The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake threat group by matching DNS query names against known malicious indicators. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be using these IOCs to exfiltrate data or establish command and control.
IOC Summary
Malware Family: ClearFake
Total IOCs: 46
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | obese-uzousweb-play.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | lyapissvebechkopassword.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | handout-voivodeshiplink.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | 5zcnyldj.unp2idvalk.digital | payload_delivery | 2026-05-13 | 100% |
| domain | accoun-table-unleash-soft.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | sub-substituteunfeignedflash.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | cherish-cultscreencard.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | eaglefungustourismscreen.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | cafe-club-oracle-card.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | containerfabric.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | prime-object-container-task-archive.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | secure-remote-access-method-file.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | virtual-compute-engine-template-doc.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | backup-terminal-gateway-handle-list.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | active-instance-registry-support-index.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | distributed-source-element-package-site.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | enterprise-solution-buffer-utility-log.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | root-directory-repository-process-vault.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | cluster-module-deployment-standard-map.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | pro-architecture-engineering-vault-info.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | contactdisrupwhite.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | quart-rantman.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | snooze-wontdrama.wiki | payload_delivery | 2026-05-13 | 100% |
| domain | miststarvationsify.wiki | payload_delivery | 2026-05-12 | 100% |
| domain | long-pescar.wiki | payload_delivery | 2026-05-12 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["obese-uzousweb-play.wiki", "lyapissvebechkopassword.wiki", "handout-voivodeshiplink.wiki", "5zcnyldj.unp2idvalk.digital", "accoun-table-unleash-soft.wiki", "sub-substituteunfeignedflash.wiki", "cherish-cultscreencard.wiki", "eaglefungustourismscreen.wiki", "cafe-club-oracle-card.wiki", "containerfabric.wiki", "prime-object-container-task-archive.wiki", "secure-remote-access-method-file.wiki", "virtual-compute-engine-template-doc.wiki", "backup-terminal-gateway-handle-list.wiki", "active-instance-registry-support-index.wiki", "distributed-source-element-package-site.wiki", "enterprise-solution-buffer-utility-log.wiki", "root-directory-repository-process-vault.wiki", "cluster-module-deployment-standard-map.wiki", "pro-architecture-engineering-vault-info.wiki", "contactdisrupwhite.wiki", "quart-rantman.wiki", "snooze-wontdrama.wiki", "miststarvationsify.wiki", "long-pescar.wiki", "glarsitttrain.wiki", "angelpatter.wiki", "girlytrans-fusion.wiki", "passoverphysiqclass.wiki", "ordersub-versive.wiki", "passwordweb.wiki", "laptoplink.wiki", "unitmemory.wiki", "softwarefile.wiki", "supplyflash.wiki", "screencard.wiki", "devmatrix.wiki", "qaff1aeg.chronicle5-diachiha.digital", "9nogvuq1.chronicle5-diachiha.digital", "cryptogrid.wiki", "byteforge.surf", "scriptmesh.surf", "codeframe.wiki", "stackforge.wiki", "7lqe804i.greyhounds1uidor.digital", "elbowfrisk.digital"]);
DnsEvents
// has_any matches the IOC as whole terms, so a query for a subdomain of a listed domain also matches
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Update via Chocolatey
Description: A system update using Chocolatey installs a package that coincidentally matches one of the ClearFake IOCs.
Filter/Exclusion: process.name != "choco.exe" or process.args !~ "install"
Scenario: Scheduled Job for Log Rotation
Description: A scheduled task runs a script that uses a tool (e.g., logrotate) which has a file path or command line argument matching a ClearFake IOC.
Filter/Exclusion: process.name != "logrotate" or file.path != "/usr/sbin/logrotate"
Scenario: Admin Task for Software Deployment
Description: An admin uses a tool like PDQ Deploy or Microsoft Endpoint Manager to deploy software, and the deployment script or package name matches a ClearFake IOC.
Filter/Exclusion: process.name != "PDQDeploy.exe" and process.name != "msiexec.exe"
Scenario: Legitimate Use of PowerShell for Configuration Management
Description: A PowerShell script (e.g., using PSConfig or DSC) is executed that contains a command or file path matching a ClearFake IOC.
Filter/Exclusion: process.name != "powershell.exe" or script.name != "PSConfig.ps1"
Scenario: Network Monitoring Tool Generating Alerts
Description: A network monitoring tool like Wireshark or tcpdump is used to capture traffic, and the captured data includes an IOC from the ClearFake list.
Filter/Exclusion: process.name != "tcpdump" and process.name != "wireshark"
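The hunt query above and the exclusion scenarios can be exercised offline before the rule is deployed. The following Python script is an added example, not part of the ThreatFox feed or the Sentinel rule: it loads a subset of the ClearFake domains from the IOC table, matches DnsEvents-style records the way the `has_any` clause does (the queried name equals an IOC or is a subdomain of one, never a plain substring hit), and applies an exclusion on the `Computer` field, since the DnsEvents query carries no process or file fields on which the scenario filters above could be evaluated. The record layout, the excluded host name and the sample events are constructed for the example.

```python
"""Offline check of DNS query records against the ClearFake domain IOCs.

Mirrors the Sentinel hunt: a DnsEvents-style record is a hit when its Name is
one of the IOC domains or a subdomain of one. Plain substring matching is
avoided on purpose: it would also flag unrelated names that merely contain an
IOC as text (for example "notpasswordweb.wiki").
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Subset of the IOC table above; the full rule carries all 46 domains.
CLEARFAKE_DOMAINS = [
    "obese-uzousweb-play.wiki",
    "passwordweb.wiki",
    "5zcnyldj.unp2idvalk.digital",
    "long-pescar.wiki",
]


def normalize(name: str) -> str:
    """Lowercase, trim whitespace and drop a trailing root dot ("foo.wiki." -> "foo.wiki")."""
    return name.strip().lower().rstrip(".")


IOC_SET = {normalize(d) for d in CLEARFAKE_DOMAINS}


def matched_ioc(name: str) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Candidates are built at label boundaries only, so "a.b.passwordweb.wiki"
    matches "passwordweb.wiki" while "notpasswordweb.wiki" does not.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_SET:
            return candidate
    return None


@dataclass(frozen=True)
class DnsEvent:
    """Minimal stand-in for a Sentinel DnsEvents row (assumed layout)."""
    time_generated: str
    computer: str
    name: str
    query_type: str


@dataclass(frozen=True)
class Hit:
    event: DnsEvent
    ioc: str


def hunt(events: Iterable[DnsEvent], excluded_computers: Iterable[str] = ()) -> List[Hit]:
    """Return hits newest first, skipping hosts on the exclusion list.

    The exclusion is keyed on Computer because that is a field the DNS query
    actually projects; a research sandbox that resolves these domains on
    purpose is the kind of host that belongs on it (assumed scenario).
    """
    excluded = {c.lower() for c in excluded_computers}
    hits: List[Hit] = []
    for ev in events:
        if ev.computer.lower() in excluded:
            continue
        ioc = matched_ioc(ev.name)
        if ioc is not None:
            hits.append(Hit(ev, ioc))
    hits.sort(key=lambda h: h.event.time_generated, reverse=True)
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    DnsEvent("2026-05-13T10:00:01Z", "WS-001", "www.passwordweb.wiki.", "A"),
    DnsEvent("2026-05-13T10:00:02Z", "WS-002", "notpasswordweb.wiki", "A"),
    DnsEvent("2026-05-13T10:00:03Z", "WS-003", "LONG-PESCAR.WIKI", "AAAA"),
    DnsEvent("2026-05-13T10:00:04Z", "SANDBOX-01", "obese-uzousweb-play.wiki", "A"),
    DnsEvent("2026-05-13T10:00:05Z", "WS-004", "example.com", "A"),
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS, excluded_computers={"SANDBOX-01"}):
        print(f"{h.event.time_generated} {h.event.computer} {h.event.name} -> {h.ioc}")
```

Run as-is it reports two hits (WS-003 and WS-001, newest first): the trailing-dot and upper-case names are still caught, the `notpasswordweb.wiki` lookalike is not, and the excluded sandbox host is dropped even though it queried a listed domain. Swapping the subset for the full 46-domain list from the query above changes nothing in the logic.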