SERPENTINE#CLOUD returns: ClickFix lure drops five RATs
WHITE Serpentine_cloud PetrP.73 2026-04-07 Modified: 2026-04-07
37 IOCs (MEDIUM VOLUME)
SERPENTINE#CLOUD activity has been identified once again, with the attack completing successfully five weeks post-remediation. The resurgence uses ClickFix social engineering and ephemeral Cloudflare tunnels to deliver multiple Remote Access Trojans (RATs) against the same organization. Notably, Huntress caught the attack at an early stage, preventing the payload from executing.
Indicators of Compromise (5 / 37 total)