{
  "name": "Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware",
  "slug": "analyzing-serpentinecloud-threat-actors-abuse-cloudflare-tunnels-to-infect-systems-with-stealthy-python-based-malware",
  "description": "The SERPENTINE#CLOUD campaign leverages Cloudflare Tunnels and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as documents, fetching remote code from Cloudflare subdomains. The infection chain involves batch, VBScript, and Python stages, ultimately deploying shellcode that loads a Donut-packed PE payload. The campaign focuses on Western targets, using Cloudflare for payload hosting and anonymity. It demonstrates evolving tactics, shifting from simple .url files to sophisticated .lnk payloads. The final stage involves a RAT payload, giving attackers full control over infected hosts.",
  "published": "2025-06-20T04:08:42+00:00",
  "created_at": "2025-06-20T04:08:42+00:00",
  "modified_at": "2025-06-23T19:43:25+00:00",
  "created_at_opencti": "2025-06-20T04:08:42+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-06-20",
    "asyncrat",
    "cloudflare tunnels",
    "donut packer",
    "memory injection",
    "obfuscation",
    "phishing",
    "python-based malware",
    "rat",
    "revengerat",
    "shellcode loader",
    "stealth techniques",
    "webdav"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://works-clubs-attendance-vi.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://works-clubs-attendance-vi.trycloudflare.co"
      },
      {
        "id": "",
        "name": "https://wizard-individual-intervals-franklin.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://vocabulary-bangladesh-designation-manhattan.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://whatever-hearings-transmission-daisy.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://violin-amendment-stranger-job.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://vertical-pentium-b-dead.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://uploaded-overall-seating-browser.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://travel-sagem-distant-potential.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://surprise-poly-longitude-populations.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://superb-rotation-gourmet-frequently.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://shed-determination-conviction-herself.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://reensboro-even-suburban-str.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://pop-incl-accountability-pharmacy.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://obtaining-removing-blocking-effectiveness.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://opportunities-choosing-non-torture.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://now-refer-several-tariff.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://milton-smithsonian-raising-mind.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://menu-conviction-given-not.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://integration-previous-brilliant-true.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://lender-router-exclusively-fraction.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://hose-jerusalem-sure-older.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://fy-golf-fraction-bath.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://hobbies-gratis-literally-dry.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://greensboro-even-suburban-str.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://eastern-instructional-ant-jungle.trycloudflare.com/cam.zip"
      },
      {
        "id": "",
        "name": "https://flour-riding-merit-refers.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://flexibility-hawaiian-ever-bon.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://dolls-pet-bon-shirts.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://diy-solution-warriors-workflow.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://depot-arrange-zero-kai.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://departments-emperor-maximize-synopsis.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://cold-neon-springfield-asset.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://catalogs-amounts-functions-chicago.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://bought-boulder-algeria-warned.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://bold-accepts-wide-te.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://archived-hungary-paxil-tubes.trycloudflare.com"
