ThreatFox: ClearFake IOCs

Hunt Hypothesis

The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake threat group, leveraging known malicious indicators to identify compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be exfiltrating data or establishing command and control channels.

IOC Summary

Malware Family: ClearFake Total IOCs: 27 IOC Types: domain

Type	Value	Threat Type	First Seen	Confidence
domain	`datapulse.wiki`	payload_delivery	2026-05-12	100%
domain	`dashcorpcloud.co`	payload_delivery	2026-05-12	100%
domain	`master-system-data-core-wiki.wiki`	payload_delivery	2026-05-12	100%
domain	`tech-script-logic-unit-reference.wiki`	payload_delivery	2026-05-12	100%
domain	`bz6o5g3c.hor1inka-lonely.digital`	payload_delivery	2026-05-12	100%
domain	`yywyvtur.hor1inka-lonely.digital`	payload_delivery	2026-05-12	100%
domain	`digital-node-cloud-ops-manual.wiki`	payload_delivery	2026-05-12	100%
domain	`infra-point-bits-service-atlas.wiki`	payload_delivery	2026-05-12	100%
domain	`web-logic-stack-dev-notebook.wiki`	payload_delivery	2026-05-12	100%
domain	`data-core-logic-resource-center.wiki`	payload_delivery	2026-05-12	100%
domain	`network-security-ops-flow-base.wiki`	payload_delivery	2026-05-12	100%
domain	`open-api-protocol-storage-guide.wiki`	payload_delivery	2026-05-12	100%
domain	`system-stack-node-data-reference.wiki`	payload_delivery	2026-05-12	100%
domain	`global-cloud-infra-logic-manual.wiki`	payload_delivery	2026-05-12	100%
domain	`sys-core-node-stack.co`	payload_delivery	2026-05-12	100%
domain	`data-flow-ops-mgr.co`	payload_delivery	2026-05-12	100%
domain	`infra-net-logic-unit.co`	payload_delivery	2026-05-12	100%
domain	`cloud-stack-run-base.co`	payload_delivery	2026-05-11	100%
domain	`system-core-set.co`	payload_delivery	2026-05-11	100%
domain	`global-cloud-infra-logic.co`	payload_delivery	2026-05-11	100%
domain	`data-stack-node.co`	payload_delivery	2026-05-11	100%
domain	`net-ops-flow-master.co`	payload_delivery	2026-05-11	100%
domain	`global-data-mgr-proc-unit.wiki`	payload_delivery	2026-05-11	100%
domain	`viablestonewall.digital`	payload_delivery	2026-05-11	100%
domain	`cmgr.web-stack-node.wiki`	payload_delivery	2026-05-11	100%

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["datapulse.wiki", "dashcorpcloud.co", "master-system-data-core-wiki.wiki", "tech-script-logic-unit-reference.wiki", "bz6o5g3c.hor1inka-lonely.digital", "yywyvtur.hor1inka-lonely.digital", "digital-node-cloud-ops-manual.wiki", "infra-point-bits-service-atlas.wiki", "web-logic-stack-dev-notebook.wiki", "data-core-logic-resource-center.wiki", "network-security-ops-flow-base.wiki", "open-api-protocol-storage-guide.wiki", "system-stack-node-data-reference.wiki", "global-cloud-infra-logic-manual.wiki", "sys-core-node-stack.co", "data-flow-ops-mgr.co", "infra-net-logic-unit.co", "cloud-stack-run-base.co", "system-core-set.co", "global-cloud-infra-logic.co", "data-stack-node.co", "net-ops-flow-master.co", "global-data-mgr-proc-unit.wiki", "viablestonewall.digital", "cmgr.web-stack-node.wiki", "run.web-stack-node.wiki", "web-stack-node.wiki"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

Required Data Sources

Sentinel Table	Notes
`DnsEvents`	Ensure this data connector is enabled

References

ThreatFox — ClearFake

False Positive Guidance

Scenario: Legitimate System Maintenance Task
Description: A scheduled job runs ClearFake as part of a system cleanup or disk defragmentation process.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or at.exe with known maintenance task names.
Scenario: Security Tool Integration
Description: A security tool like Microsoft Defender or CrowdStrike Falcon uses ClearFake as part of its threat intelligence integration.
Filter/Exclusion: Exclude processes that are child processes of known security tools or have parent process names like mpsvc.exe, falcon.exe, or msseces.exe.
Scenario: Admin Task for Log Clearing
Description: An administrator uses a script or tool like PowerShell or LogParser to clear log files, which may trigger the ClearFake IOC.
Filter/Exclusion: Exclude processes with command lines containing Clear-Log, Clear-EventLog, or logparser with known admin scripts.
Scenario: Legacy Software Cleanup
Description: A legacy application or service, such as SQL Server or IIS, performs a cleanup task that matches the ClearFake IOC.
Filter/Exclusion: Exclude processes associated with sqlservr.exe, iisexpress.exe, or services running under LocalSystem with known cleanup tasks.
Scenario: False Positive from Threat Intelligence Feed
Description: The IOC is incorrectly listed in a threat intelligence feed like ThreatFox, but is actually a benign file or network endpoint.
Filter/Exclusion: Exclude IPs or hashes that are present in known benign threat intelligence feeds or whitelisted by the organization’s internal threat intel team.