{ "type": "URL", "indicator": "https://bold-accepts-wide-te.trycloudflare.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://bold-accepts-wide-te.trycloudflare.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4073390779, "indicator": "https://bold-accepts-wide-te.trycloudflare.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6854faeabddec88ea8dace57", "name": "Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware", "description": "The SERPENTINE#CLOUD campaign leverages Cloudflare Tunnels and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as documents, fetching remote code from Cloudflare subdomains. The infection chain involves batch, VBScript, and Python stages, ultimately deploying shellcode that loads a Donut-packed PE payload. The campaign focuses on Western targets, using Cloudflare for payload hosting and anonymity. It demonstrates evolving tactics, shifting from simple .url files to sophisticated .lnk payloads. The final stage involves a RAT payload, giving attackers full control over infected hosts.", "modified": "2025-06-20T08:28:57.303000", "created": "2025-06-20T06:08:42.481000", "tags": [ "asyncrat", "phishing", "stealth techniques", "shellcode loader", "obfuscation", "webdav", "python-based malware", "rat", "cloudflare tunnels", "revengerat", "donut packer", "memory injection" ], "references": [ "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "RevengeRAT", "display_name": "RevengeRAT", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 58, "URL": 38, "domain": 3, "hostname": 52 }, "indicator_count": 189, "is_author": false, "is_subscribing": null, "subscriber_count": 387033, "modified_text": "347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684150f8ab8fe1229def2bea", "name": "Analysis of the APT-C-53 (Gamaredon) organization's attack operations.", "description": "APT-C-53, also known as Gamaredon, is a persistent advanced persistent threat group that has been operational since 2013, primarily targeting government and military sectors to acquire intelligence. Recent activities indicate that Gamaredon is not diminishing despite ongoing disclosures of its methodologies by security vendors; rather, it appears to be escalating its attacks. The group predominantly utilizes malicious VBS scripts characterized by high obfuscation techniques, including code fragmentation and Base64 encoding, to enhance its evasion tactics. A notable aspect of their strategy involves using military-related themes in social engineering attempts, which helps lower the vigilance of potential victims and increases the likelihood of successful malware execution.", "modified": "2025-07-05T08:00:58.306000", "created": "2025-06-05T08:10:32.633000", "tags": [ "public", "temp", "appdata", "windowsresponby", "gamaredon", "windowsdetect", "windowstelegra", "https", "aptc53gamaredon", "ocwstwz5hzufor", "cookie" ], "references": [ "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247506191&idx=1&sn=89db49b84b7462bbf8731dbcc787e8c4&chksm=f9c1ea06ceb6631006eec73a1129db88dcbce705fd5bbfefe4eba48b5d4db5ed5017e34c9669&scene=178&cur_album_id=1955835290309230595&search_click_id=&poc_token=HGZOQWijOCtBLbeOZNmKXb_11l0WZ77aAMufwFqO" ], "public": 1, "adversary": "APT-C-53", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036.002", "name": "Right-to-Left Override", "display_name": "T1036.002 - Right-to-Left Override" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "FileHash-MD5": 1, "URL": 48, "hostname": 36 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "332 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685906ca0a4910f364b0c165", "name": "IOC - Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels", "description": "", "modified": "2025-06-23T07:48:26.286000", "created": "2025-06-23T07:48:26.286000", "tags": [ "asyncrat", "phishing", "stealth techniques", "shellcode loader", "obfuscation", "webdav", "python-based malware", "rat", "cloudflare tunnels", "revengerat", "donut packer", "memory injection" ], "references": [ "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "RevengeRAT", "display_name": "RevengeRAT", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6854faeabddec88ea8dace57", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 58, "URL": 38, "domain": 3, "hostname": 52 }, "indicator_count": 189, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "344 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685492848a33bffb13e4a5dc", "name": "SERPENTINE#CLOUD Exploits Cloudflare Tunnels for Malware Delivery", "description": "A new phishing campaign, dubbed SERPENTINE#CLOUD, is exploiting Cloudflare Tunnel subdomains to deliver malware through obfuscated scripts and memory-injected payloads. Researchers said the attack begins with invoice-themed phishing emails containing a ZIP file with a malicious LNK shortcut.", "modified": "2025-06-19T22:43:16.481000", "created": "2025-06-19T22:43:16.481000", "tags": [], "references": [ "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "domain": 3, "hostname": 52 }, "indicator_count": 93, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "348 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research/", "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research", "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247506191&idx=1&sn=89db49b84b7462bbf8731dbcc787e8c4&chksm=f9c1ea06ceb6631006eec73a1129db88dcbce705fd5bbfefe4eba48b5d4db5ed5017e34c9669&scene=178&cur_album_id=1955835290309230595&search_click_id=&poc_token=HGZOQWijOCtBLbeOZNmKXb_11l0WZ77aAMufwFqO" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Asyncrat", "Revengerat" ], "industries": [], "unique_indicators": 189 }, "other": { "adversary": [ "APT-C-53" ], "malware_families": [ "", "Asyncrat", "Revengerat" ], "industries": [], "unique_indicators": 279 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/trycloudflare.com", "whois": "http://whois.domaintools.com/trycloudflare.com", "domain": "trycloudflare.com", "hostname": "bold-accepts-wide-te.trycloudflare.