Why The Apothecary Is a ClearFake Rebuild, Not a Rotation. Five Signals We Caught at Hour Zero.
- Patrick Duggan
We have posted three times today about the cluster on the .bet TLD that PreCog Sweep flagged at 23:56 UTC on April 30. We named the botanical wing The Apothecary, surfaced the broader 32-wing umbrella, and traced the registration paper trail to PDR Ltd (IANA 303), with all 32 parents pushed through a single 24-hour batch registration window.
The framework is ClearFake — URLhaus's classifier had 200 of 200 sampled IOCs tagged as malware_family equals ClearFake. ClearFake has been operating since 2023.
The honest read on what happened today is one degree past "fresh distribution wave." This looks like a ClearFake rebuild. Not a rotation. Not normal cadence. A ground-up redeployment of distribution infrastructure with new patterns the operator did not have last month. The 95-percent-cap version of that statement is what this post is about.
Five signals.
Signal one. Fresh TLD push. ClearFake's history runs through .com, .live, .top, .shop, .online — TLDs picked for either cheap registration or tolerance of fast IP rotation. .bet is new in the ClearFake column. We do not see prior ClearFake activity on .bet in our IOC index before April 29. Operators who have been working a TLD for years do not pivot to a new one for fun. They pivot when the existing TLD gets too hot — registrar takedowns getting faster, abuse desks getting more responsive, vendors subscribing to blocklists more aggressively. .bet is the experiment.
Signal two. Synchronized batch registration. Thirty-two parent domains through one registrar inside a twenty-four-hour window is not a steady-state pattern. ClearFake's normal cadence stages registrations over weeks across multiple registrars. When you see thirty-two domains pop on April 29 and 30 at PDR (IANA 303), that is a deployment event. Somebody clicked a button. The operator built or bought a registration-automation pipeline and used it.
Signal three. Three Cloudflare accounts. We mapped the cluster's nameserver assignments and found three distinct Cloudflare ns-pairs across the thirty-two parents — louis paired with melina, arnold paired with elle, dimitris paired with georgia. Cloudflare assigns those pairs per-account. Three pairs equals at least three separate Cloudflare accounts.
This is the most operationally interesting signal. Single-account fronting is the historical ClearFake pattern. Multi-account compartmentalization is what an operator builds after a takedown event costs them a campaign. Somebody on the ClearFake side learned that lesson the hard way and built three compartments before this deployment. That is not a rotation. That is post-mortem scar tissue showing up in the next-generation infrastructure.
Signal four. New path token. dxnp2c7. We have not seen this token in prior ClearFake activity in our index. Tokens rotate inside campaign instances all the time, but a brand-new token paired with a brand-new TLD paired with a brand-new fronting model paired with a synchronized registration push is not a token-rotation event. That is a campaign-instance reset.
Signal five. Templating-at-scale. Thirty-two parent domains, six thematic vocabularies — botanical, physics, gambling, thermal, algorithmic, edge — and one consistent generator pattern. Subdomains across every wing follow noun-digit-activity. The operator is not hand-naming domains. There is a script that takes a vocabulary and emits parent + subdomain pairs at scale. That is tooling investment. Tooling investments do not happen in the middle of steady-state operations. They happen when somebody decides to rebuild.
Five signals. All point the same direction.
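As an added illustration (not code from the original post or from PreCog Sweep), here is how signals two, three and five can be scored mechanically on a cluster pulled from RDAP and DNS. The records, vocabularies, the "noun3-activity" label shape and the thresholds are all constructed assumptions, not the real .bet IOCs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample cluster (not real IOCs): domain, registrar IANA id,
# RDAP registration timestamp (UTC), Cloudflare nameserver pair.
SAMPLE = [
    ("fennel-hub.bet", 303, "2025-04-29T20:10:00", ("louis", "melina")),
    ("yarrow-hub.bet", 303, "2025-04-29T22:45:00", ("louis", "melina")),
    ("photon-hub.bet", 303, "2025-04-30T03:20:00", ("arnold", "elle")),
    ("quark-hub.bet",  303, "2025-04-30T09:05:00", ("dimitris", "georgia")),
    ("old-shop.com",   303, "2025-03-02T11:00:00", ("louis", "melina")),
]

def max_in_window(records, registrar, hours=24):
    """Most domains registered at one registrar inside any sliding window (signal two)."""
    times = sorted(datetime.fromisoformat(t) for _, r, t, _ in records if r == registrar)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > timedelta(hours=hours):
            start += 1
        best = max(best, end - start + 1)
    return best

def ns_pairs(records):
    """Distinct ns-pairs; Cloudflare assigns a pair per account, so this is a lower bound (signal three)."""
    return {pair for _, _, _, pair in records}

# Assumed label shape for noun-digit-activity, e.g. "fennel3-spin".
# Vocabularies are constructed stand-ins for the wings the post names.
VOCAB = {"botanical": {"fennel", "yarrow", "sage"}, "physics": {"photon", "quark"}}
ACTIVITY = {"play", "spin", "win"}
GEN_RE = re.compile(r"^([a-z]+)(\d{1,3})-([a-z]+)$")

def generator_wing(label):
    """Wing name if the subdomain label fits noun-digit-activity, else None (signal five)."""
    m = GEN_RE.match(label)
    if not m or m.group(3) not in ACTIVITY:
        return None
    return next((w for w, words in VOCAB.items() if m.group(1) in words), None)

def rebuild_signals(records, registrar, labels):
    """Evaluate the three mechanical signals on one cluster; thresholds are assumed."""
    wings = {generator_wing(l) for l in labels} - {None}
    return {
        "batch_registration": max_in_window(records, registrar) >= 4,
        "multi_account_fronting": len(ns_pairs(records)) >= 2,
        "templated_naming": len(wings) >= 2,
    }
```

Signals one and four (new TLD, new path token) are index lookups against historical IOCs rather than cluster-local checks, so they are left out here.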
The 95-percent cap.
We are calling this a ClearFake rebuild at high confidence. Not 100 because Murphy was an optimist and the next sample analysis from a researcher could surface a prior dxnp2c7 sighting on a different TLD that we missed. If that happens, we downgrade "rebuild" to "TLD pivot." We are still not at "normal cadence" — the volume plus window plus account-split is too clean for steady-state.
The other reason for the cap. We are calling this off public infrastructure data — RDAP, DNS, URLhaus tags. We have not pulled the actual ClearFake JavaScript payload from the landing pages. If the JavaScript on every wing is byte-identical, it is one operator running thirty-two compartments. If the JavaScript varies by wing, we are looking at a kit-rental affiliate model with multiple subscribers using the same back-end. Either case is consistent with "rebuild" — the affiliate-model thesis would just mean the rebuild is at the kit-vendor layer rather than the operator layer. Defenders do not care about that distinction; threat researchers will.
Why this matters.
The whole point of the architecture we built is to catch deployment events at hour zero. That is what PreCog Sweep is for. That is why we run Bloom novelty checks against our IOC index before we trust a feed-derived hit, why we cross-correlate path signatures across Meilisearch indexes instead of grepping blogs, why we maintain DNS surveillance on known-bad infra. We did not catch The Apothecary because we are smarter than ClearFake's operators. We caught it because the architecture is positioned to see deployment events when they happen, in real time, before customers click the links.
This is left-of-boom defense. Pre-crime, in the Philip K. Dick sense — see the precursor pattern, name it, distribute the IOCs to defenders, before the campaign reaches the people the operator is hunting.
The third post today was the wrong shape — we wrote it before the ClearFake correlation came back and called the cluster "fresh, unknown, no operator name yet." We deleted that post and replaced it with the attribution writeup. This post is the call we held back from making in the attribution writeup, because we wanted to confirm the framework first before stacking the rebuild thesis on top.
Receipts at the search API. Hunt query is the path. Cap stays at ninety-five.
Tomorrow we monitor for the rebuild's growth. The thirty-two parents are now in the c2_watchlist. Path signature is the alert. Cluster expansion goes into next week's writeup.
Whatever the operator clicked this week, we logged it.