
New Malware Campaign Uses Cloudflare Tunnels to Deliver RAT

Written by Jonathan Montoya | Jun 19, 2025 3:15:00 PM

A new malware campaign is making headlines, as attackers have found a creative (and concerning) way to use Cloudflare Tunnel subdomains to host malicious software. Victims are being targeted through phishing emails with attachments that seem harmless but are actually designed to infect their devices.


How Attackers Are Using Cloudflare Tunnel to Spread Malware


It all starts with an email that appears to be related to payments or invoices, accompanied by a link to a compressed file. Inside that file is a Windows shortcut (LNK), disguised to look like a legitimate document. If someone opens it, it triggers a chain of malicious actions that ends with the execution of a payload directly in system memory, leaving few visible traces.

What's both interesting and dangerous is that the attackers are using a combination of obfuscated scripts and Python tools to load code directly into memory, without writing anything to the hard drive. This makes it difficult for many traditional security solutions to detect.

The approach is quite sophisticated: first, the user is tricked with a file that appears to be a PDF or some other common document; then, that file connects to servers using WebDAV through tunnels created with Cloudflare, helping to bypass network filters and more conventional security mechanisms.

This campaign has already targeted users in the United States, the United Kingdom, Germany, and other parts of Europe and Asia. It's still unclear who's behind it, but their strong command of English might offer some clues about their origin.

Moreover, the attackers aren't staying idle. They've been modifying their initial access technique, shifting from shortcuts that pointed directly at URLs to shortcuts disguised as PDF files, making them even more convincing.

To make matters worse, this campaign isn't entirely new. Similar variants were detected last year and served as entry points for tools like AsyncRAT, GuLoader, Remcos RAT, PureLogs Stealer, Venom RAT, and XWorm—all known for their ability to steal information and remotely take control of systems.


Why TryCloudflare Subdomains Are the Perfect Camouflage for Malware


Using TryCloudflare gives attackers several valuable advantages. It's not new for cybercriminals to leverage legitimate cloud services as a cover for hiding their activities. Tools like these help them distribute malware or maintain remote control over infected systems without raising suspicion.

In this case, they’re using subdomains that appear completely trustworthy—those ending in *.trycloudflare.com. The result? It's extremely difficult for security teams to determine whether they're looking at a legitimate connection or a real threat. Since the domains look normal, they often go unnoticed and aren’t blocked, giving attackers a free pass.

It all begins when the victim opens an LNK file that appears harmless at first glance. That file triggers a download from a WebDAV resource hosted on a Cloudflare Tunnel subdomain. What gets downloaded is a script file (WSF), which is then executed using cscript.exe, a standard Windows tool. All of this happens in the background, without the user realizing anything is wrong.
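The chain above gives defenders one concrete network indicator: a host on the corporate network fetching files over WebDAV from a random *.trycloudflare.com subdomain. The following Python script, added here as an example and not taken from the article or from Securonix, scans constructed proxy log lines (the field layout, client addresses, file names and tunnel hostnames are all assumptions for the demo) and raises a graded alert for each quick-tunnel request, weighting WebDAV activity and script or shortcut downloads more heavily than an ordinary page view.

```python
"""Flag outbound requests to TryCloudflare quick-tunnel hosts in proxy logs.

Added example (not from the original article). Parses constructed,
squid-style proxy log lines and raises an alert for every request whose
destination host is a *.trycloudflare.com subdomain. Severity rises when
the request looks like WebDAV file retrieval (PROPFIND, or the Windows
WebDAV client user-agent) and when the requested file is a script or
shortcut. Field layout and hostnames are assumptions for this demo.
"""
import re
from dataclasses import dataclass

# Constructed sample lines: timestamp, client IP, method, URL, status, user-agent.
SAMPLE_LOG = """\
1718800000.101 10.0.0.23 GET https://www.example.com/index.html 200 Mozilla/5.0
1718800001.540 10.0.0.23 PROPFIND https://quiet-river-marble-pass.trycloudflare.com/ 207 Microsoft-WebDAV-MiniRedir/10.0.19045
1718800002.112 10.0.0.23 GET https://quiet-river-marble-pass.trycloudflare.com/invoice.wsf 200 Microsoft-WebDAV-MiniRedir/10.0.19045
1718800003.900 10.0.0.41 GET https://cdn.example.net/lib.js 200 Mozilla/5.0
1718800004.015 10.0.0.23 GET https://another-random-words.trycloudflare.com/kiki.bat 200 Microsoft-WebDAV-MiniRedir/10.0.19045
"""

TUNNEL_SUFFIX = ".trycloudflare.com"
# File types the article describes being pulled over WebDAV in this campaign.
SUSPICIOUS_EXT = (".lnk", ".wsf", ".bat", ".py", ".vbs")


@dataclass
class Alert:
    client: str
    host: str
    method: str
    path: str
    severity: str


def parse_line(line):
    """Split one proxy log line into its fields; return None if malformed."""
    parts = line.split(maxsplit=5)
    if len(parts) < 6:
        return None
    _ts, client, method, url, _status, ua = parts
    m = re.match(r"https?://([^/]+)(/.*)?$", url)
    if not m:
        return None
    host, path = m.group(1).lower(), m.group(2) or "/"
    return {"client": client, "method": method.upper(), "host": host, "path": path, "ua": ua}


def is_quick_tunnel(host):
    """True for any subdomain of trycloudflare.com (quick tunnels get random names)."""
    return host.endswith(TUNNEL_SUFFIX)


def score(rec):
    """Return an Alert for a quick-tunnel request, graded by how WebDAV-like it is."""
    if not is_quick_tunnel(rec["host"]):
        return None
    webdav = rec["method"] == "PROPFIND" or "WebDAV" in rec["ua"]
    scripty = rec["path"].lower().endswith(SUSPICIOUS_EXT)
    if webdav and scripty:
        severity = "high"
    elif webdav or scripty:
        severity = "medium"
    else:
        severity = "low"
    return Alert(rec["client"], rec["host"], rec["method"], rec["path"], severity)


def scan(log_text):
    """Run every line through the parser and scorer; return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        alert = score(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.client} -> {a.host} {a.method} {a.path}")
```

On the constructed sample, the first trycloudflare.com line (a bare PROPFIND) scores medium and the two script downloads score high, while the example.com and example.net traffic produces nothing. In a real deployment the suffix match is deliberately broad: legitimate TryCloudflare use inside an organization is rare enough that every hit is worth a look, and the grading only decides how urgently.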


According to a Securonix researcher, the WSF file functions as a lightweight loader written in VBScript. Its job is simple but effective: to execute a batch file hosted on another Cloudflare subdomain. That file, named kiki.bat, is what truly kicks off the next phase of the attack. In short, everything is designed to be stealthy and remain undetected on the system.

This batch script has several tasks: first, it opens a fake PDF file as a decoy so the victim doesn't suspect anything. Then, it checks for installed antivirus software, and finally, it downloads and executes other files written in Python. Why? To launch malware such as AsyncRAT or Revenge RAT directly in memory, leaving no clear traces on the hard drive.
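On the endpoint, the same stages form a recognizable process lineage: a script host runs a .wsf straight from a WebDAV UNC path, spawns cmd.exe for the batch file, and that in turn spawns a decoy PDF viewer and a Python interpreter. The script below is an added example, not code from the article or from Securonix. It walks constructed Sysmon-style process-creation events (PIDs, image paths, the decoy viewer, and the tunnel hostnames are all assumptions) and flags each link of the chain by marking the script host as tainted and propagating that taint to its descendants.

```python
"""Flag the script-host -> batch -> Python process chain on an endpoint.

Added example (not from the original article). Walks constructed,
Sysmon-style process-creation events and alerts when cscript.exe or
wscript.exe is launched with a file on a WebDAV UNC path, and when
descendants of that process run a batch file or a Python interpreter.
All PIDs, paths and hostnames here are constructed for the demo.
"""
import re

# Constructed events in creation order (Sysmon Event ID 1 fields, simplified).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe \\random-words-here.trycloudflare.com@SSL\DavWWWRoot\invoice.wsf"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "\\other-words-here.trycloudflare.com@SSL\DavWWWRoot\kiki.bat"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Program Files\Adobe\AcroRd32.exe",
     "cmdline": "AcroRd32.exe decoy.pdf"},
    {"pid": 500, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "cmdline": "python.exe loader.py"},
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE"},
]

SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")
# Windows WebDAV mini-redirector UNC form: \\host@SSL[@port]\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+@ssl(?:@\d+)?\\davwwwroot\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(evt, by_pid):
    """Yield parent, grandparent, ... for as far as the event set records them."""
    cur = by_pid.get(evt["ppid"])
    while cur is not None:
        yield cur
        cur = by_pid.get(cur["ppid"])


def detect(events):
    """Return (pid, reason) findings for the WebDAV script-host chain."""
    by_pid = {e["pid"]: e for e in events}
    tainted = set()  # PIDs of the script host and everything descended from it
    findings = []
    for e in events:
        name = basename(e["image"])
        # Stage 1: a script host launched with a file on a WebDAV UNC path.
        if name in SCRIPT_HOSTS and WEBDAV_UNC.search(e["cmdline"]):
            tainted.add(e["pid"])
            findings.append((e["pid"], "script host launched from WebDAV UNC path"))
            continue
        # Stages 2 and 3: anything descending from that script host inherits the taint.
        if any(a["pid"] in tainted for a in ancestors(e, by_pid)):
            tainted.add(e["pid"])
            if name == "cmd.exe" and ".bat" in e["cmdline"].lower():
                findings.append((e["pid"], "batch file run under WebDAV script host"))
            elif name.startswith("python"):
                findings.append((e["pid"], "Python interpreter spawned in script-host chain"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(f"pid {pid}: {reason}")
```

On the constructed events the detector reports PIDs 200, 300 and 500; the decoy PDF viewer (PID 400) is tainted but produces no finding of its own, and WINWORD.EXE under explorer.exe is untouched. Keying on lineage rather than on a single file name is what survives the attackers' renaming of kiki.bat or swapping the loader script, since the cscript-from-WebDAV root of the tree is the part they cannot easily change.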

Interestingly, the script’s code includes clear and well-structured comments, suggesting it might have been written with the help of AI—possibly a large language model.

In summary, this campaign (nicknamed SERPENTINE#CLOUD) combines several techniques: a bit of social engineering, the use of system-native tools (known as "living off the land"), and memory-based code execution to evade detection. And by using Cloudflare Tunnel to deliver all their files, the attackers ensure they stay under the radar, hiding within infrastructure that typically appears trustworthy.