Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware
June 23, 2025, 9:43 p.m.
Description
The SERPENTINE#CLOUD campaign abuses Cloudflare Tunnels (trycloudflare.com subdomains) and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as PDF documents, which fetch remote code from Cloudflare Tunnel subdomains. The infection chain passes through batch, VBScript, and Python stages before deploying shellcode that loads a Donut-packed PE payload in memory. The campaign focuses on Western targets and relies on Cloudflare Tunnels for payload hosting and operator anonymity. It shows evolving tradecraft, shifting from simple .url files to more sophisticated .lnk payloads. The final stage is a RAT, giving the attackers full control over infected hosts.
Date
- Created: June 20, 2025, 6:08 a.m.
- Published: June 20, 2025, 6:08 a.m.
- Modified: June 23, 2025, 9:43 p.m.
Indicators
- f6b403d719d770ffb6cc310e2f97889998224a563a1a629be5b7f8642b5f00ba
- f626a8e8e1eb51a23b56b69060a76b9f566944c1b4df044b8b4b68861fb8a761
- fcad11819fca303372182c881397e0b607c0da64ecda1cf9b2c87cf5f8f5957a
- f0f7276c54e6d6b41732d51fb1b61366aa49c6992a54d13ffd24aee572ffaf95
- e78ff6f51a3faecf4d20cd5b71b2396b7c2fec74af19122b1e1eee432c13b773
- e8dab17006948378b94183226f8e2d345a6aeb6688be02e4ee578d4618d9fb43
- df9ecde8058cb9756bde3de1a2a2727a3709f238885165b7feb747eb10de1502
- def421b838a43054ab8336ab4db6bf8f973e1bbabc2c38e278c3fa4ea459f961
- d70b2ec135b1dc4d0be8e029574d9e686b29c0225022fc65d0af0811fdf88ce7
- cdd097329d2c539a3c67c278530d951964f593a4ffb90a31b0efad4c3e0ed5ba
- cdcd71a62cd579b8aa01792769b99961cde2d34419e066c4a45943559e0c4029
- c2c8f3a7a7b07fc4f62b943011ef4239ff938077fde2cc248b406616254f44d5
- b57f591866a0d5a68b76382476087310a6f96c34b9449d070619df6b763e6a1d
- a6f04f0c7b2827f4c102b1b1e3978805a628db1ee83fb61e640ff215ba732262
- 9dc84272d11e273b6b4defeabb7e3dd6ebe0e418fb96f9386dd7f1f695636384
- ac6eb3435cec6058ffea590ac51507b3313a74ea07893b984f2d87be12e17027
- 850fb460f68ab1b5810f96db1ff16954cd1b590b921968fcbc3203135b40acc0
- 9096d706d90598ba0dd6473a1cf0529ab7ab486e753b2ebf6b180d2bebf68990
- 821f0956d3f52819c90035041c0f4c0ec644924af46222c5913e05de1c385b04
- 81c47e749e8a3376294de8593c2387a0642080303bb17d902babff1de561e743
- 8164643b2efdcfedafafb61919cf93c496375002f6ad806725c85a7c871c34ea
- 7b4931e498ce8b3a15bff5fdfd3a547397e85296462de3d2d322b4b3fe52f26c
- 7aa7406147e1365a78412ba44adecee8c5f5b8365c61a2bc4de3bc2c37c0e1dd
- 759d6929e4456668a93d92b2aea311d9b7590ebab4a4da3cd8602b8c0b8111d5
- 715cef51ffcfaec05a080a0e0db4d88bb5123e2ade4a1c72fd8c10f412310c1d
- 6912f9484886ec8b8837ac3e2e63397a9c4fd499407dbab92f730f0d6b4315fc
- 63ffc2b66e32111cd5be311ad499bd15da5d28edc05b7f3da43dfe77f3e2c7f8
- 6211e469524a4bd7d3fa9c59a11a2f5bc6eac34d839a5ba0ba8a616b82a098c8
- 6134bac7a6215a158dfee2f6824b9e648de073eeb0499a325c8ef2ea43dab84c
- 547250102b3b779cfeab6f9ff4b67ffd577d83d9e8027df90697b01e24256d67
- 5710a67e4a3a633a8b3446a9e94b8cdd11b00e922a5585802a94bd91fa2a5d82
- 521982a864b3b40b2627cf2067546accf346e2c97924a73dbc767907071c4029
- 45babdcbd661450b3643a14dc960daf7fafaea2876fee249a2a2417b15272a4b
- 5022cd6152998d31b55e5770a7b334068ce8264876c5d6017fd37beb28e585ca
