Adversaries may use the infrastructure behind these ClearFake IOCs to exfiltrate data or establish command and control, and may leverage compromised credentials to move laterally within the network. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate potential advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: ClearFake
Total IOCs: 22
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | bots-unical-resource-platform.garden | payload_delivery | 2026-05-17 | 100% |
| domain | 4getd0km.script-matrix.digital | payload_delivery | 2026-05-17 | 100% |
| domain | i4sw7fe8.script-matrix.digital | payload_delivery | 2026-05-17 | 100% |
| domain | shells-garden-framework.garden | payload_delivery | 2026-05-17 | 100% |
| domain | wild-flora-processing-go-system.garden | payload_delivery | 2026-05-17 | 100% |
| domain | got-flexl-distrib-engine.garden | payload_delivery | 2026-05-17 | 100% |
| domain | flow-hub-green-house-work.garden | payload_delivery | 2026-05-17 | 100% |
| domain | wildfloraprocessingsystem.garden | payload_delivery | 2026-05-17 | 100% |
| domain | petal-distribution-engine.garden | payload_delivery | 2026-05-17 | 100% |
| domain | 2b7f1jfa.cloud-forge.digital | payload_delivery | 2026-05-17 | 100% |
| domain | u9n82l2u.cloud-forge.digital | payload_delivery | 2026-05-17 | 100% |
| domain | cloud-forge.digital | payload_delivery | 2026-05-17 | 100% |
| domain | irrigation-control-network.garden | payload_delivery | 2026-05-17 | 100% |
| domain | greenhouseworkflowhub.garden | payload_delivery | 2026-05-17 | 100% |
| domain | distributed-garden-framework.garden | payload_delivery | 2026-05-17 | 100% |
| domain | botanicalresourceplatform.garden | payload_delivery | 2026-05-17 | 100% |
| domain | forgotten-civilization-myth.garden | payload_delivery | 2026-05-17 | 100% |
| domain | 5kcblo2z.logic-sphere.digital | payload_delivery | 2026-05-17 | 100% |
| domain | ba5ufc2h.logic-sphere.digital | payload_delivery | 2026-05-17 | 100% |
| domain | logic-sphere.digital | payload_delivery | 2026-05-17 | 100% |
| domain | perfect-lasagna-layer.garden | payload_delivery | 2026-05-17 | 100% |
| domain | glacial-ice-core-sample.garden | payload_delivery | 2026-05-17 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
// Note: has_any is a term-based match, so an apex IOC such as cloud-forge.digital
// also matches queries for its subdomains (e.g. u9n82l2u.cloud-forge.digital).
let malicious_domains = dynamic(["bots-unical-resource-platform.garden", "4getd0km.script-matrix.digital", "i4sw7fe8.script-matrix.digital", "shells-garden-framework.garden", "wild-flora-processing-go-system.garden", "got-flexl-distrib-engine.garden", "flow-hub-green-house-work.garden", "wildfloraprocessingsystem.garden", "petal-distribution-engine.garden", "2b7f1jfa.cloud-forge.digital", "u9n82l2u.cloud-forge.digital", "cloud-forge.digital", "irrigation-control-network.garden", "greenhouseworkflowhub.garden", "distributed-garden-framework.garden", "botanicalresourceplatform.garden", "forgotten-civilization-myth.garden", "5kcblo2z.logic-sphere.digital", "ba5ufc2h.logic-sphere.digital", "logic-sphere.digital", "perfect-lasagna-layer.garden", "glacial-ice-core-sample.garden"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
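The Sentinel query above relies on `has_any`, which is a term-based match: it catches subdomains of an apex IOC such as cloud-forge.digital, but it also fires on any name that merely contains the IOC as a phrase. The following is an added example, not part of the original page or its query, showing how to match exported DNS query names against the IOC list label by label, so that subdomains of a listed domain are flagged while look-alike or differently-registered names are not. The IOC subset is taken from the table above; the `hunt` function, the CSV column layout and the log lines are constructed for illustration.

```python
"""Match DNS query names against ClearFake domain IOCs, label by label.

Added example (not from the original page or its Sentinel query). A query
name is a hit when it equals an IOC domain or is a subdomain of one; names
that only contain an IOC as a substring are ignored. Log lines are constructed.
"""
from typing import List, NamedTuple, Optional, Set

# Subset of the IOC table on the page (the full list has 22 domains).
CLEARFAKE_DOMAINS: Set[str] = {
    "cloud-forge.digital",
    "2b7f1jfa.cloud-forge.digital",
    "logic-sphere.digital",
    "perfect-lasagna-layer.garden",
    "glacial-ice-core-sample.garden",
}


class DnsHit(NamedTuple):
    time_generated: str
    computer: str
    name: str
    matched_ioc: str


def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot a resolver may append."""
    return name.strip().lower().rstrip(".")


def matching_ioc(name: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC that `name` equals or sits under, or None.

    Walks from the full name up through each parent domain (stopping before
    the bare TLD), so a.b.cloud-forge.digital matches the apex IOC
    cloud-forge.digital, while cloud-forge.digital.example.com (a different
    registrable domain) and notlogic-sphere.digital do not.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hunt(lines: List[str], iocs: Set[str] = CLEARFAKE_DOMAINS) -> List[DnsHit]:
    """Scan 'TimeGenerated,Computer,Name' CSV lines (constructed layout) for hits."""
    hits: List[DnsHit] = []
    for line in lines:
        if not line.strip() or line.startswith("TimeGenerated"):
            continue  # skip blank lines and the header row
        time_generated, computer, name = (f.strip() for f in line.split(",", 2))
        ioc = matching_ioc(name, iocs)
        if ioc is not None:
            hits.append(DnsHit(time_generated, computer, name, ioc))
    return hits


# Constructed sample export of a DnsEvents table; not real telemetry.
SAMPLE_DNS_LOG = [
    "TimeGenerated,Computer,Name",
    "2026-05-18T09:12:01Z,WS-0142,u9n82l2u.cloud-forge.digital",   # subdomain of apex IOC
    "2026-05-18T09:12:05Z,WS-0142,cdn.example.net",                 # benign
    "2026-05-18T09:13:40Z,SRV-DB01,perfect-lasagna-layer.garden.",  # exact IOC, trailing dot
    "2026-05-18T09:14:02Z,WS-0077,cloud-forge.digital.example.com", # IOC embedded in other domain
    "2026-05-18T09:15:30Z,WS-0077,notlogic-sphere.digital",         # look-alike, not a subdomain
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG):
        print(f"{hit.time_generated} {hit.computer} queried {hit.name} (IOC: {hit.matched_ioc})")
```

Run against the constructed sample, only the first and third data rows are reported; the substring-style look-alikes in rows four and five are not. The same label walk can be applied to the Sentinel results before raising an incident, to trim the extra hits the term-based `has_any` produces.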
False Positive Scenarios

Scenario: Legitimate System Maintenance Task
Description: A scheduled job runs ClearFake as part of a system cleanup or disk defragmentation process.
Filter/Exclusion: Exclude processes with CommandLine containing --system-maintenance or --cleanup.

Scenario: Admin Task Using ClearFake for File Analysis
Description: A system administrator uses ClearFake to analyze files for malware during a security audit.
Filter/Exclusion: Exclude processes initiated by users with User field matching admin or security-team.

Scenario: Legitimate Log Parsing Tool
Description: The tool LogParser (Microsoft) is used to process log files, and its execution is mistakenly flagged by the rule.
Filter/Exclusion: Exclude processes with ProcessName equal to LogParser.exe or logparser.exe.

Scenario: Scheduled Job for Data Archiving
Description: A job runs ClearFake to archive old data, which is part of a regular data lifecycle management process.
Filter/Exclusion: Exclude processes with CommandLine containing --archive or --backup.

Scenario: False Positive from Third-Party Software
Description: A third-party application (e.g., DataCleaner Pro) includes ClearFake as part of its internal tooling.
Filter/Exclusion: Exclude processes where ParentProcessName is DataCleanerPro.exe or similar known legitimate software.