The hypothesis is that the detected URLs are part of a ClearFake campaign, which uses deceptive URLs to trick users into downloading malicious payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential phishing or credential theft attacks before they lead to data exfiltration or system compromise.
IOC Summary
Threat: ClearFake
Total URLs: 6
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://jtnvsfr.notjustsquare.com/0f47e297-e227-475d-a9bb-c9e848cf09fe | offline | malware_download | 2026-05-31 |
| hxxps://dlacbhw.nonamejustsoul.com/5032e3d7-eed4-4a97-8ddf-91e1befb53cf | offline | malware_download | 2026-05-31 |
| hxxps://rpcmwsz.muveszetiirasok.hu/bbb0fd91-83cd-44ac-8f90-f8a0492e532c | offline | malware_download | 2026-05-31 |
| hxxps://czf2txr8.asion.gr/?ublib=9b8a35eb-3fda-4255-9d71-ed44ff8727db | offline | malware_download | 2026-05-31 |
| hxxps://saprwbu.lavorcollective.com/d60b06b9-01e2-4001-9053-045433c15d05 | offline | malware_download | 2026-05-31 |
| hxxps://batmemo.kreativkiteljesedes.hu/b899fd1e-3b5c-4303-97ed-838740d8bf49 | offline | malware_download | 2026-05-31 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["czf2txr8.asion.gr", "rpcmwsz.muveszetiirasok.hu", "jtnvsfr.notjustsquare.com", "dlacbhw.nonamejustsoul.com", "saprwbu.lavorcollective.com", "batmemo.kreativkiteljesedes.hu"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["czf2txr8.asion.gr", "rpcmwsz.muveszetiirasok.hu", "jtnvsfr.notjustsquare.com", "dlacbhw.nonamejustsoul.com", "saprwbu.lavorcollective.com", "batmemo.kreativkiteljesedes.hu"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

| Scenario | Filter/Exclusion |
|---|---|
| A system administrator manually enters a ClearFake URL into a ticketing system (e.g., Jira) to test a phishing simulation. | Exclude URLs containing the string phishing-sim or test-url in the URL or associated metadata. |
| A scheduled job (e.g., cron job or Windows Task Scheduler) runs a script that downloads a ClearFake URL as part of a software update or patching process. | Exclude URLs that match known update servers (e.g., updates.examplecorp.com) or contain the substring update in the URL path. |
| A developer uses a ClearFake URL in a local development environment to simulate a malicious attack for security testing (e.g., using Burp Suite or OWASP ZAP). | Exclude URLs that originate from local IP ranges (e.g., 127.0.0.1, 192.168.x.x) or contain the substring dev or local in the domain. |
| A security team uses a ClearFake URL in a training exercise to demonstrate how attackers might use such URLs (e.g., using Metasploit or a custom phishing tool). | Exclude URLs that are tagged with training or demo in the source system or that match a predefined list of training URLs. |
| A system runs a legitimate tool (e.g., wget or curl) that is configured to fetch a ClearFake URL as part of a configuration or dependency check. | Exclude URLs that match known internal tooling URLs (e.g., internal-tools.example.com) or that include the substring config or dependency in the path. |
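The two hunts above combined into one triage query with the exclusions from the false-positive table applied, as an added example that is not part of the original page. It unions the DNS and proxy hits onto common columns, drops hits carrying the simulation/training tags or known internal hosts, and scopes the "local IP" exclusion to an assumed lab subnet (192.168.50.0/24, a placeholder) rather than to all private address space, since ordinary workstations also carry private addresses and excluding them all would hide real hits.

```kusto
// Added example: both ClearFake hunts as one query, with the page's exclusions applied.
let malicious_domains = dynamic(["czf2txr8.asion.gr", "rpcmwsz.muveszetiirasok.hu", "jtnvsfr.notjustsquare.com", "dlacbhw.nonamejustsoul.com", "saprwbu.lavorcollective.com", "batmemo.kreativkiteljesedes.hu"]);
// Tags and hosts taken from the false-positive table. The bare words update/config/dependency
// are deliberately not used: a common word in an attacker-chosen URL path would silence the hunt.
let benign_tags = dynamic(["phishing-sim", "test-url", "training", "demo"]);
let internal_hosts = dynamic(["updates.examplecorp.com", "internal-tools.example.com"]);
// Assumed lab/dev subnet (placeholder value): only traffic from here is treated as security testing.
let lab_subnet = "192.168.50.0/24";
let dns_hits = DnsEvents
    | where Name has_any (malicious_domains)
    | project TimeGenerated, Source = "DnsEvents", Host = Computer, ClientIP,
              Indicator = Name, DeviceAction = "";
let web_hits = CommonSecurityLog
    | where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
    | project TimeGenerated, Source = "CommonSecurityLog", Host = Computer, ClientIP = SourceIP,
              Indicator = coalesce(RequestURL, DestinationHostName), DeviceAction;
union dns_hits, web_hits
// ipv4_is_in_range() returns null for an empty or unparsable address; coalesce keeps those rows.
| where not(coalesce(ipv4_is_in_range(ClientIP, lab_subnet), false))
| where not(Indicator has_any (benign_tags))      // tagged simulation/training URLs
| where not(Indicator has_any (internal_hosts))   // known internal update/tooling hosts
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Indicators = make_set(Indicator, 10), Sources = make_set(Source),
            Actions = make_set(DeviceAction)
    by Host, ClientIP
| order by LastSeen desc
```

A host that appears in both Sources (DNS resolution followed by a proxy request) is the one to look at first; a DNS-only hit with no matching web request is often a blocked or sinkholed lookup, which the Actions column from the proxy log will confirm.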