Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware
WHITE AlienVault 2025-06-20 Modified: 2025-06-20
The SERPENTINE#CLOUD campaign leverages Cloudflare Tunnels and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as documents, fetching remote code from Cloudflare subdomains. The infection chain involves batch, VBScript, and Python stages, ultimately deploying shellcode that loads a Donut-packed PE payload. The campaign focuses on Western targets, using Cloudflare for payload hosting and anonymity. It demonstrates evolving tactics, shifting from simple .url files to sophisticated .lnk payloads. The final stage involves a RAT payload, giving attackers full control over infected hosts.
MITRE ATT&CK & Malware Families
Malware families: AsyncRAT, RevengeRAT
Indicators of Compromise (189)
Indicator types: FileHash-MD5, FileHash-SHA1, FileHash-SHA256, URL, domain, hostname