereravan.shop", "wumyhfj.livebetkade.com", "g1zevlqh.casinokade.online", "raqmk.mururhesabdari.xyz", "hqqacfwe.betforwardkade.com", "nylmc.hotbetkade.com", "u4b0eg10.akhlagkarbordi.xyz", "euerx2bw.linebetkade.com", "llfarlit.bet120x.net", "geirvzju.betxane.com", "9w0va69z.shansbartar.bet", "oywlk.motorbook.xyz", "burreepr.ace90betkade.com", "ukfxv.motuntakhasosi.store", "rpndf.mustatabashpazi.shop", "hopmx6jx.enfejarkade.online", "yzqzbtkr.betfidokade.com", "ukpoojmk.shansbartar.bet", "k96h8q0b.fubet24.net", "1fqobn4w.hattrickbetkade.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc

KQL: Url Proxy Hunt

// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["vidsloii.bcgamekade.online", "rngvl.bilyardkade.online", "dtphi824.akhbarsport.info", "whitfkos.ace9bet.net", "b383rztk.bordestan.com", "hkhyaprc.betyek.net", "sjgnfsm.megaparikade.com", "wnwrwqfz.4030bet.app", "dxxxyoqr.bet313.org", "xipuryqj.betwanna.com", "kfwne.moshavereravan.shop", "wumyhfj.livebetkade.com", "g1zevlqh.casinokade.online", "raqmk.mururhesabdari.xyz", "hqqacfwe.betforwardkade.com", "nylmc.hotbetkade.com", "u4b0eg10.akhlagkarbordi.xyz", "euerx2bw.linebetkade.com", "llfarlit.bet120x.net", "geirvzju.betxane.com", "9w0va69z.shansbartar.bet", "oywlk.motorbook.xyz", "burreepr.ace90betkade.com", "ukfxv.motuntakhasosi.store", "rpndf.mustatabashpazi.shop", "hopmx6jx.enfejarkade.online", "yzqzbtkr.betfidokade.com", "ukpoojmk.shansbartar.bet", "k96h8q0b.fubet24.net", "1fqobn4w.hattrickbetkade.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc

Required Data Sources

Sentinel TableNotes
CommonSecurityLogEnsure this data connector is enabled
DnsEventsEnsure this data connector is enabled

References

False Positive Guidance

Original source: https://urlhaus.abuse.ch/