The ThreatFox: ClearFake IOCs rule detects potential adversary activity linked to the ClearFake malware, which is associated with credential theft and lateral movement. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage attacks before they escalate to data exfiltration or network compromise.
IOC Summary
Malware Family: ClearFake
Total IOCs: 107
IOC Types: domain
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake (domain IOCs, deduplicated)
let malicious_domains = dynamic([
    "voicemacro.nova7frame.life", "pal3t8-loop.messy-zamai.pics", "03f7.nova7frame.life", "voyagefroz.messy-zamai.pics", "fcbxn.nova7frame.life", "gene-track.messy-zamai.pics", "74l3it.messy-zamai.pics", "3e30omav.velorix.life", "98yn.messy-zamai.pics",
    "meta-1nspect.velorix.life", "steri-data.nanovo5kull.pics", "67b0njwj.velorix.life", "wildmerg.nanovo5kull.pics", "iscx3.velorix.life", "sorix8el.digital", "fox-glow.nanovo5kull.pics", "geo-gu1d3.velorix.life",
    "fllegi2j.nanovo5kull.pics", "mramn.velorix.life", "9rtfhxav.nanovo5kull.pics", "mercore7is.velorix.life", "memory-tone.nanovo5kull.pics", "dsff.softwincli.pics", "sshpro.skynodecfg.pics", "tcp.skynodecfg.pics",
    "netman.skynodecfg.pics", "git.softwincli.pics", "sys.softnetlink.pics", "ops.softwincli.pics", "webdoc.softnetlink.pics", "bin.softwincli.pics", "app.softnetlink.pics", "cli.softwincli.pics",
    "logbin.softnetlink.pics", "win.softwincli.pics", "apiops.softnetlink.pics", "sys.softwincli.pics", "git.softnetlink.pics", "pro.skyprodoc.pics", "877zsa.earoauth.life", "tcp.skyprodoc.pics",
    "ultra-sh4p3.earoauth.life", "ssh.skyprodoc.pics", "0dptx.earoauth.life", "doc.skyprodoc.pics", "c4che-pulse.earoauth.life", "usr.skyprodoc.pics", "yuo7qefc.mixruby.life", "opt.skyprodoc.pics"]);
DnsEvents
// has_any matches the listed values as whole terms, case-insensitively
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
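As an added example that is not part of the ThreatFox rule or this page, the following Python script applies the same domain-match logic offline to exported DNS logs, for example when the DnsEvents connector is not yet enabled. It assumes a constructed three-column "timestamp host query" log layout, normalizes trailing dots and case, and also flags subdomains of the listed hosts while requiring a label boundary so look-alike names do not match.

```python
# Added example (not from the ThreatFox rule): offline matcher for the ClearFake
# domain IOCs above against exported DNS logs in an assumed "timestamp host query" layout.
from __future__ import annotations

# Subset of the IOC values listed in the rule above.
CLEARFAKE_DOMAINS = {
    "voicemacro.nova7frame.life",
    "pal3t8-loop.messy-zamai.pics",
    "sorix8el.digital",
    "tcp.skynodecfg.pics",
}

def normalize_name(name: str) -> str:
    """Lower-case and strip the trailing dot resolvers append to FQDNs."""
    return name.strip().rstrip(".").lower()

def matches_ioc(query_name: str, iocs: set[str] = CLEARFAKE_DOMAINS) -> str | None:
    """Return the IOC that query_name equals or is a subdomain of, else None.

    Requiring a label boundary flags cdn.sorix8el.digital but not notsorix8el.digital.
    """
    name = normalize_name(query_name)
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

def hunt(log_lines: list[str], iocs: set[str] = CLEARFAKE_DOMAINS) -> list[tuple[str, str, str]]:
    """Scan 'timestamp host query' lines; return (timestamp, host, ioc) hits, newest first."""
    hits: list[tuple[str, str, str]] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the hunt
        ts, host, query = parts
        ioc = matches_ioc(query, iocs)
        if ioc:
            hits.append((ts, host, ioc))
    hits.sort(key=lambda h: h[0], reverse=True)  # same ordering as the KQL query
    return hits

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2026-05-09T10:00:00Z ws01 login.microsoftonline.com.",
    "2026-05-09T10:01:12Z ws07 VoiceMacro.Nova7Frame.life.",
    "2026-05-09T10:02:30Z ws03 cdn.sorix8el.digital",
    "2026-05-09T10:03:05Z ws03 notsorix8el.digital",
    "malformed line",
]
```

Running `hunt(SAMPLE_LOG)` on the constructed lines returns two hits (ws03 and ws07) and ignores both the benign query and the malformed line.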
False Positive Scenarios
Note that the exclusions below reference process fields (`process.name`, `process.parent.name`, `process.args`) that do not exist in `DnsEvents`; they apply only if the hunt is extended to process telemetry.
Scenario: Legitimate System Update via Chocolatey
Description: A system update using Chocolatey installs a package that coincidentally matches one of the ClearFake IOCs.
Filter/Exclusion: `process.name != "choco.exe" or process.parent.name != "choco.exe"`
Scenario: Scheduled Job Running PowerShell Script for Reporting
Description: A scheduled job runs a PowerShell script that generates reports, and the script's file path or command line matches a ClearFake IOC.
Filter/Exclusion: `process.name != "powershell.exe" or process.args !~ "reporting|generate"`
Scenario: Admin Task Using WMI for System Monitoring
Description: An administrator uses WMI to query system performance, and the WMI query string matches a ClearFake IOC.
Filter/Exclusion: `process.name != "wmic.exe" or process.args !~ "query|system"`
Scenario: Legitimate Software Deployment via SCCM
Description: A Software Center (SCCM) deployment package includes a file that matches a ClearFake IOC due to naming overlap.
Filter/Exclusion: `process.name != "setup.exe" or process.parent.name != "ccmsetup.exe"`
Scenario: User-Initiated File Download for Research Purposes
Description: A user downloads a file (e.g., from a secure research repository) that has a filename matching a ClearFake IOC.
Filter/Exclusion: `process.name != "curl.exe" or process.args !~ "research|secure|download"`