This hunt hypothesis covers adversaries who use ClearFake malicious URLs to deliver payloads, relying on compromised or deceptive links to compromise endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel so that initial access and lateral movement can be identified and mitigated early in the attack lifecycle.
IOC Summary
Threat: ClearFake. Total URLs: 51. Active URLs: 37.
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["dbinst.pano2vor.lat", "srcget.sali8mor.lat", "comweb.pavi1xen.lat", "syncit.pavi1xen.lat", "apidoc.pano2vor.lat", "pkgrun.sali8mor.lat", "metalt.pano2vor.lat", "modbus.sali8mor.lat", "uidmap.thora5ven.lat", "osbase.pano2vor.lat", "domreg.telo5reth.lat", "libsys.nira6qen.lat", "autbox.pavi1xen.lat", "envset.grov6lira.lat", "ftpsrv.nira6qen.lat", "zipark.nira6qen.lat", "doclab.grov6lira.lat", "extnet.telo5reth.lat", "pwrlog.telo5reth.lat", "srcget.telo5reth.lat", "refid.brix9mira.lat", "ioflow.pavi1xen.lat", "refid.pavi1xen.lat", "uidmap.nira6qen.lat", "jobadm.nira6qen.lat", "pkgrun.telo5reth.lat", "extnet.sali8mor.lat", "pwrlog.sali8mor.lat", "modbus.telo5reth.lat", "autbox.brix9mira.lat"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["dbinst.pano2vor.lat", "srcget.sali8mor.lat", "comweb.pavi1xen.lat", "syncit.pavi1xen.lat", "apidoc.pano2vor.lat", "pkgrun.sali8mor.lat", "metalt.pano2vor.lat", "modbus.sali8mor.lat", "uidmap.thora5ven.lat", "osbase.pano2vor.lat", "domreg.telo5reth.lat", "libsys.nira6qen.lat", "autbox.pavi1xen.lat", "envset.grov6lira.lat", "ftpsrv.nira6qen.lat", "zipark.nira6qen.lat", "doclab.grov6lira.lat", "extnet.telo5reth.lat", "pwrlog.telo5reth.lat", "srcget.telo5reth.lat", "refid.brix9mira.lat", "ioflow.pavi1xen.lat", "refid.pavi1xen.lat", "uidmap.nira6qen.lat", "jobadm.nira6qen.lat", "pkgrun.telo5reth.lat", "extnet.sali8mor.lat", "pwrlog.sali8mor.lat", "modbus.telo5reth.lat", "autbox.brix9mira.lat"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False-positive scenarios and the exclusions to apply for each:

- Scenario: A system administrator is manually testing a ClearFake URL as part of a security training exercise.
  Filter/Exclusion: Exclude URLs containing the string "training-url" or "security-test" in the URL path or query parameters.
- Scenario: A scheduled job runs a script that downloads and processes a list of URLs from a legitimate threat intelligence feed, including ClearFake URLs.
  Filter/Exclusion: Exclude URLs that match the domain "threatintel.example.com" or any of its subdomains.
- Scenario: A user is accessing a legitimate internal portal that uses a ClearFake URL for authentication purposes (e.g., https://auth.clearfake.com/login).
  Filter/Exclusion: Exclude URLs that match the domain "auth.clearfake.com" or any of its subdomains.
- Scenario: A DevOps team is deploying a CI/CD pipeline that includes a test URL for validating API endpoints, which is tagged as ClearFake.
  Filter/Exclusion: Exclude URLs that contain the path /ci-cd-test or the query parameter ?env=test.
- Scenario: A security tool (e.g., CrowdStrike Falcon) is configured to use a ClearFake URL for internal communication with the cloud service.
  Filter/Exclusion: Exclude URLs that match the domain "falcon.clearfake.com" or any of its subdomains.
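As an added example (not part of the original hunt), the two queries above folded into one tuned hunt: it unions DNS and proxy/firewall hits for the same domain list, applies the exclusions from the scenarios in this section, and summarizes per host so a hunter sees first/last seen and which data sources fired. It assumes the standard DnsEvents and CommonSecurityLog schemas and treats the exclusion domains and path markers named above as organization-specific placeholders.

```kql
// Added example: tuned ClearFake hunt across DnsEvents and CommonSecurityLog.
// Assumes standard Sentinel schemas; exclusion values are the placeholders from this page.
let lookback = 7d;
let malicious_domains = dynamic(["dbinst.pano2vor.lat", "srcget.sali8mor.lat", "comweb.pavi1xen.lat", "syncit.pavi1xen.lat", "apidoc.pano2vor.lat", "pkgrun.sali8mor.lat", "metalt.pano2vor.lat", "modbus.sali8mor.lat", "uidmap.thora5ven.lat", "osbase.pano2vor.lat", "domreg.telo5reth.lat", "libsys.nira6qen.lat", "autbox.pavi1xen.lat", "envset.grov6lira.lat", "ftpsrv.nira6qen.lat", "zipark.nira6qen.lat", "doclab.grov6lira.lat", "extnet.telo5reth.lat", "pwrlog.telo5reth.lat", "srcget.telo5reth.lat", "refid.brix9mira.lat", "ioflow.pavi1xen.lat", "refid.pavi1xen.lat", "uidmap.nira6qen.lat", "jobadm.nira6qen.lat", "pkgrun.telo5reth.lat", "extnet.sali8mor.lat", "pwrlog.sali8mor.lat", "modbus.telo5reth.lat", "autbox.brix9mira.lat"]);
// Domain exclusions from the false-positive scenarios (has_any also matches subdomains as terms)
let excluded_domains = dynamic(["threatintel.example.com", "auth.clearfake.com", "falcon.clearfake.com"]);
// Path/query markers from the false-positive scenarios, matched case-insensitively
let excluded_path_regex = @"(?i)(training-url|security-test|/ci-cd-test|env=test)";
let dns_hits =
    DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (malicious_domains)
    | where not(Name has_any (excluded_domains))
    | extend Source = "DnsEvents", Host = Computer, Indicator = Name, Action = ""
    | project TimeGenerated, Source, Host, Indicator, Action;
let web_hits =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
    // Drop the documented benign cases before counting
    | where not(DestinationHostName has_any (excluded_domains))
    | where not(RequestURL has_any (excluded_domains))
    | where not(RequestURL matches regex excluded_path_regex)
    | extend Source = "CommonSecurityLog", Host = SourceIP,
             Indicator = coalesce(RequestURL, DestinationHostName), Action = DeviceAction
    | project TimeGenerated, Source, Host, Indicator, Action;
union dns_hits, web_hits
// One row per host: when it started, when it was last seen, which sources fired, sample indicators
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Sources = make_set(Source), Indicators = make_set(Indicator, 10),
            Actions = make_set(Action) by Host
| order by LastSeen desc
```

A host whose Sources contains both tables, or whose Actions show an "allow" from the proxy, should be prioritized over a DNS-only resolution with no follow-on connection.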