ClearFake is a malicious JavaScript framework injected into compromised websites that lures visitors into running an attacker payload through fake browser-update prompts. The 90 domains listed here are ThreatFox payload-delivery indicators for that campaign: a DNS lookup for any of them from a host in your environment means a user most likely reached a ClearFake lure and the host may already have fetched the payload. SOC teams should hunt for these lookups in Microsoft Sentinel (formerly Azure Sentinel) and triage every matching host for follow-on execution before data loss occurs.
IOC Summary
Malware Family: ClearFake
Total IOCs: 90
IOC Types: domain
The table below lists the first 25 indicators; the hunting query further down carries 50 of the 90.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | webcdnx[.]tonmixin.surf | payload_delivery | 2026-05-06 | 100% |
| domain | tridraor[.]mav2lirex.lat | payload_delivery | 2026-05-06 | 100% |
| domain | netapis[.]tonmixin.surf | payload_delivery | 2026-05-06 | 100% |
| domain | imagedraw[.]mav2lirex.lat | payload_delivery | 2026-05-06 | 100% |
| domain | srvlogs[.]tonmixin.surf | payload_delivery | 2026-05-06 | 100% |
| domain | neotcdk[.]7toralex.lat | payload_delivery | 2026-05-06 | 100% |
| domain | devbits[.]tonmixin.surf | payload_delivery | 2026-05-06 | 100% |
| domain | sp4rk-plate[.]7toralex.lat | payload_delivery | 2026-05-06 | 100% |
| domain | appboxs[.]tonmixin.surf | payload_delivery | 2026-05-06 | 100% |
| domain | ieke13[.]7toralex.lat | payload_delivery | 2026-05-06 | 100% |
| domain | dnswebs[.]sixunzip.surf | payload_delivery | 2026-05-06 | 100% |
| domain | vpsruns[.]sixunzip.surf | payload_delivery | 2026-05-06 | 100% |
| domain | thread-mark[.]7toralex.lat | payload_delivery | 2026-05-06 | 100% |
| domain | hgt3[.]7toralex.lat | payload_delivery | 2026-05-06 | 100% |
| domain | cpupros[.]sixunzip.surf | payload_delivery | 2026-05-06 | 100% |
| domain | splitfleet[.]7toralex.lat | payload_delivery | 2026-05-06 | 100% |
| domain | opsmgrs[.]sixunzip.surf | payload_delivery | 2026-05-06 | 100% |
| domain | vel-nexon[.]7toralex.lat | payload_delivery | 2026-05-06 | 100% |
| domain | topsvcs[.]sixunzip.surf | payload_delivery | 2026-05-06 | 100% |
| domain | gitlabh[.]ultrashiftnet.surf | payload_delivery | 2026-05-06 | 100% |
| domain | bitfoxs[.]sixunzip.surf | payload_delivery | 2026-05-06 | 100% |
| domain | apiopss[.]ultrashiftnet.surf | payload_delivery | 2026-05-06 | 100% |
| domain | hotfixs[.]cargowhy.surf | payload_delivery | 2026-05-06 | 100% |
| domain | logbins[.]ultrashiftnet.surf | payload_delivery | 2026-05-06 | 100% |
| domain | ipnodes[.]cargowhy.surf | payload_delivery | 2026-05-06 | 100% |
```kusto
// Hunt for DNS queries to known ClearFake domains
// Source: ThreatFox - ClearFake (50 of the 90 indicators; extend the list for full coverage)
let malicious_domains = dynamic(["webcdnx.tonmixin.surf", "tridraor.mav2lirex.lat", "netapis.tonmixin.surf", "imagedraw.mav2lirex.lat", "srvlogs.tonmixin.surf", "neotcdk.7toralex.lat", "devbits.tonmixin.surf", "sp4rk-plate.7toralex.lat", "appboxs.tonmixin.surf", "ieke13.7toralex.lat", "dnswebs.sixunzip.surf", "vpsruns.sixunzip.surf", "thread-mark.7toralex.lat", "hgt3.7toralex.lat", "cpupros.sixunzip.surf", "splitfleet.7toralex.lat", "opsmgrs.sixunzip.surf", "vel-nexon.7toralex.lat", "topsvcs.sixunzip.surf", "gitlabh.ultrashiftnet.surf", "bitfoxs.sixunzip.surf", "apiopss.ultrashiftnet.surf", "hotfixs.cargowhy.surf", "logbins.ultrashiftnet.surf", "ipnodes.cargowhy.surf", "appsrch.ultrashiftnet.surf", "getcfgs.cargowhy.surf", "webdocs.ultrashiftnet.surf", "sslkeys.cargowhy.surf", "syskeys.ultrashiftnet.surf", "sshbins.cargowhy.surf", "netmans.cybermetagrid.surf", "tmpdirs.cargowhy.surf", "tcpcons.cybermetagrid.surf", "cmdsets.nodespit.surf", "sshpros.cybermetagrid.surf", "skyvpns.nodespit.surf", "vmlists.cybermetagrid.surf", "dbinsts.nodespit.surf", "usrgrps.cybermetagrid.surf", "apidocs.nodespit.surf", "optwebs.cybermetagrid.surf", "metalts.nodespit.surf", "proxyss.quantumtechbox.surf", "osbases.nodespit.surf", "lanhops.quantumtechbox.surf", "apiopss.zooblob.surf", "subclis.quantumtechbox.surf", "logbins.zooblob.surf", "bitkits.quantumtechbox.surf"]);
DnsEvents
// has_any is term-based: it matches the indicator itself, any subdomain of it,
// and any name that merely contains the indicator's terms in sequence.
// Use `Name in~ (malicious_domains)` instead if you only want exact matches.
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure the DNS data connector is enabled and the table is actually receiving data; an empty table returns no hits and looks identical to a clean environment. |
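To validate the matching logic offline before running it against production telemetry, here is an added Python example (not part of the original page or of the ThreatFox feed). It refangs indicators as they appear in feeds and tables (with and without `[.]`), normalises query names (case, trailing dot), and reports which of a handful of constructed DNS records match. The IOC subset, host names and log records are constructed for the demonstration. Its parent-domain matching is deliberately stricter than KQL `has_any`, which is term-based and also fires on names that merely contain the indicator's terms in sequence.

```python
"""Offline check of the ClearFake DNS hunt.

Added example (not from the original page): refangs IOC table entries,
normalises DNS query names, and reports which constructed log records
match the indicator list. Sample records are made up, not real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A subset of the page's IOC table, as entries appear in feeds
# (some defanged with '[.]', some not).
IOC_TABLE = """
webcdnx.tonmixin.surf
neotcdk[.]7toralex.lat
sp4rk-plate[.]7toralex.lat
dnswebs.sixunzip.surf
logbins.zooblob.surf
"""


def refang(indicator: str) -> str:
    """Turn defanged notation ('[.]', '(.)', 'hxxp://') back into a matchable name."""
    name = indicator.strip().lower()
    name = name.replace("[.]", ".").replace("(.)", ".")
    name = re.sub(r"^hxxps?://", "", name)
    return name.rstrip(".")


def load_iocs(text: str) -> frozenset[str]:
    """One refanged indicator per non-empty line."""
    return frozenset(refang(line) for line in text.splitlines() if line.strip())


@dataclass(frozen=True)
class DnsEvent:
    """Mirrors the DnsEvents columns the hunt projects."""
    time_generated: str
    computer: str
    client_ip: str
    name: str
    query_type: str


def normalise_query(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().lower().rstrip(".")


def matched_ioc(name: str, iocs: frozenset[str]) -> str | None:
    """Return the indicator a query matches: exact, or a parent domain of the query.

    'cdn.neotcdk.7toralex.lat' matches 'neotcdk.7toralex.lat'; a look-alike such as
    'webcdnx.tonmixin.surf.example.com' does not (it would under KQL has_any).
    """
    q = normalise_query(name)
    if q in iocs:
        return q
    labels = q.split(".")
    for i in range(1, len(labels) - 1):  # stop before the bare TLD
        parent = ".".join(labels[i:])
        if parent in iocs:
            return parent
    return None


def hunt(events: list[DnsEvent], iocs: frozenset[str]) -> list[tuple[DnsEvent, str]]:
    """Equivalent of the `where Name has_any (...)` stage, newest first."""
    hits = [(e, m) for e in events if (m := matched_ioc(e.name, iocs))]
    return sorted(hits, key=lambda em: em[0].time_generated, reverse=True)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    DnsEvent("2026-05-06T09:58:01Z", "WS-0142", "10.20.4.17", "www.microsoft.com", "A"),
    DnsEvent("2026-05-06T10:01:12Z", "WS-0142", "10.20.4.17", "webcdnx.tonmixin.surf", "A"),
    DnsEvent("2026-05-06T10:01:13Z", "WS-0142", "10.20.4.17", "cdn.neotcdk.7toralex.lat.", "AAAA"),
    DnsEvent("2026-05-06T10:03:40Z", "WS-0077", "10.20.9.3", "SP4RK-PLATE.7toralex.lat", "A"),
    DnsEvent("2026-05-06T10:05:00Z", "WS-0077", "10.20.9.3", "webcdnx.tonmixin.surf.example.com", "A"),
]


if __name__ == "__main__":
    iocs = load_iocs(IOC_TABLE)
    for event, ioc in hunt(SAMPLE_EVENTS, iocs):
        print(f"{event.time_generated} {event.computer} {event.client_ip} {event.name} -> {ioc}")
```

Run as-is it prints the three matching records in the same order the KQL returns them; swap `IOC_TABLE` for the full 90-entry feed export and `SAMPLE_EVENTS` for an exported DnsEvents slice to replay a real window.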
The exclusions below reference process fields (process.name, process.args, user.name). DnsEvents carries no process context, so they cannot be applied to the hunt above directly; they presuppose a process-aware source (endpoint telemetry that records which process issued each DNS lookup) joined to the DNS hits on host and time. An exclusion must negate the whole conjunction of benign attributes (host AND process AND argument); chaining inequalities with OR (`process.name != A OR process.name != B`) is true for every process and excludes nothing.
Scenario: Scheduled job on a lab host deliberately resolving a ClearFake domain
Description: A scheduled task on a test, sandbox or IOC-validation host resolves a listed domain (for example to check whether it is still live). Scope the exclusion to that task on those hosts; a scheduled task resolving these domains on a production workstation is persistence, not a false positive.
Filter/Exclusion: NOT (host.name IN (<approved lab hosts>) AND process.name = "schtasks.exe" AND process.args LIKE '%ClearFake%')
Scenario: Administrator testing an internal tool against a listed domain
Description: An administrator runs a PowerShell test script that resolves a listed domain. "admin" and "test" are far too generic to exclude on; name the specific account and script, and confirm the tool genuinely has a reason to contact attacker-registered infrastructure (ordinarily it does not).
Filter/Exclusion: NOT (user.name = "admin" AND process.name = "powershell.exe" AND process.args LIKE '%test%')
Scenario: Software update process resolving a listed domain
Description: An installer (msiexec.exe, setup.exe) resolves a listed domain while presenting itself as an update. This indicator set contains domains only, not IP addresses, and legitimate updaters fetch from vendor infrastructure; since ClearFake's lure is itself a fake browser-update prompt, treat this as a true positive unless the publisher signature and update channel confirm otherwise.
Filter/Exclusion: NOT (process.name IN ("msiexec.exe", "setup.exe") AND process.args LIKE '%update%')
Scenario: Phishing training exercise using a listed domain
Description: A security team's phishing simulation points users at a listed domain. Training platforms use domains the team controls, not attacker-registered ones, so confirm with the team running the exercise before excluding, and key the exclusion to their campaign identifier rather than the generic word "training".
Filter/Exclusion: NOT (process.name IN ("outlook.exe", "chrome.exe") AND process.args LIKE '%training%')
Scenario: Shared cloud-provider infrastructure mistakenly listed
Description: A cloud service provider's address is mistakenly listed in ThreatFox and legitimate workloads use it. This ClearFake set contains no IP indicators (all 90 are domains), so the scenario does not apply to the hunt above as written; if a shared address or domain is ever added, exclude on the workload's source and destination rather than on CLI process names, which say nothing about where the traffic went.
Filter/Exclusion: NOT (process.name IN ("azure-cli.exe", "aws-cli.exe") AND ip.src IN ('10.0.0.0/8', '172.16.0.
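The following added Python example (not from the original page) makes the exclusion problem concrete: it runs three constructed DNS hits, already joined with the process that issued the lookup, through the first scenario's OR-chained inequality filter and through an allowlist scoped to one approved job on one lab host. Host names, users, command lines and the `APPROVED_JOBS` allowlist are hypothetical.

```python
"""Scoping a false-positive exclusion for the ClearFake DNS hunt.

Added example, not from the original page. Three constructed DNS hits
(joined with process context, which DnsEvents alone cannot provide) are
run through two filters: an OR-chained inequality filter, and an allowlist
scoped to one approved job on one lab host. All values are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsHit:
    computer: str       # host that issued the lookup
    user: str           # account the process ran as
    process_name: str   # image name of the issuing process
    process_args: str   # its command line
    name: str           # the listed ClearFake domain that matched


def keep_with_or_chained_filter(hit: DnsHit) -> bool:
    """Filter of the form `p != A OR p != B OR args NOT LIKE '%ClearFake%'`.

    No process name equals both A and B, so `p != A OR p != B` is true for
    every hit: the filter keeps everything and therefore excludes nothing.
    """
    return (
        hit.process_name != "schtasks.exe"
        or hit.process_name != "task scheduler"
        or "ClearFake" not in hit.process_args
    )


# Hypothetical allowlist: (host, process, job tag) triples known to be benign.
APPROVED_JOBS = frozenset({
    ("LAB-SBX-01", "schtasks.exe", "ClearFake-liveness-check"),
})


def keep_with_scoped_filter(hit: DnsHit) -> bool:
    """Drop a hit only when host AND process AND job tag all match one entry."""
    for host, proc, tag in APPROVED_JOBS:
        if (hit.computer.upper() == host
                and hit.process_name.lower() == proc
                and tag in hit.process_args):
            return False
    return True


def apply_filter(hits, keep):
    """Return the hits that survive `keep`, preserving order."""
    return [h for h in hits if keep(h)]


# Constructed sample hits (not real telemetry).
SAMPLE_HITS = [
    DnsHit("LAB-SBX-01", "svc-lab", "schtasks.exe",
           "/Run /TN ClearFake-liveness-check", "webcdnx.tonmixin.surf"),
    DnsHit("WS-0142", "jdoe", "powershell.exe",
           "-w hidden -nop -enc <base64 stage>", "neotcdk.7toralex.lat"),
    DnsHit("WS-0077", "asmith", "schtasks.exe",
           "/Create /TN Updater /SC MINUTE /TR C:\\Users\\Public\\u.cmd",
           "sp4rk-plate.7toralex.lat"),
]


if __name__ == "__main__":
    for label, keep in (("or-chained", keep_with_or_chained_filter),
                        ("scoped", keep_with_scoped_filter)):
        kept = apply_filter(SAMPLE_HITS, keep)
        print(f"{label}: {len(kept)} of {len(SAMPLE_HITS)} hits kept")
        for h in kept:
            print(f"  {h.computer} {h.user} {h.process_name} -> {h.name}")
```

The OR-chained filter keeps all three hits, including the lab job it was meant to suppress; the scoped filter drops only that job and leaves the two workstation hits for triage.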