The hypothesis is that the detected URLs are part of a ClearFake campaign, which uses deceptive URLs to lure users into downloading malicious payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of user endpoints and data exfiltration.
IOC Summary

| Threat | Total URLs | Active URLs |
|---|---|---|
| ClearFake | 74 | 52 |
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://aligalpha.mongofixcore.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | offline | malware_download | 2026-05-10 |
| hxxps://dynmarkal.codeflux.lat/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review | online | malware_download | 2026-05-10 |
| hxxps://kelven7or.mongofixcore.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | offline | malware_download | 2026-05-10 |
| hxxps://cryptovault.codeflux.lat/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review | online | malware_download | 2026-05-10 |
| hxxps://pway7.mongofixcore.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | online | malware_download | 2026-05-10 |
| hxxp://zirviss9.codeflux.lat/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review | offline | malware_download | 2026-05-10 |
| hxxps://zirviss9.codeflux.lat/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review | online | malware_download | 2026-05-10 |
| hxxps://5tone-mesh.mongofixcore.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | offline | malware_download | 2026-05-10 |
| hxxp://5tone-mesh.mongofixcore.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | offline | malware_download | 2026-05-10 |
| hxxps://queu-scan.codeflux.lat/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review | online | malware_download | 2026-05-10 |
| hxxps://gentletide.setqueueat.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | offline | malware_download | 2026-05-10 |
| hxxps://lvbj1i51.codeflux.lat/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review | offline | malware_download | 2026-05-10 |
| hxxps://bloom7-hinge.setqueueat.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | online | malware_download | 2026-05-10 |
| hxxps://shipdem.lipshellcore.lat/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review | online | malware_download | 2026-05-10 |
| hxxps://si1e-branch.setqueueat.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | online | malware_download | 2026-05-10 |
| hxxps://script1-gate.lipshellcore.lat/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review | offline | malware_download | 2026-05-10 |
| hxxps://oakbalancer.setqueueat.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | online | malware_download | 2026-05-10 |
| hxxps://boosmars.lipshellcore.lat/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review | offline | malware_download | 2026-05-10 |
| hxxps://anchorfreigh.setqueueat.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | online | malware_download | 2026-05-10 |
| hxxps://98ykbe5.lipshellcore.lat/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review | online | malware_download | 2026-05-10 |
| hxxps://solspireex3.queuedimsys.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | online | malware_download | 2026-05-10 |
| hxxps://quer-graph.lipshellcore.lat/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review | online | malware_download | 2026-05-10 |
| hxxps://assetprotect.queuedimsys.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | online | malware_download | 2026-05-10 |
| hxxps://r3age8-index.lipshellcore.lat/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review | online | malware_download | 2026-05-10 |
| hxxps://sub-vit4.queuedimsys.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | online | malware_download | 2026-05-10 |
The two hunt queries below are separate KQL statements; run each one on its own (in the Sentinel Logs editor, a blank line separates them), since a second `let` declaration directly after a piped expression does not parse as a single query.

```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["pway7.mongofixcore.lat", "quer-graph.lipshellcore.lat", "casual-trail.mixzipcore64.lat", "solspireex3.queuedimsys.lat", "oakbalancer.setqueueat.lat", "assetprotect.queuedimsys.lat", "not1fie-mesh.mixzipcore64.lat", "talnex5on.userssawtone.lat", "cryptovault.codeflux.lat", "209id.queuedimsys.lat", "quormark2et.wetshardauth.lat", "rainstudio.userssawtone.lat", "zirviss9.codeflux.lat", "98ykbe5.lipshellcore.lat", "bandwid-route.mixzipcore64.lat", "shipdem.lipshellcore.lat", "warmhar.mixzipcore64.lat", "bloom7-hinge.setqueueat.lat", "r3age8-index.lipshellcore.lat", "sub-vit4.queuedimsys.lat", "si1e-branch.setqueueat.lat", "tide6-well.mixzipcore64.lat", "dynmarkal.codeflux.lat", "queu-scan.codeflux.lat", "channe-grid.wetshardauth.lat", "granitebroad.mixzipcore64.lat", "cry5t4-stream.wetshardauth.lat", "mervaleet.userssawtone.lat", "arktide8ex.queuedimsys.lat", "anchorfreigh.setqueueat.lat"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["pway7.mongofixcore.lat", "quer-graph.lipshellcore.lat", "casual-trail.mixzipcore64.lat", "solspireex3.queuedimsys.lat", "oakbalancer.setqueueat.lat", "assetprotect.queuedimsys.lat", "not1fie-mesh.mixzipcore64.lat", "talnex5on.userssawtone.lat", "cryptovault.codeflux.lat", "209id.queuedimsys.lat", "quormark2et.wetshardauth.lat", "rainstudio.userssawtone.lat", "zirviss9.codeflux.lat", "98ykbe5.lipshellcore.lat", "bandwid-route.mixzipcore64.lat", "shipdem.lipshellcore.lat", "warmhar.mixzipcore64.lat", "bloom7-hinge.setqueueat.lat", "r3age8-index.lipshellcore.lat", "sub-vit4.queuedimsys.lat", "si1e-branch.setqueueat.lat", "tide6-well.mixzipcore64.lat", "dynmarkal.codeflux.lat", "queu-scan.codeflux.lat", "channe-grid.wetshardauth.lat", "granitebroad.mixzipcore64.lat", "cry5t4-stream.wetshardauth.lat", "mervaleet.userssawtone.lat", "arktide8ex.queuedimsys.lat", "anchorfreigh.setqueueat.lat"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate URL shortening service usage | Employees use URL shortening services like Bitly or TinyURL for internal documentation or sharing links. | Exclude URLs containing known shortening domains (e.g., bit.ly, tinyurl.com, is.gd) or use a custom list of approved shorteners. |
| Scheduled system updates via internal repository | System administrators use a private repository (e.g., Nexus, Artifactory) to distribute updates or patches. | Exclude URLs matching internal repository domains (e.g., nexus.internal.company.com, artifactory.company.net) or use a whitelist of known internal update endpoints. |
| Admin task for malware analysis | Security analysts manually download malware samples from a sandboxing platform like Cuckoo Sandbox or VirusTotal for analysis. | Exclude URLs from known analysis platforms (e.g., cuckoo.sh, virustotal.com) or add a field to the detection logic that excludes URLs containing analysis-related keywords. |
| Legitimate cloud storage access | Users access files from cloud storage services like Google Drive or OneDrive for collaboration. | Exclude URLs containing domains like drive.google.com, onedrive.com, or microsoft.com and filter by user roles (e.g., exclude non-admin users). |
| Internal phishing simulation tool usage | The security team uses a tool like PhishMe or KnowBe4 to send simulated phishing emails with fake URLs. | Exclude URLs containing known phishing simulation domains (e.g., phishme.com, knowbe4.com) or use a custom list of internal phishing test URLs. |
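As an added example (not part of the original hunt content), the Python below turns rows in the IOC table's format into the deduplicated `let malicious_domains = dynamic([...])` line that both hunt queries share, and applies the exclusion approach from the false-positive scenarios by matching the exact host or a parent domain rather than a substring, so an allowlisted name cannot excuse a lookalike host. The sample rows are copied from the table plus one constructed allowlisted row; the allowlist entries and the internal repository host name are assumptions.

```python
"""Build the KQL domain list for the ClearFake hunt from defanged IOC rows."""
import re
from urllib.parse import urlsplit

# Constructed sample: rows copied from the IOC table above, plus one
# constructed VirusTotal row that the allowlist should drop.
IOC_ROWS = """
| hxxps://pway7.mongofixcore.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | online | malware_download | 2026-05-10 |
| hxxp://zirviss9.codeflux.lat/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review | offline | malware_download | 2026-05-10 |
| hxxps://zirviss9.codeflux.lat/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review | online | malware_download | 2026-05-10 |
| hxxps://5tone-mesh.mongofixcore.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | offline | malware_download | 2026-05-10 |
| hxxp://5tone-mesh.mongofixcore.lat/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check | offline | malware_download | 2026-05-10 |
| hxxps://www.virustotal.com/gui/home/upload | online | analyst_download | 2026-05-10 |
"""

# Allowlist drawn from the false-positive scenarios; the internal host is hypothetical.
ALLOWLIST = {"drive.google.com", "virustotal.com", "nexus.internal.company.com"}


def refang(url: str) -> str:
    """Restore the real scheme so the standard URL parser accepts the defanged URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def host_of(defanged_url: str) -> str:
    return urlsplit(refang(defanged_url)).hostname.lower()


def is_allowlisted(host: str, allowlist=ALLOWLIST) -> bool:
    """True if the host or any parent domain is allowlisted (never a substring
    match, so 'virustotal.com.example.lat' is not excused by 'virustotal.com')."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels) - 1))


def parse_rows(table: str):
    """Yield (host, status) for each table row, skipping header and separator lines."""
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0].lower().startswith("hxxp"):
            yield host_of(cells[0]), cells[1]


def malicious_hosts(table: str, only_online: bool = False) -> list:
    """Deduplicated, allowlist-filtered hosts; optionally only those still online."""
    hosts = set()
    for host, status in parse_rows(table):
        if only_online and status != "online":
            continue
        if not is_allowlisted(host):
            hosts.add(host)
    return sorted(hosts)


def kql_let(hosts) -> str:
    """Render the `let` line consumed by the DnsEvents and CommonSecurityLog hunts."""
    quoted = ", ".join(f'"{h}"' for h in hosts)
    return f"let malicious_domains = dynamic([{quoted}]);"
```

Paste the rendered `let` line in place of the one in either hunt query; the http and https duplicates in the table collapse to a single host entry.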