- 427fa98fc638d1ec0d8c6863d9b2e7e58642287bef11404089b45024564b54f4
- 408a7c9b1afcc367a086c1386da621d532632e2b54c47f7061161105bd63a37e
- 3d3a6d7905ca1387f3ec7a637cb672d6b6efa0f8efdbf819f756a8e5f92bc960
- 3cf0e84ea719b026aa6ef04ee7396974aeb3ec3480823fd0bb1867043c6d2bf9
- 3b97a79ed920a508b4cd91240d0795713c559c36862c75ec6c9a41b4ec05d279
- 3ad13c59cebdf654d2f04c26c4a0726f2e1bb3b1682bc9810a3b99fbd17d59c0
- 36f02254bf8631e5e4cdb83ffb4621c85ab5e41fb20983c7b1e2b2292ef02d0a
- 36d05b8ca1b6e629bfccc2342db331eb88d21ebce773ca266f664cd606bc31b7
- 35db935e80beda545577a5f7ff6de7c8a8b1376c363b0d5c704dc14ebc1d2f93
- 32253d3ea50927d0fd79f5bfdd6ee93c46aa26126ce4360d9915fabd2e5f562f
- 22de5ffc9bffe49c4713113ac171b95e016ed0f09065bfee1394a579174e8dd6
- 1cacc0e005a506572b26d859579840188758c37377b19f33bbd084d7ef2956a8
- 1a15c4d654d88dc3f1943361cb69bb5dea90c758a6fe4e8b72e683ba9354c480
- 193218243c54d7903c65f5e7be9b865ddb286da9005c69e6e955e31ec3efa1a7
- 13a8150b68a3fad30c48778b80baa7c97c1a813f37688cbe14b1d3f5ab69ac72
- 1534d21ddd3a58b076ef49682e0cf7009abfb4248fa70426b5436c02caeaf82f
- 139b2b11b1c0d9697a78c1a9535a7a4e4f41d4833b247c1cddc91abe3bebe3e4
- 049a576a5bc77af51065d28a711656bd93ff6bd5fe74d54064a66a802d14e438
- 100970b2eb83e3a80cb463126845619a05c979d235b07eca4b1c2027772334ec
- 0484de293f2c125132caa585229a8702af00cb645aa27684c2ee6f9f4f3edb6f
- 017fd2003f8eaa65ff85131322f5faec1e338511788328438020848edf3dfd8d
- 0172ca7c07d1d52dc163090886d5f32a5dcf528506d19203e4c405495f51c60b
- aece8fa3b8ea803e9ca9bf06b6fd147b54cd3a00207aad36871da424a9ca4748
- 5d932bfda0ffd31715700de2fd43fc89c0f1d89eeabac92081ebe2062da84152
- https://works-clubs-attendance-vi.trycloudflare.com
- https://works-clubs-attendance-vi.trycloudflare.co
- https://wizard-individual-intervals-franklin.trycloudflare.com
- https://vocabulary-bangladesh-designation-manhattan.trycloudflare.com
- https://whatever-hearings-transmission-daisy.trycloudflare.com
- https://violin-amendment-stranger-job.trycloudflare.com
- https://vertical-pentium-b-dead.trycloudflare.com
- https://uploaded-overall-seating-browser.trycloudflare.com
- https://travel-sagem-distant-potential.trycloudflare.com
- https://surprise-poly-longitude-populations.trycloudflare.com
- https://superb-rotation-gourmet-frequently.trycloudflare.com
- https://shed-determination-conviction-herself.trycloudflare.com
- https://reensboro-even-suburban-str.trycloudflare.com
- https://pop-incl-accountability-pharmacy.trycloudflare.com
- https://obtaining-removing-blocking-effectiveness.trycloudflare.com
- https://opportunities-choosing-non-torture.trycloudflare.com
- https://now-refer-several-tariff.trycloudflare.com
- https://milton-smithsonian-raising-mind.trycloudflare.com
- https://menu-conviction-given-not.trycloudflare.com
- https://integration-previous-brilliant-true.trycloudflare.com
- https://lender-router-exclusively-fraction.trycloudflare.com
- https://hose-jerusalem-sure-older.trycloudflare.com
- https://fy-golf-fraction-bath.trycloudflare.com
- https://hobbies-gratis-literally-dry.trycloudflare.com
- https://greensboro-even-suburban-str.trycloudflare.com
- https://eastern-instructional-ant-jungle.trycloudflare.com/cam.zip
- https://flour-riding-merit-refers.trycloudflare.com
