The detection identifies potential ClearFake malicious URLs that adversaries may use to deliver malware or phishing payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to disrupt adversary campaigns and protect user endpoints before significant damage occurs.
IOC Summary
Threat: ClearFake
Total URLs: 12
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://w18yfaze.yekbetiran.com/?ublib=d8bb903c-9c39-49f5-8442-c3bfb19425dd | offline | malware_download | 2026-06-09 |
| hxxps://zlbcjre.wrfc8.com/39c740be-8d6a-424b-8dc0-f7e2101520ec | offline | malware_download | 2026-06-09 |
| hxxps://gfmuomz.pinbahiis.com/f8ddbcd6-75e1-4339-b3c3-e8cddeef7ed0 | offline | malware_download | 2026-06-09 |
| hxxps://jbwjdp.rial.bet/2624e321-771c-4fb3-bcc8-cfcd27b89afc | offline | malware_download | 2026-06-09 |
| hxxps://salppir.red90.casino/47c8a229-b46a-43b7-8ac4-9173a4ac9d5d | offline | malware_download | 2026-06-09 |
| hxxps://whyldsf.rc395.com/83c2ad72-0a43-40fd-a729-6c9afe24cf65 | offline | malware_download | 2026-06-09 |
| hxxps://e3giv37r.pokerpars.poker/?ublib=4df9d346-ce49-486b-8b7a-4c2087cd8f89 | offline | malware_download | 2026-06-09 |
| hxxps://xwwitjs.rayonbet.com/5e565f30-6b82-4f4b-94d0-1d30c4d9b952 | offline | malware_download | 2026-06-09 |
| hxxps://demfmb.restaurantguideaarhus.com/0de789be-5fb4-489b-8d8c-ed7d86ef8f64 | offline | malware_download | 2026-06-09 |
| hxxps://gwjjko.onlineshart.com/651872e1-b1e3-40fe-b5c5-c7ebf5606378 | offline | malware_download | 2026-06-09 |
| hxxps://gyayod.pishbinisite.com/cd0aa4a3-065d-484a-98b3-9b525437ebed | offline | malware_download | 2026-06-09 |
| hxxps://gdenwcw.rabonaabet.com/9eb34cf2-5092-4f61-ab95-79609a94c94e | offline | malware_download | 2026-06-09 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["gdenwcw.rabonaabet.com", "demfmb.restaurantguideaarhus.com", "jbwjdp.rial.bet", "e3giv37r.pokerpars.poker", "gwjjko.onlineshart.com", "salppir.red90.casino", "xwwitjs.rayonbet.com", "gyayod.pishbinisite.com", "w18yfaze.yekbetiran.com", "zlbcjre.wrfc8.com", "whyldsf.rc395.com", "gfmuomz.pinbahiis.com"]);
DnsEvents
// has_any is a term match, so queries for the listed hosts (and their subdomains) are caught
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["gdenwcw.rabonaabet.com", "demfmb.restaurantguideaarhus.com", "jbwjdp.rial.bet", "e3giv37r.pokerpars.poker", "gwjjko.onlineshart.com", "salppir.red90.casino", "xwwitjs.rayonbet.com", "gyayod.pishbinisite.com", "w18yfaze.yekbetiran.com", "zlbcjre.wrfc8.com", "whyldsf.rc395.com", "gfmuomz.pinbahiis.com"]);
CommonSecurityLog
// check both the full request URL and the resolved destination host, since proxies populate them differently
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
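The two hunting queries above match on the hostname, not the full defanged URL, so the IOC table has to be converted before it can be pasted into the `let` statement. The following Python helper is an added example, not code from the page or from URLhaus: it refangs `hxxps://` URLs, extracts the hostname, renders the same `dynamic([...])` list the queries use, and runs a host-or-subdomain match over a few constructed DNS log lines (the three-column log format and the workstation names are assumptions for the demo).

```python
import re
from urllib.parse import urlsplit

# Constructed sample: three defanged URLs in the same "hxxps://" form as the IOC table.
DEFANGED_IOCS = [
    "hxxps://w18yfaze.yekbetiran.com/?ublib=d8bb903c-9c39-49f5-8442-c3bfb19425dd",
    "hxxps://zlbcjre.wrfc8.com/39c740be-8d6a-424b-8dc0-f7e2101520ec",
    "hxxps://jbwjdp.rial.bet/2624e321-771c-4fb3-bcc8-cfcd27b89afc",
]


def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> ., [:] -> :) and nothing else."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def extract_domain(defanged_url: str) -> str:
    """Return the lowercase hostname of a defanged URL (the value the KQL list needs)."""
    host = urlsplit(refang(defanged_url)).hostname
    if not host:
        raise ValueError(f"no hostname in {defanged_url!r}")
    return host.lower()


def build_kql_let(domains) -> str:
    """Render a KQL `let` statement in the same shape as the hunting queries."""
    quoted = ", ".join(f'"{d}"' for d in sorted(set(domains)))
    return f"let malicious_domains = dynamic([{quoted}]);"


# Constructed DNS log lines (assumed format): "<timestamp> <workstation> <queried name>".
# Line 3 is a subdomain of an IOC host; line 4 is a look-alike that must NOT match.
SAMPLE_DNS_LOG = """\
2026-06-09T10:01:02Z ws-0142 zlbcjre.wrfc8.com
2026-06-09T10:01:05Z ws-0142 login.microsoftonline.com
2026-06-09T10:02:11Z ws-0077 cdn.jbwjdp.rial.bet
2026-06-09T10:02:30Z ws-0077 notjbwjdp.rial.bet.example.org
"""


def matches_domain(name: str, domain: str) -> bool:
    """True for the exact host or any subdomain of it; a plain substring test would also
    accept look-alikes such as 'notjbwjdp.rial.bet.example.org'."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def hunt_dns_log(log_text: str, domains) -> list:
    """Return (timestamp, workstation, queried name) for every line that hits an IOC host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing the whole hunt
        ts, workstation, qname = parts
        if any(matches_domain(qname, d) for d in domains):
            hits.append((ts, workstation, qname))
    return hits


if __name__ == "__main__":
    domains = [extract_domain(u) for u in DEFANGED_IOCS]
    print(build_kql_let(domains))
    for hit in hunt_dns_log(SAMPLE_DNS_LOG, domains):
        print("HIT", *hit)
```

Run it as a script to print the `let` line ready for the Sentinel query editor and the two matching log lines. The matcher deliberately requires an exact host or a subdomain, which is stricter than a substring check; KQL `has_any` is term-based, so both approaches reject the look-alike host in the sample, but the Python version makes the rule explicit when triaging exported logs offline.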
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator manually enters a ClearFake URL into a ticketing system (e.g., ServiceNow) to test a phishing response drill.
Filter/Exclusion: Exclude URLs that match known internal ticketing system domains or use a field like url.contains("service-now.com") or url.contains("test-phishing").
Scenario: A scheduled job runs a script that downloads a ClearFake URL as part of a malware analysis setup (e.g., using Cuckoo Sandbox or VirusTotal API).
Filter/Exclusion: Exclude URLs that are part of known sandboxing or analysis platforms (e.g., url.contains("cuckoo"), url.contains("virustotal"), or url.contains("sandbox")).
Scenario: A developer uses a ClearFake URL in a test environment to simulate a phishing attack for security training purposes (e.g., using Metasploit or a custom training tool).
Filter/Exclusion: Exclude URLs that include specific test environment domains (e.g., url.contains("training.example.com"), url.contains("phishing-test"), or url.contains("metasploit")).
Scenario: A backup or sync job (e.g., using rsync or Rclone) temporarily stores a ClearFake URL in a log file or configuration as part of a script execution.
Filter/Exclusion: Exclude URLs that appear in backup or sync job logs (e.g., url.contains("rsync"), url.contains("rclone"), or url.contains("backup")).
Scenario: A user clicks on a ClearFake URL in an internal email that was sent as part of a legitimate security awareness campaign (e.g., using Microsoft 365’s phishing simulation tool).
Filter/Exclusion: Exclude URLs that match internal security awareness domains (e.g., `url.contains