The detection identifies potential ClearFake malicious URLs that adversaries may use to deliver malware or phishing payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to disrupt adversary campaigns and protect organizational assets before compromise.
IOC Summary

Threat: ClearFake
Total URLs: 33
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://backup-terminal-gateway-handle-list.wiki/931c1f4c-c65d-4544-a2b4-15835e711dae/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://obese-uzousweb-play.wiki/6a15feb6-1c4b-4183-962e-b5f4376b3e5a/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://active-instance-registry-support-index.wiki/6526b071-e02e-4c45-847d-a53b8da412af/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://lyapissvebechkopassword.wiki/94d807a8-84f9-434c-bc33-2552924f4513/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://distributed-source-element-package-site.wiki/d2419200-ed11-4f5d-b4d5-b0ee729b7bbc/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://handout-voivodeshiplink.wiki/fcf3664b-c373-4fec-879f-ee04989f4725/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://accoun-table-unleash-soft.wiki/862eca77-d08f-4668-9388-2aba73630cef/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://enterprise-solution-buffer-utility-log.wiki/50542787-0f3b-4bb7-8597-211406a88877/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://sub-substituteunfeignedflash.wiki/0f84517d-6d16-4c2f-af65-b44669c004f5/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://root-directory-repository-process-vault.wiki/398df28f-7fed-4c5f-a7f1-b888d2e9317e/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://cherish-cultscreencard.wiki/af58c925-cc5d-4345-bc31-38fdf6bb1d1c/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://cluster-module-deployment-standard-map.wiki/32e15bee-eb27-4657-9ae5-aece1ed079f1/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://cherish-cultscreencard.wiki/33f9da35-5e63-4875-ac96-cb78b24afa04/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://pro-architecture-engineering-vault-info.wiki/132c7c19-2abb-4b53-8286-ffae42e63f36/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://cherish-cultscreencard.wiki/56a84247-0951-410f-b61e-6978b6481cd5/google.ct | offline | malware_download | 2026-05-13 |
| hxxp://cherish-cultscreencard.wiki/56a84247-0951-410f-b61e-6978b6481cd5/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://pro-architecture-engineering-vault-info.wiki/ee7786d2-9f32-47d8-9a22-9bda422cc6a8/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://eaglefungustourismscreen.wiki/ac459173-32bf-40ba-86e9-9530cedddeda/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://cafe-club-oracle-card.wiki/5783b1e8-e7d5-45b1-b83c-3e69cfee20f8/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://prime-object-container-task-archive.wiki/f182beb6-0467-4553-af3f-48058a0d8dfb/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://cluster-module-deployment-standard-map.wiki/d942bd10-63f2-49f1-88d1-4c8e609fc2b1/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://open-api-protocol-storage-guide.wiki/8b0e64a9-81d0-41fb-955c-dd2617f99115/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://secure-remote-access-method-file.wiki/b6efe3ce-5d0a-4bce-bbef-acedbf0419fe/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://network-security-ops-flow-base.wiki/b4617571-a23f-4592-bf6f-ed70d8bfb7f1/google.ct | offline | malware_download | 2026-05-13 |
| hxxps://virtual-compute-engine-template-doc.wiki/38424c6a-314e-4e65-94f3-52b32ae00d65/google.ct | offline | malware_download | 2026-05-13 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["obese-uzousweb-play.wiki", "eaglefungustourismscreen.wiki", "backup-terminal-gateway-handle-list.wiki", "secure-remote-access-method-file.wiki", "enterprise-solution-buffer-utility-log.wiki", "accoun-table-unleash-soft.wiki", "cherish-cultscreencard.wiki", "prime-object-container-task-archive.wiki", "cafe-club-oracle-card.wiki", "distributed-source-element-package-site.wiki", "network-security-ops-flow-base.wiki", "lyapissvebechkopassword.wiki", "root-directory-repository-process-vault.wiki", "cluster-module-deployment-standard-map.wiki", "pro-architecture-engineering-vault-info.wiki", "open-api-protocol-storage-guide.wiki", "handout-voivodeshiplink.wiki", "virtual-compute-engine-template-doc.wiki", "active-instance-registry-support-index.wiki", "sub-substituteunfeignedflash.wiki"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["obese-uzousweb-play.wiki", "eaglefungustourismscreen.wiki", "backup-terminal-gateway-handle-list.wiki", "secure-remote-access-method-file.wiki", "enterprise-solution-buffer-utility-log.wiki", "accoun-table-unleash-soft.wiki", "cherish-cultscreencard.wiki", "prime-object-container-task-archive.wiki", "cafe-club-oracle-card.wiki", "distributed-source-element-package-site.wiki", "network-security-ops-flow-base.wiki", "lyapissvebechkopassword.wiki", "root-directory-repository-process-vault.wiki", "cluster-module-deployment-standard-map.wiki", "pro-architecture-engineering-vault-info.wiki", "open-api-protocol-storage-guide.wiki", "handout-voivodeshiplink.wiki", "virtual-compute-engine-template-doc.wiki", "active-instance-registry-support-index.wiki", "sub-substituteunfeignedflash.wiki"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion | Rationale |
|---|---|---|
| Legitimate system update via Microsoft Update | Exclude URLs containing windowsupdate.microsoft.com or update.microsoft.com | System updates are a common legitimate activity and should not be flagged as malicious. |
| Scheduled backup job using Veeam | Exclude URLs containing veeam.com or backup.veeam.com | Veeam backup tools often use specific URLs for cloud storage or API interactions, which may be falsely flagged. |
| Admin task using PowerShell for log analysis | Exclude URLs containing powershellgallery.com or gallery.powershell.org | PowerShell modules and scripts are often downloaded from these domains as part of legitimate administrative tasks. |
| Internal tool for user activity reporting | Exclude URLs containing internal.reporting.tool or intranet.reporting | Some internal tools use custom domains or subdomains that may be misclassified as malicious URLs. |
| Cloud storage sync using OneDrive or SharePoint | Exclude URLs containing onedrive.com, sharepoint.com, or microsoft.com | File sync and collaboration tools often use these domains, and their URLs may be falsely flagged by the detection logic. |
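The hunting queries above and the false-positive exclusions both hinge on one piece of plumbing: turning the defanged IOC table into a clean domain list, then matching telemetry against it while skipping the allowlisted domains. The script below is an added example written for this page; it is not part of the original IOC feed or any Sentinel content. It refangs a subset of the URLs from the table, deduplicates their domains, renders the same `let malicious_domains = dynamic([...]);` statement the KQL uses, and runs the DnsEvents logic over a handful of constructed DNS records (the `DnsEvent` records and hostnames `WS-0017`/`WS-0042`/`WS-0099` are made up for illustration). One caveat it makes explicit: KQL `has_any` matches on terms, whereas this script uses an exact-or-subdomain suffix match, which is the stricter semantics you usually want when a domain list is the indicator.

```python
import json
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Defanged IOCs copied from the table above (hxxps:// is the defanged form of https://).
DEFANGED_URLS = [
    "hxxps://cherish-cultscreencard.wiki/af58c925-cc5d-4345-bc31-38fdf6bb1d1c/google.ct",
    "hxxp://cherish-cultscreencard.wiki/56a84247-0951-410f-b61e-6978b6481cd5/google.ct",
    "hxxps://obese-uzousweb-play.wiki/6a15feb6-1c4b-4183-962e-b5f4376b3e5a/google.ct",
    "hxxps://virtual-compute-engine-template-doc.wiki/38424c6a-314e-4e65-94f3-52b32ae00d65/google.ct",
]

# Exclusion domains taken from the false-positive scenarios on this page.
EXCLUDED_DOMAINS = {
    "windowsupdate.microsoft.com", "update.microsoft.com",
    "veeam.com", "backup.veeam.com",
    "powershellgallery.com", "gallery.powershell.org",
    "internal.reporting.tool", "intranet.reporting",
    "onedrive.com", "sharepoint.com", "microsoft.com",
}


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp/hxxps scheme, [.] dots) back into a parseable one."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def extract_domain(url: str) -> str:
    """Lower-cased hostname of a (possibly defanged) URL; raises on URLs with no host."""
    host = urlsplit(refang(url)).hostname
    if not host:
        raise ValueError(f"no hostname in IOC: {url!r}")
    return host.lower()


def build_domain_list(urls):
    """Deduplicate domains, keeping first-seen order (two IOCs share cherish-cultscreencard.wiki)."""
    seen = {}
    for u in urls:
        seen.setdefault(extract_domain(u), None)
    return list(seen)


def to_kql_dynamic(domains):
    """Render the domain list as the KQL `let` statement the hunting queries start with."""
    quoted = ", ".join(json.dumps(d) for d in domains)
    return f"let malicious_domains = dynamic([{quoted}]);"


def domain_matches(name: str, domain: str) -> bool:
    """Exact match or subdomain of an IOC domain (cdn.x.wiki matches x.wiki, notx.wiki does not)."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def is_excluded(name: str) -> bool:
    """True when the queried name falls under one of the documented exclusion domains."""
    return any(domain_matches(name, d) for d in EXCLUDED_DOMAINS)


@dataclass
class DnsEvent:
    time_generated: str  # ISO-8601 timestamp, mirrors TimeGenerated
    computer: str        # mirrors Computer
    name: str            # queried name, mirrors Name


# Constructed sample DNS events for the demo; not real telemetry.
SAMPLE_DNS_EVENTS = [
    DnsEvent("2026-05-13T08:01:02Z", "WS-0017", "cherish-cultscreencard.wiki"),
    DnsEvent("2026-05-13T08:01:05Z", "WS-0017", "update.microsoft.com"),
    DnsEvent("2026-05-13T08:02:11Z", "WS-0042", "cdn.obese-uzousweb-play.wiki"),
    DnsEvent("2026-05-13T08:03:30Z", "WS-0042", "sharepoint.com"),
    DnsEvent("2026-05-13T08:04:00Z", "WS-0099", "example.org"),
]


def hunt_dns(events, domains):
    """Mirror of the DnsEvents query: (event, matched_domain) pairs, newest first,
    with names on the exclusion list dropped before matching."""
    hits = []
    for ev in events:
        if is_excluded(ev.name):
            continue
        for d in domains:
            if domain_matches(ev.name, d):
                hits.append((ev, d))
                break
    hits.sort(key=lambda h: h[0].time_generated, reverse=True)
    return hits


if __name__ == "__main__":
    domains = build_domain_list(DEFANGED_URLS)
    print(to_kql_dynamic(domains))
    for ev, d in hunt_dns(SAMPLE_DNS_EVENTS, domains):
        print(f"{ev.time_generated} {ev.computer} {ev.name} -> {d}")
```

Feed the full table through `build_domain_list` and the generated `let` statement can be pasted straight into either Sentinel query, which keeps the IOC list and the query from drifting apart when the feed updates.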