The hypothesis is that the detected URLs are part of a ClearFake campaign, which uses deceptive URLs to trick users into downloading malicious payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential phishing or credential theft attacks before they lead to data exfiltration or system compromise.
IOC Summary
Threat: ClearFake
Total URLs: 26
Active URLs: 0
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["igcokmdd.prozhecart.com", "emqtqmnj.mabanishimi.xyz", "q5r1s83i.shartmag.bet", "fcsulewd.karafarini.shop", "kagug.mabaninazari.shop", "shrqj.mabanimashin.site", "fsphwjzi.maharatmodiran.xyz", "npmc4uw2.zabanenglishanari.xyz", "ockpahmv.karbordriyaziyat.xyz", "iyejvhz.shansbartar.bet", "qj2ddn7c.zabanmemari.shop", "irtefuln.masirpayambari.xyz", "aasdaonz.mechanickhodakarami.shop", "xtyqemyq.masaelmohandesi.xyz", "ipiyt.moshavereravan.shop", "zywnzrqf.prozhedownload.com", "cfwrfrqx.leaguejazire.com", "rduzbygb.mustatabashpazi.shop", "of8p7ob4.mururhesabdari.xyz", "sw9k00e8.shartbandifootballkade.online", "qchwdca.rocketbet.pro", "rne9p9if.shartbandikade.online", "dtgncsqn.masirpayambari.xyz", "rfvxpytm.psgnewsiran.com", "zxokl.mabaninazaridelavar.xyz", "g7of4qhx.zabanhaggani.shop"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["igcokmdd.prozhecart.com", "emqtqmnj.mabanishimi.xyz", "q5r1s83i.shartmag.bet", "fcsulewd.karafarini.shop", "kagug.mabaninazari.shop", "shrqj.mabanimashin.site", "fsphwjzi.maharatmodiran.xyz", "npmc4uw2.zabanenglishanari.xyz", "ockpahmv.karbordriyaziyat.xyz", "iyejvhz.shansbartar.bet", "qj2ddn7c.zabanmemari.shop", "irtefuln.masirpayambari.xyz", "aasdaonz.mechanickhodakarami.shop", "xtyqemyq.masaelmohandesi.xyz", "ipiyt.moshavereravan.shop", "zywnzrqf.prozhedownload.com", "cfwrfrqx.leaguejazire.com", "rduzbygb.mustatabashpazi.shop", "of8p7ob4.mururhesabdari.xyz", "sw9k00e8.shartbandifootballkade.online", "qchwdca.rocketbet.pro", "rne9p9if.shartbandikade.online", "dtgncsqn.masirpayambari.xyz", "rfvxpytm.psgnewsiran.com", "zxokl.mabaninazaridelavar.xyz", "g7of4qhx.zabanhaggani.shop"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator manually enters a ClearFake URL into a ticketing system (e.g., Jira) to test a phishing detection tool.
  - Filter/Exclusion: Exclude URLs that match the domain of the ticketing system (e.g., jira.example.com) or filter on the URL field (e.g., url.contains("jira")) to drop internal testing URLs.
- Scenario: A scheduled job runs a script that generates temporary URLs for internal testing (e.g., using curl or wget with a placeholder URL from a local file).
  - Filter/Exclusion: Exclude URLs that originate from local file paths or match a known internal testing domain (e.g., internal-test.example.com).
- Scenario: A security tool like OSQuery or Microsoft Defender ATP generates a temporary URL for internal diagnostics or reporting purposes.
  - Filter/Exclusion: Exclude URLs that match the internal diagnostic domain (e.g., diag.example.com) or filter on a process field (e.g., process.name) to drop known security tool processes.
- Scenario: A developer uses a mock URL (e.g., http://mock.clearfake.com) during a penetration test or security training exercise.
  - Filter/Exclusion: Exclude URLs that match the mock domain (mock.clearfake.com) or filter on an identifier field (e.g., event_id) to drop known training or test events.
- Scenario: A backup or sync job (e.g., rsync, Veeam, or AWS S3 sync) includes a URL that appears malicious but is part of a legitimate cloud storage endpoint.
  - Filter/Exclusion: Exclude URLs that match known cloud storage endpoints (e.g., s3.amazonaws.com, storage.example.com) or filter on a process field (e.g., process.name) to drop backup-related processes.