The hypothesis is that the detected URLs are part of a ClearFake campaign, which uses deceptive URLs to trick users into downloading malware. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential phishing or malware distribution attempts before they cause harm.
## IOC Summary

- Threat: ClearFake
- Total URLs: 10
- Active URLs: 8
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://formkey.asia/d01af252-520e-49c5-bb8f-dedf96636d23/ton.ch | online | malware_download | 2026-05-22 |
| hxxps://chickencutlet-hacks.christmas/96a44b1a-a1ce-4725-92a8-c3de38e825ee/ton.ch | online | malware_download | 2026-05-22 |
| hxxps://chickencutlet-hacks.christmas/28601180-c97e-4631-91ff-c70af4e7e173/g.ch | online | malware_download | 2026-05-22 |
| hxxps://chroniclearchivekeeper.christmas/a69046cd-ffaa-4b2e-95d3-c3c082cfe1b6/g.ch | online | malware_download | 2026-05-22 |
| hxxps://logicbufferskills.christmas/6bfc3d4d-4b96-418d-9580-ba33fc9fee48/g.ch | online | malware_download | 2026-05-22 |
| hxxps://pixelart-canvas.christmas/92c054f2-ff2b-41bb-abe2-04b838ace443/g.ch | online | malware_download | 2026-05-22 |
| hxxps://vintagevinylrestoration.christmas/f6b92bf0-7e99-48e6-8b94-178717dfab11/g.ch | online | malware_download | 2026-05-22 |
| hxxps://trading-academyexpert.christmas/614bf1e9-4498-4c92-8a38-0bc6b48678c9/g.ch | online | malware_download | 2026-05-22 |
| hxxps://neon-cyberpunk.christmas/d0d852ed-9946-4317-8b96-e1740da525d7/g.ch | offline | malware_download | 2026-05-22 |
| hxxps://linguisticpuzzlesolver.christmas/d2cfd9d2-c83c-49b2-a54b-ae75333809dd/g.ch | offline | malware_download | 2026-05-22 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["vintagevinylrestoration.christmas", "logicbufferskills.christmas", "chroniclearchivekeeper.christmas", "pixelart-canvas.christmas", "chickencutlet-hacks.christmas", "trading-academyexpert.christmas", "formkey.asia"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["vintagevinylrestoration.christmas", "logicbufferskills.christmas", "chroniclearchivekeeper.christmas", "pixelart-canvas.christmas", "chickencutlet-hacks.christmas", "trading-academyexpert.christmas", "formkey.asia"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a ClearFake URL as part of a security awareness training exercise.
  - Filter/Exclusion: Exclude URLs that match the domain training.example.com or any subdomains under it.
- Scenario: A scheduled job runs a script that downloads a legitimate update from a ClearFake-hosted repository.
  - Filter/Exclusion: Exclude URLs containing the path /updates/ or any file names with .zip or .tar.gz extensions.
- Scenario: A user is accessing a phishing simulation URL that is flagged as ClearFake by the URLhaus feed.
  - Filter/Exclusion: Exclude URLs that include the query parameter ?sim=phishing or originate from the domain phishing-sim.example.com.
- Scenario: A DevOps pipeline is using a CI/CD tool like Jenkins to fetch a dependency from a ClearFake-hosted artifact repository.
  - Filter/Exclusion: Exclude URLs that match the pattern https://artifactory.example.com/repo/ or contain the string ci-artifact.
- Scenario: A security team is using a tool like Splunk or ELK to query a ClearFake URL as part of a threat intelligence investigation.
  - Filter/Exclusion: Exclude URLs that contain the query parameter ?query=threatintel or are accessed from the IP range 192.168.0.0/16.
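One way to prepare the IOC table and the exclusions above before loading them into Sentinel, as an added Python example that is not part of the original page or of URLhaus or Sentinel tooling: it refangs the feed URLs, builds the `malicious_domains` list from online entries only, and applies the documented false-positive filters to CommonSecurityLog-style events. The two IOC rows are copied from the table above; the events, the 10.x source addresses and the host/path strings in the exclusion checks are constructed or taken from the scenarios.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit
# Two rows copied from the IOC table above (a constructed subset of the feed).
IOC_ROWS = [
    ("hxxps://formkey.asia/d01af252-520e-49c5-bb8f-dedf96636d23/ton.ch", "online"),
    ("hxxps://neon-cyberpunk.christmas/d0d852ed-9946-4317-8b96-e1740da525d7/g.ch", "offline"),
]
# Exclusions taken from the false-positive scenarios above.
EXCLUDED_HOSTS = ("training.example.com", "phishing-sim.example.com")
EXCLUDED_QUERY = ("sim=phishing", "query=threatintel")
INTERNAL_RANGE = ip_network("192.168.0.0/16")

def refang(url):
    """Undo the hxxp(s):// and [.] defanging used in IOC feeds so the URL parses."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")

def ioc_domains(rows, include_offline=False):
    """Hostnames for the KQL malicious_domains list; offline hosts are dropped by default."""
    return [urlsplit(refang(u)).hostname for u, s in rows if s == "online" or include_offline]

def host_matches(host, domain):
    """Exact or subdomain match, so notformkey.asia does not match formkey.asia."""
    return host == domain or host.endswith("." + domain)

def is_excluded(url, source_ip):
    """Apply the documented false-positive filters to one request."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if any(host_matches(host, h) for h in EXCLUDED_HOSTS) or "/updates/" in p.path:
        return True
    if p.path.endswith((".zip", ".tar.gz")) or any(q in p.query for q in EXCLUDED_QUERY):
        return True
    if "ci-artifact" in url or url.startswith("https://artifactory.example.com/repo/"):
        return True
    return ip_address(source_ip) in INTERNAL_RANGE

def hunt_web(events, domains):
    """Keep CommonSecurityLog-style rows whose host is on the watchlist and not excluded."""
    hits = []
    for ev in events:
        host = (urlsplit(ev["RequestURL"]).hostname or "").lower()
        if any(host_matches(host, d) for d in domains) and not is_excluded(ev["RequestURL"], ev["SourceIP"]):
            hits.append(ev)
    return hits
# Constructed events: a true hit, the same URL from the excluded 192.168.0.0/16 range, an offline domain.
SAMPLE_EVENTS = [
    {"SourceIP": "10.1.2.3", "RequestURL": "https://formkey.asia/d01af252-520e-49c5-bb8f-dedf96636d23/ton.ch"},
    {"SourceIP": "192.168.5.9", "RequestURL": "https://formkey.asia/d01af252-520e-49c5-bb8f-dedf96636d23/ton.ch"},
    {"SourceIP": "10.1.2.4", "RequestURL": "https://neon-cyberpunk.christmas/d0d852ed-9946-4317-8b96-e1740da525d7/g.ch"},
]
```

Path and query based exclusions such as /updates/ or .zip are trivial for an attacker to satisfy, so scope them to a known host or source range before deploying them as Sentinel filters.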