The detection identifies potential ClearFake malicious URLs that adversaries may use to deliver malware or phishing payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to disrupt adversarial campaigns and prevent lateral movement or data exfiltration.
IOC Summary
Threat: ClearFake
Total URLs: 24
Active URLs: 24
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://pds6zjwn.rentcad.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://peak-lab.rentcad.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://majorbright.rentcad.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://voicebund.rentcad.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://hyp3-plate.rentcad.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://arkdraa6.rentcad.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://gdvdjt.sadfont.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://gran-sync.sadfont.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://north9-line.sadfont.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://277lk6.sadfont.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://notifieropti.sadfont.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://4sset3-node.qazsadf.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://qu1ck-flow.qazsadf.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://zkmoskj.qazsadf.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://753s.qazsadf.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://v3lve4-core.qazsadf.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://gr0vvt1-port.qazsadf.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://tal-valeor.wertbash.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://bui73.wertbash.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://so1id-sheet.wertbash.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://storsens.wertbash.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://ljzoiu.wertbash.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://zencrest9um.wertbash.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://ejm0c.sasdherk.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
The two hunting queries below are independent: run each one on its own in the Sentinel Logs blade (they each declare their own copy of the domain list).

```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
// Exact hostnames taken from the IOC table above (defanging removed)
let malicious_domains = dynamic(["zencrest9um.wertbash.in.net", "4sset3-node.qazsadf.in.net", "ejm0c.sasdherk.in.net", "qu1ck-flow.qazsadf.in.net", "bui73.wertbash.in.net", "zkmoskj.qazsadf.in.net", "v3lve4-core.qazsadf.in.net", "north9-line.sadfont.in.net", "hyp3-plate.rentcad.in.net", "voicebund.rentcad.in.net", "notifieropti.sadfont.in.net", "gran-sync.sadfont.in.net", "pds6zjwn.rentcad.in.net", "gdvdjt.sadfont.in.net", "majorbright.rentcad.in.net", "277lk6.sadfont.in.net", "tal-valeor.wertbash.in.net", "peak-lab.rentcad.in.net", "753s.qazsadf.in.net", "so1id-sheet.wertbash.in.net", "ljzoiu.wertbash.in.net", "storsens.wertbash.in.net", "arkdraa6.rentcad.in.net", "gr0vvt1-port.qazsadf.in.net"]);
DnsEvents
// Name is the queried record; has_any matches whole terms, not arbitrary substrings
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["zencrest9um.wertbash.in.net", "4sset3-node.qazsadf.in.net", "ejm0c.sasdherk.in.net", "qu1ck-flow.qazsadf.in.net", "bui73.wertbash.in.net", "zkmoskj.qazsadf.in.net", "v3lve4-core.qazsadf.in.net", "north9-line.sadfont.in.net", "hyp3-plate.rentcad.in.net", "voicebund.rentcad.in.net", "notifieropti.sadfont.in.net", "gran-sync.sadfont.in.net", "pds6zjwn.rentcad.in.net", "gdvdjt.sadfont.in.net", "majorbright.rentcad.in.net", "277lk6.sadfont.in.net", "tal-valeor.wertbash.in.net", "peak-lab.rentcad.in.net", "753s.qazsadf.in.net", "so1id-sheet.wertbash.in.net", "ljzoiu.wertbash.in.net", "storsens.wertbash.in.net", "arkdraa6.rentcad.in.net", "gr0vvt1-port.qazsadf.in.net"]);
CommonSecurityLog
// Check both the full request URL and the destination host, since proxies and firewalls populate different fields
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
// DeviceAction shows whether the device already blocked the request
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
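The domain list in the two queries above is hand-copied from the IOC table, which is error-prone when the feed changes. The script below is an added example (not part of the original hunting page) that parses the defanged IOC table, regenerates the `let malicious_domains` statement, and applies the same exact-hostname matching the queries perform, with an exact-host allowlist so that known-benign infrastructure can be excluded without loosening the IOC match. The three table rows embedded in it are copied from the table above; the `offline` status on the third row is a constructed value to show the active-only filter.

```python
"""
Added example: regenerate the KQL domain list from the defanged ClearFake IOC
table and check observed hostnames against it. Not code from the original page.
"""
import re
from urllib.parse import urlsplit

# Three rows in the page's table format. The first two are copied from the IOC
# table; the "offline" status on the third row is constructed for this example.
IOC_TABLE = """\
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://pds6zjwn.rentcad.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://gdvdjt.sadfont.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | online | malware_download | 2026-04-23 |
| hxxps://ejm0c.sasdherk.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | offline | malware_download | 2026-04-23 |
"""


def refang(url: str) -> str:
    """Undo hxxp/hxxps and [.] defanging so urlsplit can parse the URL."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def parse_ioc_table(table: str) -> list:
    """Parse the markdown IOC table into dicts keyed url/status/threat/date_added."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip the header row, the |---| separator row, and anything malformed.
        if len(cells) != 4 or cells[0] == "URL" or set(cells[0]) <= {"-"}:
            continue
        rows.append({"url": cells[0], "status": cells[1],
                     "threat": cells[2], "date_added": cells[3]})
    return rows


def ioc_hostnames(rows, active_only: bool = True) -> list:
    """Return the sorted, lowercase hostnames (no port, no path) of the IOC URLs."""
    hosts = set()
    for row in rows:
        if active_only and row["status"] != "online":
            continue
        host = urlsplit(refang(row["url"])).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def kql_dynamic_list(hosts) -> str:
    """Render the KQL 'let' statement shared by both hunting queries."""
    quoted = ", ".join(f'"{h}"' for h in hosts)
    return f"let malicious_domains = dynamic([{quoted}]);"


def is_ioc_host(observed_host: str, hosts, allowlist=()) -> bool:
    """Exact, case-insensitive hostname match against the IOC list.

    A trailing dot (as seen in some DNS logs) is stripped, and any host on the
    exact-host allowlist is never reported, so benign infrastructure can be
    excluded without falling back to substring matching on parent domains.
    """
    h = observed_host.strip().rstrip(".").lower()
    if h in {a.lower() for a in allowlist}:
        return False
    return h in set(hosts)


if __name__ == "__main__":
    rows = parse_ioc_table(IOC_TABLE)
    active = ioc_hostnames(rows)
    print(kql_dynamic_list(active))
    for seen in ("PDS6ZJWN.rentcad.in.net.", "rentcad.in.net", "ejm0c.sasdherk.in.net"):
        print(seen, "->", is_ioc_host(seen, active))
```

Paste the printed `let` line over the one in each query whenever the IOC table is refreshed. The matcher deliberately compares whole hostnames rather than testing whether an observed host ends with a parent domain such as `in.net`, because that broader match is exactly what produces the false positives the exclusion scenarios below describe.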
Scenario: Legitimate URL shortening service usage
Description: Employees use URL shortening services like Bitly or TinyURL for internal documentation or sharing links. These URLs may be flagged as malicious if they match patterns in the ClearFake list.
Filter/Exclusion: Exclude URLs that resolve to known shortening services (e.g., bit.ly, tinyurl.com) or use a custom domain registered by the organization.
Scenario: Scheduled system updates via internal repository
Description: The enterprise runs scheduled system updates using a private repository (e.g., yum update or apt update), which may include URLs that resemble malicious domains.
Filter/Exclusion: Exclude URLs that match internal update servers (e.g., internal-repo.example.com, repo.example.com) or are part of known update mechanisms.
Scenario: Admin task for malware analysis
Description: Security analysts manually download malware samples from internal sandboxes (e.g., Cuckoo Sandbox) or threat intelligence platforms (e.g., VirusTotal), which may trigger the rule due to similar domain structures.
Filter/Exclusion: Exclude URLs that contain known sandbox or analysis platforms (e.g., sandbox.example.com, virus.total) or are associated with internal threat intel tools.
Scenario: Legitimate cloud storage link sharing
Description: Users share files via cloud storage services like Google Drive or Dropbox using direct links, which may be flagged due to URL structure similarities with malicious domains.
Filter/Exclusion: Exclude URLs that contain known cloud storage domains (e.g., drive.google.com, dropbox.com) or are part of internal file-sharing policies.
Scenario: Automated log collection from third-party services
Description: Log aggregation tools like Splunk or ELK stack may collect logs from third-party services (e.g., Cloud