
Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware

· Published 20/06/2025 06:08 · Modified 23/06/2025 21:43


Essential information

Published
20/06/2025 06:08
Modified
23/06/2025 21:43
Tags
2025-06-20, asyncrat, cloudflare tunnels, donut packer, memory injection, obfuscation, phishing, python-based malware, rat, revengerat, shellcode loader, stealth techniques, webdav
Related entities
147 observables, 2 malware, 7 others

Description

The SERPENTINE#CLOUD campaign leverages Cloudflare Tunnels and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as documents, which fetch remote code from Cloudflare subdomains. The infection chain proceeds through batch, VBScript, and Python stages, ultimately deploying shellcode that loads a Donut-packed PE payload. The campaign focuses on Western targets and uses Cloudflare for payload hosting and anonymity. It demonstrates evolving tactics, shifting from simple .url files to more sophisticated .lnk payloads. The final stage delivers a RAT payload, giving attackers full control over infected hosts.

External references