Securonix has uncovered a malware distribution campaign that abuses Cloudflare Tunnel to host payloads on attacker-controlled subdomains.
Dubbed Serpentine#Cloud, the campaign relies on a complex infection chain involving shortcut (LNK) files and obfuscated scripts to deliver a Python-based loader that can execute a Donut-packed PE payload in memory.
Early attacks linked to this campaign relied on URL files for payload execution, but later transitioned to using BAT files, often in ZIP archives, to fetch and execute payloads from Cloudflare tunnels.
In more recent attacks, LNK files disguised as PDF documents have been used for payload delivery. Victims are served these files via phishing emails featuring payment and invoice themes, with links to a ZIP file containing the LNK file.
Cloudflare tunnels provide remote access to resources, like VPNs, and threat actors are increasingly abusing them for malware delivery, as it allows them to remain anonymous while bypassing network protections and detection, since traffic comes from a legitimate service.
As part of the Serpentine#Cloud campaign, the LNK file served to potential victims was observed triggering a complex infection chain that relied on robocopy to fetch a Windows Script File (WSF) from a remote WebDAV share hosted on Cloudflare’s tunnel infrastructure, and continued with script execution via Windows Script Host (WSH).
The infection sequence continued with the execution of an obfuscated batch file that fetches Python-based malware, establishes persistence, hides the malware’s directories, and then executes it.
The malware is a shellcode loader that uses “Early Bird APC injection to stealthily execute shellcode within a newly spawned process”, Securonix explains. The executed shellcode resolves into a Windows PE file that turns out to be either a common or open source RAT, such as AsyncRAT or RevengeRAT.
Serpentine#Cloud is not the first malicious operation to abuse Cloudflare tunnels for backdoor infection. Last year, Proofpoint flagged a similar campaign that distributed AsyncRAT, GuLoader, Remcos, VenomRAT, and Xworm.
Related: ClickFix Attack Exploits Fake Cloudflare Turnstile to Deliver Malware
Related: In Other News: Cloudflare Abuse, UK and EU Cybersecurity Reports, FBI Gen-AI Alert
Related: New Ransomware With RAT Capabilities Impersonating Sophos
Related: Microsoft Warns Accounting, Tax Return Preparation Firms of Remcos RAT Attacks
