This hunt hypothesis targets adversaries who use ClearFake malicious URLs to deliver payloads, leveraging compromised or deceptive links to compromise endpoints. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise early in the attack lifecycle.
IOC Summary

Threat: ClearFake
Total URLs: 13
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://ihtfqktk.holiday-matrix.christmas/96b7aba8-3295-4cfa-ba52-95f2dcc75e6a | offline | malware_download | 2026-05-23 |
| hxxp://ilhvyrij.ipv4has-lampnew.cyou/786762b0-4825-4286-99b2-577a9bc95013 | offline | malware_download | 2026-05-23 |
| hxxp://mkszunli.flopstin-gymcargo.cyou/ab9efe8d-0c62-405b-bb4f-1e0e6c3a048e | offline | malware_download | 2026-05-23 |
| hxxp://mfbrkbuv.betnoise-unionour.cyou/49a68922-608d-42f2-aefe-fc929839d14a | offline | malware_download | 2026-05-23 |
| hxxps://hoycbijv.holiday-matrix.christmas/bc3341b1-731e-4187-93fc-7f86b7753cf5 | offline | malware_download | 2026-05-23 |
| hxxps://mvltyody.frost-engine.christmas/02b9cfc1-2c23-4ca6-b36e-fbec31299c31 | offline | malware_download | 2026-05-23 |
| hxxps://ftjilgqw.winter-pulse.christmas/dabbd14d-3c14-425b-85e7-e2550832fc63 | offline | malware_download | 2026-05-23 |
| hxxps://mfwhezll.gift-lattice.christmas/8ee92af5-0bfd-4f2d-9008-878f5978ff55 | offline | malware_download | 2026-05-22 |
| hxxps://winter-pulse.christmas/chk | offline | malware_download | 2026-05-22 |
| hxxps://gift-lattice.christmas/chk | offline | malware_download | 2026-05-22 |
| hxxps://snow-harbor.christmas/chk | offline | malware_download | 2026-05-22 |
| hxxps://xenomorphhiveintel.christmas/chk | offline | malware_download | 2026-05-22 |
| hxxps://sopranos-familytree.christmas/chk | offline | malware_download | 2026-05-22 |
Hunting Queries

```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["sopranos-familytree.christmas", "hoycbijv.holiday-matrix.christmas", "mkszunli.flopstin-gymcargo.cyou", "snow-harbor.christmas", "winter-pulse.christmas", "ilhvyrij.ipv4has-lampnew.cyou", "mvltyody.frost-engine.christmas", "mfwhezll.gift-lattice.christmas", "mfbrkbuv.betnoise-unionour.cyou", "gift-lattice.christmas", "xenomorphhiveintel.christmas", "ftjilgqw.winter-pulse.christmas", "ihtfqktk.holiday-matrix.christmas"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["sopranos-familytree.christmas", "hoycbijv.holiday-matrix.christmas", "mkszunli.flopstin-gymcargo.cyou", "snow-harbor.christmas", "winter-pulse.christmas", "ilhvyrij.ipv4has-lampnew.cyou", "mvltyody.frost-engine.christmas", "mfwhezll.gift-lattice.christmas", "mfbrkbuv.betnoise-unionour.cyou", "gift-lattice.christmas", "xenomorphhiveintel.christmas", "ftjilgqw.winter-pulse.christmas", "ihtfqktk.holiday-matrix.christmas"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
Required Sentinel Tables

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate URL shortening service usage | Employees use URL shortening services like Bitly or TinyURL for internal documentation or sharing links. | Exclude URLs containing known shortening domains (e.g., bit.ly, tinyurl.com, is.gd) or use a regex to identify shortening services. |
| Scheduled system updates via internal repository | Automated systems pull updates from an internal repository using URLs that match the pattern of malicious URLs. | Exclude URLs that match internal update servers (e.g., internal-repo.example.com, update.example.com) or use a custom list of trusted internal domains. |
| Admin task for malware analysis | Security analysts manually test malware samples using sandboxed environments, which may include URLs pointing to internal analysis tools. | Exclude URLs that match internal sandboxing tools (e.g., sandbox.example.com, malware-analysis.example.com) or use a whitelist of analyst activity IPs. |
| Legitimate phishing simulation campaigns | HR or IT departments run phishing simulations using URLs that mimic real company domains. | Exclude URLs that match internal phishing simulation domains (e.g., phish-sim.example.com, test-phishing.example.com) or use a list of known simulation domains. |
| Automated backup job to cloud storage | Backup processes use temporary URLs to store data in cloud services like AWS S3 or Azure Blob Storage. | Exclude URLs that match known cloud storage endpoints (e.g., s3.amazonaws.com, blob.core.windows.net) or use a regex to identify cloud storage service patterns. |
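The matching and exclusion logic behind the two Sentinel queries and the false-positive table, as an added Python example (not code from the original page or from URLhaus): it refangs the defanged IOC URLs above into hostnames, matches DNS names and proxy URLs against them with subdomain-aware matching (the behaviour `has_any` gives you on a domain term), and drops hits that fall under the exclusion domains. The log records and the `example.com` exclusion hosts are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# Defanged IOC URLs taken from the page's table (subset).
IOC_URLS = [
    "hxxps://ihtfqktk.holiday-matrix.christmas/96b7aba8-3295-4cfa-ba52-95f2dcc75e6a",
    "hxxps://winter-pulse.christmas/chk",
    "hxxp://mkszunli.flopstin-gymcargo.cyou/ab9efe8d-0c62-405b-bb4f-1e0e6c3a048e",
]

# Exclusions mirroring the false-positive table; the example.com names are assumptions.
EXCLUDED_DOMAINS = {"bit.ly", "tinyurl.com", "is.gd", "internal-repo.example.com",
                    "sandbox.example.com", "phish-sim.example.com",
                    "s3.amazonaws.com", "blob.core.windows.net"}

def refang(url):
    """Turn a defanged IOC (hxxp, [.]) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.I)

def host_of(url):
    """Lower-cased hostname of a (possibly defanged) URL."""
    return urlsplit(refang(url)).hostname.lower()

def in_domain(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

IOC_DOMAINS = {host_of(u) for u in IOC_URLS}

def is_excluded(host):
    return any(in_domain(host, d) for d in EXCLUDED_DOMAINS)

def hunt(records):
    """records: (timestamp, source, dns_name_or_url). Returns (ts, src, host, ioc) hits."""
    hits = []
    for ts, src, target in records:
        host = host_of(target) if "://" in target else target.lower()
        if is_excluded(host):
            continue  # covered by one of the false-positive exclusions
        matched = sorted(d for d in IOC_DOMAINS if in_domain(host, d))
        if matched:
            hits.append((ts, src, host, matched[0]))
    return hits

# Constructed sample records: a DnsEvents Name, two proxy RequestURLs, one benign DNS name.
SAMPLE = [
    ("2026-05-23T10:01:00Z", "ws-017", "ftjilgqw.winter-pulse.christmas"),
    ("2026-05-23T10:02:00Z", "10.0.5.12", "https://bit.ly/3abc"),
    ("2026-05-23T10:03:00Z", "10.0.5.12",
     "http://mkszunli.flopstin-gymcargo.cyou/ab9efe8d-0c62-405b-bb4f-1e0e6c3a048e"),
    ("2026-05-23T10:04:00Z", "ws-004", "update.example.com"),
]
```

Note that the DNS record matches through the parent domain winter-pulse.christmas, so a new ClearFake subdomain under a listed apex is still caught, while the shortener hit is suppressed as the table recommends.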