The hypothesis is that the detected URLs are part of a ClearFake campaign designed to deceive users into visiting malicious sites, thereby enabling phishing or malware delivery. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of user credentials and systems.
IOC Summary
Threat: ClearFake
Total URLs: 9
Active URLs: 7
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://botanicalautomationframework.garden/3f0493c2-1d7e-4eec-97d4-b79f68d6909f/google.cl | online | malware_download | 2026-05-19 |
| hxxps://3zqfx034.subfossiloakchronology.digital/?ublib=34842bde-de43-48dc-bf78-418653d70220 | offline | malware_download | 2026-05-19 |
| hxxps://distributedgardenanalytics.garden/e2f7316c-f595-4f54-a6b3-acf48e330f4c/google.cl | online | malware_download | 2026-05-19 |
| hxxps://wildfloramanagementplatform.garden/a49fac3f-acb0-4e73-8aec-dec37b0f879a/google.cl | online | malware_download | 2026-05-19 |
| hxxps://petalresourceengine.garden/04f88403-b560-4b6e-b150-7c9d3f8d2d56/google.cl | online | malware_download | 2026-05-19 |
| hxxps://carbon-fiber-monocoque.garden/63f9a529-b49f-4704-8249-78af7c915719/google.cl | online | malware_download | 2026-05-19 |
| hxxps://46fmfamd.crispychickencutlets.digital/?ublib=1e13d931-cbb9-488c-be4d-e0bb12c9063a | offline | malware_download | 2026-05-19 |
| hxxps://bioluminescent-fungi-spore.garden/da4ccdc1-2edb-4dd3-8c0e-05c3082dd829/google.cl | online | malware_download | 2026-05-19 |
| hxxps://interstellar-dust-nebula.garden/ff2118f2-7b15-4399-819d-e91c2a58c21d/google.cl | online | malware_download | 2026-05-19 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["bioluminescent-fungi-spore.garden", "botanicalautomationframework.garden", "petalresourceengine.garden", "wildfloramanagementplatform.garden", "carbon-fiber-monocoque.garden", "distributedgardenanalytics.garden", "interstellar-dust-nebula.garden"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["bioluminescent-fungi-spore.garden", "botanicalautomationframework.garden", "petalresourceengine.garden", "wildfloramanagementplatform.garden", "carbon-fiber-monocoque.garden", "distributedgardenanalytics.garden", "interstellar-dust-nebula.garden"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
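The `malicious_domains` list in the queries above is the set of hostnames from the IOC table whose status is online. As an added helper (not part of this hunt page), the Python below parses rows in that table format, refangs the `hxxps://` URLs, keeps only online entries, deduplicates the hostnames and emits the `let ... = dynamic([...])` line the queries start with. The three sample rows are copied from the table above; the function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Sample input: three rows copied from the IOC table above (defanged with hxxps://).
IOC_ROWS = """\
| hxxps://botanicalautomationframework.garden/3f0493c2-1d7e-4eec-97d4-b79f68d6909f/google.cl | online | malware_download | 2026-05-19 |
| hxxps://3zqfx034.subfossiloakchronology.digital/?ublib=34842bde-de43-48dc-bf78-418653d70220 | offline | malware_download | 2026-05-19 |
| hxxps://distributedgardenanalytics.garden/e2f7316c-f595-4f54-a6b3-acf48e330f4c/google.cl | online | malware_download | 2026-05-19 |
"""


def refang(url: str) -> str:
    """Undo common defanging (hxxp[s]://, [.] and [:]) so urlsplit can parse the URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def parse_ioc_table(text: str) -> list[dict]:
    """Parse markdown rows of the form | URL | Status | Threat | Date Added |."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip the header row, the separator row and anything that is not four cells.
        if len(cells) != 4 or cells[0] == "URL" or cells[0].startswith("---"):
            continue
        url, status, threat, date_added = cells
        rows.append({"url": url, "status": status, "threat": threat, "date_added": date_added})
    return rows


def active_domains(rows: list[dict]) -> list[str]:
    """Hostnames of online IOCs, deduplicated and in table order."""
    domains: list[str] = []
    for row in rows:
        if row["status"] != "online":
            continue
        host = urlsplit(refang(row["url"])).hostname
        if host and host not in domains:
            domains.append(host)
    return domains


def kql_domain_list(domains: list[str], name: str = "malicious_domains") -> str:
    """Render the KQL 'let' statement used at the top of the hunting queries."""
    quoted = ", ".join(f'"{d}"' for d in domains)
    return f"let {name} = dynamic([{quoted}]);"


if __name__ == "__main__":
    print(kql_domain_list(active_domains(parse_ioc_table(IOC_ROWS))))
```

Paste the printed `let` line over the one in either query whenever the IOC table is refreshed, so offline entries drop out of the hunt automatically.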
Scenario: A system administrator is manually testing a ClearFake URL as part of a security exercise or red team simulation.
Filter/Exclusion: Exclude URLs that match the domain test.clearfake.com or any subdomains used in internal security testing.
Scenario: A scheduled job runs a script that fetches and validates URLs from a known safe source, such as a company’s internal knowledge base, which includes URLs tagged as ClearFake.
Filter/Exclusion: Exclude URLs that originate from the internal domain internal-kb.example.com or any IP addresses within the company’s private network range.
Scenario: A user clicks on a ClearFake URL that was shared via email by a legitimate internal support team to direct users to a phishing awareness page.
Filter/Exclusion: Exclude URLs that contain the query parameter ?utm_source=security-training or are hosted on the internal training portal training.example.com.
Scenario: A security tool like OSSEC or Splunk is configured to periodically check for known malicious URLs and reports any matches, including ClearFake URLs, as part of its routine monitoring.
Filter/Exclusion: Exclude URLs that are part of the internal monitoring system, such as those hosted on monitoring.example.com or any URLs with the path /check-url.
Scenario: A developer is using a tool like Burp Suite or Postman to manually test API endpoints, and one of the endpoints is flagged as a ClearFake URL during a scan.
Filter/Exclusion: Exclude URLs that include the query parameter ?test=true or are associated with the development environment domain dev.example.com.