Hunt hypothesis: adversaries are using ClearFake malicious URLs, hosted on compromised or impersonated domains that evade traditional detection, to deliver malware or exfiltrate data. SOC teams should proactively hunt for DNS resolutions of, and web traffic to, these domains in Azure Sentinel so that potential command-and-control channels or data exfiltration attempts are identified and mitigated early.
IOC Summary

Threat: ClearFake
Total URLs: 15
Active URLs: 12
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://bots-unical-resource-platform.garden/dab42d4d-82a4-4d71-89e2-701284677dd3/google.ct | online | malware_download | 2026-05-17 |
| hxxps://4getd0km.script-matrix.digital/?ublib=18e43fcd-7888-4712-86d7-27df8740abc2 | offline | malware_download | 2026-05-17 |
| hxxps://shells-garden-framework.garden/5df02ade-be96-4b58-a8fb-9728a09fe44e/google.ct | online | malware_download | 2026-05-17 |
| hxxps://wild-flora-processing-go-system.garden/56ac5a7d-4560-415b-be81-60f72310a6da/google.ct | online | malware_download | 2026-05-17 |
| hxxps://got-flexl-distrib-engine.garden/9a77b1c8-2189-45f4-90e9-d491c1bf0053/google.ct | online | malware_download | 2026-05-17 |
| hxxps://flow-hub-green-house-work.garden/f0a864a4-6104-48f1-8efb-a7ead220fbab/google.ct | online | malware_download | 2026-05-17 |
| hxxps://wildfloraprocessingsystem.garden/763888fa-4152-4ed7-ad5d-6446639d67b1/google.ct | online | malware_download | 2026-05-17 |
| hxxps://petal-distribution-engine.garden/80594af8-ed70-430d-8f54-e3f6cf888a03/google.ct | online | malware_download | 2026-05-17 |
| hxxps://2b7f1jfa.cloud-forge.digital/?ublib=02d403b6-281a-4019-bb55-dcc49482e282 | offline | malware_download | 2026-05-17 |
| hxxps://irrigation-control-network.garden/659ff5a6-9d6d-4f6c-ba32-75f10cdef407/google.ct | online | malware_download | 2026-05-17 |
| hxxps://greenhouseworkflowhub.garden/d281eb6c-934f-432e-9093-cca0631ee044/google.ct | online | malware_download | 2026-05-17 |
| hxxps://distributed-garden-framework.garden/1df0177d-28f4-4d6b-8853-b32b64c6dc59/google.ct | online | malware_download | 2026-05-17 |
| hxxps://botanicalresourceplatform.garden/4b12b23c-f549-40fc-ad78-fb77a8253d9a/google.ct | online | malware_download | 2026-05-17 |
| hxxps://forgotten-civilization-myth.garden/c61dcac6-41f2-4e86-bd4c-280e86e9ee3e/google.ct | online | malware_download | 2026-05-17 |
| hxxps://ba5ufc2h.logic-sphere.digital/?ublib=0938e072-a68b-4956-809d-84159a094e12 | offline | malware_download | 2026-05-17 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
// The list below contains the 12 domains whose URLs are marked online in the IOC Summary.
let malicious_domains = dynamic(["wildfloraprocessingsystem.garden", "botanicalresourceplatform.garden", "flow-hub-green-house-work.garden", "got-flexl-distrib-engine.garden", "wild-flora-processing-go-system.garden", "forgotten-civilization-myth.garden", "irrigation-control-network.garden", "greenhouseworkflowhub.garden", "shells-garden-framework.garden", "petal-distribution-engine.garden", "bots-unical-resource-platform.garden", "distributed-garden-framework.garden"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["wildfloraprocessingsystem.garden", "botanicalresourceplatform.garden", "flow-hub-green-house-work.garden", "got-flexl-distrib-engine.garden", "wild-flora-processing-go-system.garden", "forgotten-civilization-myth.garden", "irrigation-control-network.garden", "greenhouseworkflowhub.garden", "shells-garden-framework.garden", "petal-distribution-engine.garden", "bots-unical-resource-platform.garden", "distributed-garden-framework.garden"]);
CommonSecurityLog
// Match either the full request URL (proxy logs) or the destination host (firewall logs)
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
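As an added example (not part of the original hunt page), the following Python rebuilds the `malicious_domains` list used by the two queries above from rows of the IOC Summary table: it refangs the hxxps URLs, keeps only entries still marked online, deduplicates the hostnames and emits the KQL `let` statement. The embedded rows are a constructed subset of the IOC table, and `refang`, `parse_ioc_table`, `active_hosts` and `kql_domain_list` are names chosen here.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: a subset of rows in the IOC Summary table's format
# (defanged hxxps URLs, status, threat, date added), copied from the table above.
IOC_TABLE = """\
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://bots-unical-resource-platform.garden/dab42d4d-82a4-4d71-89e2-701284677dd3/google.ct | online | malware_download | 2026-05-17 |
| hxxps://4getd0km.script-matrix.digital/?ublib=18e43fcd-7888-4712-86d7-27df8740abc2 | offline | malware_download | 2026-05-17 |
| hxxps://shells-garden-framework.garden/5df02ade-be96-4b58-a8fb-9728a09fe44e/google.ct | online | malware_download | 2026-05-17 |
| hxxps://2b7f1jfa.cloud-forge.digital/?ublib=02d403b6-281a-4019-bb55-dcc49482e282 | offline | malware_download | 2026-05-17 |
| hxxps://wildfloraprocessingsystem.garden/763888fa-4152-4ed7-ad5d-6446639d67b1/google.ct | online | malware_download | 2026-05-17 |
"""

def refang(url: str) -> str:
    """Undo the usual hxxp / [.] defanging so urlsplit can parse the host."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")

def parse_ioc_table(table: str) -> list[dict]:
    """Parse the markdown IOC table into one dict per row, keyed by column name."""
    lines = [l.strip() for l in table.splitlines() if l.strip().startswith("|")]
    header = [c.strip() for c in lines[0].strip("|").split("|")]
    rows = []
    for line in lines[2:]:  # skip the header row and the |---| separator
        cells = [c.strip() for c in line.strip("|").split("|")]
        rows.append(dict(zip(header, cells)))
    return rows

def active_hosts(rows: list[dict]) -> list[str]:
    """Hostnames of URLs still marked online, deduplicated, in table order."""
    hosts: list[str] = []
    for row in rows:
        if row["Status"].lower() != "online":
            continue  # offline URLs are dropped, as in the page's query list
        host = urlsplit(refang(row["URL"])).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def kql_domain_list(hosts: list[str], name: str = "malicious_domains") -> str:
    """Emit the KQL `let` statement that the DnsEvents/CommonSecurityLog hunts start with."""
    quoted = ", ".join(f'"{h}"' for h in hosts)
    return f"let {name} = dynamic([{quoted}]);"

if __name__ == "__main__":
    print(kql_domain_list(active_hosts(parse_ioc_table(IOC_TABLE))))
```

Regenerating the list from the feed this way keeps the hunt aligned with the IOC table as URLs go offline or new ones are added, instead of hand-editing the `dynamic([...])` literal.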
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positives

- Scenario: A system administrator manually enters a ClearFake URL into a ticketing system (e.g., ServiceNow) to test a phishing simulation.
  - Filter/Exclusion: Exclude URLs originating from known ticketing systems or internal testing environments (e.g., `source == "ServiceNow"` or `url.contains("phishing-sim")`).
- Scenario: A scheduled job runs a script that downloads a ClearFake URL as part of a malware analysis process (e.g., using Cuckoo Sandbox or the VirusTotal API).
  - Filter/Exclusion: Exclude URLs associated with malware analysis tools (e.g., `url.contains("cuckoo")` or `url.contains("virustotal")`).
- Scenario: An IT department uses a legitimate tool such as Microsoft Defender ATP to generate a ClearFake URL for internal testing or reporting purposes.
  - Filter/Exclusion: Exclude URLs from known security tools (e.g., `url.contains("Microsoft Defender ATP")` or `source == "Microsoft Defender"`).
- Scenario: A user clicks a ClearFake URL shared via a company-wide internal communication platform (e.g., Microsoft Teams or Slack) as part of a security awareness training exercise.
  - Filter/Exclusion: Exclude URLs from internal communication platforms (e.g., `source == "Microsoft Teams"` or `source == "Slack"`) or URLs containing training-related keywords (e.g., `url.contains("security-training")`).
- Scenario: A backup or sync job (e.g., using rsync or Veeam) temporarily generates a ClearFake URL during file transfer or metadata processing.
  - Filter/Exclusion: Exclude URLs related to backup/sync tools (e.g., `url.contains("rsync")` or `url.contains("Veeam")`) or those with specific file transfer patterns (e.g., `url.contains("backup")`).