ClearFake malware is likely exfiltrating data through covert network channels, as indicated by the presence of known malicious IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate data exfiltration attempts before significant data loss occurs.
IOC Summary
Malware Family: ClearFake
Total IOCs: 153
IOC Types: domain
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
// Note: has_any is case-insensitive term matching, so a listed domain also
// matches when it appears as the suffix of a longer FQDN (e.g. a subdomain).
let malicious_domains = dynamic(["agmdojf.7zorelax.lat", "apiopss.openlinksys.lat", "4rray-dock.7zorelax.lat", "logbins.openlinksys.lat", "pipelin-reach.7zorelax.lat", "appsrch.openlinksys.lat", "jwosviuw.7zorelax.lat", "webdocs.openlinksys.lat", "filte-path.7zorelax.lat", "syskeys.openlinksys.lat", "wornod.qen2virex.lat", "netmans.datarunkey.lat", "steadymeasure.qen2virex.lat", "tcpcons.datarunkey.lat", "sandman.qen2virex.lat", "sshpros.datarunkey.lat", "oixkxhga.qen2virex.lat", "vmlists.datarunkey.lat", "75aohwq.qen2virex.lat", "usrgrps.datarunkey.lat", "3ohr8brt.qen2virex.lat", "optwebs.datarunkey.lat", "fmnnyp.qen2virex.lat", "proxyss.linkdevbase.lat", "ciabjdb.mav8loren.lat", "lanhops.linkdevbase.lat", "go1d8-core.mav8loren.lat", "subclis.linkdevbase.lat", "arkdraor.mav8loren.lat", "gt5kq695.die-reformer.digital", "ya15z70c.die-reformer.digital", "a62fkli6.die-reformer.digital", "bitkits.linkdevbase.lat", "ultra-narr0.mav8loren.lat", "envsets.linkdevbase.lat", "m0del9-spool.mav8loren.lat", "doclabs.linkdevbase.lat", "doclabs.linkdevbase.lat", "30vw.mav8loren.lat", "syncits.softworkapi.lat", "roughvocal.mav8loren.lat", "ioflows.softworkapi.lat", "5t4g3-port.3toravix.lat", "taskids.softworkapi.lat", "lum-valeon.3toravix.lat", "comwebs.softworkapi.lat", "trackeglacie.3toravix.lat", "refid-xs.softworkapi.lat", "railmix.3toravix.lat", "autboxs.softworkapi.lat"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
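IOC feeds frequently mix defanged `[.]` notation with plain domains and contain duplicate entries, and a defanged value pasted into the `dynamic([...])` list will silently never match. The following is an added example (not part of the original hunt or the ThreatFox feed) that normalises a raw indicator list, de-duplicates it, applies the same exact-or-subdomain match the query relies on to sample DnsEvents rows, and renders the cleaned list as a KQL literal; the indicator values and DNS rows are constructed samples.

```python
import re
from typing import Iterable, Optional

# Constructed sample: raw IOC values as a feed might deliver them, mixing
# defanged "[.]" notation, plain domains and a duplicate entry.
RAW_IOCS = [
    "agmdojf[.]7zorelax.lat",
    "apiopss.openlinksys.lat",
    "doclabs.linkdevbase.lat",
    "doclabs.linkdevbase.lat",
    "gt5kq695.die-reformer.digital",
]

# Constructed sample DnsEvents rows (Name = queried FQDN).
SAMPLE_DNS_EVENTS = [
    {"Computer": "WS-01", "Name": "apiopss.openlinksys.lat"},
    {"Computer": "WS-02", "Name": "cdn.agmdojf.7zorelax.lat"},  # subdomain of an IOC
    {"Computer": "WS-03", "Name": "openlinksys.lat"},           # parent only, not an IOC
    {"Computer": "WS-04", "Name": "notagmdojf.7zorelax.lat"},   # looks similar, not a match
]

def refang(indicator: str) -> str:
    """Turn defanged notation ("[.]", "(.)", "{.}", "hxxp://") back into a real domain."""
    value = indicator.strip().lower()
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    value = re.sub(r"^hxxps?://", "", value)
    return value.rstrip(".")

def normalise_iocs(raw: Iterable[str]) -> list:
    """Refang and de-duplicate, preserving first-seen order."""
    return list(dict.fromkeys(refang(i) for i in raw))

def matches_ioc(fqdn: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the IOC that fqdn equals or is a subdomain of, else None.
    The label boundary check avoids matching 'notagmdojf.7zorelax.lat'."""
    name = fqdn.lower().rstrip(".")
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

def hunt(events: Iterable[dict], iocs: Iterable[str]) -> list:
    """Return (Computer, Name, matched IOC) for every event that hits the list."""
    hits = []
    for e in events:
        matched = matches_ioc(e["Name"], iocs)
        if matched:
            hits.append((e["Computer"], e["Name"], matched))
    return hits

def to_kql_dynamic(iocs: Iterable[str]) -> str:
    """Render the cleaned list as the dynamic([...]) literal used in the Sentinel query."""
    return "dynamic([" + ", ".join(f'"{i}"' for i in iocs) + "])"
```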
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled backup job using rsync or robocopy that transfers large amounts of data across the network. | Exclude traffic where the source is a known backup server or where the destination is a secure internal storage system. |
| System administrators using PowerShell to generate reports or export logs to a centralized log management tool like Splunk or ELK Stack. | Exclude processes initiated by admin accounts with known legitimate PowerShell scripts or where the destination is a log aggregation system. |
| Regular use of scp or sftp for secure file transfers between servers in a multi-tiered application architecture. | Exclude traffic between servers in a known internal network segment or where the file transfer is part of a documented DevOps pipeline. |
| Use of curl or wget by a legitimate monitoring tool like Nagios or Zabbix to fetch external metrics or configuration data. | Exclude traffic from known monitoring hosts or where the request is to a whitelisted external service. |
| Administrative tasks involving net use or mount commands to map network drives for shared file access in a Windows environment. | Exclude commands executed by domain admins or where the mapped drive is part of a known shared file system used for collaboration. |