Huntress Is Presenting On ClearFake Today. We Named The Latest Rebuild May 1. Here's The Path Signature.


Domain rotation is the symptom. Path signature is the disease.


May 5, 2026 · Patrick Duggan, DugganUSA LLC




Huntress is on stage today walking through ClearFake — the malware-delivery framework that's been chewing through workforces for two years now. The take, from the abstract going around, is roughly: ClearFake is impossible to protect against because the operators rotate domains faster than blocklists can keep up.


That's true if you're looking at domains.


It is not true if you're looking at paths.


We caught the latest ClearFake rebuild four days ago. We named it The Apothecary. We mapped 32 parent .bet domains plus 184 subdomains, all registered at PDR Ltd (IANA 303) inside a 24-hour window. We fingerprinted three distinct Cloudflare accounts fronting it. And we did all of that before any victim hit it, because the path signature is the same across every wing of the campaign and that's where pivots actually live.


This post is the receipt.



What landed in our index Apr 30 at 23:56 UTC


PreCog Sweep — our left-of-boom hunting cron — surfaced a cluster fingerprint nobody had named yet. The signal:


  • 24-hour batch registration of 32 parent .bet domains. Not steady-state churn. A wave.

  • Single registrar (PDR Ltd, IANA 303) across 8 of 8 sampled. Same paperwork, same throwaway 1-year terms.

  • Three Cloudflare accounts fronting the wings — louis/melina, arnold/elle, dimitris/georgia. The naming convention alone is a tell.

  • Zero TXT records on any parent — no SPF, no DKIM, no verification. Pure malware delivery.

  • Zero Tor overlap — Cloudflare-fronted only, which is ClearFake's standard MO and a useful exclusion.

  • One identical path showing up everywhere: /software-distribution-dxnp2c7/meta-verify.index

The path is the campaign-instance ID. The token dxnp2c7 is what binds 32 parents and 184 subdomains into a single operator's rebuild. Every wing serves the same payload from the same path. The domains don't matter once you have the path.


We named it The Apothecary because a campaign that distributes 32 different "shopfronts" all dispensing the same poison from the same shelf earns the name.



Why path signature beats domain rotation


Blocklists rotate at the speed of takedown reporting. A 32-domain wave is gone before the first cert transparency log alert reaches a SOC console. Nobody published the 184 subdomains in the first place. By the time you've blocked one, the operator has already prepared the next 50.


Path signature doesn't rotate. It can't rotate, because the path is how the loader on victim machines knows which payload to pull. Change the path and you've broken your own deployment. So the operator keeps dxnp2c7 until the campaign is burned, and then they roll a new token and we catch it again.


The architecture lift is two pieces:


Bloom-filter novelty check — every URL we see goes through a Bloom filter that gives us "have we seen this path token before, anywhere, ever?" When the answer is no AND the path has malware-distribution-shaped morphology AND it's appearing on dozens of fresh registrations, that's the campaign-instance birth signal.


Meilisearch cross-index correlation — we can ask "show me everything in our 17.9M-document corpus that touches this token" and get IOCs, blog mentions, OTX pulses, customer queries, prior cluster sightings, all merged. One token, one query, the whole shape of the operator's campaign drops out.
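The two pieces above, as an added example that is not DugganUSA's pipeline code: a minimal Bloom filter for the "seen this token before?" check, and a sweep that fires a campaign-instance birth signal when a never-seen token with the post's path morphology appears on several domains registered the same day. The observations, domain names and the exact token pattern are constructed assumptions; the correlation step is reduced to a same-day grouping, since no Meilisearch corpus is available here.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: (registration date, domain, observed URL path).
# Domains are placeholders, not the cluster's real infrastructure.
SAMPLE_OBSERVATIONS = [
    ("2026-04-30", "example-one.bet", "/software-distribution-dxnp2c7/meta-verify.index"),
    ("2026-04-30", "example-two.bet", "/software-distribution-dxnp2c7/meta-verify.index"),
    ("2026-04-30", "cdn.example-three.bet", "/software-distribution-dxnp2c7/meta-verify.index"),
    ("2026-04-30", "example-four.bet", "/software-distribution-dxnp2c7/meta-verify.index"),
    ("2026-03-02", "old-site.example", "/software-distribution-aaaa111/meta-verify.index"),
    ("2026-04-30", "benign.example", "/downloads/setup.exe"),
]

# Morphology described in the post: a "software-distribution-<token>" segment followed by a
# fixed filename. The token length/charset is an assumption for this example.
TOKEN_RE = re.compile(r"^/software-distribution-([a-z0-9]{5,10})/meta-verify\.index$")

class BloomFilter:  # minimal Bloom filter, k positions per item via double hashing
    def __init__(self, m_bits=1 << 16, k=4):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8 + 1)
    def _positions(self, item):
        h = hashlib.sha256(item.encode()).digest()
        h1, h2 = int.from_bytes(h[:8], "big"), int.from_bytes(h[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]
    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)
    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))

def find_campaign_births(observations, seen=None, min_fresh_domains=3):
    """New tokens on >= min_fresh_domains domains registered the same day -> {token: domains}."""
    seen = seen if seen is not None else BloomFilter()
    fresh = defaultdict(lambda: defaultdict(set))  # token -> registration date -> domains
    for reg_date, domain, path in observations:
        m = TOKEN_RE.match(path)
        if m and m.group(1) not in seen:  # unknown token: candidate campaign-instance birth
            fresh[m.group(1)][reg_date].add(domain)
    births = {}
    for token, by_date in fresh.items():
        domains = max(by_date.values(), key=len)  # largest single-day registration batch
        if len(domains) >= min_fresh_domains:
            births[token] = sorted(domains)
            seen.add(token)  # remember it so the next sweep does not re-alert
    return births
```

Keep the `BloomFilter` instance across sweeps (or persist its bit array); a token already in it is a rotation of known infrastructure, not a birth.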


Those are not radically clever. They're plumbing. But you don't see them in any vendor presentation about ClearFake because they're not what EDR is built to do. EDR is endpoint-centric. Our pipe is registrar-centric, DNS-centric, Cloudflare-account-centric, and path-centric — the layers above the endpoint where ClearFake actually lives.



Receipts


Three blog posts shipped May 1 once we'd connected the cluster to ClearFake:


  • "We Named It The Apothecary — A Fresh Malware Delivery Cluster"

  • "Why The Apothecary Is a ClearFake Rebuild, Not a Rotation. Five Signals We Caught."

  • "The Apothecary Is ClearFake. PDR Ltd Registered All 32 Wings in 24 Hours. IANA 303."

A 5-post Bluesky thread.


32,063 ClearFake-tagged IOCs in our iocs index right now. 406 of those carry the dxnp2c7 token. Search the archive directly at analytics.dugganusa.com/api/v1/search?q=dxnp2c7 and the cluster falls out.


The 17 highest-confidence parent domains are now in our c2-domain-monitor.js watchlist with group=Apothecary-DXNP2C7. Daily DNS + cert change tracking. If the operators rotate something, we know.



What this is not


This is not "Huntress is wrong." Huntress is a serious EDR/MDR shop and their endpoint visibility into ClearFake-served payloads is something we can't and don't try to compete with. Two-year exposure to live infections gives them telemetry we'd never see.


This is "the framing of ClearFake as unstoppable assumes domain-level defense." It is unstoppable at the domain level. But the campaign-instance level is where it lives — and that's where the architecture for stopping it sits. We do that part. They do their part. The picture is more complete when both are in the conversation.



What you can do today


If you run threat intel: subscribe to our STIX feed at analytics.dugganusa.com/api/v1/stix-feed. The Apothecary cluster's IOCs ship with tlp:white, confidence:95, and the campaign-instance tag included. Ingestable into Splunk ES, Sentinel, Elastic, anything that speaks STIX 2.1.


If you run a SOC: search your DNS logs for the literal path token dxnp2c7. If a workstation hit anything with that string in the URL between Apr 29 and now, it touched the campaign. The path is the question.
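The SOC hunt above, as an added example over constructed proxy-log lines (not DugganUSA tooling; the log layout, client addresses and hostnames are assumptions). One caveat: DNS query logs carry only the hostname, so the path token can only be matched in logs that record the full URL (proxy, web gateway, or EDR URL telemetry). The matcher also confines the match to the URL path so that, say, a search-engine query for the token is not counted as a hit.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed lines in a simple "<iso-timestamp> <client-ip> <method> <url> <status>" layout.
SAMPLE_PROXY_LOG = """\
2026-04-28T09:12:01Z 10.0.0.5 GET https://benign.example/downloads/setup.exe 200
2026-04-29T14:03:44Z 10.0.0.7 GET https://cdn.example-one.bet/software-distribution-dxnp2c7/meta-verify.index 200
2026-04-30T08:15:09Z 10.0.0.7 GET https://example-two.bet/software-distribution-dxnp2c7/meta-verify.index 200
2026-05-01T11:41:27Z 10.0.0.9 GET https://example-five.bet/software-distribution-dxnp2c7/meta-verify.index 404
2026-05-02T16:22:10Z 10.0.0.11 GET https://search.example/?q=dxnp2c7 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
CAMPAIGN_START = datetime(2026, 4, 29, tzinfo=timezone.utc)  # window start given in the post

def hunt_path_token(log_text, token, start=CAMPAIGN_START):
    """Clients that requested a URL whose *path* contains token on/after start.
    Returns {client_ip: {"first_seen": iso, "hosts": [...], "hits": n}}; any status
    code counts, because a 404 still proves the workstation reached for the payload."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-attribute
        ts_raw, client, _method, url, _status = m.groups()
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        if ts < start:
            continue
        parts = urlsplit(url)
        if token not in parts.path:  # path only: query strings and hostnames are ignored
            continue
        rec = hits.setdefault(client, {"first_seen": ts_raw, "hosts": [], "hits": 0})
        rec["hits"] += 1
        if parts.hostname not in rec["hosts"]:
            rec["hosts"].append(parts.hostname)
    return hits
```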


If you run a Cloudflare property: block the three account clusters. We named them in the May 1 post.


If you run a registrar: PDR Ltd is processing 24-hour-window malware registrations at scale. The 32 .bet wings of dxnp2c7 are one batch of many.



The architecture difference


We are not going to outscale Huntress. They have endpoint footprint we will never match. We are going to keep beating them and every other big vendor to the naming moment — the second a campaign-instance is born and the operator is one move from going live. That's a craft problem, not a budget problem. And it's where path signatures live.


ClearFake is not impossible. It's just hard at the wrong layer.


— Patrick Duggan, DugganUSA LLC, Minneapolis · 2026-05-05




Receipts: 32,063 ClearFake IOCs and 406 dxnp2c7-tagged indicators are searchable now at analytics.dugganusa.com/api/v1/search. The umbrella record for the cluster is at analytics.dugganusa.com/api/v1/search?q=Apothecary+Umbrella. STIX feed at analytics.dugganusa.com/api/v1/stix-feed.


95% epistemic ceiling, as always. Five percent of any complex assessment is wrong. The path signature, registrar attribution, and Cloudflare account clustering are all verified by direct probe and registrar lookup. The "Huntress is presenting today" claim is from the public abstract — if their actual presentation walks the registrar/path layer, this post overlaps with their work rather than competing with it. Both are fine.



