
Security researchers have recently uncovered SERPENTINE#CLOUD, a complex malware campaign that weaponizes Cloudflare tunnel infrastructure to deliver Python-based remote access trojans (RATs) through highly stealthy infection chains.
At the core of the attack is the abuse of Cloudflare's tunneling services, such as temporary subdomains under “trycloudflare[.]com,” to host and deliver malicious payloads, the latest Securonix report says.
The infection chain begins with deceptive .lnk shortcut files disguised as legitimate documents, frequently combined with phishing lures themed around fake invoices. These files are often delivered via ZIP archives, drawing users into triggering the attack.
Once the shortcut is opened, a sequence of obfuscated scripts—including .wsf and .bat files—is launched. These scripts carry out the subsequent stages of infection while maintaining stealth and adding to the campaign's anti-forensic measures.
Key stages of infection include the use of:
The malicious payload ultimately includes well-disguised RATs such as AsyncRAT or RevengeRAT, giving attackers full remote control of compromised systems, including the ability to steal credentials, exfiltrate sensitive data, and potentially move laterally within networks.
Cloudflare tunnel abuse provides attackers with significant strategic advantages, including trusted domain usage, CDN protection, and TLS-encrypted traffic, all of which make detection harder for standard monitoring tools.
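As an added defender-side example (not code from the article or the Securonix report), the following Python flags the two observables the article describes: DNS lookups for subdomains of trycloudflare.com, and script hosts launching .wsf/.bat stages or referencing such a host on their command line. The log formats, hostnames and paths are constructed for the example.

```python
import re

# Domain the article reports as abused for payload hosting (defanged there as trycloudflare[.]com).
TUNNEL_SUFFIX = "trycloudflare.com"
# Script hosts that run the .wsf and .bat stages described in the article.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
STAGE_EXT = re.compile(r"\.(wsf|bat)\b", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def is_tunnel_host(host: str) -> bool:
    # Dot-boundary match: catches any subdomain, not look-alikes such as nottrycloudflare.com.
    h = host.strip().lower().rstrip(".")
    return h == TUNNEL_SUFFIX or h.endswith("." + TUNNEL_SUFFIX)

def flag_dns(lines):
    # Constructed DNS log format: '<timestamp> <client-ip> <queried-name>'.
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and is_tunnel_host(parts[2]):
            hits.append((parts[1], parts[2].lower().rstrip(".")))
    return hits

def flag_process(events):
    # Constructed Sysmon-like events: dicts with 'image' and 'cmdline'.
    hits = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"]
        reasons = []
        if image in SCRIPT_HOSTS and STAGE_EXT.search(cmd):
            reasons.append("script host runs .wsf/.bat stage")
        if any(is_tunnel_host(h) for h in URL_HOST.findall(cmd)):
            reasons.append("command line references trycloudflare.com host")
        if reasons:
            hits.append((image, reasons))
    return hits

# Constructed sample telemetry; no real indicators from the campaign are used.
SAMPLE_DNS = [
    "2025-06-20T10:01:02Z 10.0.0.5 www.example.com",
    "2025-06-20T10:01:07Z 10.0.0.5 lorem-ipsum-dolor.trycloudflare.com.",
    "2025-06-20T10:01:09Z 10.0.0.7 nottrycloudflare.com",
    "2025-06-20T10:01:12Z 10.0.0.8 trycloudflare.com.example.net",
]
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Invoice_2025.wsf"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "%TEMP%\stage.bat" https://lorem-ipsum-dolor.trycloudflare.com/'},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe https://www.example.com/"},
]
```

Running `flag_dns(SAMPLE_DNS)` and `flag_process(SAMPLE_EVENTS)` yields one DNS hit and two process hits; the look-alike and the unrelated browser launch are not flagged.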
This campaign is actively targeting businesses in regions including the U.S., the U.K., and Germany.
While attribution remains inconclusive, certain indicators—including the use of English-language comments within the code and the campaign's focus on Western targets—point to a relatively sophisticated adversary experimenting with scalable delivery mechanisms.
Tools such as the Kramer obfuscator reinforce this actor's commitment to remaining stealthy while testing advanced methodologies.