The detection identifies potential ClearFake malicious URLs that may be used to deliver malware or phishing content, leveraging known malicious domains from URLhaus. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage adversary activity before it leads to data exfiltration or system compromise.
IOC Summary
Threat: ClearFake
Total URLs: 4
Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://7plygnzn.megaparibet.win/?ublib=0364a39e-c80f-45ee-a729-972320e682a7 | offline | malware_download | 2026-06-22 |
| hxxps://x0t2a0jb.raftarsazmani.xyz/?ublib=e2f94762-ecd2-44d2-bd85-e40627bde980 | offline | malware_download | 2026-06-22 |
| hxxps://ujlo7o5o.readthisintro.xyz/?ublib=3614a9c5-ca8a-4a5d-9950-a48239e3639e | offline | malware_download | 2026-06-22 |
| hxxps://195q2fia.readthisintro.xyz/?ublib=172ec75e-a191-4e5d-a1e3-c5117af58cb5 | offline | malware_download | 2026-06-22 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["ujlo7o5o.readthisintro.xyz", "7plygnzn.megaparibet.win", "x0t2a0jb.raftarsazmani.xyz", "195q2fia.readthisintro.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["ujlo7o5o.readthisintro.xyz", "7plygnzn.megaparibet.win", "x0t2a0jb.raftarsazmani.xyz", "195q2fia.readthisintro.xyz"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
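The two queries above match on raw strings with `has_any`, which works for a first pass but treats the DNS name and the full request URL differently and says nothing about why a row matched. The following is an added example, not part of the original detection: it normalizes both sources to a lowercase hostname, unions DNS and proxy/firewall hits into one result set, labels each hit as an exact IOC match or a parent-domain match (two IOCs share `readthisintro.xyz` under different random subdomains, so the parent-domain list is derived from the table and is an assumption, not a URLhaus listing), and extracts the `ublib` query parameter that every URL in the IOC table carries. The `lookback` value is constructed; the column names are those of the connectors listed in the table above.

```kql
// Added example (not part of the original detection): hostname-normalized hunt
// across DnsEvents and CommonSecurityLog, with match confidence and the ublib
// parameter surfaced for triage. 'lookback' is a constructed value.
let lookback = 30d;
// Exact hostnames from the IOC table.
let malicious_hosts = dynamic(["ujlo7o5o.readthisintro.xyz", "7plygnzn.megaparibet.win", "x0t2a0jb.raftarsazmani.xyz", "195q2fia.readthisintro.xyz"]);
// Parent domains derived from those hostnames (assumption: sibling subdomains
// on the same parent are worth a lower-confidence hit).
let parent_domains = dynamic(["readthisintro.xyz", "megaparibet.win", "raftarsazmani.xyz"]);
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | extend Host = tolower(Name)
    | where Host in (malicious_hosts) or Host has_any (parent_domains)
    | project TimeGenerated, Source = "DnsEvents", Endpoint = Computer, Host,
              Confidence = iff(Host in (malicious_hosts), "exact", "parent-domain"),
              Detail = strcat("resolved=", tostring(IPAddresses));
let web_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where isnotempty(RequestURL) or isnotempty(DestinationHostName)
    // parse_url splits the URL into Scheme/Host/Path/Query Parameters/...; fall back
    // to DestinationHostName when the device logs no full URL.
    | extend Parsed = parse_url(RequestURL)
    | extend Host = tolower(coalesce(tostring(Parsed.Host), DestinationHostName))
    | extend Ublib = tostring(Parsed["Query Parameters"].ublib)
    | where Host in (malicious_hosts) or Host has_any (parent_domains)
    | project TimeGenerated, Source = "CommonSecurityLog", Endpoint = SourceIP, Host,
              Confidence = iff(Host in (malicious_hosts), "exact", "parent-domain"),
              Detail = strcat("action=", DeviceAction, " ublib=", Ublib);
dns_hits
| union web_hits
| order by TimeGenerated desc
```

A DNS hit with no matching proxy hit usually means the request was blocked upstream or went out over a path the proxy does not see; an `exact` proxy hit with a non-empty `ublib` value is the strongest signal in this set and should be triaged first.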
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update Job
Description: A legitimate scheduled job runs a system update that downloads from a URL matching the ClearFake indicators as part of a trusted update process.
Filter/Exclusion: Exclude URLs matching known update servers (e.g., *.update.microsoft.com, *.download.windows10.com).
Scenario: Admin Task for Patch Management
Description: An admin manually initiates a patch management task that fetches a trusted patch file from a URL matching the ClearFake indicators.
Filter/Exclusion: Exclude URLs containing patch, update, or security in the path, or originating from known patch management tools (e.g., Microsoft SCCM, WSUS).
Scenario: Internal Monitoring Tool Data Ingestion
Description: A monitoring tool (e.g., Splunk, ELK) ingests logs from a URL matching the ClearFake indicators as part of its data collection process.
Filter/Exclusion: Exclude URLs that match internal monitoring tool endpoints (e.g., *.splunk.com, *.elkstack.org).
Scenario: Development Environment Artifact Download
Description: A developer fetches a trusted artifact (e.g., Docker image, npm package) from a private registry via a URL matching the ClearFake indicators.
Filter/Exclusion: Exclude URLs that match internal artifact repositories (e.g., *.docker-registry.internal, *.npm.pkg).
Scenario: Cloud Provider Configuration Sync
Description: A cloud provider (e.g., AWS, Azure) syncs configuration files via a URL matching the ClearFake indicators as part of its infrastructure management.
Filter/Exclusion: Exclude URLs that match cloud provider endpoints (e.g., *.aws.amazon.com, *.azure.com, *.googleapis.com).
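The scenarios above describe their exclusions in words; the query below is an added example, not from the original page, of applying them in a way that keeps the hunt auditable. It turns the wildcard host patterns listed in the scenarios into a single hostname-suffix regex, evaluates the path-keyword condition (patch, update, security) as a separate column, and tags rows as `Suppressed` rather than dropping them, then summarizes per host so an analyst can see at a glance how much volume each exclusion would remove. The 30-day window and the decision to tag rather than filter are assumptions of this example; the suffix values are the example patterns given in the scenarios.

```kql
// Added example (not part of the original detection): apply the false-positive
// exclusions as a hostname-suffix allowlist and keep suppressed rows visible.
// Hostnames from the IOC table.
let malicious_hosts = dynamic(["ujlo7o5o.readthisintro.xyz", "7plygnzn.megaparibet.win", "x0t2a0jb.raftarsazmani.xyz", "195q2fia.readthisintro.xyz"]);
// Suffixes from the scenario wildcards (*.update.microsoft.com etc.). Anchored at
// the end of the host and preceded by a dot or the start of the string, so
// "azure.com.attacker.example" would not match.
let allowlist_re = @"(^|\.)(update\.microsoft\.com|download\.windows10\.com|splunk\.com|elkstack\.org|docker-registry\.internal|npm\.pkg|aws\.amazon\.com|azure\.com|googleapis\.com)$";
CommonSecurityLog
| where TimeGenerated > ago(30d)
| extend Parsed = parse_url(RequestURL)
| extend Host = tolower(coalesce(tostring(Parsed.Host), DestinationHostName))
| extend Path = tolower(tostring(Parsed.Path))
| where Host in (malicious_hosts)
// Suppression decision is made on the hostname only.
| extend Suppressed = Host matches regex allowlist_re
// The path-keyword condition from the scenarios is recorded, not used to suppress,
// so its hit rate can be reviewed before it is ever allowed to hide an IOC match.
| extend PathKeyword = Path has_any ("patch", "update", "security")
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Sources = make_set(SourceIP, 50)
          by Host, Suppressed, PathKeyword, DeviceAction
| order by Suppressed asc, Hits desc
```

Because `Suppressed` is a column rather than a `where` clause, the same query doubles as a tuning report: a row with `Suppressed == true` and a large `Hits` count is an exclusion that is doing real work, while any `Suppressed == true` row whose `Host` is one of the IOC hostnames is a configuration problem worth fixing, since a listed indicator should never be covered by an allowlist suffix.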