Securonix has identified an ongoing malware campaign, tracked as Serpentine#Cloud, that uses Cloudflare tunnel subdomains to host its payloads. The campaign is stealthy, medium-to-large in scale, and present across many Western countries, which points to a capable group of English-speaking attackers. The intrusion begins with a deceptive phishing email that tricks the victim into executing a malicious payload. Although the attackers remain unidentified, their choice of infrastructure and delivery methods suggests a focus on scalability and discretion, giving them long-term access to affected systems.
The use of disposable infrastructure and staged payload delivery implies the actor is prioritizing stealth and operational agility.
The campaign appears to be rather widespread, as no single sector, industry or country stands out among the victims.
Identified telemetry indicates a large overall footprint, with infections observed in many Western countries, including the United States, the United Kingdom and Germany.
The attack begins with an invoice-themed phishing email that carries a Windows shortcut (.lnk) file disguised as a PDF document.
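The two delivery traits named above, a shortcut file dressed up as a PDF and payload hosting on Cloudflare tunnel subdomains, are both cheap to screen for at the mail gateway and proxy. The following triage helper is an added example written for this summary; it is not code from Securonix or from the report, and its sample attachments and proxy log lines are constructed. It assumes that the tunnel subdomains in question live under Cloudflare's public quick-tunnel suffix `trycloudflare.com`, which the summary itself does not name, and it uses the documented ShellLinkHeader magic (HeaderSize 0x4C followed by the LinkCLSID) so that a shortcut is recognized by content even when its name has been changed outright.

```python
"""Constructed triage helpers for .lnk-as-document attachments and tunnel-hosted payload fetches."""
import re
from typing import Iterable

# ShellLinkHeader: HeaderSize 0x0000004C followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Double extensions that sell the lure: a decoy document suffix in front of the real .lnk suffix.
# Explorer never displays the .lnk extension, so "Invoice.pdf.lnk" is rendered as "Invoice.pdf".
DECOY_LNK_RE = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", re.IGNORECASE)

# Assumption: quick tunnels are served under *.trycloudflare.com (the summary only says
# "Cloudflare tunnel subdomains"). Adjust if your telemetry shows a different suffix.
TUNNEL_HOST_RE = re.compile(r"(?:^|\.)trycloudflare\.com$", re.IGNORECASE)


def is_lnk_content(data: bytes) -> bool:
    """True when the bytes start with a Windows shell link header, whatever the file is called."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def triage_attachment(name: str, data: bytes) -> list[str]:
    """Return a list of findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    if DECOY_LNK_RE.search(name):
        findings.append("double-extension shortcut disguised as a document")
    if is_lnk_content(data) and not name.lower().endswith(".lnk"):
        findings.append("shell link content under a non-.lnk file name")
    return findings


def tunnel_hosts(log_lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client, host) pairs for proxy lines whose destination is a Cloudflare quick tunnel.

    Constructed log format: "<timestamp> <client_ip> <destination_host> <port>".
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed or truncated line; skip rather than crash the sweep
        client, host = parts[1], parts[2]
        if TUNNEL_HOST_RE.search(host):
            hits.append((client, host))
    return hits


# Constructed sample data: two shortcut files (one with a decoy extension, one renamed outright)
# and a genuine PDF header that must not be flagged.
SAMPLE_ATTACHMENTS = {
    "Invoice_2024.pdf.lnk": LNK_MAGIC + b"\x00" * 56,
    "Invoice_2024.pdf": b"%PDF-1.7\n%constructed sample\n",
    "statement.pdf": LNK_MAGIC + b"\x00" * 56,
}
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 example-words-here.trycloudflare.com 443",
    "2024-01-01T10:00:01Z 10.0.0.5 www.example.com 443",
    "garbage",
]


def triage_all(attachments: dict[str, bytes], log_lines: Iterable[str]) -> dict:
    """Run both checks and return a summary dict suitable for an alert payload."""
    return {
        "attachments": {n: f for n, d in attachments.items() if (f := triage_attachment(n, d))},
        "tunnel_fetches": tunnel_hosts(log_lines),
    }


if __name__ == "__main__":
    for key, value in triage_all(SAMPLE_ATTACHMENTS, SAMPLE_PROXY_LOG).items():
        print(key, value)
```

The content check matters more than the name check: a gateway that only looks for `.pdf.lnk` misses a shortcut that has simply been renamed to `statement.pdf`, whereas the 20-byte header identifies it regardless. Pairing an attachment finding with a subsequent quick-tunnel fetch from the same client gives a higher-confidence alert than either signal alone.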