This hunt hypothesis looks for adversaries using ClearFake malicious URLs to deliver malware or exfiltrate data, relying on compromised or deceptive links to compromise endpoints. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and contain potential breaches early, especially since ClearFake URLs are frequently used in phishing campaigns targeting internal networks.
IOC Summary

- Threat: ClearFake
- Total URLs: 31
- Active URLs: 22
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://r0ad-hold.di7ectkoshevoy.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | offline | malware_download | 2026-05-08 |
| hxxps://serforge8en.xamir4al.lat/kl0n-green-excel-yy3775-get65/gett3.verification | online | malware_download | 2026-05-08 |
| hxxps://aligncolu.xamir4al.lat/kl0n-green-excel-yy3775-get65/gett3.verification | offline | malware_download | 2026-05-08 |
| hxxps://cove-sdk.di7ectkoshevoy.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | online | malware_download | 2026-05-08 |
| hxxps://yz8pj.di7ectkoshevoy.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | online | malware_download | 2026-05-08 |
| hxxps://tridraar.xamir4al.lat/kl0n-green-excel-yy3775-get65/gett3.verification | online | malware_download | 2026-05-08 |
| hxxps://cgkeayqe.brand5calpel.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | online | malware_download | 2026-05-08 |
| hxxps://velvetcalm.5toravex.lat//kl0n-green-excel-yy3775-get65/gett3.verification | online | malware_download | 2026-05-08 |
| hxxps://lumspireen1.5toravex.lat//kl0n-green-excel-yy3775-get65/gett3.verification | online | malware_download | 2026-05-08 |
| hxxps://sort4-mesh.brand5calpel.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | online | malware_download | 2026-05-08 |
| hxxps://svcd.tavro6xen.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | online | malware_download | 2026-05-08 |
| hxxps://neuraldepot.brand5calpel.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | offline | malware_download | 2026-05-08 |
| hxxps://5bzb.tavro6xen.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | online | malware_download | 2026-05-08 |
| hxxps://ultra-d0ck.brand5calpel.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | online | malware_download | 2026-05-08 |
| hxxps://kdffa87z.1zarelin.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | online | malware_download | 2026-05-08 |
| hxxps://5ound-span.brand5calpel.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | online | malware_download | 2026-05-08 |
| hxxps://st0n-beam.1zarelin.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | offline | malware_download | 2026-05-08 |
| hxxp://4vxdasln.brand5calpel.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | offline | malware_download | 2026-05-08 |
| hxxp://st0n-beam.1zarelin.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | offline | malware_download | 2026-05-08 |
| hxxps://4vxdasln.brand5calpel.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | online | malware_download | 2026-05-08 |
| hxxps://hs01.1zarelin.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | online | malware_download | 2026-05-08 |
| hxxps://apiass.brand5calpel.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | online | malware_download | 2026-05-08 |
| hxxp://wz08rx0.1zarelin.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | offline | malware_download | 2026-05-08 |
| hxxps://wz08rx0.1zarelin.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | online | malware_download | 2026-05-08 |
| hxxps://dfsdf.sixbaud.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | online | malware_download | 2026-05-08 |
Hunt query 1: DNS resolution of the listed domains. Each query below declares its own `malicious_domains` list so it can be run on its own in Sentinel.

```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["tridraar.xamir4al.lat", "5bzb.tavro6xen.lat", "vpsk.qen8vorel.lat", "sort4-mesh.brand5calpel.lat", "4vxdasln.brand5calpel.lat", "lumspireen1.5toravex.lat", "yz8pj.di7ectkoshevoy.lat", "5ound-span.brand5calpel.lat", "dfsdf.sixbaud.lat", "aobgz.1zarelin.lat", "apiass.brand5calpel.lat", "hs01.1zarelin.lat", "serforge8en.xamir4al.lat", "svcd.tavro6xen.lat", "lum-fluxen.1zarelin.lat", "velvetcalm.5toravex.lat", "wz08rx0.1zarelin.lat", "kdffa87z.1zarelin.lat", "cove-sdk.di7ectkoshevoy.lat", "68uvag.qen8vorel.lat", "cgkeayqe.brand5calpel.lat", "ultra-d0ck.brand5calpel.lat"]);
DnsEvents
// has_any matches whole terms, so a lookup for a subdomain of a listed host also hits
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

Hunt query 2: proxy/firewall web traffic to the same domains, matching on either the requested URL or the destination host name.

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["tridraar.xamir4al.lat", "5bzb.tavro6xen.lat", "vpsk.qen8vorel.lat", "sort4-mesh.brand5calpel.lat", "4vxdasln.brand5calpel.lat", "lumspireen1.5toravex.lat", "yz8pj.di7ectkoshevoy.lat", "5ound-span.brand5calpel.lat", "dfsdf.sixbaud.lat", "aobgz.1zarelin.lat", "apiass.brand5calpel.lat", "hs01.1zarelin.lat", "serforge8en.xamir4al.lat", "svcd.tavro6xen.lat", "lum-fluxen.1zarelin.lat", "velvetcalm.5toravex.lat", "wz08rx0.1zarelin.lat", "kdffa87z.1zarelin.lat", "cove-sdk.di7ectkoshevoy.lat", "68uvag.qen8vorel.lat", "cgkeayqe.brand5calpel.lat", "ultra-d0ck.brand5calpel.lat"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
// DeviceAction shows whether the proxy/firewall already blocked the request
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: Legitimate scheduled job downloading updates from a known ClearFake domain
  - Example: A scheduled job runs `yum update` on a Red Hat system, which temporarily connects to a ClearFake domain for package metadata.
  - Filter/Exclusion: Exclude connections to `*.rpmfusion.org` or domains associated with package managers like yum, apt, or dnf.
- Scenario: Admin manually testing a ClearFake URL for security validation
  - Example: A security analyst uses `curl` or `wget` to test a URL from the URLhaus list to verify its behavior in a sandboxed environment.
  - Filter/Exclusion: Exclude traffic originating from user accounts with sudo privileges or from specific IP ranges used by internal security teams.
- Scenario: Internal tool for generating fake URLs for testing purposes
  - Example: A tool like fakemsg or a custom script used by developers to generate mock URLs for API testing or penetration testing.
  - Filter/Exclusion: Exclude traffic from internal development IPs or from processes associated with testing frameworks like Postman, curl, or pytest.
- Scenario: Legitimate use of ClearFake domains by third-party services
  - Example: A service like ClearFake is used by a third-party vendor to host temporary test files for integration testing.
  - Filter/Exclusion: Exclude traffic to domains listed in the ClearFake whitelist or from known third-party service IPs.
- Scenario: False positive from a misconfigured DNS resolver or CDN
  - Example: A DNS resolver or CDN service (like Cloudflare or AWS Route 53) incorrectly resolves a legitimate domain to a ClearFake IP.
  - Filter/Exclusion: Exclude traffic from known CDN IP ranges or DNS resolver IPs, or apply a domain-based exclusion for the affected domain.
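The IOC table above is defanged (hxxp://) and the hunt queries need a plain domain list, and the false-positive section asks for source-based exclusions such as the security team's sandbox range. The following added example (not part of the original playbook) shows both steps together: it parses a constructed subset of the IOC table into unique hostnames, renders them as the `let malicious_domains = dynamic([...])` line the queries use, and then runs the same domain match over constructed DnsEvents-style records while suppressing hits from an assumed sandbox range (10.99.0.0/24 is a placeholder). Matching is done on label boundaries so that a lookalike such as `evil-tridraar.xamir4al.lat` does not match `tridraar.xamir4al.lat`, while a real subdomain of a listed host does.

```python
"""Turn a defanged URLhaus-style IOC table into a hunt domain list and run it
over sample DNS records.  Added example, not the playbook's own code; the IOC
rows, DNS records and sandbox range below are constructed for the demo."""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Constructed subset of rows in the same shape as the playbook's IOC table.
IOC_ROWS = """\
| hxxps://tridraar.xamir4al.lat/kl0n-green-excel-yy3775-get65/gett3.verification | online | malware_download | 2026-05-08 |
| hxxps://velvetcalm.5toravex.lat//kl0n-green-excel-yy3775-get65/gett3.verification | online | malware_download | 2026-05-08 |
| hxxp://st0n-beam.1zarelin.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | offline | malware_download | 2026-05-08 |
| hxxps://st0n-beam.1zarelin.lat/sh1ne-logs-neppy-upd8335-www3/get123c.camp | offline | malware_download | 2026-05-08 |
"""


def refang(url: str) -> str:
    """Undo hxxp:// and [.] defanging so urlsplit can parse the URL."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE).replace("[.]", ".")


def ioc_domains(table: str) -> list[str]:
    """Extract unique hostnames from the URL column, keeping first-seen order."""
    seen: dict[str, None] = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or not cells[0].lower().startswith("hxxp"):
            continue  # header, separator or blank line
        host = urlsplit(refang(cells[0])).hostname
        if host:
            seen[host.lower()] = None
    return list(seen)


def kql_domain_list(domains: list[str]) -> str:
    """Render the list the way the playbook's queries declare it."""
    quoted = ", ".join(f'"{d}"' for d in domains)
    return f"let malicious_domains = dynamic([{quoted}]);"


def domain_matches(name: str, domains: list[str]) -> str | None:
    """Match a queried name on label boundaries: exact host or a subdomain of it.
    'evil-tridraar.xamir4al.lat' must not hit 'tridraar.xamir4al.lat'."""
    name = name.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


# Constructed records in the shape of DnsEvents (Computer, Name, ClientIP).
DNS_RECORDS = [
    {"TimeGenerated": "2026-05-09T08:01:00Z", "Computer": "WS-0412", "Name": "tridraar.xamir4al.lat", "ClientIP": "10.20.4.12"},
    {"TimeGenerated": "2026-05-09T08:02:00Z", "Computer": "WS-0413", "Name": "www.example.org", "ClientIP": "10.20.4.13"},
    {"TimeGenerated": "2026-05-09T08:03:00Z", "Computer": "SBX-01", "Name": "st0n-beam.1zarelin.lat", "ClientIP": "10.99.0.7"},
    {"TimeGenerated": "2026-05-09T08:04:00Z", "Computer": "WS-0414", "Name": "evil-tridraar.xamir4al.lat", "ClientIP": "10.20.4.14"},
    {"TimeGenerated": "2026-05-09T08:05:00Z", "Computer": "WS-0415", "Name": "cdn.velvetcalm.5toravex.lat", "ClientIP": "10.20.4.15"},
]

# Assumed placeholder: the internal security team's sandbox range from the
# "admin manually testing a URL" scenario.  Replace with your own allowlist.
SANDBOX_RANGES = [ipaddress.ip_network("10.99.0.0/24")]


def hunt(records, domains, excluded_ranges=SANDBOX_RANGES):
    """Return (hits, excluded): hits are IOC resolutions from non-excluded
    sources; excluded are IOC resolutions suppressed by the sandbox allowlist."""
    hits, excluded = [], []
    for rec in records:
        matched = domain_matches(rec["Name"], domains)
        if matched is None:
            continue
        src = ipaddress.ip_address(rec["ClientIP"])
        bucket = excluded if any(src in net for net in excluded_ranges) else hits
        bucket.append({**rec, "MatchedDomain": matched})
    return hits, excluded


if __name__ == "__main__":
    doms = ioc_domains(IOC_ROWS)
    print(kql_domain_list(doms))
    found, skipped = hunt(DNS_RECORDS, doms)
    for h in found:
        print("HIT", h["TimeGenerated"], h["Computer"], h["Name"], "->", h["MatchedDomain"])
    print(f"{len(skipped)} hit(s) suppressed by the sandbox exclusion")
```

Keeping excluded hits in a separate bucket rather than dropping them lets you review what the allowlist is hiding; an exclusion that silently swallows a real ClearFake resolution from a host that merely shares the sandbox subnet is the failure mode the false-positive scenarios above can introduce.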