The detection identifies potential ClearFake malicious URLs that adversaries may use to deliver malware or phishing payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to disrupt adversarial campaigns and protect organizational assets before significant damage occurs.
IOC Summary

Threat: ClearFake. Total URLs: 62. Active URLs: 46.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://agmdojf.7zorelax.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-07 |
| hxxps://apiopss.openlinksys.lat/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-07 |
| hxxps://logbins.openlinksys.lat/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-07 |
| hxxps://4rray-dock.7zorelax.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-07 |
| hxxps://pipelin-reach.7zorelax.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | offline | malware_download | 2026-05-07 |
| hxxps://appsrch.openlinksys.lat/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-07 |
| hxxps://jwosviuw.7zorelax.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | offline | malware_download | 2026-05-07 |
| hxxp://webdocs.openlinksys.lat/draw-msft-cl0ud-acc-trust7934/gettwo.dll | offline | malware_download | 2026-05-07 |
| hxxps://webdocs.openlinksys.lat/draw-msft-cl0ud-acc-trust7934/gettwo.dll | offline | malware_download | 2026-05-07 |
| hxxps://filte-path.7zorelax.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-07 |
| hxxps://syskeys.openlinksys.lat/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-07 |
| hxxps://wornod.qen2virex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-07 |
| hxxps://netmans.datarunkey.lat/draw-msft-cl0ud-acc-trust7934/gettwo.dll | offline | malware_download | 2026-05-07 |
| hxxps://steadymeasure.qen2virex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-07 |
| hxxps://tcpcons.datarunkey.lat/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-07 |
| hxxp://sandman.qen2virex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | offline | malware_download | 2026-05-07 |
| hxxps://sandman.qen2virex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-07 |
| hxxps://sshpros.datarunkey.lat/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-07 |
| hxxps://oixkxhga.qen2virex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-07 |
| hxxps://vmlists.datarunkey.lat/draw-msft-cl0ud-acc-trust7934/gettwo.dll | offline | malware_download | 2026-05-07 |
| hxxp://75aohwq.qen2virex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | offline | malware_download | 2026-05-07 |
| hxxps://75aohwq.qen2virex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-07 |
| hxxps://usrgrps.datarunkey.lat/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-07 |
| hxxps://3ohr8brt.qen2virex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-07 |
| hxxps://optwebs.datarunkey.lat/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-07 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["subclis.linkdevbase.lat", "bitkits.linkdevbase.lat", "usrgrps.datarunkey.lat", "syskeys.openlinksys.lat", "m0del9-spool.mav8loren.lat", "4rray-dock.7zorelax.lat", "syncits.softworkapi.lat", "appsrch.openlinksys.lat", "roughvocal.mav8loren.lat", "wornod.qen2virex.lat", "3ohr8brt.qen2virex.lat", "proxyss.linkdevbase.lat", "go1d8-core.mav8loren.lat", "ioflows.softworkapi.lat", "sandman.qen2virex.lat", "75aohwq.qen2virex.lat", "tcpcons.datarunkey.lat", "filte-path.7zorelax.lat", "lanhops.linkdevbase.lat", "apiopss.openlinksys.lat", "logbins.openlinksys.lat", "arkdraor.mav8loren.lat", "optwebs.datarunkey.lat", "30vw.mav8loren.lat", "steadymeasure.qen2virex.lat", "sshpros.datarunkey.lat", "agmdojf.7zorelax.lat", "oixkxhga.qen2virex.lat", "doclabs.linkdevbase.lat", "ciabjdb.mav8loren.lat"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["subclis.linkdevbase.lat", "bitkits.linkdevbase.lat", "usrgrps.datarunkey.lat", "syskeys.openlinksys.lat", "m0del9-spool.mav8loren.lat", "4rray-dock.7zorelax.lat", "syncits.softworkapi.lat", "appsrch.openlinksys.lat", "roughvocal.mav8loren.lat", "wornod.qen2virex.lat", "3ohr8brt.qen2virex.lat", "proxyss.linkdevbase.lat", "go1d8-core.mav8loren.lat", "ioflows.softworkapi.lat", "sandman.qen2virex.lat", "75aohwq.qen2virex.lat", "tcpcons.datarunkey.lat", "filte-path.7zorelax.lat", "lanhops.linkdevbase.lat", "apiopss.openlinksys.lat", "logbins.openlinksys.lat", "arkdraor.mav8loren.lat", "optwebs.datarunkey.lat", "30vw.mav8loren.lat", "steadymeasure.qen2virex.lat", "sshpros.datarunkey.lat", "agmdojf.7zorelax.lat", "oixkxhga.qen2virex.lat", "doclabs.linkdevbase.lat", "ciabjdb.mav8loren.lat"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator manually enters a ClearFake URL into a ticketing system (e.g., ServiceNow) to test a phishing simulation. | Exclude URLs containing the domain phishing-sim.example.com or any URL with the substring test-phishing. |
| A scheduled job runs a script that fetches and processes ClearFake URLs from a public source (e.g., a security research feed) for analysis. | Exclude URLs that match the pattern https://urlhaus.org/ or any URL containing the keyword research. |
| A DevOps team uses a CI/CD pipeline tool (e.g., Jenkins) to deploy a test environment, and a ClearFake URL is temporarily used in a configuration file for validation. | Exclude URLs that appear in files with the path /opt/jenkins/config/ or any URL containing the substring test-deploy. |
| An enterprise uses a third-party threat intelligence tool (e.g., CrowdStrike Falcon) that occasionally reports ClearFake URLs as part of its threat intelligence updates. | Exclude URLs that originate from the IP range 192.0.2.0/24 (a reserved range for documentation) or any URL with the domain threatintel.example.com. |
| A security analyst uses a sandboxing tool (e.g., Cuckoo Sandbox) to analyze a benign file that contains a ClearFake URL as part of its internal testing. | Exclude URLs that are part of files located in the directory /var/sandbox/ or any URL containing the substring sandbox-test. |
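The following Python is an added example, not code from the original page or from URLhaus. It shows how the hunt above can be reproduced offline: refang the defanged `hxxp` IOC URLs from the table into parsable URLs, derive the hostname list that the two KQL queries hard-code in `malicious_domains`, run the same DNS and web-proxy matching over a few constructed records shaped like the `DnsEvents` and `CommonSecurityLog` columns the queries project, and apply the false-positive exclusions listed above before anything is reported. The sample records, the three-URL IOC subset, and the exclusion lists are constructed from the page's own text; the matching uses exact host or subdomain comparison, which is an assumption that is stricter than the `has_any` term matching in the KQL.

```python
# Added example (not from the original page or URLhaus): refang the defanged
# IOC URLs, derive the host list, and replay the DNS / web-proxy hunt over
# constructed records, applying the page's false-positive exclusions.
import re
from urllib.parse import urlsplit

# Three defanged IOC URLs copied from the page's table (the full list has 62).
IOC_URLS = [
    "hxxps://agmdojf.7zorelax.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp",
    "hxxps://apiopss.openlinksys.lat/draw-msft-cl0ud-acc-trust7934/gettwo.dll",
    "hxxp://sandman.qen2virex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp",
]

# Exclusions taken from the false-positive scenarios on the page (constructed lists).
EXCLUDED_HOSTS = {"phishing-sim.example.com", "threatintel.example.com", "urlhaus.org"}
EXCLUDED_SUBSTRINGS = ("test-phishing", "research", "test-deploy", "sandbox-test")


def refang(url: str) -> str:
    """Turn a URLhaus-style defanged URL (hxxp, [.]) back into a parsable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def ioc_hosts(urls) -> set:
    """Lower-cased hostnames, i.e. what the KQL `malicious_domains` list holds."""
    return {urlsplit(refang(u)).hostname.lower() for u in urls}


def host_matches(host: str, domains) -> bool:
    """Exact host or subdomain match (assumed policy; stricter than KQL has_any)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def is_excluded(url: str) -> bool:
    """Apply the page's exclusions: allowlisted hosts and test/research markers."""
    host = (urlsplit(url).hostname or "").lower()
    return host in EXCLUDED_HOSTS or any(s in url.lower() for s in EXCLUDED_SUBSTRINGS)


def hunt_dns(events, domains):
    """Counterpart of the DnsEvents query: records whose queried Name is an IOC host."""
    return [e for e in events if host_matches(e["Name"], domains)]


def hunt_web(events, domains):
    """Counterpart of the CommonSecurityLog query, minus excluded test/research traffic."""
    hits = []
    for e in events:
        url = e.get("RequestURL", "")
        url_host = urlsplit(url).hostname or ""
        if host_matches(url_host, domains) or host_matches(e.get("DestinationHostName", ""), domains):
            if not is_excluded(url):
                hits.append(e)
    return hits


# Constructed sample records shaped like the columns the KQL queries project.
DNS_EVENTS = [
    {"TimeGenerated": "2026-05-07T10:01:02Z", "Computer": "WS01",
     "Name": "agmdojf.7zorelax.lat", "IPAddresses": "198.51.100.7"},
    {"TimeGenerated": "2026-05-07T10:01:05Z", "Computer": "WS02",
     "Name": "cdn.sandman.qen2virex.lat", "IPAddresses": "198.51.100.8"},
    {"TimeGenerated": "2026-05-07T10:01:09Z", "Computer": "WS03",
     "Name": "www.example.com", "IPAddresses": "203.0.113.10"},
]
WEB_EVENTS = [
    {"TimeGenerated": "2026-05-07T10:02:01Z", "SourceIP": "10.0.0.5",
     "RequestURL": "https://apiopss.openlinksys.lat/draw-msft-cl0ud-acc-trust7934/gettwo.dll",
     "DestinationHostName": "apiopss.openlinksys.lat", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-07T10:02:04Z", "SourceIP": "10.0.0.9",
     "RequestURL": "https://urlhaus.org/browse/",
     "DestinationHostName": "urlhaus.org", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-07T10:02:07Z", "SourceIP": "10.0.0.12",
     "RequestURL": "https://sandman.qen2virex.lat/put34b.camp?run=sandbox-test",
     "DestinationHostName": "sandman.qen2virex.lat", "DeviceAction": "block"},
]


if __name__ == "__main__":
    hosts = ioc_hosts(IOC_URLS)
    for hit in hunt_dns(DNS_EVENTS, hosts):
        print("DNS hit:", hit["Computer"], hit["Name"])
    for hit in hunt_web(WEB_EVENTS, hosts):
        print("Web hit:", hit["SourceIP"], hit["RequestURL"], hit["DeviceAction"])
```

Running the script yields two DNS hits (WS01 and the `cdn.` subdomain on WS02) and one web hit; the `urlhaus.org` request is not an IOC host and the `sandbox-test` request is dropped by the exclusion even though its host is on the list. Because the exclusions are substring-based, as the page states them, a lookalike such as `research` appearing anywhere in a URL silences the alert, so tune them to the specific sources and paths in use rather than leaving them as bare keywords.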