The hunt hypothesis detects adversaries using ClearFake malicious URLs to deliver malware or exfiltrate data, leveraging compromised or phishing-linked domains. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of user credentials or sensitive data exfiltration.
IOC Summary
Threat: ClearFake Total URLs: 49 Active URLs: 44
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxps://srvlogs.tonmixin.surf/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-06 |
hxxps://imagedraw.mav2lirex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-06 |
hxxps://neotcdk.7toralex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-06 |
hxxps://devbits.tonmixin.surf/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-06 |
hxxps://sp4rk-plate.7toralex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-06 |
hxxps://appboxs.tonmixin.surf/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-06 |
hxxps://ieke13.7toralex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-06 |
hxxps://dnswebs.sixunzip.surf/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-06 |
hxxps://vpsruns.sixunzip.surf/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-06 |
hxxps://thread-mark.7toralex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-06 |
hxxps://hgt3.7toralex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-06 |
hxxps://cpupros.sixunzip.surf/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-06 |
hxxps://splitfleet.7toralex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-06 |
hxxps://opsmgrs.sixunzip.surf/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-06 |
hxxps://vel-nexon.7toralex.lat/sh1ne-apps-testsh-zec833-lives7z/put34b.camp | online | malware_download | 2026-05-06 |
hxxps://topsvcs.sixunzip.surf/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-06 |
hxxps://bitfoxs.sixunzip.surf/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-06 |
hxxps://gitlabh.ultrashiftnet.surf/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm | online | malware_download | 2026-05-06 |
hxxps://apiopss.ultrashiftnet.surf/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm | online | malware_download | 2026-05-06 |
hxxps://hotfixs.cargowhy.surf/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-06 |
hxxps://logbins.ultrashiftnet.surf/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm | online | malware_download | 2026-05-06 |
hxxps://ipnodes.cargowhy.surf/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-06 |
hxxps://getcfgs.cargowhy.surf/draw-msft-cl0ud-acc-trust7934/gettwo.dll | online | malware_download | 2026-05-06 |
hxxps://appsrch.ultrashiftnet.surf/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm | online | malware_download | 2026-05-06 |
hxxps://webdocs.ultrashiftnet.surf/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm | online | malware_download | 2026-05-06 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["splitfleet.7toralex.lat", "bitfoxs.sixunzip.surf", "dnswebs.sixunzip.surf", "ieke13.7toralex.lat", "sp4rk-plate.7toralex.lat", "imagedraw.mav2lirex.lat", "thread-mark.7toralex.lat", "logbins.ultrashiftnet.surf", "opsmgrs.sixunzip.surf", "getcfgs.cargowhy.surf", "gitlabh.ultrashiftnet.surf", "hgt3.7toralex.lat", "devbits.tonmixin.surf", "syskeys.ultrashiftnet.surf", "appboxs.tonmixin.surf", "apiopss.ultrashiftnet.surf", "vpsruns.sixunzip.surf", "appsrch.ultrashiftnet.surf", "netmans.cybermetagrid.surf", "sslkeys.cargowhy.surf", "neotcdk.7toralex.lat", "ipnodes.cargowhy.surf", "cpupros.sixunzip.surf", "sshbins.cargowhy.surf", "vel-nexon.7toralex.lat", "tmpdirs.cargowhy.surf", "topsvcs.sixunzip.surf", "hotfixs.cargowhy.surf", "webdocs.ultrashiftnet.surf", "srvlogs.tonmixin.surf"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["splitfleet.7toralex.lat", "bitfoxs.sixunzip.surf", "dnswebs.sixunzip.surf", "ieke13.7toralex.lat", "sp4rk-plate.7toralex.lat", "imagedraw.mav2lirex.lat", "thread-mark.7toralex.lat", "logbins.ultrashiftnet.surf", "opsmgrs.sixunzip.surf", "getcfgs.cargowhy.surf", "gitlabh.ultrashiftnet.surf", "hgt3.7toralex.lat", "devbits.tonmixin.surf", "syskeys.ultrashiftnet.surf", "appboxs.tonmixin.surf", "apiopss.ultrashiftnet.surf", "vpsruns.sixunzip.surf", "appsrch.ultrashiftnet.surf", "netmans.cybermetagrid.surf", "sslkeys.cargowhy.surf", "neotcdk.7toralex.lat", "ipnodes.cargowhy.surf", "cpupros.sixunzip.surf", "sshbins.cargowhy.surf", "vel-nexon.7toralex.lat", "tmpdirs.cargowhy.surf", "topsvcs.sixunzip.surf", "hotfixs.cargowhy.surf", "webdocs.ultrashiftnet.surf", "srvlogs.tonmixin.surf"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL filtering tool by inputting known benign URLs from the URLhaus database for validation purposes.
Filter/Exclusion: Exclude URLs that match the urlhaus.com domain or any URLs that are part of a known validation test suite (e.g., testurlhaus.com).
Scenario: A scheduled job runs to update the enterprise’s threat intelligence feed, which includes pulling in URLs from URLhaus.
Filter/Exclusion: Exclude URLs that are part of a scheduled update process (e.g., urlhaus.org/api/v1/feeds/ or any URLs containing update or sync in the path).
Scenario: A security analyst is using the ClearFake tool (a legitimate threat intelligence tool) to generate and test fake URLs for red team exercises.
Filter/Exclusion: Exclude URLs that are tagged with a specific test identifier (e.g., test-clearfake-2024) or originate from the ClearFake tool’s internal test environment.
Scenario: A backup or archival process is copying files from a server that contains URLs from URLhaus as part of documentation or configuration files.
Filter/Exclusion: Exclude URLs that appear in configuration files or documentation (e.g., files with .conf, .txt, or .docx extensions, or paths containing docs/, config/, or backup/).
Scenario: A developer is using a CI/CD pipeline to deploy a new application that includes a list of URLs for internal services, some of which are sourced from URLhaus for reference.
Filter/Exclusion: Exclude URLs that appear in CI/CD pipelines or deployment scripts (e.g., files with .sh, .yml, or .json extensions, or paths containing ci/, deploy/, or scripts/).