Pulse Detail — Threat Intelligence

PULSE NAME

SERPENTINE#CLOUD returns: ClickFix lure drops five RATs

WHITE Serpentine_cloud PetrP.73 2026-04-07 Modified: 2026-04-07

IOCs

MEDIUM VOLUME

The recent cyber threat activity associated with SERPENTINE#CLOUD has been identified once again, with the attack completing successfully five weeks post-remediation. This resurgence employs ClickFix social engineering tactics, utilizing ephemeral Cloudflare tunnels to deliver multiple Remote Access Trojans (RATs) targeting the same organization. Notably, the attack was caught at an early stage by Huntress, preventing the payload from executing.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1027 T1036 T1041 T1047 T1055 T1055.004 T1059.003 T1059.005

Indicators of Compromise (37)

All IPv4 hostname FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain

TYPE	INDICATOR	DESCRIPTION	CREATED
IPv4	12.202.180.133	CC=US ASN=AS7018 att services inc	2026-04-07
hostname	bsmaopm.duckdns.org	—	2026-04-07
hostname	uejrhnfq.duckdns.org	—	2026-04-07
FileHash-MD5	addb2f9bc9ffad336cbee648fdfcf138	MD5 of 4bb4a303b8e4873401be1cea68d50bdaa454471685dc30ad61e9ef746181aa29	2026-04-07
FileHash-SHA1	a44be384a8c20df29544e9aa86f2a28679e3566b	SHA1 of 4bb4a303b8e4873401be1cea68d50bdaa454471685dc30ad61e9ef746181aa29	2026-04-07
FileHash-SHA256	4bb4a303b8e4873401be1cea68d50bdaa454471685dc30ad61e9ef746181aa29	—	2026-04-07
FileHash-MD5	403f1a3b591c6da42efd290ec3094cdd	MD5 of 8cda591f526a09954c7a60337daa767be7948367ee52accebc30061be1dc581a	2026-04-07
FileHash-MD5	99062a3f541b007e61fbb486ee11b2a8	MD5 of 218628edc95f7c425fad294048adca65e235ae3024f084c9afaf483f66f71b6c	2026-04-07
FileHash-MD5	a1dfce8e37a7f1a4ef5c722049521352	MD5 of 58d9f039ec38bbe03a1e1bf58a0102ce9c94d6efe39d2450cb44917d4a5c75af	2026-04-07
FileHash-MD5	e2759b5ef495bfcfad9074678497f649	MD5 of 59079dbdfb0346deae4efc361d78844141bf77d916adec96b23d8061e20e123c	2026-04-07
FileHash-SHA1	2d85ab32e77ddc0a365985cfd287d5153216a516	SHA1 of 59079dbdfb0346deae4efc361d78844141bf77d916adec96b23d8061e20e123c	2026-04-07
FileHash-SHA1	6f2509fc57bdea2642b27b00b5dbc19fc47dba21	SHA1 of 58d9f039ec38bbe03a1e1bf58a0102ce9c94d6efe39d2450cb44917d4a5c75af	2026-04-07
FileHash-SHA1	89b06bbc0b2a85578ed8b48937aa5146d98543b2	SHA1 of 8cda591f526a09954c7a60337daa767be7948367ee52accebc30061be1dc581a	2026-04-07
FileHash-SHA1	f5eebbfd20e17045abb5238dfe972cf0f549ab4b	SHA1 of 218628edc95f7c425fad294048adca65e235ae3024f084c9afaf483f66f71b6c	2026-04-07
FileHash-SHA256	010ce592bcabf0d4e786b20d46bbd25893734a176e1f5322a5f28c4f94d4c6e1	—	2026-04-07
FileHash-SHA256	026f71d40fa2e3c530283c1a70925d14eeee18d98f95506dd88cb698ccca6859	—	2026-04-07
FileHash-SHA256	218628edc95f7c425fad294048adca65e235ae3024f084c9afaf483f66f71b6c	—	2026-04-07
FileHash-SHA256	3bc36b9b7bc5ee73b26dd94d34a31cb707feb9a68d2e4832d276e9274e780a34	—	2026-04-07
FileHash-SHA256	58d9f039ec38bbe03a1e1bf58a0102ce9c94d6efe39d2450cb44917d4a5c75af	—	2026-04-07
FileHash-SHA256	59079dbdfb0346deae4efc361d78844141bf77d916adec96b23d8061e20e123c	—	2026-04-07
FileHash-SHA256	6b45e1a38609b9b7f2f2508b0b38f700a75ee1ea9b6c548d1a086bd91863efc3	—	2026-04-07
FileHash-SHA256	8cda591f526a09954c7a60337daa767be7948367ee52accebc30061be1dc581a	—	2026-04-07
FileHash-SHA256	e06dd348a334de7e2e43ef7a3739d4b4cf792b615595262aa212eec4e3005564	—	2026-04-07
FileHash-SHA256	e84cbbbc018d7e54c5afed760f04c06731ba57c1d40414c8b94ba1c488b9c9c5	—	2026-04-07
FileHash-SHA256	f56a53ec6817c918d9a0056277022d694a06727bc9064bee95e4b80c50067f2a	—	2026-04-07
IPv4	12.202.180.105	CC=US ASN=AS7018 att services inc	2026-04-07
URL	http://bsmaopm.duckdns.org:6757	—	2026-04-07
URL	http://uejrhnfq.duckdns.org:6745	—	2026-04-07
URL	http://vivogrouplink.duckdns.org:2128	—	2026-04-07
URL	http://y57kdsa.duckdns.org:7878	—	2026-04-07
domain	trycloudflare.com	—	2026-04-07
hostname	edward-fwd-vacuum-changelog.trycloudflare.com	—	2026-04-07
hostname	handed-mines-abc-intensity.trycloudflare.com	—	2026-04-07
hostname	represents-causes-conflicts-silver.trycloudflare.com	—	2026-04-07
hostname	rover-earlier-baseline-karen.trycloudflare.com	—	2026-04-07
hostname	vivogrouplink.duckdns.org	—	2026-04-07
hostname	y57kdsa.duckdns.org	—	2026-04-07

References (1)

↗ https://www.derp.ca/research/serpentine-cloud-clickfix-return/