This hunt hypothesis assumes that adversaries are using ClearFake malicious URLs to deliver payloads, relying on compromised or deceptive links to compromise endpoints. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise vectors before they lead to data exfiltration or lateral movement.
IOC Summary

Threat: ClearFake
Total URLs: 11
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://kferlw.itsmarthungary.hu/71c43e3d-f08f-45d2-9fde-8275b46fb111 | offline | malware_download | 2026-05-25 |
| hxxps://3k3qw9fd.system-forge.digital/?ublib=df9d8407-fcac-4730-b0d5-e6030d7d4754 | offline | malware_download | 2026-05-25 |
| hxxps://vdbkti.ispilates.hu/aaef0ccd-c3f4-4a61-a622-5e9b25eddf07 | offline | malware_download | 2026-05-25 |
| hxxps://fgyfhb.iparivillanyszerelo.hu/c0142e9b-2623-479c-8847-cca4924bef51 | offline | malware_download | 2026-05-25 |
| hxxps://gqsgdt.interimpro.hu/3d1e4324-b6ee-4535-a6c0-4ba8aaa4d38b | offline | malware_download | 2026-05-25 |
| hxxps://rosrcf.inoxsystem.hu/606ef002-8429-44a6-8aee-f478ba1027b4 | offline | malware_download | 2026-05-25 |
| hxxps://vzjahpug.telemetry-sphere.digital/?ublib=213bbe95-e609-4ec2-9534-c8fb76842fad | offline | malware_download | 2026-05-25 |
| hxxps://blaold.indebud.hu/62dae79e-0693-4df3-9fec-ff4c8aefef69 | offline | malware_download | 2026-05-25 |
| hxxps://kzaftq.hyflowtp.com/15b5f96b-6db2-415e-825a-f98dd945a571 | offline | malware_download | 2026-05-25 |
| hxxps://xredgj.holisztikuscsontkovacs.hu/9c1efa92-bd04-4855-929f-e3065e0763f0 | offline | malware_download | 2026-05-25 |
| hxxps://torrrj.highlife-global.com/0853bebb-e0f8-49fe-b456-4a5c7c27ff47 | offline | malware_download | 2026-05-25 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["vdbkti.ispilates.hu", "gqsgdt.interimpro.hu", "blaold.indebud.hu", "vzjahpug.telemetry-sphere.digital", "fgyfhb.iparivillanyszerelo.hu", "kzaftq.hyflowtp.com", "torrrj.highlife-global.com", "kferlw.itsmarthungary.hu", "rosrcf.inoxsystem.hu", "xredgj.holisztikuscsontkovacs.hu", "3k3qw9fd.system-forge.digital"]);
DnsEvents
// Match any DNS query whose name contains one of the listed hostnames
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["vdbkti.ispilates.hu", "gqsgdt.interimpro.hu", "blaold.indebud.hu", "vzjahpug.telemetry-sphere.digital", "fgyfhb.iparivillanyszerelo.hu", "kzaftq.hyflowtp.com", "torrrj.highlife-global.com", "kferlw.itsmarthungary.hu", "rosrcf.inoxsystem.hu", "xredgj.holisztikuscsontkovacs.hu", "3k3qw9fd.system-forge.digital"]);
CommonSecurityLog
// Check both the requested URL and the destination host, since proxies and firewalls populate them differently
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a ClearFake URL as part of a security training exercise.
  - Filter/Exclusion: Exclude URLs that match the domain training.example.com or any subdomains under it.
- Scenario: A scheduled job runs a script that fetches and processes URLs from a known safe source (e.g., api.clearfake.com) for internal validation.
  - Filter/Exclusion: Exclude URLs containing the exact domain api.clearfake.com or any subdomains.
- Scenario: A user clicks on a legitimate URL from a trusted internal tool (e.g., internal.tools.example.com) that is mistakenly flagged by the rule.
  - Filter/Exclusion: Exclude URLs that match the domain internal.tools.example.com or any subdomains.
- Scenario: A security analyst is using a tool like OSSEC to monitor and alert on suspicious URLs, and the tool is configured to use ClearFake URLs as part of its testing suite.
  - Filter/Exclusion: Exclude URLs that match the domain ossec.test.example.com or any subdomains.
- Scenario: A backup or migration tool (e.g., Veeam) generates temporary URLs during a job execution that are flagged by the rule.
  - Filter/Exclusion: Exclude URLs that contain the substring veeam-temp-url or match the domain backup.example.com.
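As an added example (not part of this hunt page or any vendor tooling): a Python helper that turns rows in the IOC table format above into the `malicious_domains` list the queries need, refanging the hxxps scheme and extracting hostnames, and applies the subdomain-aware exclusion logic the false-positive scenarios describe. The sample rows are taken from the table, while the exclusion list and function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed input: two rows in the page's IOC table format (defanged hxxps URLs).
IOC_ROWS = """\
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://kferlw.itsmarthungary.hu/71c43e3d-f08f-45d2-9fde-8275b46fb111 | offline | malware_download | 2026-05-25 |
| hxxps://3k3qw9fd.system-forge.digital/?ublib=df9d8407-fcac-4730-b0d5-e6030d7d4754 | offline | malware_download | 2026-05-25 |
"""

# Hypothetical exclusion list, modelled on the false-positive scenarios above.
EXCLUDED_DOMAINS = ["training.example.com", "backup.example.com"]

def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a parseable URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")

def hosts_from_table(markdown: str) -> list[str]:
    """Extract the hostname from every indicator row; header/separator rows are skipped."""
    hosts: list[str] = []
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or not cells[0].lower().startswith("hxxp"):
            continue
        host = urlsplit(refang(cells[0])).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def kql_domain_list(hosts: list[str]) -> str:
    """Render the 'let malicious_domains' line used by the hunt queries."""
    quoted = ", ".join(f'"{h}"' for h in hosts)
    return f"let malicious_domains = dynamic([{quoted}]);"

def is_suffix_match(host: str, domains: list[str]) -> bool:
    """True when host equals one of domains or is a subdomain of it (no substring matching)."""
    return any(host == d or host.endswith("." + d) for d in domains)

def matches_hunt(host: str, malicious: list[str], exclusions=EXCLUDED_DOMAINS) -> bool:
    """Subdomain-aware hit test: a listed host (or subdomain of it) that is not excluded."""
    if is_suffix_match(host, exclusions):
        return False
    return is_suffix_match(host, malicious)
```

Suffix matching keeps `notkferlw.itsmarthungary.hu` from matching while still catching subdomains of the listed hosts, which plain substring exclusions would not distinguish.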