      },
      {
        "id": "",
        "name": "https://agricultural-brooks-nevertheless-hawk.trycloudflare.com"
      },
      {
        "id": "",
        "name": "works-clubs-attendance-vi.trycloudflare.com"
      },
      {
        "id": "",
        "name": "works-clubs-attendance-vi.trycloudflare.co"
      },
      {
        "id": "",
        "name": "wizard-individual-intervals-franklin.trycloudflare.com"
      },
      {
        "id": "",
        "name": "whatever-hearings-transmission-daisy.trycloudflare.com"
      },
      {
        "id": "",
        "name": "vocabulary-bangladesh-designation-manhattan.trycloudflare.com"
      },
      {
        "id": "",
        "name": "violin-amendment-stranger-job.trycloudflare.com"
      },
      {
        "id": "",
        "name": "vertical-pentium-b-dead.trycloudflare.com"
      },
      {
        "id": "",
        "name": "uploaded-overall-seating-browser.trycloudflare.com"
      },
      {
        "id": "",
        "name": "travel-sagem-distant-potential.trycloudflare.com"
      },
      {
        "id": "",
        "name": "surprise-poly-longitude-populations.trycloudflare.com"
      },
      {
        "id": "",
        "name": "superb-rotation-gourmet-frequently.trycloudflare.com"
      },
      {
        "id": "",
        "name": "shed-determination-conviction-herself.trycloudflare.com"
      },
      {
        "id": "",
        "name": "reensboro-even-suburban-str.trycloudflare.com"
      },
      {
        "id": "",
        "name": "pop-incl-accountability-pharmacy.trycloudflare.com"
      },
      {
        "id": "",
        "name": "opportunities-choosing-non-torture.trycloudflare.com"
      },
      {
        "id": "",
        "name": "now-refer-several-tariff.trycloudflare.com"
      },
      {
        "id": "",
        "name": "obtaining-removing-blocking-effectiveness.trycloudflare.com"
      },
      {
        "id": "",
        "name": "nhvncpureybs.duckdns.org"
      },
      {
        "id": "",
        "name": "nhvncpurekfl.duckdns.org"
      },
      {
        "id": "",
        "name": "nhvncpure2.mooo.com"
      },
      {
        "id": "",
        "name": "nhvncpure1.strangled.net"
      },
      {
        "id": "",
        "name": "nhvncpure.twilightparadox.com"
      },
      {
        "id": "",
        "name": "nhvncpure.duckdns.org"
      },
      {
        "id": "",
        "name": "milton-smithsonian-raising-mind.trycloudflare.com"
      },
      {
        "id": "",
        "name": "menu-conviction-given-not.trycloudflare.com"
      },
      {
        "id": "",
        "name": "lender-router-exclusively-fraction.trycloudflare.com"
      },
      {
        "id": "",
        "name": "ip145.ip-51-89-212.eu"
      },
      {
        "id": "",
        "name": "integration-previous-brilliant-true.trycloudflare.com"
      },
      {
        "id": "",
        "name": "hvncmomentpure.duckdns.org"
      },
      {
        "id": "",
        "name": "hose-jerusalem-sure-older.trycloudflare.com"
      },
      {
        "id": "",
        "name": "hobbies-gratis-literally-dry.trycloudflare.com"
      },
      {
        "id": "",
        "name": "greensboro-even-suburban-str.trycloudflare.com"
      },
      {
        "id": "",
        "name": "fy-golf-fraction-bath.trycloudflare.com"
      },
      {
        "id": "",
        "name": "flour-riding-merit-refers.trycloudflare.com"
      },
      {
        "id": "",
        "name": "flexibility-hawaiian-ever-bon.trycloudflare.com"
      },
      {
        "id": "",
        "name": "eastern-instructional-ant-jungle.trycloudflare.com"
      },
      {
        "id": "",
        "name": "dolls-pet-bon-shirts.trycloudflare.com"
      },
      {
        "id": "",
        "name": "djksncb.duckdns.org"
      },
      {
        "id": "",
        "name": "diy-solution-warriors-workflow.trycloudflare.com"
      },
      {
        "id": "",
        "name": "departments-emperor-maximize-synopsis.trycloudflare.com"
      },
      {
        "id": "",
        "name": "depot-arrange-zero-kai.trycloudflare.com"
      },
