Cloudflare Tunnels Abused in New Malware Campaign Delivering RATs via Phishing
How a new malware campaign abuses Cloudflare Tunnel subdomains (a legitimate service, not a vulnerability in it) to deliver Remote Access Trojans (RATs) through multi-stage phishing chains.
TL;DR
A new malware campaign, codenamed SERPENTINE#CLOUD, uses Cloudflare Tunnel subdomains to host and deliver malicious payloads via phishing emails. The infection chain runs from a shortcut file through obfuscated scripts to a Python-based loader that injects the final RAT payload into memory, so the last stage never lands on disk as a scannable file.
Introduction
A newly identified malware campaign, dubbed SERPENTINE#CLOUD by Securonix [1], leverages Cloudflare Tunnel subdomains to host and deliver malicious payloads. The initial access vector is phishing email carrying a malicious attachment. Cloudflare Tunnel infrastructure and Python-based loaders let the attackers deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts.
Campaign Overview
The SERPENTINE#CLOUD campaign stands out for the following techniques:
- Cloudflare Tunnel Subdomains: Payloads are hosted behind Cloudflare Tunnel subdomains. Requests go to legitimate Cloudflare infrastructure over HTTPS, so reputation-based and allowlist-based controls that trust Cloudflare do not block them, and the attacker never has to expose or register hosting infrastructure of their own.
- Phishing Emails: The initial infection vector is a phishing email with a malicious attachment, crafted to look like routine business correspondence so that the recipient opens it.
- Python-Based Loaders: A Python-based loader delivers the final payload by injecting it into memory rather than writing it to disk, which sidesteps file-based antivirus scanning.
- Chain of Shortcut Files: Delivery runs through a chain of shortcut files and obfuscated scripts, so each stage only fetches or decodes the next one and no single artifact reveals the whole attack.
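The two parts of this chain that a defender can see without the malware itself are the shortcut-file attachment arriving by mail and the outbound request to a Cloudflare Tunnel hostname. The block below is an added example (editor's code, not from Securonix or The Hacker News) that flags both in constructed log lines. It assumes the tunnels are Cloudflare quick tunnels, which are served from randomly generated subdomains of trycloudflare.com; the log formats, field order, hostnames and attachment names are all invented for the example.

```python
"""Flag Cloudflare quick-tunnel hostnames in a proxy log and shortcut-file
attachments in a mail log.

Added example for the SERPENTINE#CLOUD write-up; not code from the original
report. Log formats and sample lines are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Quick tunnels (cloudflared run without an account) are served from random
# *.trycloudflare.com hostnames. Named tunnels on an attacker-controlled zone
# look like ordinary HTTPS traffic and are NOT caught by this check.
QUICK_TUNNEL_RE = re.compile(r"(?:^|\.)trycloudflare\.com$", re.IGNORECASE)

# Windows shortcut files; ".pdf.lnk" style double extensions still end in .lnk.
SHORTCUT_SUFFIXES = (".lnk",)


@dataclass
class Finding:
    kind: str   # "quick_tunnel_url" or "shortcut_attachment"
    value: str  # the hostname or attachment name that triggered the finding
    line: str   # the raw log line, kept for triage


def host_is_quick_tunnel(host: str) -> bool:
    """True for trycloudflare.com itself and any subdomain of it.

    Anchored at the end so trycloudflare.com.evil.example does not match,
    and preceded by a dot so nottrycloudflare.com does not match either.
    """
    return bool(QUICK_TUNNEL_RE.search(host.strip().rstrip(".")))


def scan_proxy_log(lines):
    """Assumed (constructed) format: '<ts> <client_ip> <method> <url> <status>'."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:          # skip malformed lines instead of crashing
            continue
        host = urlsplit(parts[3]).hostname or ""
        if host_is_quick_tunnel(host):
            findings.append(Finding("quick_tunnel_url", host, line))
    return findings


def attachment_is_shortcut(name: str) -> bool:
    """Case-insensitive suffix check; catches Invoice.pdf.LNK as well."""
    return name.lower().endswith(SHORTCUT_SUFFIXES)


def scan_mail_log(lines):
    """Assumed (constructed) format: '<ts> <sender> <recipient> <attachment>'."""
    findings = []
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        if attachment_is_shortcut(parts[3]):
            findings.append(Finding("shortcut_attachment", parts[3], line))
    return findings


# Constructed sample data; the tunnel hostname is made up, not an IOC.
SAMPLE_PROXY = [
    "2025-06-18T09:12:01Z 10.0.0.5 GET https://www.example.com/ 200",
    "2025-06-18T09:12:07Z 10.0.0.5 GET https://quiet-lamp-grape-tree.trycloudflare.com/invoice.pdf 200",
    "2025-06-18T09:13:44Z 10.0.0.9 GET https://nottrycloudflare.com/ 200",
    "malformed line",
]
SAMPLE_MAIL = [
    "2025-06-18T09:11:50Z billing@example.net alice@corp.example Invoice_0618.pdf",
    "2025-06-18T09:11:55Z billing@example.net bob@corp.example Invoice_0618.pdf.lnk",
    "2025-06-18T09:12:00Z hr@example.net carol@corp.example Policy.docx",
]


def main():
    for f in scan_proxy_log(SAMPLE_PROXY) + scan_mail_log(SAMPLE_MAIL):
        print(f"{f.kind}: {f.value}")


if __name__ == "__main__":
    main()
```

Run it as-is to see one hit per log. In a real deployment, correlate the two: a shortcut attachment delivered to a user followed minutes later by that user's host contacting a trycloudflare.com subdomain is a much stronger signal than either alone, and if your organization does not use quick tunnels the hostname pattern can simply be blocked at the proxy or DNS resolver.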
Implications and Impact
The SERPENTINE#CLOUD campaign shows how attackers avoid the controls most organizations already have: hosting on Cloudflare Tunnel subdomains defeats domain-reputation blocking, and memory-injected payloads defeat file-based scanning. The practical response follows from the chain described above: block or quarantine shortcut-file attachments at the mail gateway, block Cloudflare quick-tunnel hostnames at the proxy or resolver if the business does not use them, and alert on script interpreters and Python launching from user-writable locations after an email attachment is opened.
Conclusion
The SERPENTINE#CLOUD campaign is a reminder that attackers increasingly hide behind trusted services rather than their own infrastructure. By combining Cloudflare Tunnels with a multi-stage, obfuscated delivery chain, it poses a real risk to any organization that still relies mainly on domain reputation and file scanning. Keeping up with such reports and adding the mail, network and process-level checks above is the practical way to stay ahead of it.
References
1. The Hacker News (June 18, 2025). "New Malware Campaign Uses Cloudflare Tunnels to Deliver RATs via Phishing Chains". Retrieved June 18, 2025.