This hunt hypothesis targets adversaries who use ClearFake malicious URLs to deliver payloads, luring users through compromised or deceptive links in order to compromise endpoints. SOC teams should proactively hunt for these URLs in Azure Sentinel so that compromised internal systems are identified and contained before lateral movement or data exfiltration occurs.
IOC Summary
Threat: ClearFake
Total URLs: 17
Active URLs: 9
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["floraresourcecenter.garden", "ecosystemworkflow.garden", "containerized-growth-platform.garden", "irrigation-control-framework.garden", "federatedplantmesh.garden", "bloom-distribution-engine.garden", "meadow-observability-core.garden"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["floraresourcecenter.garden", "ecosystemworkflow.garden", "containerized-growth-platform.garden", "irrigation-control-framework.garden", "federatedplantmesh.garden", "bloom-distribution-engine.garden", "meadow-observability-core.garden"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
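The two queries above match only the seven listed domains, which ClearFake rotates quickly. The URLs in the URLhaus feed for this threat share a common shape (a UUID path segment followed by `google.ct`, or a `ublib=<UUID>` query parameter), so the following added query, which is not part of the original hunt, goes beyond the listed domains by also matching that shape, and correlates DNS and proxy hits per host. It assumes the same `DnsEvents` and `CommonSecurityLog` tables and columns used above.

```kusto
// Added example: hunt on the ClearFake URL shape as well as the listed domains.
// Note: URLhaus publishes URLs defanged as hxxps://; proxy logs hold the real https:// form,
// so the match is on host and path, never on the scheme.
let malicious_domains = dynamic(["floraresourcecenter.garden", "ecosystemworkflow.garden", "containerized-growth-platform.garden", "irrigation-control-framework.garden", "federatedplantmesh.garden", "bloom-distribution-engine.garden", "meadow-observability-core.garden"]);
// /<uuid>/google.ct path or ?ublib=<uuid> query, as seen in the feed for this threat
let url_shape = @"/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/google\.ct$|[?&]ublib=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";
let web = CommonSecurityLog
    | where isnotempty(RequestURL)
    | where RequestURL has_any (malicious_domains)
        or DestinationHostName has_any (malicious_domains)
        or RequestURL matches regex url_shape
    | extend Host = SourceIP, Indicator = RequestURL, Source = "web";
let dns = DnsEvents
    | where Name has_any (malicious_domains)
    | extend Host = Computer, Indicator = Name, Source = "dns";
union web, dns
// One row per host and data source, with the indicators it touched
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Indicators = make_set(Indicator, 20) by Host, Source
| order by LastSeen desc
```

Hosts that appear in both the `dns` and `web` rows resolved a ClearFake domain and then fetched a payload URL, and should be triaged first.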
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job downloading updates from a known ClearFake domain
Example: A system update job using wget or curl to fetch updates from clearfake.com/update
Filter/Exclusion: Exclude URLs matching clearfake.com/update or any subdomain of clearfake.com used for legitimate system updates
Scenario: Admin task using ClearFake for internal testing or phishing simulations
Example: An admin manually testing a phishing email using a ClearFake URL in a controlled environment
Filter/Exclusion: Exclude URLs containing phishing-test or simulator in the path or query parameters
Scenario: Automation tool using ClearFake for benign API calls
Example: A DevOps tool like Ansible or Terraform using a ClearFake URL to access a mock API for testing
Filter/Exclusion: Exclude URLs that match mock-api.clearfake.com or any URL with test in the domain or path
Scenario: Legitimate software using ClearFake as a CDN or proxy
Example: A company’s internal software using ClearFake as a CDN for static assets
Filter/Exclusion: Exclude URLs that match cdn.clearfake.com or any URL with static or assets in the path
Scenario: User-generated content with ClearFake URLs in a company blog or forum
Example: A company blog post or internal forum entry containing a ClearFake URL as part of a legitimate link
Filter/Exclusion: Exclude URLs that appear in content managed by a CMS like WordPress or Confluence, or URLs with blog or forum in the domain path