A new cyber attack campaign, named SERPENTINE#CLOUD, leverages Cloudflare Tunnel infrastructure and Python loaders to distribute malicious payloads via phishing emails. The campaign targets multiple regions and employs sophisticated evasion techniques, including encrypted transport layers and in-memory execution. #SERPENTINECLOUD #CloudflareTunnel
Key points
- The campaign uses Cloudflare subdomains to host and deliver malware discreetly.
- Initial access is gained through phishing emails with ZIP files containing disguised Windows Shortcut (LNK) files.
- The infection chain culminates with a Python-based shellcode loader that executes in-memory payloads.
- Targets are located in the US, UK, Germany, Europe, and Asia; the threat actors' identities are unknown, though they communicate in fluent English.
- Methods have shifted from URL files to LNK shortcuts masquerading as PDFs, enhancing stealth and evasion.
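The initial-access stage above (a ZIP attachment carrying an LNK shortcut dressed up as a PDF) is cheap to check for at the mail gateway or in a sandbox. The script below is an added defender-side example, not code from the article or from the campaign: it opens a ZIP archive in memory and flags entries that carry a `.lnk` extension behind a document extension, or whose bytes start with the Windows Shell Link header even though the file name does not say `.lnk`. The sample archive is constructed inline; the file names in it are invented for the demonstration.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Every Windows Shell Link (.LNK) file begins with HeaderSize 0x0000004C
# followed by the LinkCLSID {00021401-0000-0000-C000-000000000046},
# serialised little-endian. Matching on these 20 bytes identifies LNK
# content regardless of what the file is called.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Document extensions an attacker typically places in front of ".lnk"
# so that Explorer's hidden-extension default shows only "invoice.pdf".
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


@dataclass
class Finding:
    name: str    # archive member name
    reason: str  # why it was flagged


def inspect_zip(data: bytes) -> list[Finding]:
    """Return a Finding for every archive member that looks like an LNK lure."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            content_is_lnk = head == LNK_MAGIC

            if lower.endswith(".lnk"):
                # Strip ".lnk" and any padding spaces used to push the real
                # extension out of view, then look for a decoy document suffix.
                inner = lower[: -len(".lnk")].rstrip()
                if inner.endswith(DECOY_EXTENSIONS):
                    findings.append(Finding(name, "LNK shortcut masquerading as a document (double extension)"))
                else:
                    findings.append(Finding(name, "LNK shortcut inside archive"))
            elif content_is_lnk:
                # Name says document, bytes say shortcut.
                findings.append(Finding(name, "Shell Link header under a non-.lnk file name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one double-extension LNK, one benign text
    file, and one LNK whose name carries no .lnk extension at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2025.pdf.lnk", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("readme.txt", b"plain text, nothing to see")
        zf.writestr("report.pdf", LNK_MAGIC + b"\x00" * 40)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f"{f.name}: {f.reason}")
```

Checking the header bytes as well as the name matters: renaming the lure to `report.pdf` would slip past a pure extension filter, while a Shell Link header in a file that claims to be a PDF is exactly the mismatch that deserves a block or a sandbox detonation.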
Read More: https://thehackernews.com/2025/06/new-malware-campaign-uses-cloudflare.html