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6854faeabddec88ea8dace57", "name": "Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware", "description": "The SERPENTINE#CLOUD campaign leverages Cloudflare Tunnels and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as documents, fetching remote code from Cloudflare subdomains. The infection chain involves batch, VBScript, and Python stages, ultimately deploying shellcode that loads a Donut-packed PE payload. The campaign focuses on Western targets, using Cloudflare for payload hosting and anonymity. It demonstrates evolving tactics, shifting from simple .url files to sophisticated .lnk payloads. The final stage involves a RAT payload, giving attackers full control over infected hosts.", "modified": "2025-06-20T08:28:57.303000", "created": "2025-06-20T06:08:42.481000", "tags": [ "asyncrat", "phishing", "stealth techniques", "shellcode loader", "obfuscation", "webdav", "python-based malware", "rat", "cloudflare tunnels", "revengerat", "donut packer", "memory injection" ], "references": [ "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "RevengeRAT", "display_name": "RevengeRAT", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 58, "URL": 38, "domain": 3, "hostname": 52 }, "indicator_count": 189, "is_author": false, "is_subscribing": null, "subscriber_count": 387033, "modified_text": "347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684150f8ab8fe1229def2bea", "name": "Analysis of the APT-C-53 (Gamaredon) organization's attack operations.", "description": "APT-C-53, also known as Gamaredon, is a persistent advanced persistent threat group that has been operational since 2013, primarily targeting government and military sectors to acquire intelligence. Recent activities indicate that Gamaredon is not diminishing despite ongoing disclosures of its methodologies by security vendors; rather, it appears to be escalating its attacks. The group predominantly utilizes malicious VBS scripts characterized by high obfuscation techniques, including code fragmentation and Base64 encoding, to enhance its evasion tactics. A notable aspect of their strategy involves using military-related themes in social engineering attempts, which helps lower the vigilance of potential victims and increases the likelihood of successful malware execution.", "modified": "2025-07-05T08:00:58.306000", "created": "2025-06-05T08:10:32.633000", "tags": [ "public", "temp", "appdata", "windowsresponby", "gamaredon", "windowsdetect", "windowstelegra", "https", "aptc53gamaredon", "ocwstwz5hzufor", "cookie" ], "references": [ "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247506191&idx=1&sn=89db49b84b7462bbf8731dbcc787e8c4&chksm=f9c1ea06ceb6631006eec73a1129db88dcbce705fd5bbfefe4eba48b5d4db5ed5017e34c9669&scene=178&cur_album_id=1955835290309230595&search_click_id=&poc_token=HGZOQWijOCtBLbeOZNmKXb_11l0WZ77aAMufwFqO" ], "public": 1, "adversary": "APT-C-53", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036.002", "name": "Right-to-Left Override", "display_name": "T1036.002 - Right-to-Left Override" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "FileHash-MD5": 1, "URL": 48, "hostname": 36 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "332 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685906ca0a4910f364b0c165", "name": "IOC - Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels", "description": "", "modified": "2025-06-23T07:48:26.286000", "created": "2025-06-23T07:48:26.286000", "tags": [ "asyncrat", "phishing", "stealth techniques", "shellcode loader", "obfuscation", "webdav", "python-based malware", "rat", "cloudflare tunnels", "revengerat", "donut packer", "memory injection" ], "references": [ "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "RevengeRAT", "display_name": "RevengeRAT", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6854faeabddec88ea8dace57", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 58, "URL": 38, "domain": 3, "hostname": 52 }, "indicator_count": 189, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "344 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685492848a33bffb13e4a5dc", "name": "SERPENTINE#CLOUD Exploits Cloudflare Tunnels for Malware Delivery", "description": "A new phishing campaign, dubbed SERPENTINE#CLOUD, is exploiting Cloudflare Tunnel subdomains to deliver malware through obfuscated scripts and memory-injected payloads. Researchers said the attack begins with invoice-themed phishing emails containing a ZIP file with a malicious LNK shortcut.", "modified": "2025-06-19T22:43:16.481000", "created": "2025-06-19T22:43:16.481000", "tags": [], "references": [ "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "domain": 3, "hostname": 52 }, "indicator_count": 93, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "348 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://bold-accepts-wide-te.trycloudflare.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://bold-accepts-wide-te.trycloudflare.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780471853.6089232 }