The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake malware, which is known for distributing malicious payloads through compromised websites and phishing campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that could lead to data exfiltration or system compromise.
IOC Summary

Malware Family: ClearFake
Total IOCs: 59
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | r0ad-hold.di7ectkoshevoy.lat | payload_delivery | 2026-05-08 | 100% |
| domain | serforge8en.xamir4al.lat | payload_delivery | 2026-05-08 | 100% |
| domain | cove-sdk.di7ectkoshevoy.lat | payload_delivery | 2026-05-08 | 100% |
| domain | aligncolu.xamir4al.lat | payload_delivery | 2026-05-08 | 100% |
| domain | yz8pj.di7ectkoshevoy.lat | payload_delivery | 2026-05-08 | 100% |
| domain | tridraar.xamir4al.lat | payload_delivery | 2026-05-08 | 100% |
| domain | cgkeayqe.brand5calpel.lat | payload_delivery | 2026-05-08 | 100% |
| domain | velvetcalm[.]5toravex.lat | payload_delivery | 2026-05-08 | 100% |
| domain | sort4-mesh.brand5calpel.lat | payload_delivery | 2026-05-08 | 100% |
| domain | lumspireen1[.]5toravex.lat | payload_delivery | 2026-05-08 | 100% |
| domain | svcd.tavro6xen.lat | payload_delivery | 2026-05-08 | 100% |
| domain | neuraldepot.brand5calpel.lat | payload_delivery | 2026-05-08 | 100% |
| domain | 5bzb.tavro6xen.lat | payload_delivery | 2026-05-08 | 100% |
| domain | ultra-d0ck.brand5calpel.lat | payload_delivery | 2026-05-08 | 100% |
| domain | kdffa87z[.]1zarelin.lat | payload_delivery | 2026-05-08 | 100% |
| domain | 5ound-span.brand5calpel.lat | payload_delivery | 2026-05-08 | 100% |
| domain | st0n-beam[.]1zarelin.lat | payload_delivery | 2026-05-08 | 100% |
| domain | 4vxdasln.brand5calpel.lat | payload_delivery | 2026-05-08 | 100% |
| domain | hs01[.]1zarelin.lat | payload_delivery | 2026-05-08 | 100% |
| domain | apiass.brand5calpel.lat | payload_delivery | 2026-05-08 | 100% |
| domain | wz08rx0[.]1zarelin.lat | payload_delivery | 2026-05-08 | 100% |
| domain | dfsdf.sixbaud.lat | payload_delivery | 2026-05-08 | 100% |
| domain | windharbor[.]1zarelin.lat | payload_delivery | 2026-05-08 | 100% |
| domain | aobgz[.]1zarelin.lat | payload_delivery | 2026-05-08 | 100% |
| domain | lum-fluxen[.]1zarelin.lat | payload_delivery | 2026-05-08 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
// Note: has_any performs term matching; a query for a subdomain of an IOC
// (or a longer look-alike name) will also match, so review hits by full Name.
let malicious_domains = dynamic(["r0ad-hold.di7ectkoshevoy.lat", "serforge8en.xamir4al.lat", "cove-sdk.di7ectkoshevoy.lat", "aligncolu.xamir4al.lat", "yz8pj.di7ectkoshevoy.lat", "tridraar.xamir4al.lat", "cgkeayqe.brand5calpel.lat", "velvetcalm.5toravex.lat", "sort4-mesh.brand5calpel.lat", "lumspireen1.5toravex.lat", "svcd.tavro6xen.lat", "neuraldepot.brand5calpel.lat", "5bzb.tavro6xen.lat", "ultra-d0ck.brand5calpel.lat", "kdffa87z.1zarelin.lat", "5ound-span.brand5calpel.lat", "st0n-beam.1zarelin.lat", "4vxdasln.brand5calpel.lat", "hs01.1zarelin.lat", "apiass.brand5calpel.lat", "wz08rx0.1zarelin.lat", "dfsdf.sixbaud.lat", "windharbor.1zarelin.lat", "aobgz.1zarelin.lat", "lum-fluxen.1zarelin.lat", "vpsk.qen8vorel.lat", "crestdeliv.qen8vorel.lat", "68uvag.qen8vorel.lat", "quorvalea5.qen8vorel.lat", "vortide7en.qen8vorel.lat", "yslgmz.qen8vorel.lat", "invoimeado.qen8vorel.lat", "flame-reage.mav2lorix.lat", "routercircuit.mav2lorix.lat", "genomecatalog.mav2lorix.lat", "vinespr.mav2lorix.lat", "3awswdxc.mav2lorix.lat", "proxyss.sixbaud.lat", "xmz60xrj.mav2lorix.lat", "lanhops.sixbaud.lat", "layoutamp.mav2lorix.lat", "subclis.sixbaud.lat", "stea-summ.5toravex.lat", "bitkits.sixbaud.lat", "private2-port.5toravex.lat", "envsets.sixbaud.lat", "arkfluxum.5toravex.lat", "doclabs.sixbaud.lat", "t0n3-wave.5toravex.lat", "lumlithen.5toravex.lat"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
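The IOC table above mixes defanged (`[.]`) and plain values, while the KQL list needs live-format domains. The following added example (not part of the ThreatFox feed or the Sentinel rule) parses a constructed excerpt of the table, refangs it, renders the `let` statement, and checks constructed DnsEvents-style rows with suffix matching, which is stricter than the `has_any` term match in the query; the row values, hostnames and helper names are assumptions.

```python
"""Build the hunting query's domain list from a ThreatFox-style IOC table
and test it against constructed DnsEvents rows (added example, not the rule's code)."""

# Constructed excerpt of the page's IOC table (three of the listed rows).
IOC_TABLE = """
| domain | r0ad-hold.di7ectkoshevoy.lat | payload_delivery | 2026-05-08 | 100% |
| domain | velvetcalm[.]5toravex.lat | payload_delivery | 2026-05-08 | 100% |
| domain | hs01[.]1zarelin.lat | payload_delivery | 2026-05-08 | 100% |
"""

def refang(value: str) -> str:
    """Undo common defanging ([.] and (.)) so the value matches live telemetry."""
    return value.replace("[.]", ".").replace("(.)", ".").lower().strip(".")

def parse_iocs(table: str, ioc_type: str = "domain") -> list[str]:
    """Extract refanged indicator values of one type from the markdown table."""
    found = set()
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0] == ioc_type:
            found.add(refang(cells[1]))
    return sorted(found)

def to_kql_list(domains: list[str], name: str = "malicious_domains") -> str:
    """Render the `let <name> = dynamic([...]);` statement used by the hunt query."""
    body = ", ".join(f'"{d}"' for d in domains)
    return f"let {name} = dynamic([{body}]);"

def matches_ioc(query_name: str, domains: set[str]) -> bool:
    """True if the queried name is an IOC or a subdomain of one.
    A longer look-alike name that merely contains an IOC is not a hit."""
    q = refang(query_name)
    return q in domains or any(q.endswith("." + d) for d in domains)

# Constructed DnsEvents-like rows: (TimeGenerated, Computer, Name).
SAMPLE_DNS = [
    ("2026-05-08T10:00:00Z", "ws-01", "hs01.1zarelin.lat"),           # exact IOC
    ("2026-05-08T10:00:05Z", "ws-02", "cdn.velvetcalm.5toravex.lat"),  # subdomain of IOC
    ("2026-05-08T10:00:09Z", "ws-03", "www.microsoft.com"),            # benign
    ("2026-05-08T10:00:12Z", "ws-04", "hs01.1zarelin.lat.example.org"),  # look-alike, not a hit
]

def hunt(rows, table: str = IOC_TABLE):
    """Return the rows whose queried Name matches an IOC from the table."""
    domains = set(parse_iocs(table))
    return [row for row in rows if matches_ioc(row[2], domains)]

if __name__ == "__main__":
    print(to_kql_list(parse_iocs(IOC_TABLE)))
    for hit in hunt(SAMPLE_DNS):
        print("HIT", *hit)
```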
Scenario: Legitimate System Maintenance Task
Description: A system administrator is running a scheduled job to clean up temporary files using the clear command.
Filter/Exclusion: Exclude processes where the command line includes clear and the user is a system admin (e.g., user = "root" OR user = "admin").
Scenario: Security Tool Scanning for Malware
Description: A security tool like CrowdStrike Falcon or Microsoft Defender is performing a full system scan and temporarily uses a file or process name associated with ClearFake.
Filter/Exclusion: Exclude processes where the parent process is a known security tool (e.g., parent_process = "falcon-sensor" OR parent_process = "msdefender").
Scenario: Scheduled Job for Log Rotation
Description: A scheduled job using logrotate is rotating logs and temporarily creates files with names similar to known ClearFake IOCs.
Filter/Exclusion: Exclude processes where the command line includes logrotate or the file path contains /var/log/.
Scenario: Legitimate Software Update Process
Description: A legitimate software update process, such as Ansible or Chef, is deploying a package that has a filename matching a ClearFake IOC.
Filter/Exclusion: Exclude processes where the command line includes ansible-playbook or chef-client, and the file path is within a known update directory (e.g., /opt/update/).
Scenario: User-Initiated File Cleanup
Description: A user manually deletes files using the rm command, and one of the files matches a ClearFake IOC.
Filter/Exclusion: Exclude processes where the command line includes rm and the user is a regular user (e.g., `user