This hunt hypothesis targets adversaries who use ClearFake malicious URLs to deliver payloads, abusing compromised or deceptive links to compromise endpoints. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate a potential compromise before lateral movement or data exfiltration occurs.
IOC Summary
Threat: ClearFake
Total URLs: 12
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://mzwum.wilhelmglobal.com/50cd1484-b174-4953-85c0-d7cbdbf72a27 | offline | malware_download | 2026-05-27 |
| hxxps://cwzbp.wlwyb.com/c5c29ee6-a48f-42ec-a6cd-aa86153ae5be | offline | malware_download | 2026-05-27 |
| hxxps://gplca9pf.script-bridge.digital/?ublib=45e067f8-5d8a-47c8-af64-1a38eae03e0f | offline | malware_download | 2026-05-27 |
| hxxps://dxblg.workoutwithdorci.com/3cdeb7eb-1fdf-4afd-a9bc-0c8c1b50a871 | offline | malware_download | 2026-05-27 |
| hxxps://kbjqa.wpsmart.app/e533891c-5614-4757-9573-2afacc45f625 | offline | malware_download | 2026-05-27 |
| hxxps://xjmes.yanis.hu/6f8853b0-fa0d-4d60-83a6-1d8709d8f8ec | offline | malware_download | 2026-05-27 |
| hxxps://qxyvx.yanisrea.hu/b477b678-d90a-4ddd-852f-0240dfa3dafb | offline | malware_download | 2026-05-27 |
| hxxps://3822lbt1.stack-sphere.digital/?ublib=7a109b51-cc53-4f31-9c7a-5e75671b9285 | offline | malware_download | 2026-05-27 |
| hxxps://cadcr.zaszlorudbolt.hu/0ec95e1b-636b-44aa-b2fe-01976395f3e6 | offline | malware_download | 2026-05-27 |
| hxxps://vkoqp.accredit.hu/85cd0e80-9b17-4fb2-a3dc-062184a66c41 | offline | malware_download | 2026-05-27 |
| hxxps://ekyso.addmagad.com/b058129c-e3ac-4fa4-bbb2-6df8c449d9da | offline | malware_download | 2026-05-27 |
| hxxps://djwof.ady26.hu/a4da285d-eafb-4441-9958-c922ec4d899e | offline | malware_download | 2026-05-27 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
// The domain list is the set of hostnames taken from the IOC table above.
let malicious_domains = dynamic(["vkoqp.accredit.hu", "dxblg.workoutwithdorci.com", "cadcr.zaszlorudbolt.hu", "xjmes.yanis.hu", "ekyso.addmagad.com", "djwof.ady26.hu", "qxyvx.yanisrea.hu", "kbjqa.wpsmart.app", "gplca9pf.script-bridge.digital", "3822lbt1.stack-sphere.digital", "cwzbp.wlwyb.com", "mzwum.wilhelmglobal.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
// RequestURL is checked as well as DestinationHostName so that an IOC domain
// appearing only in a URL path or query string is still surfaced.
let malicious_domains = dynamic(["vkoqp.accredit.hu", "dxblg.workoutwithdorci.com", "cadcr.zaszlorudbolt.hu", "xjmes.yanis.hu", "ekyso.addmagad.com", "djwof.ady26.hu", "qxyvx.yanisrea.hu", "kbjqa.wpsmart.app", "gplca9pf.script-bridge.digital", "3822lbt1.stack-sphere.digital", "cwzbp.wlwyb.com", "mzwum.wilhelmglobal.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator manually enters a ClearFake URL into a ticketing system (e.g., Jira) to test a phishing simulation.
  - Filter/Exclusion: Exclude URLs that match the domain of the organization’s internal phishing testing platform (e.g., phishing-test.example.com).
- Scenario: A scheduled job runs a script that downloads a ClearFake URL as part of a malware analysis process (e.g., using Cuckoo Sandbox or the VirusTotal API).
  - Filter/Exclusion: Exclude URLs that contain the substring malwareanalysis or match the IP address of the internal analysis server.
- Scenario: A user clicks on a ClearFake URL shared via a legitimate internal communication tool (e.g., Microsoft Teams or Slack) during a security awareness training session.
  - Filter/Exclusion: Exclude URLs that originate from the internal security training domain (e.g., training.example.com).
- Scenario: A DevOps pipeline deploys a CI/CD tool (e.g., Jenkins) that temporarily uses a ClearFake URL for a test artifact download.
  - Filter/Exclusion: Exclude URLs that match the artifact download domain used by the CI/CD system (e.g., artifacts.ci.example.com).
- Scenario: An IT helpdesk employee uses a ClearFake URL to generate a test report for a security tool (e.g., Splunk or a SIEM) during a system test.
  - Filter/Exclusion: Exclude URLs that contain the string test-report or match the internal test environment domain (e.g., test-siem.example.com).
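The following Python script is an added example and is not part of the original hunt page or of any Sentinel tooling. It ties together the two parts of the hunt above: it refangs the defanged IOC URLs from the table, extracts the hostnames, renders the `let malicious_domains = dynamic([...]);` line the KQL queries use, and then runs the match plus the false-positive exclusions listed in the scenarios over constructed sample DNS and proxy events. The exclusion domains and substrings come from the scenarios; the analysis-server IP address, the sample events and the `dns://` pseudo-scheme used to give DNS names a URL shape are assumptions made for the example.

```python
"""Build the Sentinel domain list from the defanged IOC table and apply the
hunt together with its false-positive exclusions to constructed sample events.
Added example; not part of the original hunt page."""
import re
from urllib.parse import urlparse

# Defanged URLs copied from the IOC table (hxxps:// scheme as published).
IOC_URLS = [
    "hxxps://mzwum.wilhelmglobal.com/50cd1484-b174-4953-85c0-d7cbdbf72a27",
    "hxxps://gplca9pf.script-bridge.digital/?ublib=45e067f8-5d8a-47c8-af64-1a38eae03e0f",
    "hxxps://vkoqp.accredit.hu/85cd0e80-9b17-4fb2-a3dc-062184a66c41",
]

# Exclusions taken from the false-positive scenarios: internal domains and
# URL substrings that should not raise a ClearFake alert.
EXCLUDED_DOMAINS = [
    "phishing-test.example.com", "training.example.com",
    "artifacts.ci.example.com", "test-siem.example.com",
]
EXCLUDED_SUBSTRINGS = ["malwareanalysis", "test-report"]
ANALYSIS_SERVER_IP = "10.0.0.50"   # constructed placeholder for the internal analysis server


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp/hxxps scheme, [.] dots) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def ioc_domains(urls) -> list:
    """Extract the unique hostnames from the IOC URLs, preserving table order."""
    seen = []
    for u in urls:
        host = urlparse(refang(u)).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def kql_domain_list(domains) -> str:
    """Render the 'let malicious_domains = dynamic([...]);' line used by the hunt queries."""
    quoted = ", ".join(f'"{d}"' for d in domains)
    return f"let malicious_domains = dynamic([{quoted}]);"


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match: host == domain or host ends with '.' + domain."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_excluded(url: str, source_ip: str) -> bool:
    """Apply the scenario exclusions (internal domains, substrings, analysis server) to one event."""
    host = urlparse(url).hostname or ""
    if any(host_matches(host, d) for d in EXCLUDED_DOMAINS):
        return True
    if any(s in url.lower() for s in EXCLUDED_SUBSTRINGS):
        return True
    return source_ip == ANALYSIS_SERVER_IP


def hunt(events, domains):
    """Return the events that reference an IOC domain and survive the exclusions.
    Each event is a dict with 'url' (proxy) or 'name' (DNS) plus 'source_ip'."""
    hits = []
    for ev in events:
        # DNS names are wrapped in an assumed dns:// pseudo-scheme so one parser serves both.
        url = ev.get("url") or f"dns://{ev['name']}"
        host = urlparse(url).hostname or ""
        # A proxy URL may carry an IOC domain only in its query string, which is
        # why the CommonSecurityLog query also searches the full RequestURL.
        referenced = any(host_matches(host, d) or d in url.lower() for d in domains)
        if referenced and not is_excluded(url, ev.get("source_ip", "")):
            hits.append(ev)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"name": "vkoqp.accredit.hu", "source_ip": "10.1.2.3"},                         # DNS hit
    {"url": "https://mzwum.wilhelmglobal.com/50cd1484", "source_ip": "10.1.2.4"},   # proxy hit
    {"url": "https://phishing-test.example.com/run?target=vkoqp.accredit.hu",
     "source_ip": "10.1.2.5"},                                                     # excluded: test platform
    {"url": "https://mzwum.wilhelmglobal.com/x", "source_ip": ANALYSIS_SERVER_IP},  # excluded: sandbox
    {"url": "https://intranet.example.com/home", "source_ip": "10.1.2.6"},          # benign
]

if __name__ == "__main__":
    domains = ioc_domains(IOC_URLS)
    print(kql_domain_list(domains))
    for hit in hunt(SAMPLE_EVENTS, domains):
        print("HIT", hit)
```

Running the script prints the generated `let` line followed by the two surviving hits; the phishing-test event is dropped even though the IOC domain appears in its query string, and the sandbox event is dropped on source IP alone, which is the behaviour the scenarios ask for.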