SERPENTINE#CLOUD Exploits Cloudflare Tunnels for Malware Delivery


VTA-004520 – SERPENTINE#CLOUD Exploits Cloudflare Tunnels for Malware Delivery

A new phishing campaign, dubbed SERPENTINE#CLOUD, is exploiting Cloudflare Tunnel subdomains to deliver malware through obfuscated scripts and memory-injected payloads. Researchers said the attack begins with invoice-themed phishing emails containing a ZIP file with a malicious LNK shortcut. Once opened, the shortcut triggers a multi-stage infection chain, ultimately deploying Python-based shellcode loaders that execute malware like AsyncRAT or Revenge RAT entirely in memory.

The attackers use Cloudflare’s legitimate subdomains (*.trycloudflare[.]com) to evade detection, making it difficult to distinguish between malicious and benign traffic. The infection involves downloading a Windows Script File (WSF) from a WebDAV share, followed by a stealthy batch script that checks for antivirus software before loading the final payload.

In a separate campaign, Colombian users were targeted via SVG smuggling, where attackers sent fake court notifications with malicious SVG files. These files either linked to JS/VBS scripts or delivered password-protected ZIPs containing AsyncRAT and Remcos RAT. The malware was hidden in Base64-encoded images hosted on platforms like Internet Archive, Bitbucket, and Dropbox.

Additionally, ClickFix social engineering attacks have surged, tricking users into downloading Lumma Stealer and SectopRAT under the guise of solving CAPTCHAs or fixing system issues.

Severity:
Medium

Attack Surface:
Content Management System, Email, Endpoint, File Storage, Remote Access Service, Web Application

Tactics:
Command and Control, Defense Evasion, Execution, Initial Access

Techniques:
T1021 – Remote Services
T1027 – Obfuscated Files or Information
T1036 – Masquerading
T1041 – Exfiltration Over C2 Channel
T1055 – Process Injection
T1056 – Input Capture
T1059 – Command and Scripting Interpreter
T1071 – Application Layer Protocol
T1072 – Software Deployment Tools
T1074 – Data Staged
T1105 – Ingress Tool Transfer
T1113 – Screen Capture
T1127 – Trusted Developer Utilities Proxy Execution
T1132 – Data Encoding
T1140 – Deobfuscate/Decode Files or Information
T1204 – User Execution
T1218 – System Binary Proxy Execution
T1547 – Boot or Logon Autostart Execution
T1564 – Hide Artifacts
T1566 – Phishing
T1572 – Protocol Tunneling
T1620 – Reflective Code Loading

Indicators of Compromise:
1. https://otx.alienvault.com/pulse/685492848a33bffb13e4a5dc

References:
1. https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research/

SuperPRO’s Threat Countermeasures Procedures:
1. Train employees to recognize phishing emails with fake invoices or urgent payment requests.
2. Block shortcut and script file types (LNK, WSF, BAT), including inside ZIP attachments, from being delivered via email or downloaded from external links.
3. Monitor network traffic for connections to Cloudflare Tunnel subdomains.
4. Disable WebDAV protocols if not required to prevent abuse in payload delivery.
5. Deploy behavior-based detection to identify memory injection and Python-based malware loaders.
6. Restrict script execution (VBS, JS, PowerShell) in corporate environments to limit attack surfaces.
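As an added illustration of countermeasures 2 and 3 (this is example code written for this page, not tooling from Securonix or the advisory), the script below scans proxy log lines for connections to *.trycloudflare.com hosts, WebDAV request methods, and fetches of the blocked file types, and checks ZIP attachment members against the same block list. The log format, the field order, the client IP, and the tunnel hostname are all constructed assumptions for illustration; real tunnel hostnames from the campaign are in the referenced pulse, not here.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Legitimate Cloudflare quick-tunnel domain abused by the campaign (defanged in the advisory text).
TUNNEL_SUFFIX = ".trycloudflare.com"

# File types countermeasures 2 and 6 say to block at the email and web boundary.
BLOCKED_EXTENSIONS = {".lnk", ".wsf", ".bat", ".vbs", ".js"}

# WebDAV request methods; PROPFIND is how a client lists a share before fetching a file from it.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Assumed proxy log format (an assumption, not a real product's format):
# "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_tunnel_host(host: str) -> bool:
    """True if host is a subdomain of trycloudflare.com (case-insensitive, trailing dot tolerated)."""
    return host.lower().rstrip(".").endswith(TUNNEL_SUFFIX)


def analyze_proxy_line(line: str) -> list[str]:
    """Return the alert reasons for one proxy log line; an empty list means nothing matched."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return ["unparseable line"]
    _ts, client, method, url, _status = m.groups()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    last_segment = parsed.path.lower().rsplit("/", 1)[-1]
    ext = "." + last_segment.rsplit(".", 1)[-1] if "." in last_segment else ""
    reasons = []
    if is_tunnel_host(host):
        reasons.append(f"{client} contacted Cloudflare Tunnel host {host}")
    if method.upper() in WEBDAV_METHODS:
        reasons.append(f"{client} issued WebDAV {method.upper()} to {host}")
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"{client} fetched blocked file type {ext} from {host}")
    return reasons


def attachment_verdict(filename: str) -> str:
    """Gateway policy for countermeasure 2: 'block' for shortcut/script types, else 'allow'."""
    name = filename.lower()
    return "block" if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS) else "allow"


def zip_members_to_block(zip_bytes: bytes) -> list[str]:
    """Names of archive members that the gateway should block (looks inside the ZIP, not at its name)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if attachment_verdict(n) == "block"]


def build_sample_zip() -> bytes:
    """Constructed sample: an 'invoice' archive carrying an LNK member, mirroring the lure described."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2025.pdf.lnk", b"placeholder bytes, not a real shortcut")
        zf.writestr("README.txt", b"harmless text")
    return buf.getvalue()


# Constructed sample log lines; the tunnel hostname and client IP are made up for this example.
SAMPLE_PROXY_LOG = [
    "2025-06-19T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2025-06-19T10:01:09Z 10.0.0.5 PROPFIND http://coast-pearl-render.trycloudflare.com/share/ 207",
    "2025-06-19T10:01:10Z 10.0.0.5 GET http://coast-pearl-render.trycloudflare.com/share/invoice.wsf 200",
]


def run_detection(lines=SAMPLE_PROXY_LOG) -> dict[str, list[str]]:
    """Map each flagged line to its reasons; lines with no reasons are omitted."""
    return {line: reasons for line in lines if (reasons := analyze_proxy_line(line))}


if __name__ == "__main__":
    for line, reasons in run_detection().items():
        print(line)
        for r in reasons:
            print("   ->", r)
    print("ZIP members to block:", zip_members_to_block(build_sample_zip()))
```

The tunnel-host match on its own is a weak signal, since trycloudflare.com also carries legitimate traffic; the WebDAV method and the script-type fetch on the same host are what turn it into an alert worth acting on, which is why each line can carry several reasons rather than a single yes/no verdict.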

Contributed by: Fatini