{
  "type": "URL",
  "indicator": "https://shed-determination-conviction-herself.trycloudflare.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://shed-determination-conviction-herself.trycloudflare.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4055942895,
      "indicator": "https://shed-determination-conviction-herself.trycloudflare.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "6854faeabddec88ea8dace57",
          "name": "Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware",
          "description": "The SERPENTINE#CLOUD campaign leverages Cloudflare Tunnels and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as documents, fetching remote code from attacker-controlled Cloudflare Tunnel hostnames under trycloudflare.com (a legitimate service that is abused here, not a Cloudflare vulnerability). The infection chain involves batch, VBScript, and Python stages, ultimately deploying shellcode that loads a Donut-packed PE payload. The campaign focuses on Western targets, using the tunnel infrastructure for payload hosting and to hide the true origin server. It demonstrates evolving tactics, shifting from simple .url files to more sophisticated .lnk payloads. The final stage is a RAT payload, giving attackers remote control over infected hosts.",
          "modified": "2025-06-20T08:28:57.303000",
          "created": "2025-06-20T06:08:42.481000",
          "tags": [
            "asyncrat",
            "phishing",
            "stealth techniques",
            "shellcode loader",
            "obfuscation",
            "webdav",
            "python-based malware",
            "rat",
            "cloudflare tunnels",
            "revengerat",
            "donut packer",
            "memory injection"
          ],
          "references": [
            "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "RevengeRAT",
              "display_name": "RevengeRAT",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 58,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 58,
            "URL": 38,
            "domain": 3,
            "hostname": 52
          },
          "indicator_count": 189,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387184,
          "modified_text": "348 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "685906ca0a4910f364b0c165",
          "name": "IOC - Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels",
          "description": "",
          "modified": "2025-06-23T07:48:26.286000",
          "created": "2025-06-23T07:48:26.286000",
          "tags": [
            "asyncrat",
            "phishing",
            "stealth techniques",
            "shellcode loader",
            "obfuscation",
            "webdav",
            "python-based malware",
            "rat",
            "cloudflare tunnels",
            "revengerat",
            "donut packer",
            "memory injection"
          ],
          "references": [
            "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "RevengeRAT",
              "display_name": "RevengeRAT",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6854faeabddec88ea8dace57",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 58,
            "URL": 38,
            "domain": 3,
            "hostname": 52
          },
          "indicator_count": 189,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "345 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "685492848a33bffb13e4a5dc",
          "name": "SERPENTINE#CLOUD Exploits Cloudflare Tunnels for Malware Delivery",
          "description": "A new phishing campaign, dubbed SERPENTINE#CLOUD, is abusing Cloudflare Tunnel (trycloudflare.com) subdomains, a legitimate service rather than a Cloudflare vulnerability, to deliver malware through obfuscated scripts and memory-injected payloads. Researchers said the attack begins with invoice-themed phishing emails containing a ZIP file with a malicious LNK shortcut.",
          "modified": "2025-06-19T22:43:16.481000",
          "created": "2025-06-19T22:43:16.481000",
          "tags": [],
          "references": [
            "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 38,
            "domain": 3,
            "hostname": 52
          },
          "indicator_count": 93,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 213,
          "modified_text": "348 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f5b0cdb30efbd1817f038d",
          "name": "Twitter Feed - malwrhunterteam - 08-04-2025",
          "description": "",
          "modified": "2025-05-08T23:02:05.353000",
          "created": "2025-04-08T23:27:09.766000",
          "tags": [],
          "references": [
            "https://x.com/malwrhunterteam/status/1909516586202833235",
            "https://x.com/malwrhunterteam/status/1909547655165882784",
            "https://x.com/malwrhunterteam/status/1909520239466889326",
            "https://x.com/malwrhunterteam/status/1909548955647586722",
            "https://x.com/malwrhunterteam/status/1909595081444556975",
            "https://x.com/malwrhunterteam/status/1909599096203075663",
            "https://x.com/malwrhunterteam/status/1909601624969855075",
            "https://x.com/malwrhunterteam/status/1909602934830117263",
            "https://x.com/malwrhunterteam/status/1909637396338966915",
            "https://x.com/malwrhunterteam/status/1909639802636378558",
            "https://x.com/malwrhunterteam/status/1909640364903805165",
            "https://x.com/malwrhunterteam/status/1909596414692172119",
            "https://x.com/malwrhunterteam/status/1909595988643230049"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 10,
            "hostname": 6,
            "URL": 8
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1624,
          "modified_text": "390 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research/",
        "https://x.com/malwrhunterteam/status/1909595988643230049",
        "https://x.com/malwrhunterteam/status/1909637396338966915",
        "https://x.com/malwrhunterteam/status/1909516586202833235",
        "https://x.com/malwrhunterteam/status/1909599096203075663",
        "https://x.com/malwrhunterteam/status/1909547655165882784",
        "https://x.com/malwrhunterteam/status/1909601624969855075",
        "https://x.com/malwrhunterteam/status/1909639802636378558",
        "https://x.com/malwrhunterteam/status/1909520239466889326",
        "https://x.com/malwrhunterteam/status/1909548955647586722",
        "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research",
        "https://x.com/malwrhunterteam/status/1909596414692172119",
        "https://x.com/malwrhunterteam/status/1909602934830117263",
        "https://x.com/malwrhunterteam/status/1909595081444556975",