- https://flexibility-hawaiian-ever-bon.trycloudflare.com
- https://dolls-pet-bon-shirts.trycloudflare.com
- https://diy-solution-warriors-workflow.trycloudflare.com
- https://depot-arrange-zero-kai.trycloudflare.com
- https://departments-emperor-maximize-synopsis.trycloudflare.com
- https://cold-neon-springfield-asset.trycloudflare.com
- https://catalogs-amounts-functions-chicago.trycloudflare.com
- https://bought-boulder-algeria-warned.trycloudflare.com
- https://bold-accepts-wide-te.trycloudflare.com
- https://archived-hungary-paxil-tubes.trycloudflare.com
- https://agricultural-brooks-nevertheless-hawk.trycloudflare.com
- works-clubs-attendance-vi.trycloudflare.com
- works-clubs-attendance-vi.trycloudflare.co
- wizard-individual-intervals-franklin.trycloudflare.com
- whatever-hearings-transmission-daisy.trycloudflare.com
- vocabulary-bangladesh-designation-manhattan.trycloudflare.com
- violin-amendment-stranger-job.trycloudflare.com
- vertical-pentium-b-dead.trycloudflare.com
- uploaded-overall-seating-browser.trycloudflare.com
- travel-sagem-distant-potential.trycloudflare.com
- surprise-poly-longitude-populations.trycloudflare.com
- superb-rotation-gourmet-frequently.trycloudflare.com
- shed-determination-conviction-herself.trycloudflare.com
- reensboro-even-suburban-str.trycloudflare.com
- pop-incl-accountability-pharmacy.trycloudflare.com
- opportunities-choosing-non-torture.trycloudflare.com
- now-refer-several-tariff.trycloudflare.com
- obtaining-removing-blocking-effectiveness.trycloudflare.com
- nhvncpureybs.duckdns.org
- nhvncpurekfl.duckdns.org
- nhvncpure2.mooo.com
- nhvncpure1.strangled.net
- nhvncpure.twilightparadox.com
- nhvncpure.duckdns.org
- milton-smithsonian-raising-mind.trycloudflare.com
- menu-conviction-given-not.trycloudflare.com
- lender-router-exclusively-fraction.trycloudflare.com
- ip145.ip-51-89-212.eu
- integration-previous-brilliant-true.trycloudflare.com
- hvncmomentpure.duckdns.org
- hose-jerusalem-sure-older.trycloudflare.com
- hobbies-gratis-literally-dry.trycloudflare.com
- greensboro-even-suburban-str.trycloudflare.com
- fy-golf-fraction-bath.trycloudflare.com
- flour-riding-merit-refers.trycloudflare.com
- flexibility-hawaiian-ever-bon.trycloudflare.com
- eastern-instructional-ant-jungle.trycloudflare.com
- dolls-pet-bon-shirts.trycloudflare.com
- djksncb.duckdns.org
- diy-solution-warriors-workflow.trycloudflare.com
- departments-emperor-maximize-synopsis.trycloudflare.com
- depot-arrange-zero-kai.trycloudflare.com
- cold-neon-springfield-asset.trycloudflare.com
- catalogs-amounts-functions-chicago.trycloudflare.com
- bought-boulder-algeria-warned.trycloudflare.com
- archived-hungary-paxil-tubes.trycloudflare.com
- bold-accepts-wide-te.trycloudflare.com
- agricultural-brooks-nevertheless-hawk.trycloudflare.com
- nhvncpure.shop
- nhvncpure.sbs
- nhvncpure.click
- ncmomenthv.duckdns.org
Attack Patterns
- RevengeRAT
- AsyncRAT
Additional Information
- 06159364732024.pdf.lnk.download
- 08403844758424.pdf.lnk.download
- 0618394720134.pdf.lnk.download
- 048304848392524.pdf.lnk.download
- Germany
- United Kingdom of Great Britain and Northern Ireland
- United States of America