Hackers Exploit Cloudflare for Advanced Phishing Attacks

Summary: A sophisticated phishing campaign, attributed to a Russian-speaking threat actor, abuses Cloudflare services and Telegram for malicious activity. The attacks use branded Cloudflare phishing pages and employ advanced techniques to evade detection, including obfuscation and abuse of the “search-ms” protocol handler to initiate malware downloads. The campaign marks a notable shift in tactics, using Telegram for victim tracking while continuing to show operational security lapses.

Affected: Cloudflare services and victims targeted by phishing

Key points:

  • The campaign uses Cloudflare’s Pages.dev and Workers.dev to host phishing pages impersonating DMCA takedown notices.
  • Victims are deceived into downloading malicious files disguised as PDFs, which initiate a malware infection chain.
  • The malware communicates with an attacker-operated Telegram bot for tracking infected hosts.
  • Researchers identified over 20 domains involved, revealing the scale of this operation.
  • Security teams are urged to monitor Cloudflare domains, protocol handler abuse, and Telegram communications for emerging threats.
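
As an added example (not code from the article or the researchers it cites), the following Python triage script applies the last key point to constructed proxy-log lines: it flags requests to Cloudflare pages.dev/workers.dev hosts, URIs using the search-ms: protocol handler, and Telegram Bot API calls. The log format, hostnames and token placeholder are assumptions.

```python
from urllib.parse import urlparse

# Constructed proxy-log lines (not from the article): "<time> <client> <url>"
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 https://dmca-notice-example.pages.dev/index.html
2024-06-01T10:00:07Z 10.0.0.5 https://dmca-notice-example.workers.dev/assets/app.js
2024-06-01T10:00:09Z 10.0.0.5 search-ms:displayname=Document&crumb=location:REDACTED
2024-06-01T10:01:30Z 10.0.0.5 https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage
2024-06-01T10:02:00Z 10.0.0.6 https://www.example.com/about
"""

# Many legitimate projects use these hosts, so a hit is a triage signal, not a verdict.
SUSPECT_SUFFIXES = (".pages.dev", ".workers.dev")


def classify(url: str) -> set[str]:
    """Return the indicator tags that apply to one URL-like token."""
    tags = set()
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    # Windows search-ms: handler invoked from a web page (key point 2 / summary)
    if scheme == "search-ms":
        tags.add("search-ms-handler")
    # Phishing pages hosted on Cloudflare developer domains (key point 1)
    if host.endswith(SUSPECT_SUFFIXES):
        tags.add("cloudflare-dev-host")
    # Telegram Bot API endpoints take the form /bot<token>/<method> (key point 3)
    if host == "api.telegram.org" and parsed.path.lower().startswith("/bot"):
        tags.add("telegram-bot-api")
    return tags


def scan(log_text: str) -> list[tuple[str, set[str]]]:
    """Scan log lines and return (url, tags) for every line carrying an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        tags = classify(fields[2])
        if tags:
            hits.append((fields[2], tags))
    return hits


if __name__ == "__main__":
    for url, tags in scan(SAMPLE_LOG):
        print(", ".join(sorted(tags)), "->", url)
```

Correlating the three indicator types per client host over a short window is what separates this campaign's chain from routine pages.dev traffic.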

Source: https://gbhackers.com/hackers-exploit-cloudflare/