        "https://x.com/malwrhunterteam/status/1909640364903805165"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Revengerat",
            "Asyncrat"
          ],
          "industries": [],
          "unique_indicators": 189
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Revengerat",
            "Asyncrat"
          ],
          "industries": [],
          "unique_indicators": 213
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/trycloudflare.com",
    "whois": "http://whois.domaintools.com/trycloudflare.com",
    "domain": "trycloudflare.com",
    "hostname": "shed-determination-conviction-herself.trycloudflare.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "6854faeabddec88ea8dace57",
      "name": "Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware",
      "description": "The SERPENTINE#CLOUD campaign leverages Cloudflare Tunnels and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as documents, fetching remote code from attacker-controlled Cloudflare Tunnel hostnames under trycloudflare.com (a legitimate service that is abused here, not a Cloudflare vulnerability). The infection chain involves batch, VBScript, and Python stages, ultimately deploying shellcode that loads a Donut-packed PE payload. The campaign focuses on Western targets, using the tunnel infrastructure for payload hosting and to hide the true origin server. It demonstrates evolving tactics, shifting from simple .url files to more sophisticated .lnk payloads. The final stage is a RAT payload, giving attackers remote control over infected hosts.",
      "modified": "2025-06-20T08:28:57.303000",
      "created": "2025-06-20T06:08:42.481000",
      "tags": [
        "asyncrat",
        "phishing",
        "stealth techniques",
        "shellcode loader",
        "obfuscation",
        "webdav",
        "python-based malware",
        "rat",
        "cloudflare tunnels",
        "revengerat",
        "donut packer",
        "memory injection"
      ],
      "references": [
        "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Germany",
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [
        {
          "id": "AsyncRAT",
          "display_name": "AsyncRAT",
          "target": null
        },
        {
          "id": "RevengeRAT",
          "display_name": "RevengeRAT",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 58,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 19,
        "FileHash-SHA1": 19,
        "FileHash-SHA256": 58,
        "URL": 38,
        "domain": 3,
        "hostname": 52
      },
      "indicator_count": 189,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387184,
      "modified_text": "348 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "685906ca0a4910f364b0c165",
      "name": "IOC - Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels",
      "description": "",
      "modified": "2025-06-23T07:48:26.286000",
      "created": "2025-06-23T07:48:26.286000",
      "tags": [
        "asyncrat",
        "phishing",
        "stealth techniques",
        "shellcode loader",
        "obfuscation",
        "webdav",
        "python-based malware",
        "rat",
        "cloudflare tunnels",
        "revengerat",
        "donut packer",
        "memory injection"
      ],
      "references": [
        "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Germany",
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [
        {
          "id": "AsyncRAT",
          "display_name": "AsyncRAT",
          "target": null
        },
        {
          "id": "RevengeRAT",
          "display_name": "RevengeRAT",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6854faeabddec88ea8dace57",
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 19,
        "FileHash-SHA1": 19,
        "FileHash-SHA256": 58,
        "URL": 38,
        "domain": 3,
        "hostname": 52
      },
      "indicator_count": 189,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "345 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "685492848a33bffb13e4a5dc",
      "name": "SERPENTINE#CLOUD Exploits Cloudflare Tunnels for Malware Delivery",
      "description": "A new phishing campaign, dubbed SERPENTINE#CLOUD, is abusing Cloudflare Tunnel (trycloudflare.com) subdomains, a legitimate service rather than a Cloudflare vulnerability, to deliver malware through obfuscated scripts and memory-injected payloads. Researchers said the attack begins with invoice-themed phishing emails containing a ZIP file with a malicious LNK shortcut.",
      "modified": "2025-06-19T22:43:16.481000",
      "created": "2025-06-19T22:43:16.481000",
      "tags": [],
      "references": [
        "https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 38,
        "domain": 3,
        "hostname": 52
      },
      "indicator_count": 93,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 213,
      "modified_text": "348 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67f5b0cdb30efbd1817f038d",
      "name": "Twitter Feed - malwrhunterteam - 08-04-2025",
      "description": "",
      "modified": "2025-05-08T23:02:05.353000",
      "created": "2025-04-08T23:27:09.766000",
      "tags": [],
      "references": [
        "https://x.com/malwrhunterteam/status/1909516586202833235",
        "https://x.com/malwrhunterteam/status/1909547655165882784",
        "https://x.com/malwrhunterteam/status/1909520239466889326",
        "https://x.com/malwrhunterteam/status/1909548955647586722",
        "https://x.com/malwrhunterteam/status/1909595081444556975",
        "https://x.com/malwrhunterteam/status/1909599096203075663",
        "https://x.com/malwrhunterteam/status/1909601624969855075",
        "https://x.com/malwrhunterteam/status/1909602934830117263",
        "https://x.com/malwrhunterteam/status/1909637396338966915",
        "https://x.com/malwrhunterteam/status/1909639802636378558",
        "https://x.com/malwrhunterteam/status/1909640364903805165",
        "https://x.com/malwrhunterteam/status/1909596414692172119",
        "https://x.com/malwrhunterteam/status/1909595988643230049"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 10,
        "hostname": 6,
        "URL": 8
      },
      "indicator_count": 24,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1624,
      "modified_text": "390 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached; no VirusTotal verdict was obtained for this indicator, so its absence is not evidence that the URL is clean. Try again shortly.",
    "indicator": "https://shed-determination-conviction-herself.trycloudflare.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://shed-determination-conviction-herself.trycloudflare.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780523302.175946
}