
Hackers Exploit Cloudflare Tunnels in Serpentine Malware Surge

Abuse of Cloudflare Tunnels enables cybercriminals to hide malware within encrypted tunnel traffic across major Western nations
Three Key Facts
- Cloudflare Tunnels abused by cybercriminals in the medium-to-large-scale Serpentine#Cloud malware campaign targeting multiple countries, including the US, the UK, and Germany
- Python-based shellcode loader deployed through sophisticated multi-stage infection chain using LNK files disguised as PDF documents in phishing emails
- Legitimate cloud infrastructure weaponized to bypass security tools by leveraging Cloudflare’s trusted certificates and encrypted traffic to evade detection
Introduction
Cybercriminals have weaponized Cloudflare Tunnels to orchestrate a sophisticated malware campaign that exploits legitimate cloud infrastructure to evade detection. The Serpentine#Cloud campaign uses attacker-controlled subdomains to host malicious payloads while masquerading as trusted network traffic.
Security researchers at Securonix uncovered this active campaign, which delivers Python-based malware through a complex infection chain. The attack leverages Cloudflare’s reputation and encryption capabilities to bypass traditional security measures.
Key Developments
The campaign initially employed URL files but evolved to use BAT files in ZIP archives before shifting to its current tactics. Attackers now distribute LNK files masquerading as PDF documents through phishing emails with payment and invoice themes.
The infection chain begins when victims click malicious links in phishing emails. This triggers an elaborate multi-stage process involving batch files, VBScript, and Python components that ultimately deploy shellcode using “Early Bird APC injection” techniques.
The malware operates as a shellcode loader that executes payloads entirely in memory using the open-source Donut loader. These payloads often resolve into remote access tools including AsyncRAT and RevengeRAT, hosted on Cloudflare’s “trycloudflare[.]com” tunneling service.
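As an added defender-side illustration (not code from the article, Securonix, or any product), the following Python correlates constructed endpoint telemetry against the stages described above: a document-named LNK being launched, a script host spawning Python, and egress to a trycloudflare.com subdomain. The event format, field names and sample events are assumptions made for the example.

```python
import re

# Constructed sample telemetry in the shape an EDR might emit (not real data).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "Invoice_2024.pdf.lnk"'},
    {"type": "process", "host": "ws-01", "parent": "cmd.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe //B C:\\Users\\Public\\stage.vbs"},
    {"type": "process", "host": "ws-01", "parent": "wscript.exe", "image": "python.exe",
     "cmdline": "C:\\Users\\Public\\py\\python.exe loader.py"},
    {"type": "network", "host": "ws-01", "image": "python.exe",
     "dest": "random-words-here.trycloudflare.com", "port": 443},
    {"type": "network", "host": "ws-02", "image": "chrome.exe",
     "dest": "www.example.com", "port": 443},
]

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# A document-looking name that is really a Windows shortcut (double extension).
DOC_LNK = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk\b", re.IGNORECASE)
TUNNEL_SUFFIX = ".trycloudflare.com"

def check_event(ev):
    """Return the name of the rule this single event matches, or None."""
    if ev["type"] == "process":
        if DOC_LNK.search(ev["cmdline"]):
            return "lnk_masquerading_as_document"
        if ev["parent"].lower() in SCRIPT_HOSTS and ev["image"].lower() == "python.exe":
            return "script_host_spawning_python"
    elif ev["type"] == "network":
        if ev["dest"].lower().endswith(TUNNEL_SUFFIX):
            return "egress_to_trycloudflare_tunnel"
    return None

def hunt(events):
    """Group rule hits by host: {host: [(rule, image), ...]}."""
    hits = {}
    for ev in events:
        rule = check_event(ev)
        if rule:
            hits.setdefault(ev["host"], []).append((rule, ev["image"]))
    return hits

def suspicious_hosts(events, min_stages=2):
    """Hosts where at least `min_stages` distinct stages of the chain fired;
    one hit alone may be benign, several on one host is worth escalating."""
    return sorted(h for h, r in hunt(events).items()
                  if len({name for name, _ in r}) >= min_stages)

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
    print("escalate:", suspicious_hosts(SAMPLE_EVENTS))
```

Because the tunnel traffic itself is encrypted under Cloudflare's certificates, the value here is in correlating the unusual process lineage with the destination suffix rather than inspecting payload content.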
Market Impact
The abuse of Cloudflare Tunnels creates reputational risks for the company while potentially increasing operational costs for threat monitoring and response. Organizations face higher defense costs as attackers leverage trusted infrastructure to complicate detection efforts.
The campaign drives demand for next-generation security products capable of detecting sophisticated, memory-based attacks. Traditional domain-blocking and URL filtering tools prove ineffective against this approach, requiring enhanced endpoint security solutions.
Strategic Insights
The campaign represents a broader trend of “living-off-the-land” attacks where threat actors abuse legitimate services to blend malicious activity with normal traffic. This approach eliminates the need for attackers to register domains or rent VPS servers, complicating attribution and takedown efforts.
Security vendors face increased pressure to develop advanced detection capabilities that can identify malicious behavior within legitimate cloud services. Organizations must invest in user training and endpoint detection technologies rather than relying solely on network-based security measures.
The use of disposable, scalable infrastructure using free cloud resources allows attackers to rapidly adapt and scale campaigns. This operational agility forces defenders to continuously evolve their security strategies and threat intelligence capabilities.
Expert Opinions and Data
Tim Peck, senior researcher at Securonix, describes the campaign as “medium- to large-scale” and “very active today.” The total number of infections remains unknown, but telemetry indicates significant presence across Western countries and expanding to Singapore and India.
According to SecurityWeek, the campaign targets no specific sector or industry exclusively, demonstrating the broad applicability of these attack techniques. The threat actor demonstrates English fluency based on code comments and scripting practices, though Securonix declines to attribute attacks to specific groups due to obfuscation methods.
Cloudflare responds to these threats through machine learning-based detection systems and claims to rapidly disable malicious tunnels upon discovery or third-party reporting. The company actively collaborates with security vendors to identify and mitigate abuse of its infrastructure.
Security experts note that similar campaigns identified by Proofpoint involve multiple RAT families including GuLoader, Remcos, VenomRAT, and Xworm. The consistent abuse pattern suggests this approach provides significant operational advantages for cybercriminals.
Conclusion
The Serpentine#Cloud campaign demonstrates how cybercriminals increasingly exploit legitimate cloud services to enhance attack effectiveness while evading detection. The sophisticated multi-stage infection process and memory-based execution techniques represent a significant challenge for traditional security approaches.
Organizations must adapt their security strategies to address threats that leverage trusted infrastructure and encrypted communications. The campaign underscores the critical need for advanced endpoint detection capabilities and comprehensive user education programs to counter these evolving attack methodologies.