      {
        "id": "",
        "name": "cold-neon-springfield-asset.trycloudflare.com"
      },
      {
        "id": "",
        "name": "catalogs-amounts-functions-chicago.trycloudflare.com"
      },
      {
        "id": "",
        "name": "bought-boulder-algeria-warned.trycloudflare.com"
      },
      {
        "id": "",
        "name": "archived-hungary-paxil-tubes.trycloudflare.com"
      },
      {
        "id": "",
        "name": "bold-accepts-wide-te.trycloudflare.com"
      },
      {
        "id": "",
        "name": "agricultural-brooks-nevertheless-hawk.trycloudflare.com"
      },
      {
        "id": "",
        "name": "nhvncpure.shop"
      },
      {
        "id": "",
        "name": "nhvncpure.sbs"
      },
      {
        "id": "",
        "name": "nhvncpure.click"
      },
      {
        "id": "",
        "name": "ncmomenthv.duckdns.org"
      },
      {
        "id": "",
        "name": "f6b403d719d770ffb6cc310e2f97889998224a563a1a629be5b7f8642b5f00ba"
      },
      {
        "id": "",
        "name": "f626a8e8e1eb51a23b56b69060a76b9f566944c1b4df044b8b4b68861fb8a761"
      },
      {
        "id": "",
        "name": "fcad11819fca303372182c881397e0b607c0da64ecda1cf9b2c87cf5f8f5957a"
      },
      {
        "id": "",
        "name": "f0f7276c54e6d6b41732d51fb1b61366aa49c6992a54d13ffd24aee572ffaf95"
      },
      {
        "id": "",
        "name": "e78ff6f51a3faecf4d20cd5b71b2396b7c2fec74af19122b1e1eee432c13b773"
      },
      {
        "id": "",
        "name": "e8dab17006948378b94183226f8e2d345a6aeb6688be02e4ee578d4618d9fb43"
      },
      {
        "id": "",
        "name": "df9ecde8058cb9756bde3de1a2a2727a3709f238885165b7feb747eb10de1502"
      },
      {
        "id": "",
        "name": "def421b838a43054ab8336ab4db6bf8f973e1bbabc2c38e278c3fa4ea459f961"
      },
      {
        "id": "",
        "name": "d70b2ec135b1dc4d0be8e029574d9e686b29c0225022fc65d0af0811fdf88ce7"
      },
      {
        "id": "",
        "name": "cdd097329d2c539a3c67c278530d951964f593a4ffb90a31b0efad4c3e0ed5ba"
      },
      {
        "id": "",
        "name": "cdcd71a62cd579b8aa01792769b99961cde2d34419e066c4a45943559e0c4029"
      },
      {
        "id": "",
        "name": "c2c8f3a7a7b07fc4f62b943011ef4239ff938077fde2cc248b406616254f44d5"
      },
      {
        "id": "",
        "name": "b57f591866a0d5a68b76382476087310a6f96c34b9449d070619df6b763e6a1d"
      },
      {
        "id": "",
        "name": "a6f04f0c7b2827f4c102b1b1e3978805a628db1ee83fb61e640ff215ba732262"
      },
      {
        "id": "",
        "name": "9dc84272d11e273b6b4defeabb7e3dd6ebe0e418fb96f9386dd7f1f695636384"
      },
      {
        "id": "",
        "name": "ac6eb3435cec6058ffea590ac51507b3313a74ea07893b984f2d87be12e17027"
      },
      {
        "id": "",
        "name": "850fb460f68ab1b5810f96db1ff16954cd1b590b921968fcbc3203135b40acc0"
      },
      {
        "id": "",
        "name": "9096d706d90598ba0dd6473a1cf0529ab7ab486e753b2ebf6b180d2bebf68990"
      },
      {
        "id": "",
        "name": "821f0956d3f52819c90035041c0f4c0ec644924af46222c5913e05de1c385b04"
      },
      {
        "id": "",
        "name": "81c47e749e8a3376294de8593c2387a0642080303bb17d902babff1de561e743"
      },
      {
        "id": "",
        "name": "8164643b2efdcfedafafb61919cf93c496375002f6ad806725c85a7c871c34ea"
      },
      {
        "id": "",
        "name": "7b4931e498ce8b3a15bff5fdfd3a547397e85296462de3d2d322b4b3fe52f26c"
      },
      {
        "id": "",
        "name": "7aa7406147e1365a78412ba44adecee8c5f5b8365c61a2bc4de3bc2c37c0e1dd"
      },
      {
        "id": "",
        "name": "759d6929e4456668a93d92b2aea311d9b7590ebab4a4da3cd8602b8c0b8111d5"
      },
      {
        "id": "",
        "name": "715cef51ffcfaec05a080a0e0db4d88bb5123e2ade4a1c72fd8c10f412310c1d"
      },
      {
        "id": "",
        "name": "6912f9484886ec8b8837ac3e2e63397a9c4fd499407dbab92f730f0d6b4315fc"
      },
      {
        "id": "",
        "name": "63ffc2b66e32111cd5be311ad499bd15da5d28edc05b7f3da43dfe77f3e2c7f8"
      },
      {
        "id": "",
        "name": "6211e469524a4bd7d3fa9c59a11a2f5bc6eac34d839a5ba0ba8a616b82a098c8"
      },
      {
        "id": "",
        "name": "6134bac7a6215a158dfee2f6824b9e648de073eeb0499a325c8ef2ea43dab84c"
      },
      {
        "id": "",
