The ThreatFox: ClearFake IOCs rule detects potential adversary activity linked to the ClearFake malware, which is associated with credential theft and lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises from advanced persistent threats.
IOC Summary

Malware Family: ClearFake
Total IOCs: 64
IOC Types: url, domain
Hunting Queries

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["graphnewclass.christmas", "6jcrkuht.container-beacon.digital", "qre50p47.container-beacon.digital", "fikvjna5.telemetry-orbit.digital", "icu29m01.telemetry-orbit.digital", "tuplediskdkey.christmas", "busbytesadd.christmas", "boblegvlist.christmas", "hasvideoproxy.christmas", "td5323u3.primordialsoupevolution.digital", "38p59cql.primordialsoupevolution.digital", "hasmysql.christmas", "okb0lvez.subdermalbiometricchip.digital", "gfwcy7xf.subdermalbiometricchip.digital", "regexcar.christmas", "telemetry-orbit.buzz", "abyssalkraken.fit", "chickencutlethacks.fit", "ntm4xnw3.renaissancefrescorestoration.digital", "3ldnpd9m.renaissancefrescorestoration.digital", "cyber-prosthetic.fit", "bakingstonetheory.fit", "orbital-velocity.fit", "u2fl6mod.stratosphericweatherballoon.digital", "qu66rw99.stratosphericweatherballoon.digital", "lasagnabakingsecrets.study", "mpvcbz.quantumvelocitylabs.study", "quantumvelocitylabs.study", "sdnzyq.botanical-control-system.garden", "lnkbci.botanical-control-system.garden", "botanical-control-system.garden", "icfzyz.distributedgrowthengine.garden", "uqhayg.distributedgrowthengine.garden", "wknzex.petalresourcehub.garden", "isyxgq.petalresourcehub.garden", "petalresourcehub.garden", "azktfv.wildflora-processing-network.garden", "fkqnwe.wildflora-processing-network.garden", "jalfms.gardenworkflowplatform.garden", "vsqeta.gardenworkflowplatform.garden", "microflora-management-hub.garden", "37lzounh.holographicprojectiongrid.digital", "xlua5r97.holographicprojectiongrid.digital", "holographicprojectiongrid.digital", "bloomdistributioncenter.garden", "gardeninfrastructurecore.garden", "ybhyrjaj.asynchronouswateringmesh.garden", "cqimainp.asynchronouswateringmesh.garden", "bedzvnbo.ecosystemresourceplatform.garden", "qztiboya.ecosystemresourceplatform.garden"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - ClearFake
let malicious_urls = dynamic(["https://gardeninfrastructurecore.garden/80ad8f13-a651-414f-8be5-0252e6fd5ad0/ggl.bsc"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
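The following Python matcher is an added example, not ThreatFox or Microsoft code: it applies the same two lookups offline to DnsEvents- and UrlClickEvents-shaped rows, normalizing case, trailing dots and defanged feed values, and it goes one step beyond the lists above by flagging unlisted labels under a listed apex domain at lower confidence (an assumption, explained in the comments). The IOC subset and the sample rows are constructed for the example.

```python
# Added example (not ThreatFox or Microsoft code); the IOC subset and sample rows are constructed.
from urllib.parse import urlparse

# Subset of the feed's domains and URL, copied from the query lists above.
IOC_DOMAINS = {"graphnewclass.christmas", "6jcrkuht.container-beacon.digital",
               "qre50p47.container-beacon.digital", "telemetry-orbit.buzz"}
IOC_URLS = {"hxxps://gardeninfrastructurecore.garden/80ad8f13-a651-414f-8be5-0252e6fd5ad0/ggl.bsc"}

def refang(value):
    """Undo feed defanging (hxxp -> http, [.] -> .) so values compare to raw telemetry."""
    return value.strip().replace("hxxp", "http").replace("[.]", ".")

def normalize_host(name):
    """Lowercase and drop the trailing dot some resolvers log ('EXAMPLE.COM.')."""
    return name.strip().lower().rstrip(".")

def apex(host):
    """Registrable domain. Assumption: these TLDs (.digital, .christmas, .buzz, ...) have no
    second-level public suffix, so the last two labels are the apex."""
    return ".".join(host.split(".")[-2:])

IOC_APEXES = {apex(d) for d in IOC_DOMAINS}

def match_dns(query_name):
    """('exact', ioc) for a listed hostname; ('apex', ioc) for an unlisted label under a listed
    apex (the feed's random *.container-beacon.digital labels suggest rotation, so this widens
    coverage at lower confidence); None otherwise."""
    host = normalize_host(query_name)
    if host in IOC_DOMAINS:
        return ("exact", host)
    if apex(host) in IOC_APEXES:
        return ("apex", apex(host))
    return None

def match_url(url):
    """('exact', ioc) when scheme, host and path match after refanging; query string ignored."""
    want = urlparse(refang(url))
    for ioc in IOC_URLS:
        have = urlparse(refang(ioc))
        if (want.scheme, want.netloc.lower(), want.path) == (have.scheme, have.netloc.lower(), have.path):
            return ("exact", ioc)
    return None

def hunt(dns_rows, url_rows):
    """Apply the matchers to DnsEvents- and UrlClickEvents-shaped dict rows; return (row, match) pairs."""
    dns_hits = [(r, match_dns(r["Name"])) for r in dns_rows]
    url_hits = [(r, match_url(r["Url"])) for r in url_rows]
    return [(r, m) for r, m in dns_hits + url_hits if m]
```

Treat 'apex' hits as leads to triage, not as confirmed matches: the feed only vouches for the exact hostnames it lists.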
Required Sentinel Tables

| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
False Positive Scenarios

1. Scenario: A system administrator is performing a scheduled system scan using Windows Defender or Microsoft Endpoint Detection and Response (EDR), which may trigger the detection of benign IOCs associated with ClearFake.
   Filter/Exclusion: Exclude processes related to Windows Defender or Microsoft Endpoint Protection using the process.name field.
2. Scenario: A PowerShell script is being run as part of a routine system maintenance task, such as disk cleanup or log rotation, and it includes legitimate IOCs that match the ClearFake IOC list.
   Filter/Exclusion: Exclude processes with script in the process.name field, or filter by process.parent.name to identify scheduled tasks or service-related processes.
3. Scenario: A Windows Task Scheduler job is executing a legitimate backup tool such as Veeam or Acronis, which may have network activity that coincides with the ClearFake IOC list.
   Filter/Exclusion: Exclude tasks associated with Task Scheduler, or filter by process.parent.name containing TaskScheduler.
4. Scenario: A system update or patching tool such as Windows Update or Chocolatey is running, and its network traffic includes IOCs that match the ClearFake list.
   Filter/Exclusion: Exclude processes related to Windows Update or Chocolatey using the process.name field.
5. Scenario: An IT security tool such as CrowdStrike or SentinelOne is performing a threat intelligence lookup, which may result in matching ClearFake IOCs during a legitimate security investigation.
   Filter/Exclusion: Exclude processes related to security tools such as CrowdStrike or SentinelOne using the process.name or process.parent.name field.