The hypothesis is that the detected URLs are part of a ClearFake campaign, which uses deceptive URLs to trick users into downloading malicious payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential phishing or credential theft attacks before they lead to data exfiltration or system compromise.
IOC Summary
- Threat: ClearFake
- Total URLs: 5
- Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://gfrewds.bet-303.fun/bd35b151-9cb3-4f1e-bbbb-1a138960122f | offline | malware_download | 2026-06-03 |
| hxxps://6aq224cu.luxerabet100.com/?ublib=86870b7b-9ec0-4f7c-8f11-c976253eacae | offline | malware_download | 2026-06-03 |
| hxxps://sun8i9tk.luxerabet1000.com/?ublib=a1c06776-93cd-4c78-b58c-106f92ed1e36 | offline | malware_download | 2026-06-03 |
| hxxps://yzqawgz5.7lf.net/?ublib=88ae429b-ae05-49e1-be3b-5cb46877860d | offline | malware_download | 2026-06-03 |
| hxxps://vrlh0wdy.eutoor.com/?ublib=f4b6ae9a-3188-4f9d-b9c0-dfb6150af676 | offline | malware_download | 2026-06-03 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["gfrewds.bet-303.fun", "yzqawgz5.7lf.net", "vrlh0wdy.eutoor.com", "6aq224cu.luxerabet100.com", "sun8i9tk.luxerabet1000.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["gfrewds.bet-303.fun", "yzqawgz5.7lf.net", "vrlh0wdy.eutoor.com", "6aq224cu.luxerabet100.com", "sun8i9tk.luxerabet1000.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator manually enters a ClearFake URL into a ticketing system (e.g., Jira) to test a phishing simulation.
  Filter/Exclusion: Exclude URLs containing the string phishing-sim or test-phish in the URL or associated metadata.
- Scenario: A scheduled job runs a script that downloads a ClearFake URL as part of a security tool update (e.g., CrowdStrike Falcon or Microsoft Defender ATP).
  Filter/Exclusion: Exclude URLs that match known update or patch endpoints (e.g., https://*.microsoft.com/ or https://*.crowdstrike.com/).
- Scenario: A user clicks on a ClearFake URL shared in a legitimate internal communication tool (e.g., Microsoft Teams or Slack) during a security awareness training exercise.
  Filter/Exclusion: Exclude URLs that originate from internal domains (e.g., *.example.com) or contain training-related keywords like security-training or awareness.
- Scenario: A DevOps pipeline deploys a CI/CD tool (e.g., Jenkins, GitLab CI) that temporarily uses a ClearFake URL for a test environment.
  Filter/Exclusion: Exclude URLs that are part of CI/CD infrastructure (e.g., *.ci.example.com, *.dev.example.com) or match known CI/CD tool endpoints.
- Scenario: A system runs a scheduled PowerShell script (e.g., for log analysis) that uses a ClearFake URL as a test payload for a security tool (e.g., Splunk or ELK).
  Filter/Exclusion: Exclude URLs that include the string test-payload or are associated with internal security testing tools (e.g., *.splunk.com, *.elkstack.com).
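The following Python script is an added example, not part of the original hunt page or of any Sentinel content pack. It refangs the defanged URLhaus IOCs from the table above, derives the hostname list that the two KQL queries hard-code in `dynamic()`, runs the same hostname match over a few constructed DnsEvents and CommonSecurityLog style records, and applies the exclusion ideas from the false-positive scenarios (internal domain suffix, test/training keywords) before a record counts as a hit. The `.example.com` suffix and the keyword list are assumptions taken from the page's own placeholders; the sample records are constructed, not real telemetry.

```python
"""Offline replay of the ClearFake IOC hunt with the page's exclusions applied."""
import re
from urllib.parse import urlparse

# Defanged IOCs copied from the IOC table on the page.
DEFANGED_IOCS = [
    "hxxps://gfrewds.bet-303.fun/bd35b151-9cb3-4f1e-bbbb-1a138960122f",
    "hxxps://6aq224cu.luxerabet100.com/?ublib=86870b7b-9ec0-4f7c-8f11-c976253eacae",
    "hxxps://sun8i9tk.luxerabet1000.com/?ublib=a1c06776-93cd-4c78-b58c-106f92ed1e36",
    "hxxps://yzqawgz5.7lf.net/?ublib=88ae429b-ae05-49e1-be3b-5cb46877860d",
    "hxxps://vrlh0wdy.eutoor.com/?ublib=f4b6ae9a-3188-4f9d-b9c0-dfb6150af676",
]

# Exclusions mirroring the false-positive scenarios. Assumed values: the
# page uses *.example.com as its internal-domain placeholder.
INTERNAL_SUFFIXES = (".example.com",)
TEST_KEYWORDS = ("phishing-sim", "test-phish", "security-training", "awareness", "test-payload")


def refang(url):
    """Turn a defanged URL (hxxp(s)://, [.] and [:]) back into a real URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def malicious_domains(iocs=DEFANGED_IOCS):
    """Hostnames to hunt for: the equivalent of the KQL dynamic() list."""
    return {urlparse(refang(u)).hostname for u in iocs}


def host_of(value):
    """Hostname from a URL or a bare hostname field (DnsEvents.Name, RequestURL)."""
    value = str(value).strip().lower()
    if "://" in value:
        return urlparse(value).hostname or ""
    return value.split("/")[0]


def matches_ioc(host, domains):
    """Exact or subdomain match, close to what has_any gives on a hostname term."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_excluded(record):
    """Apply the page's exclusion scenarios to one record."""
    blob = " ".join(str(v) for v in record.values()).lower()
    if any(k in blob for k in TEST_KEYWORDS):
        return True
    hosts = {host_of(record.get(f, "")) for f in ("Name", "RequestURL", "DestinationHostName")}
    return any(h.endswith(INTERNAL_SUFFIXES) for h in hosts if h)


def hunt(records, domains=None):
    """Return IOC hits that survive the exclusions, with the matched domain attached."""
    domains = malicious_domains() if domains is None else domains
    hits = []
    for rec in records:
        hosts = {host_of(rec.get(f, "")) for f in ("Name", "RequestURL", "DestinationHostName")}
        matched = sorted(h for h in hosts if h and matches_ioc(h, domains))
        if matched and not is_excluded(rec):
            hits.append({**rec, "MatchedDomain": matched[0]})
    return hits


# Constructed sample records (not real telemetry) in the shape of the two tables.
SAMPLE_RECORDS = [
    {"Table": "DnsEvents", "TimeGenerated": "2026-06-03T08:01:12Z", "Computer": "ws-017",
     "Name": "gfrewds.bet-303.fun", "IPAddresses": "203.0.113.10"},
    {"Table": "DnsEvents", "TimeGenerated": "2026-06-03T08:02:40Z", "Computer": "ws-022",
     "Name": "cdn.example.com", "IPAddresses": "198.51.100.5"},
    {"Table": "CommonSecurityLog", "TimeGenerated": "2026-06-03T08:05:03Z", "SourceIP": "10.0.4.21",
     "RequestURL": "https://6aq224cu.luxerabet100.com/?ublib=86870b7b-9ec0-4f7c-8f11-c976253eacae",
     "DestinationHostName": "6aq224cu.luxerabet100.com", "DeviceAction": "allowed"},
    {"Table": "CommonSecurityLog", "TimeGenerated": "2026-06-03T08:06:10Z", "SourceIP": "10.0.9.3",
     "RequestURL": "https://yzqawgz5.7lf.net/?ublib=88ae429b-ae05-49e1-be3b-5cb46877860d",
     "DestinationHostName": "yzqawgz5.7lf.net", "DeviceAction": "blocked",
     "AdditionalExtensions": "campaign=security-training"},
    {"Table": "CommonSecurityLog", "TimeGenerated": "2026-06-03T08:07:55Z", "SourceIP": "10.0.4.21",
     "RequestURL": "https://update.microsoft.com/", "DestinationHostName": "update.microsoft.com",
     "DeviceAction": "allowed"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit["Table"], hit["TimeGenerated"], hit["MatchedDomain"], hit.get("DeviceAction", ""))
```

Two of the five constructed records survive: the DNS lookup of gfrewds.bet-303.fun and the allowed proxy request to 6aq224cu.luxerabet100.com. The blocked request to yzqawgz5.7lf.net is dropped only because its metadata carries the security-training keyword, which is the kind of exclusion worth reviewing periodically, since an attacker-controlled string in a log field should not by itself silence a hit.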