        "name": "547250102b3b779cfeab6f9ff4b67ffd577d83d9e8027df90697b01e24256d67"
      },
      {
        "id": "",
        "name": "5710a67e4a3a633a8b3446a9e94b8cdd11b00e922a5585802a94bd91fa2a5d82"
      },
      {
        "id": "",
        "name": "521982a864b3b40b2627cf2067546accf346e2c97924a73dbc767907071c4029"
      },
      {
        "id": "",
        "name": "45babdcbd661450b3643a14dc960daf7fafaea2876fee249a2a2417b15272a4b"
      },
      {
        "id": "",
        "name": "5022cd6152998d31b55e5770a7b334068ce8264876c5d6017fd37beb28e585ca"
      },
      {
        "id": "",
        "name": "427fa98fc638d1ec0d8c6863d9b2e7e58642287bef11404089b45024564b54f4"
      },
      {
        "id": "",
        "name": "408a7c9b1afcc367a086c1386da621d532632e2b54c47f7061161105bd63a37e"
      },
      {
        "id": "",
        "name": "3d3a6d7905ca1387f3ec7a637cb672d6b6efa0f8efdbf819f756a8e5f92bc960"
      },
      {
        "id": "",
        "name": "3cf0e84ea719b026aa6ef04ee7396974aeb3ec3480823fd0bb1867043c6d2bf9"
      },
      {
        "id": "",
        "name": "3b97a79ed920a508b4cd91240d0795713c559c36862c75ec6c9a41b4ec05d279"
      },
      {
        "id": "",
        "name": "3ad13c59cebdf654d2f04c26c4a0726f2e1bb3b1682bc9810a3b99fbd17d59c0"
      },
      {
        "id": "",
        "name": "36f02254bf8631e5e4cdb83ffb4621c85ab5e41fb20983c7b1e2b2292ef02d0a"
      },
      {
        "id": "",
        "name": "36d05b8ca1b6e629bfccc2342db331eb88d21ebce773ca266f664cd606bc31b7"
      },
      {
        "id": "",
        "name": "35db935e80beda545577a5f7ff6de7c8a8b1376c363b0d5c704dc14ebc1d2f93"
      },
      {
        "id": "",
        "name": "32253d3ea50927d0fd79f5bfdd6ee93c46aa26126ce4360d9915fabd2e5f562f"
      },
      {
        "id": "",
        "name": "22de5ffc9bffe49c4713113ac171b95e016ed0f09065bfee1394a579174e8dd6"
      },
      {
        "id": "",
        "name": "1cacc0e005a506572b26d859579840188758c37377b19f33bbd084d7ef2956a8"
      },
      {
        "id": "",
        "name": "1a15c4d654d88dc3f1943361cb69bb5dea90c758a6fe4e8b72e683ba9354c480"
      },
      {
        "id": "",
        "name": "193218243c54d7903c65f5e7be9b865ddb286da9005c69e6e955e31ec3efa1a7"
      },
      {
        "id": "",
        "name": "13a8150b68a3fad30c48778b80baa7c97c1a813f37688cbe14b1d3f5ab69ac72"
      },
      {
        "id": "",
        "name": "1534d21ddd3a58b076ef49682e0cf7009abfb4248fa70426b5436c02caeaf82f"
      },
      {
        "id": "",
        "name": "139b2b11b1c0d9697a78c1a9535a7a4e4f41d4833b247c1cddc91abe3bebe3e4"
      },
      {
        "id": "",
        "name": "049a576a5bc77af51065d28a711656bd93ff6bd5fe74d54064a66a802d14e438"
      },
      {
        "id": "",
        "name": "100970b2eb83e3a80cb463126845619a05c979d235b07eca4b1c2027772334ec"
      },
      {
        "id": "",
        "name": "0484de293f2c125132caa585229a8702af00cb645aa27684c2ee6f9f4f3edb6f"
      },
      {
        "id": "",
        "name": "017fd2003f8eaa65ff85131322f5faec1e338511788328438020848edf3dfd8d"
      },
      {
        "id": "",
        "name": "0172ca7c07d1d52dc163090886d5f32a5dcf528506d19203e4c405495f51c60b"
      },
      {
        "id": "",
        "name": "aece8fa3b8ea803e9ca9bf06b6fd147b54cd3a00207aad36871da424a9ca4748"
      },
      {
        "id": "",
        "name": "5d932bfda0ffd31715700de2fd43fc89c0f1d89eeabac92081ebe2062da84152"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:7fe6c1c517e7e0f1",
        "name": "RevengeRAT",
        "slug": "revengerat"
      },
      {
        "id": "f200fb60-5446-493f-9712-9f26d65956cc",
        "name": "AsyncRAT",
        "slug": "asyncrat"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Germany"
      },
      {
        "id": "",
        "name": "United Kingdom of Great Britain and Northern Ireland"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "06159364732024.pdf.lnk.download"
      },
      {
        "id": "",
        "name": "08403844758424.pdf.lnk.download"
      },
      {
        "id": "",
        "name": "0618394720134.pdf.lnk.download"
      },
      {
        "id": "",
        "name": "048304848392524.pdf.lnk.download"
      }
    ]
  },
  "external_refs": [
    "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research",
    "https://otx.alienvault.com/pulse/6854faeabddec88ea8dace57"
  ]
}