This hunt covers URLs attributed to the ClearFake campaign that adversaries may use to deliver malware or phishing payloads. SOC teams should proactively hunt for contact with these URLs in Microsoft Sentinel (formerly Azure Sentinel) to identify hosts that reached the campaign's infrastructure, contain them early, and disrupt the campaign before it spreads across organizational assets.
IOC Summary
Threat: ClearFake
Total URLs: 15
Active URLs: 0 (every URL below was offline when the list was generated, so the queries that follow find historical contact rather than live beaconing; an earlier hit still warrants triage of the endpoint that made it)
| URL (defanged) | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://azj9wm5k.fununetadris.shop/?ublib=602784c0-dcaa-49fd-8922-d54858c7ea10 | offline | malware_download | 2026-06-10 |
| hxxps://llonnk.bankefile.com/b0d8fe01-aef2-4f6d-b392-852ed6d3eb68 | offline | malware_download | 2026-06-10 |
| hxxps://gng97m36.angizeshfarahani.store/?ublib=1ffca209-7e8d-42dc-ad26-034e720d2cc4 | offline | malware_download | 2026-06-10 |
| hxxps://lzkgofe.akhlagvaahkam.xyz/eab7ce51-a214-4476-a255-93d714b542a9 | offline | malware_download | 2026-06-10 |
| hxxps://xqbzvgfy.red90.casino/49adf6ae-a534-4549-bde2-926adadbe2e2 | offline | malware_download | 2026-06-10 |
| hxxps://yovejfu.amlakshahri.xyz/059aa6ee-63dc-4255-a31f-2411cf06e87d | offline | malware_download | 2026-06-10 |
| hxxps://krezxpiv.jamjahani2026.football/94bcbf70-07df-476e-b9a9-519732a2b8b4 | offline | malware_download | 2026-06-10 |
| hxxps://tdfzyex.amoozeshagazade.shop/8140b622-c1c2-4fe9-8bb8-6be031e0c442 | offline | malware_download | 2026-06-10 |
| hxxps://pfyfyt.bankefiile.com/aa879b30-c23c-44d3-b492-947d4f5a5740 | offline | malware_download | 2026-06-10 |
| hxxps://nljdiefg.jamjahani.football/e0583d6f-51c2-4100-97a8-7bd9a9dfb3f2 | offline | malware_download | 2026-06-10 |
| hxxps://lq8j82kc.shirbetfarsi.com/?ublib=b467e003-6aee-4a73-ae1c-4f448c5aa68a | offline | malware_download | 2026-06-10 |
| hxxps://3yl7mt55.andisheeslami2.xyz/?ublib=6a25707c-7070-4d6a-8fa6-454cf440bbb3 | offline | malware_download | 2026-06-10 |
| hxxps://xtktlprb.rial.bet/a4c37e8b-56df-4af3-b72e-ed3d06ed1eb5 | offline | malware_download | 2026-06-10 |
| hxxps://1yusfrvk.pishbinibet.bet/?ublib=5d59516b-dece-4d3f-b936-36271d5ef5d9 | offline | malware_download | 2026-06-10 |
| hxxps://ithfkpx.amoozeshtagipour.shop/f7517b32-8001-43d1-8bdc-97e1ab0b288b | offline | malware_download | 2026-06-10 |
```kusto
// Hunt for DNS resolution of the URLhaus-listed ClearFake domains
// Threat: ClearFake
// In DnsEvents, Computer is the DNS server that logged the query; ClientIP is the host that asked,
// which is the one you need to triage.
let malicious_domains = dynamic(["xtktlprb.rial.bet", "tdfzyex.amoozeshagazade.shop", "nljdiefg.jamjahani.football", "lq8j82kc.shirbetfarsi.com", "llonnk.bankefile.com", "ithfkpx.amoozeshtagipour.shop", "azj9wm5k.fununetadris.shop", "krezxpiv.jamjahani2026.football", "3yl7mt55.andisheeslami2.xyz", "pfyfyt.bankefiile.com", "1yusfrvk.pishbinibet.bet", "gng97m36.angizeshfarahani.store", "xqbzvgfy.red90.casino", "yovejfu.amlakshahri.xyz", "lzkgofe.akhlagvaahkam.xyz"]);
DnsEvents
| where TimeGenerated > ago(30d)        // lookback window; widen it if the IOC date is older than this
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for proxy/firewall web traffic (CEF) to the URLhaus-listed ClearFake domains
// Threat: ClearFake
let malicious_domains = dynamic(["xtktlprb.rial.bet", "tdfzyex.amoozeshagazade.shop", "nljdiefg.jamjahani.football", "lq8j82kc.shirbetfarsi.com", "llonnk.bankefile.com", "ithfkpx.amoozeshtagipour.shop", "azj9wm5k.fununetadris.shop", "krezxpiv.jamjahani2026.football", "3yl7mt55.andisheeslami2.xyz", "pfyfyt.bankefiile.com", "1yusfrvk.pishbinibet.bet", "gng97m36.angizeshfarahani.store", "xqbzvgfy.red90.casino", "yovejfu.amlakshahri.xyz", "lzkgofe.akhlagvaahkam.xyz"]);
CommonSecurityLog
| where TimeGenerated > ago(30d)        // same lookback as the DNS hunt
// Match on either the full request URL or the destination host, since not every CEF feed fills both fields
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, SourceHostName, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
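The two queries above only surface contact with the 15 listed hosts, all of which were already offline when the list was generated. The listed URLs share one shape: a random leading label of 6 to 8 lowercase letters and digits, a second-level domain, and then either a bare UUID path or `?ublib=<UUID>`. The query below is an added example and not part of the original page; it hunts for that shape in CommonSecurityLog regardless of domain, so that sibling hosts not yet on the list are surfaced. The shape is inferred only from the table on this page, and the 30-day lookback and the TLD narrowing are assumptions to tune for your environment.

```kusto
// Added example: hunt for the URL shape shared by the 15 ClearFake IOCs above,
// not for the exact domains. Shape inferred from this page's IOC table only.
CommonSecurityLog
| where TimeGenerated > ago(30d)                 // assumed lookback; tune
| where isnotempty(RequestURL)
// (?i) because some proxies log the URL with upper-case host or hex characters
| where RequestURL matches regex @"(?i)^https?://[a-z0-9]{6,8}\.[a-z0-9-]+\.[a-z]+/(\?ublib=)?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
| extend Host = tolower(tostring(parse_url(RequestURL).Host))
| extend Tld = extract(@"\.([a-z]+)$", 1, Host)
// Optional narrowing to the TLDs seen in the IOC table; drop this line to widen the hunt
| where Tld in ("shop", "store", "xyz", "football", "casino", "bet", "com")
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Sources = make_set(SourceIP, 50),
            Actions = make_set(DeviceAction, 10)
  by Host
| order by LastSeen desc
```

Treat a hit on a host that is not in the IOC table as a lead, not a verdict: check the host against URLhaus before escalating, and add it to the watchlist once confirmed so the exact-match hunts pick it up.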
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled; the proxy or firewall CEF feed must populate RequestURL or DestinationHostName for the web hunt to match |
| DnsEvents | Ensure this data connector is enabled; the DNS hunt matches on the Name column and reports the querying host in ClientIP |
The following scenarios produce benign matches. Apply the exclusion listed with each, scoped as narrowly as the scenario allows: exclusions keyed on strings inside the URL are attacker-controllable, so prefer keying them on the source host or source address of the benign traffic.

- Scenario: A system administrator is manually testing a ClearFake URL as part of a security training exercise.
  Filter/Exclusion: Exclude requests whose host is training.example.com or any subdomain under it. Match on the host component of the URL, not on a substring of the whole URL, so that a ClearFake URL carrying that string in its path is not excluded.
- Scenario: A scheduled job runs a script to fetch and validate URLs from a trusted internal source, which includes URLs tagged as ClearFake.
  Filter/Exclusion: Exclude requests that originate from the internal host internal-api.corp.example.com or from the job's address range. The range given for this scenario is 10.0.0.0/8; narrow it to the subnet the job actually runs from, because the whole /8 normally covers every internal client and would silence the hunt.
- Scenario: A security tool like OSSEC or Splunk is configured to send test alerts to the SOC team, including URLs tagged as ClearFake as part of its alerting mechanism.
  Filter/Exclusion: Exclude URLs that contain the string test-alert or are sourced from the internal tool security-alerts.example.com. Because test-alert sits in URL text an adversary can also write, require the source-host condition alongside the string rather than the string alone.
- Scenario: A user is accessing a legitimate URL from a third-party service (e.g., Google Drive or Dropbox) that is mistakenly flagged as ClearFake due to a misconfigured URLhaus entry.
  Filter/Exclusion: Exclude URLs whose host is drive.google.com, dropbox.com, or another known legitimate cloud storage service. None of the 15 URLs above are on such services, so this exclusion is a safeguard against a future mislabelled entry rather than something the current list needs.
- Scenario: A system is running a PowerShell script or Python script that generates temporary URLs for internal testing, which are later tagged as ClearFake.
  Filter/Exclusion: Exclude URLs that contain the substring temp-url or are generated by the script internal-test-url-generator.py. As with the test-alert string, key the exclusion on the host that runs the generator rather than on the substring alone.
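The query below is an added example, not code from the original page. It serves two purposes: it re-expresses the DNS and web hunts above so that the domain list comes from a Sentinel watchlist instead of being pasted into every query, and it applies the tuning scenarios above as explicit exclusions. Assumptions: a watchlist named ClearFakeDomains whose SearchKey column holds the bare domain (one row per domain from the IOC table), the example.com host names and marker strings from the scenarios, the 10.0.0.0/8 range from the second scenario (left as the scenario states it, with the narrowing caveat in a comment), and a 30-day lookback.

```kusto
// Added example: watchlist-driven ClearFake hunt with the page's tuning scenarios applied.
// Watchlist name, host names, marker strings and lookback are assumptions; adjust to your tenant.
let malicious_domains = toscalar(_GetWatchlist('ClearFakeDomains') | summarize make_list(SearchKey));
let lookback = 30d;
// Scenario 1: training host and its subdomains (matched on the request host, not the whole URL)
let excluded_dst_hosts = dynamic(["training.example.com"]);
// Scenarios 2, 3 and 5: internal hosts whose traffic to these domains is expected
let excluded_src_hosts = dynamic(["internal-api.corp.example.com", "security-alerts.example.com"]);
// Scenario 2: address range of the validation job. The scenario says 10.0.0.0/8;
// narrow this to the job's own subnet or the exclusion silences every internal client.
let job_source_range = "10.0.0.0/8";
// Scenarios 3 and 5: marker strings. They live in URL text an attacker controls, so they
// only take effect when the request also comes from one of the excluded source hosts.
let test_markers = dynamic(["test-alert", "temp-url"]);
// Scenario 4: legitimate cloud storage hosts (defensive; none of the current IOCs are on them)
let excluded_cloud_hosts = dynamic(["drive.google.com", "dropbox.com"]);
let dns_hits = DnsEvents
| where TimeGenerated > ago(lookback)
| where Name has_any (malicious_domains)
// Computer is the DNS server; the querying client is only known by address here
| where not(coalesce(ipv4_is_in_range(ClientIP, job_source_range), false))
| project TimeGenerated, SourceTable = "DnsEvents", Client = "", ClientIP = tostring(ClientIP),
          Indicator = Name, Action = "";
let web_hits = CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| extend ReqHost = tolower(coalesce(tostring(parse_url(RequestURL).Host), DestinationHostName))
| where not(ReqHost in~ (excluded_dst_hosts) or ReqHost endswith ".training.example.com")
| where not(ReqHost in~ (excluded_cloud_hosts) or ReqHost endswith ".dropbox.com")
| where not(SourceHostName in~ (excluded_src_hosts) and RequestURL has_any (test_markers))
| where not(SourceHostName =~ "internal-api.corp.example.com")
| where not(coalesce(ipv4_is_in_range(SourceIP, job_source_range), false))
| project TimeGenerated, SourceTable = "CommonSecurityLog", Client = SourceHostName, ClientIP = SourceIP,
          Indicator = coalesce(RequestURL, DestinationHostName), Action = DeviceAction;
union dns_hits, web_hits
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Indicators = make_set(Indicator, 20),
            Actions = make_set(Action, 10)
  by SourceTable, Client, ClientIP
| order by LastSeen desc
```

The `coalesce(..., false)` around `ipv4_is_in_range` matters: the function returns null when the address field is empty or malformed, and `where not(null)` would silently drop those rows instead of keeping them. Keeping the watchlist as the single source of the domain list also means the hunt above and any analytics rule built from it stay in step when URLhaus adds new ClearFake entries.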