Hunt hypothesis: adversaries are using ClearFake malicious URLs, hosted on compromised or phishing-linked domains, to deliver malware or exfiltrate data. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of internal systems and data exfiltration attempts.
IOC Summary

Threat: ClearFake
Total URLs: 54
Active URLs: 38
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://pal3t8-loop.messy-zamai.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock | online | malware_download | 2026-05-09 |
| hxxps://voicemacro.nova7frame.life/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx | offline | malware_download | 2026-05-09 |
| hxxps://voyagefroz.messy-zamai.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock | online | malware_download | 2026-05-09 |
| hxxps://03f7.nova7frame.life/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx | online | malware_download | 2026-05-09 |
| hxxps://fcbxn.nova7frame.life/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx | offline | malware_download | 2026-05-09 |
| hxxps://gene-track.messy-zamai.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock | online | malware_download | 2026-05-09 |
| hxxp://74l3it.messy-zamai.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock | offline | malware_download | 2026-05-09 |
| hxxps://74l3it.messy-zamai.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock | online | malware_download | 2026-05-09 |
| hxxps://3e30omav.velorix.life/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx | online | malware_download | 2026-05-09 |
| hxxp://98yn.messy-zamai.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock | offline | malware_download | 2026-05-09 |
| hxxps://98yn.messy-zamai.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock | offline | malware_download | 2026-05-09 |
| hxxps://meta-1nspect.velorix.life/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx | offline | malware_download | 2026-05-09 |
| hxxps://67b0njwj.velorix.life/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx | online | malware_download | 2026-05-09 |
| hxxps://steri-data.nanovo5kull.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock | online | malware_download | 2026-05-09 |
| hxxps://wildmerg.nanovo5kull.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock | online | malware_download | 2026-05-09 |
| hxxps://iscx3.velorix.life/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx | online | malware_download | 2026-05-09 |
| hxxps://fox-glow.nanovo5kull.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock | online | malware_download | 2026-05-09 |
| hxxps://geo-gu1d3.velorix.life/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx | online | malware_download | 2026-05-09 |
| hxxps://fllegi2j.nanovo5kull.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock | online | malware_download | 2026-05-09 |
| hxxps://mramn.velorix.life/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx | online | malware_download | 2026-05-09 |
| hxxps://9rtfhxav.nanovo5kull.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock | online | malware_download | 2026-05-09 |
| hxxps://mercore7is.velorix.life/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx | online | malware_download | 2026-05-09 |
| hxxps://memory-tone.nanovo5kull.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock | online | malware_download | 2026-05-09 |
| hxxps://dsff.softwincli.pics/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx | online | malware_download | 2026-05-09 |
| hxxps://sshpro.skynodecfg.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock | offline | malware_download | 2026-05-09 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["74l3it.messy-zamai.pics", "apiops.softnetlink.pics", "gene-track.messy-zamai.pics", "67b0njwj.velorix.life", "ops.softwincli.pics", "877zsa.earoauth.life", "git.softwincli.pics", "tcp.skynodecfg.pics", "3e30omav.velorix.life", "03f7.nova7frame.life", "steri-data.nanovo5kull.pics", "tcp.skyprodoc.pics", "voyagefroz.messy-zamai.pics", "pal3t8-loop.messy-zamai.pics", "9rtfhxav.nanovo5kull.pics", "mramn.velorix.life", "fllegi2j.nanovo5kull.pics", "cli.softwincli.pics", "netman.skynodecfg.pics", "memory-tone.nanovo5kull.pics", "sys.softnetlink.pics", "webdoc.softnetlink.pics", "geo-gu1d3.velorix.life", "mercore7is.velorix.life", "dsff.softwincli.pics", "iscx3.velorix.life", "bin.softwincli.pics", "app.softnetlink.pics", "wildmerg.nanovo5kull.pics", "fox-glow.nanovo5kull.pics"]);
// Any DNS query whose name contains one of the listed hosts
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["74l3it.messy-zamai.pics", "apiops.softnetlink.pics", "gene-track.messy-zamai.pics", "67b0njwj.velorix.life", "ops.softwincli.pics", "877zsa.earoauth.life", "git.softwincli.pics", "tcp.skynodecfg.pics", "3e30omav.velorix.life", "03f7.nova7frame.life", "steri-data.nanovo5kull.pics", "tcp.skyprodoc.pics", "voyagefroz.messy-zamai.pics", "pal3t8-loop.messy-zamai.pics", "9rtfhxav.nanovo5kull.pics", "mramn.velorix.life", "fllegi2j.nanovo5kull.pics", "cli.softwincli.pics", "netman.skynodecfg.pics", "memory-tone.nanovo5kull.pics", "sys.softnetlink.pics", "webdoc.softnetlink.pics", "geo-gu1d3.velorix.life", "mercore7is.velorix.life", "dsff.softwincli.pics", "iscx3.velorix.life", "bin.softwincli.pics", "app.softnetlink.pics", "wildmerg.nanovo5kull.pics", "fox-glow.nanovo5kull.pics"]);
// Proxy/firewall records (CEF) where either the full URL or the destination host matches
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
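The `malicious_domains` list in the queries above has to be regenerated every time the IOC feed changes, and a hand-maintained list drifts: compared against the IOC table, the query list omits the hosts whose URLs are marked offline (voicemacro.nova7frame.life, fcbxn.nova7frame.life, 98yn.messy-zamai.pics, meta-1nspect.velorix.life, sshpro.skynodecfg.pics). For retrospective hunting over stored DnsEvents that is a gap, since a resolution logged before a takedown is still evidence of exposure. The following Python script is an added example, not part of this hunt package or of URLhaus: it refangs the `hxxp`-style URLs, extracts unique hostnames (so the http and https variants of 74l3it.messy-zamai.pics collapse into one entry), renders the KQL `let` statement, and reports table hosts missing from an existing query list. The sample rows are copied from the IOC table above; the function names and the `include_offline` switch are this example's own.

```python
"""Build a Sentinel domain watchlist from defanged URL IOCs.

Added example for this hunt package (not the report's or URLhaus' code).
The rows below are copied from the IOC table; everything else is assumed.
"""
import re
from urllib.parse import urlsplit

# (defanged URL, status) rows taken from the IOC table above.
IOC_ROWS = [
    ("hxxps://pal3t8-loop.messy-zamai.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock", "online"),
    ("hxxps://voicemacro.nova7frame.life/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx", "offline"),
    ("hxxps://03f7.nova7frame.life/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx", "online"),
    ("hxxps://fcbxn.nova7frame.life/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx", "offline"),
    ("hxxp://74l3it.messy-zamai.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock", "offline"),
    ("hxxps://74l3it.messy-zamai.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock", "online"),
    ("hxxps://98yn.messy-zamai.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock", "offline"),
    ("hxxps://meta-1nspect.velorix.life/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx", "offline"),
    ("hxxps://dsff.softwincli.pics/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx", "online"),
    ("hxxps://sshpro.skynodecfg.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock", "offline"),
]

# Subset of the hosts already present in the page's KQL `malicious_domains` list.
QUERY_DOMAINS = [
    "74l3it.messy-zamai.pics",
    "03f7.nova7frame.life",
    "pal3t8-loop.messy-zamai.pics",
    "dsff.softwincli.pics",
]


def refang(url: str) -> str:
    """Undo common defanging so the URL can be parsed: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def domain_of(defanged_url: str) -> str:
    """Return the lower-cased hostname (no scheme, port or path) of a defanged URL."""
    host = urlsplit(refang(defanged_url)).hostname
    if not host:
        raise ValueError(f"no hostname in {defanged_url!r}")
    return host.lower()


def unique_domains(rows, include_offline: bool = True) -> list:
    """Unique hostnames from (url, status) rows, in first-seen order.

    include_offline=False reproduces an 'active only' list; for hunting over
    historical telemetry keep the default so taken-down hosts still match.
    """
    seen = {}
    for url, status in rows:
        if not include_offline and status != "online":
            continue
        seen.setdefault(domain_of(url), None)
    return list(seen)


def kql_let(name: str, domains) -> str:
    """Render a KQL `let` statement holding the domains as a dynamic array."""
    quoted = ", ".join('"' + d.replace('"', '\\"') + '"' for d in domains)
    return f"let {name} = dynamic([{quoted}]);"


def missing_from_query(rows, query_domains) -> list:
    """Hostnames present in the IOC rows but absent from an existing query list."""
    return sorted(set(unique_domains(rows)) - set(query_domains))


if __name__ == "__main__":
    print(kql_let("malicious_domains", unique_domains(IOC_ROWS)))
    print("Not covered by the existing query:", missing_from_query(IOC_ROWS, QUERY_DOMAINS))
```

Paste the printed `let` line over the one in the queries above; `has_any` then matches each host regardless of scheme or path, which is why the watchlist is built from hostnames rather than full URLs.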
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate URL shortening service usage
Description: Admins or users may use services like Bitly or TinyURL to shorten internal URLs for easier sharing. These shortened URLs may be flagged by the rule if they match patterns in the ClearFake dataset.
Filter/Exclusion: Exclude URLs containing known shortening service domains (e.g., bit.ly, tinyurl.com, short.url) or use a custom filter to exclude URLs from internal shortening services.
Scenario: Scheduled job for malware signature updates
Description: A scheduled job may download malware signature updates from a trusted source (e.g., VirusTotal, CrowdStrike) which may include URLs that resemble malicious patterns.
Filter/Exclusion: Exclude URLs that match known update servers (e.g., virustotal.com, crowdstrike.com, malwarebytes.com) or filter by HTTP status codes (e.g., 200 OK for successful downloads).
Scenario: Internal tool for phishing simulation
Description: Security teams may use tools like PhishMe or KnowBe4 to simulate phishing emails, which may include URLs that are flagged as malicious by the rule.
Filter/Exclusion: Exclude URLs that contain specific internal domains (e.g., phishing.corp.example.com) or use a custom field to identify simulated phishing URLs.
Scenario: Automated system health check
Description: A system health check tool may access external URLs to verify service availability or perform diagnostics, which could trigger the rule if the URLs match ClearFake patterns.
Filter/Exclusion: Exclude URLs that are part of known health check services (e.g., pingdom.com, uptime.com) or filter by the presence of a specific header or query parameter indicating a health check.
Scenario: User-generated content with embedded links
Description: Employees