Adversaries operating ClearFake infrastructure may use the domains and payloads listed in these IOCs to deliver malware, exfiltrate data or establish command and control, so a match on any of them indicates potential compromise. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats early.
IOC Summary
Malware Family: ClearFake
Total IOCs: 61
IOC Types: sha256_hash, domain
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
// has_any performs term matching, so apex domains in the list (e.g. subfossiloakchronology.digital)
// also match queries for subdomains under them
let malicious_domains = dynamic(["botanicalautomationframework.garden", "3zqfx034.subfossiloakchronology.digital", "1ml4kzh4.subfossiloakchronology.digital", "subfossiloakchronology.digital", "distributedgardenanalytics.garden", "wildfloramanagementplatform.garden", "petalresourceengine.garden", "greenhouseworkflowcenter.garden", "carbon-fiber-monocoque.garden", "46fmfamd.crispychickencutlets.digital", "qvf16jfy.crispychickencutlets.digital", "bioluminescent-fungi-spore.garden", "interstellar-dust-nebula.garden", "ancient-colosseum-engineering.garden", "stealth-bomber-radar-cross.garden", "stratographic-core-drill.garden", "rgx5w3o2.orbitaldockingmodule.digital", "6rto54ve.orbitaldockingmodule.digital", "modular-analog-synthesizer.garden", "tectonic-fault-seismograph.garden", "subterranean-bunker-outpost.garden", "q956x3rl.badabingsopranoslounge.digital", "0g6xawfs.badabingsopranoslounge.digital", "badabingsopranoslounge.digital", "the-sopranos-family-tree.garden", "quantum-entanglement-crypt.garden", "amber-fossil-mosquito.garden", "phase-shift-bridge-driver.garden", "xenomorph-hive-intelligence.garden", "x8drf7ed.audioattenuatorschematic.digital", "nw3tvo7k.audioattenuatorschematic.digital", "holistic-detective-agency.garden", "containerizedplantengine.garden", "stbe26oz.meadowworkflowframework.garden", "floraobservabilitycenter.garden", "meadowworkflowframework.garden", "federatedgardenplatform.garden", "8duc5067.siciliandefensetheory.digital", "rjcuszqj.siciliandefensetheory.digital", "irrigationanalyticssystem.garden", "botanicalresourcecontroller.garden", "distributedbloomnetwork.garden", "wildflorainfrastructurehub.garden", "petalautomationplatform.garden", "greenhousemanagementengine.garden", "v9rvls59.stack-matrix.digital", "2tfq28mb.stack-matrix.digital", "gardenresourcecontroller.garden", "distributedbotanicalnetwork.garden", "wildfloraintegrationplatform.garden"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - ClearFake
// Every hash in this feed is SHA-256, so only the SHA256 column is compared;
// matching SHA1 or MD5 columns against SHA-256 values can never hit.
// in~ makes the comparison case-insensitive in case the column is stored upper-case.
let malicious_hashes = dynamic(["e18e9309db33273762be1d78f5bdd78fa6ea41dadf5f6eef8ece4c841ea76110"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update using ClearFake-related tools
Description: A system update or patching process may include tools or scripts that match the ClearFake IOCs due to shared code or naming conventions.
Filter/Exclusion: Exclude processes related to known update mechanisms (e.g., Windows Update, WSUS, Chocolatey, Scoop) or use a filter like process.name != "chocolatey.exe" AND process.name != "wsusutil.exe".
Scenario: Scheduled job for log cleanup or monitoring
Description: A scheduled task may use a script or tool that matches the ClearFake IOCs, such as a log rotation or monitoring script that uses similar command-line arguments or file paths.
Filter/Exclusion: Exclude tasks associated with log management tools (e.g., logrotate, syslog-ng, Splunk, ELK stack) or use a filter like process.name != "logrotate" AND process.name != "splunkd".
Scenario: Admin task involving file integrity monitoring
Description: An administrator may use a tool like Tripwire or OSSEC that includes scripts or binaries with similar names or paths to ClearFake IOCs.
Filter/Exclusion: Exclude processes associated with file integrity monitoring tools (e.g., tripwire, ossec), or use a filter like process.name != "tripwire" AND process.name != "ossec" AND process.name != "ossecd".
Scenario: Development or testing environment with mock payloads
Description: In a development or testing environment, developers may use mock payloads or test scripts that resemble ClearFake IOCs for simulation or training purposes.
Filter/Exclusion: Exclude processes running in a test or dev environment (e.g., dev, test, qa) or use a