The hypothesis is that the detected URLs belong to a ClearFake campaign that uses deceptive URLs to lure users into downloading malicious payloads. All fifteen indicators below are tagged malware_download, so a hit in DNS or proxy telemetry indicates a payload-delivery attempt rather than credential phishing. SOC teams should hunt for these URLs in Microsoft Sentinel (formerly Azure Sentinel) so that a download can be contained before it leads to system compromise or data exfiltration.
IOC Summary
Threat: ClearFake
Total URLs: 15
Active URLs: 10
| URL | Status | Threat type | Date Added |
|---|---|---|---|
| hxxps://packet-distribution-core.christmas/a8a06604-6284-4b24-8a3b-ac76f3884920/g.ch | online | malware_download | 2026-05-21 |
| hxxps://container-mesh.christmas/5dff1e15-07cf-41aa-853e-094be4ca2aec/g.ch | online | malware_download | 2026-05-21 |
| hxxps://telemetry-control-hub.christmas/5a5ef6ea-aff7-420f-97dc-f9d824824654/g.ch | online | malware_download | 2026-05-21 |
| hxxps://stackbridge.christmas/e5a01d55-d272-4e70-97f5-32f8da384549/g.ch | online | malware_download | 2026-05-21 |
| hxxps://network-flow-system.christmas/d2e6c986-8be9-43ca-a1a9-3180380aad4a/g.ch | online | malware_download | 2026-05-21 |
| hxxps://byte-vault.christmas/6fcd3983-7edf-4419-a07c-6f5ba1cc67ef/g.ch | online | malware_download | 2026-05-21 |
| hxxps://signal-processing-core.christmas/de1ede75-0cc2-4104-9d8d-e289c3645697/g.ch | online | malware_download | 2026-05-21 |
| hxxps://proxy-hub.christmas/652f1bc5-e123-452e-9b8f-4dabded787a9/g.ch | online | malware_download | 2026-05-21 |
| hxxps://cloud-sync-engine.christmas/1fb89b25-45fa-4267-bf89-9dba7489b2a8/g.ch | online | malware_download | 2026-05-21 |
| hxxps://microservice-hub.christmas/b8f82153-4c34-4b9d-a842-791cf45d3bdc/g.ch | online | malware_download | 2026-05-21 |
| hxxps://telemetry-grid.christmas/1372c504-375d-467b-9978-c2d199db2a80/g.ch | offline | malware_download | 2026-05-21 |
| hxxps://0frduisp.cloud-meridian.digital/?ublib=92fa774c-a9f6-4cd1-ab4e-b18058e58bb4 | offline | malware_download | 2026-05-21 |
| hxxps://stack-flow.christmas/58350bdd-1b1c-4830-9c1c-fe1ddfe98e9a/g.ch | offline | malware_download | 2026-05-21 |
| hxxps://signal-core-engine.christmas/b176b5c0-e343-43ed-a792-08c71e38f649/g.ch | offline | malware_download | 2026-05-21 |
| hxxps://runtime-control.christmas/e2aead27-190e-4dd5-91a5-a29e3b34c767/g.ch | offline | malware_download | 2026-05-21 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
// Only the ten domains marked online in the IOC table are listed. The five offline entries
// (including 0frduisp.cloud-meridian.digital) are omitted; add them for a retrospective hunt,
// since a host that resolved one of them before takedown is still of interest.
let malicious_domains = dynamic(["byte-vault.christmas", "signal-processing-core.christmas", "microservice-hub.christmas", "stackbridge.christmas", "cloud-sync-engine.christmas", "network-flow-system.christmas", "proxy-hub.christmas", "telemetry-control-hub.christmas", "container-mesh.christmas", "packet-distribution-core.christmas"]);
DnsEvents
// has_any matches on whole terms, not exact hostnames, so confirm the full Name before escalating
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
// Same ten online domains as the DNS query; add the offline entries for a retrospective hunt.
let malicious_domains = dynamic(["byte-vault.christmas", "signal-processing-core.christmas", "microservice-hub.christmas", "stackbridge.christmas", "cloud-sync-engine.christmas", "network-flow-system.christmas", "proxy-hub.christmas", "telemetry-control-hub.christmas", "container-mesh.christmas", "packet-distribution-core.christmas"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
// DeviceAction tells you whether the proxy blocked the request; an allowed request is the one to triage first
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate URLhaus feed integration
Description: The SOC ingests the URLhaus feed as threat intelligence, and the platform that ingests, validates or enriches the feed (or a sandbox that detonates samples from it) resolves or fetches the listed URLs itself, producing hits in DNS or proxy logs.
Filter/Exclusion: Do not run the hunt against the threat intelligence tables that hold the feed (for example ThreatIntelligenceIndicator). Exclude the TI platform, enrichment and sandbox hosts by Computer or SourceIP rather than by URL; excluding the URLs themselves would defeat the hunt.
Scenario: Scheduled system update job
Description: A scheduled update or content-sync job contacts a legitimate host whose name shares terms with a listed domain. Both queries use has_any, which matches on whole terms rather than exact hostnames, so such traffic can surface as a hit even though no ClearFake URL was requested.
Filter/Exclusion: Pin the match to the exact hostname (compare DestinationHostName, or the host parsed from RequestURL, against the list with == or in) and exclude known update servers (e.g., updates.microsoft.com, download.oracle.com). Where process context is available, pivot to an EDR table such as DeviceNetworkEvents and use InitiatingProcessFileName to exclude known update tools like wuauclt.exe.
Scenario: Admin task for endpoint configuration
Description: An administrator or a configuration management system (e.g., puppet, ansible, chef) deploys a blocklist containing these domains and tests it, for example by resolving a listed domain or issuing a request through the proxy to confirm it is blocked, and the test request is logged.
Filter/Exclusion: Exclude the admin accounts and configuration management hosts by user or Computer, and treat hits whose DeviceAction shows the request was blocked as lower priority than allowed requests.
Scenario: Legitimate phishing simulation test
Description: The security team runs an awareness or control-validation exercise and deliberately browses to a listed URL from a test machine to confirm that users are warned and that the proxy blocks the download.
Filter/Exclusion: After confirming with the team, exclude the exercise's test accounts and hosts, or the time window of the exercise; do not exclude the URLs themselves.
Scenario: Malware analysis lab activity
Description: A malware analysis lab downloads a sample from a listed URL for analysis as part of its routine work.
Filter/Exclusion: Exclude the lab's subnet or hosts by SourceIP or Computer, and confirm the lab is network-isolated so that a hit from outside the lab range is never dismissed as lab activity.
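The scenarios above all come down to the same rule: exclude by source, never by URL, and pin the match to the exact host. The query below is an added example, not part of the original page, that combines the two hunts' CommonSecurityLog logic with those exclusions. It keeps the full IOC list (online and offline entries, so a host that reached a URL before it went offline still surfaces), replaces the term-based has_any match with an exact hostname join, and separates blocked from allowed requests. The lab subnet, enrichment hosts and test account are placeholder values assumed for illustration.

```kusto
// Added example (not from the original page): ClearFake hunt with false-positive exclusions.
// lab_subnets, enrichment_hosts and control_test_accounts are assumed placeholder values.
let lookback = 30d;
// Full IOC list from the summary table, with URLhaus status kept for triage.
let clearfake_iocs = datatable(Domain:string, Status:string) [
    "packet-distribution-core.christmas", "online",
    "container-mesh.christmas", "online",
    "telemetry-control-hub.christmas", "online",
    "stackbridge.christmas", "online",
    "network-flow-system.christmas", "online",
    "byte-vault.christmas", "online",
    "signal-processing-core.christmas", "online",
    "proxy-hub.christmas", "online",
    "cloud-sync-engine.christmas", "online",
    "microservice-hub.christmas", "online",
    "telemetry-grid.christmas", "offline",
    "0frduisp.cloud-meridian.digital", "offline",
    "stack-flow.christmas", "offline",
    "signal-core-engine.christmas", "offline",
    "runtime-control.christmas", "offline"
];
let malicious_domains = toscalar(clearfake_iocs | summarize make_list(Domain));
// Assumed exclusions (placeholders): sources that legitimately touch these URLs.
let lab_subnets = dynamic(["10.99.0.0/16"]);                     // malware analysis lab
let enrichment_hosts = dynamic(["ti-enrich-01", "sandbox-02"]);  // TI feed validation / sandbox
let control_test_accounts = dynamic(["svc-proxytest"]);         // blocklist tests, awareness exercises
CommonSecurityLog
| where TimeGenerated > ago(lookback)
// Cheap term-based prefilter, same as the original queries
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
// Pin to the exact host: has_any matches terms, so a host such as
// internal-proxy-hub.christmas.example would pass the prefilter but fails the join below
| extend MatchedHost = tolower(iff(isnotempty(DestinationHostName),
                                   DestinationHostName,
                                   tostring(parse_url(RequestURL).Host)))
| join kind=inner clearfake_iocs on $left.MatchedHost == $right.Domain
// Exclude by source, never by URL (null SourceIP is kept, not silently dropped)
| where ipv4_is_in_any_range(SourceIP, lab_subnets) != true
| where Computer !in (enrichment_hosts)
| where SourceUserName !in (control_test_accounts)
// A blocked request confirms the control worked; an allowed request needs triage first
| extend IsBlocked = DeviceAction in~ ("block", "blocked", "deny", "denied", "drop", "reset")
| summarize Hits = count(),
            AllowedCount = countif(not(IsBlocked)),
            BlockedCount = countif(IsBlocked),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SampleUrls = make_set(RequestURL, 5)
    by SourceIP, SourceUserName, MatchedHost, Status
| order by AllowedCount desc, LastSeen desc
```

Rows with AllowedCount greater than zero are the ones to open first: a client that fetched a g.ch payload URL and was not blocked. The exact join deliberately drops subdomains of the listed hosts; if a future feed entry is an apex domain whose subdomains also matter, replace the equality join with a suffix match. For process context on the source host, pivot from SourceIP into DeviceNetworkEvents, where InitiatingProcessFileName is available.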