This hunt hypothesis targets adversaries who use ClearFake malicious URLs to deliver payloads, relying on compromised or deceptive links to compromise endpoints. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise early in the attack lifecycle.
IOC Summary
Threat: ClearFake
Total URLs: 12
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://et5qogz2.one1xbet.promo/?ublib=279ee61f-f981-456d-a096-5acafd8dcaac | offline | malware_download | 2026-06-07 |
| hxxps://nqbecrh.one1x.bet/b6181c88-838a-4f09-93e1-0b270cb3f5d8 | offline | malware_download | 2026-06-07 |
| hxxps://g2z2cnlz.pascal.casino/?ublib=c599276e-21f7-45c6-beb6-e969c5387732 | offline | malware_download | 2026-06-07 |
| hxxps://5bksyseg.betistmobil.com/?ublib=131dc023-5f0f-4c63-8146-9b44c78f4ffe | offline | malware_download | 2026-06-07 |
| hxxps://zfrfayl.one1xbet.app/c644dd00-5ae8-4919-b959-edcf4004bc46 | offline | malware_download | 2026-06-07 |
| hxxps://l9tynneu.mybookieiran.com/?ublib=260f10d6-cd0c-4b13-a830-7a9263a7a91d | offline | malware_download | 2026-06-07 |
| hxxps://a96ampff.mrgreenbetiran.com/?ublib=a20825e3-3765-4452-8dab-4dc098daa8e9 | offline | malware_download | 2026-06-07 |
| hxxps://avygupe.one1xbet.casino/c5b264cf-f72f-4b43-b207-3e9e1c995b46 | offline | malware_download | 2026-06-07 |
| hxxps://mqbjnx.jamjahani.app/cdd4ea04-c59b-4888-bcbf-97e0e4948680 | offline | malware_download | 2026-06-07 |
| hxxps://ilmlvxt.lolsurpriseball.com/3a6f23ae-7a6e-48d6-95ed-b07ca0c9f4f6 | offline | malware_download | 2026-06-07 |
| hxxps://bvnvrjx.kvbel.com/de8a8b05-2f16-4759-a366-dc4494022705 | offline | malware_download | 2026-06-07 |
| hxxps://hdkkxsm.kbshavanese.com/2d3e461b-ad09-4bda-bb6b-1fc1787b5f36 | offline | malware_download | 2026-06-07 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["ilmlvxt.lolsurpriseball.com", "5bksyseg.betistmobil.com", "mqbjnx.jamjahani.app", "nqbecrh.one1x.bet", "l9tynneu.mybookieiran.com", "bvnvrjx.kvbel.com", "zfrfayl.one1xbet.app", "g2z2cnlz.pascal.casino", "hdkkxsm.kbshavanese.com", "et5qogz2.one1xbet.promo", "a96ampff.mrgreenbetiran.com", "avygupe.one1xbet.casino"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["ilmlvxt.lolsurpriseball.com", "5bksyseg.betistmobil.com", "mqbjnx.jamjahani.app", "nqbecrh.one1x.bet", "l9tynneu.mybookieiran.com", "bvnvrjx.kvbel.com", "zfrfayl.one1xbet.app", "g2z2cnlz.pascal.casino", "hdkkxsm.kbshavanese.com", "et5qogz2.one1xbet.promo", "a96ampff.mrgreenbetiran.com", "avygupe.one1xbet.casino"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a ClearFake URL as part of a security awareness training exercise.
Filter/Exclusion: Exclude URLs that match the domain training.example.com or any subdomains under it.
Example Filter: url contains "training.example.com"
Scenario: A scheduled job runs a script that downloads a ClearFake URL to verify its legitimacy as part of a security tool validation process.
Filter/Exclusion: Exclude URLs that match the domain validation.example.com or any subdomains under it.
Example Filter: url contains "validation.example.com"
Scenario: A developer is using a tool like curl or wget to fetch a ClearFake URL for testing a web application’s input validation logic.
Filter/Exclusion: Exclude URLs that match the domain dev-test.example.com or any subdomains under it.
Example Filter: url contains "dev-test.example.com"
Scenario: An enterprise uses a tool like PowerShell to automate the retrieval of ClearFake URLs for internal testing or integration with a sandboxing environment.
Filter/Exclusion: Exclude URLs that match the domain sandbox.example.com or any subdomains under it.
Example Filter: url contains "sandbox.example.com"
Scenario: A system is configured to periodically fetch ClearFake URLs as part of a security tool’s update or configuration process.
Filter/Exclusion: Exclude URLs that match the domain update.example.com or any subdomains under it.
Example Filter: url contains "update.example.com"
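The following query is an added example, not part of the original hunt content: it combines the two hunts above into a single result set and applies the exclusions from the scenarios as one allowlist. The excluded domains are the placeholder domains used in the scenarios (training, validation, dev-test, sandbox and update under example.com); the output column names `Source`, `Host`, `Indicator` and `Action` are chosen here for the union and are not Sentinel schema names. The exclusion is applied only to rows that already matched a ClearFake domain, so it is narrower than a blanket allowlist of those hosts.

```kql
// Added example: joint DNS + proxy hunt for ClearFake domains with
// the approved-testing exclusions from the scenarios applied.
// Threat: ClearFake
let malicious_domains = dynamic(["ilmlvxt.lolsurpriseball.com", "5bksyseg.betistmobil.com", "mqbjnx.jamjahani.app", "nqbecrh.one1x.bet", "l9tynneu.mybookieiran.com", "bvnvrjx.kvbel.com", "zfrfayl.one1xbet.app", "g2z2cnlz.pascal.casino", "hdkkxsm.kbshavanese.com", "et5qogz2.one1xbet.promo", "a96ampff.mrgreenbetiran.com", "avygupe.one1xbet.casino"]);
// Placeholder exclusion domains taken from the false-positive scenarios above
let excluded_domains = dynamic(["training.example.com", "validation.example.com", "dev-test.example.com", "sandbox.example.com", "update.example.com"]);
let dns_hits = DnsEvents
    | where Name has_any (malicious_domains)
    | extend Source = "DnsEvents", Host = Computer, Indicator = Name, Action = ""
    | project TimeGenerated, Source, Host, Indicator, Action;
let proxy_hits = CommonSecurityLog
    | where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
    // Drop requests coming from the documented testing/validation hosts
    | where not(RequestURL has_any (excluded_domains))
    | extend Source = "CommonSecurityLog",
             Host = tostring(SourceIP),
             Indicator = iff(isnotempty(RequestURL), RequestURL, DestinationHostName),
             Action = DeviceAction
    | project TimeGenerated, Source, Host, Indicator, Action;
union dns_hits, proxy_hits
// One row per (table, host) so a single endpoint contacting several
// ClearFake domains shows up as one finding with all indicators listed
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Indicators = make_set(Indicator), Actions = make_set(Action)
    by Source, Host
| order by LastSeen desc
```

Run it over the same time range as the two individual hunts; a host that appears under both `DnsEvents` and `CommonSecurityLog` (a resolution followed by a request) is the strongest candidate for triage, and a `DeviceAction` showing the request was allowed rather than blocked should be escalated first.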