Ten Days Later, Eight Tunnels Deep: The German-Targeting Actor Behind Operation Nutten Tunnel Returns With Five RATs and an Early Bird Injection DLL
Same actor, same SID, same OPSEC — but one tunnel became eight, one payload became five RATs, and CreateRemoteThread became Early Bird APC injection
Two days ago, we published our analysis of Operation Nutten Tunnel -- a six-stage attack chain hidden behind a single Cloudflare Quick Tunnel targeting German-speaking users. Zero detections across every major platform. A VPS hostname baked into the LNK metadata. A Python-to-shellcode injection chain.
Today, @smica83 flagged another WsgiDAV open directory on a new Cloudflare tunnel: crest-ind-snake-dublin. We investigated expecting a copycat. Instead, we found the same actor, ten days later, with an arsenal that makes their first campaign look like a proof of concept.
One tunnel became eight. One payload became five RATs plus a custom DLL. CreateRemoteThread became Early Bird APC injection. Downloaded Python became bundled Python. German-only targeting expanded to include daily UK campaigns.
Confirming the Link
The connection to Nutten Tunnel is definitive:
- Shared tunnel: wet-envelope-beam-laser.trycloudflare.com appears in both campaigns
- Same build environment: Administrator account, identical LNK construction patterns
- Same WsgiDAV platform: same WebDAV configuration, same Edge icon disguise
- Same OPSEC failure: Windows SID S-1-5-21-3343087317-1842942590-547433828-500 embedded in LNK metadata across both campaigns
This is the same operator. What changed is everything else.
Eight Tunnels, Compartmentalized
The actor now runs a multi-hop delivery network across eight separate Cloudflare Quick Tunnels, each serving a distinct function:
| Tunnel | Role |
|---|---|
| crest-ind-snake-dublin | Lure delivery (LNK files) |
| klein-changes-performed-complex | WSF dropper stage |
| chubby-resident-ultimately-dose | BAT stager scripts |
| highland-trend-outline-dispute | ZIP payload packages |
| wet-envelope-beam-laser | Shared infrastructure (both campaigns) |
| 3 additional tunnels | Backup/rotation |
Compartmentalizing across separate tunnels means taking down one URL doesn't kill the chain. Each stage fetches the next from a different tunnel. If a defender blocks the lure tunnel, the dropper, stager, and payload tunnels remain untouched and can be reconnected to a new lure.
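The multi-hop behaviour described above leaves a footprint that is easier to spot than any single tunnel name: one client touching several distinct trycloudflare.com hostnames in quick succession. The following is an added example (not code from the original report) that scores proxy or DNS logs for that pattern; the log format and the sample lines are constructed for the demonstration, and the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (timestamp, client IP, destination host); not real traffic.
# The first client walks the lure -> dropper -> stager -> payload chain, the second does not.
SAMPLE_PROXY_LOG = """\
2026-04-02T09:14:02Z 10.0.5.17 crest-ind-snake-dublin.trycloudflare.com
2026-04-02T09:14:05Z 10.0.5.17 klein-changes-performed-complex.trycloudflare.com
2026-04-02T09:14:19Z 10.0.5.17 chubby-resident-ultimately-dose.trycloudflare.com
2026-04-02T09:14:40Z 10.0.5.17 highland-trend-outline-dispute.trycloudflare.com
2026-04-02T09:15:01Z 10.0.5.17 wet-envelope-beam-laser.trycloudflare.com
2026-04-02T09:30:11Z 10.0.5.42 developer-demo-app-preview.trycloudflare.com
2026-04-02T09:31:00Z 10.0.5.42 www.example.com
"""

# Quick Tunnel hostnames are four random words joined by hyphens under trycloudflare.com
TUNNEL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>[a-z0-9-]+\.trycloudflare\.com)$"
)


def parse_tunnel_events(log_text):
    """Return (timestamp, client, tunnel_host) for every line that hit a Quick Tunnel."""
    events = []
    for line in log_text.splitlines():
        m = TUNNEL_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("client"), m.group("host")))
    return events


def find_tunnel_chains(log_text, min_tunnels=3, window=timedelta(minutes=5)):
    """Map client -> distinct Quick Tunnel hosts for clients that reached at least
    min_tunnels different tunnels inside one sliding time window (assumed thresholds)."""
    by_client = defaultdict(list)
    for ts, client, host in parse_tunnel_events(log_text):
        by_client[client].append((ts, host))

    flagged = {}
    for client, hits in by_client.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = []
            for ts, host in hits[i:]:
                if ts - start > window:
                    break
                if host not in seen:
                    seen.append(host)
            if len(seen) >= min_tunnels:
                flagged[client] = seen
                break
    return flagged


if __name__ == "__main__":
    for client, hosts in find_tunnel_chains(SAMPLE_PROXY_LOG).items():
        print(f"{client}: {len(hosts)} distinct Quick Tunnels in 5 min -> {hosts}")
```

A single developer using one Quick Tunnel for a demo stays below the threshold; the chained fetch pattern does not, regardless of which tunnel names the actor rotates to next.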
Five RATs, One Operator
The payload tunnels serve five distinct Python-based RATs, each bundled with a Python 3.12 runtime in a ~33MB ZIP package:
| RAT | Likely Function | Target |
|---|---|---|
| An | AnyDesk-style remote access | General |
| As | AsyncRAT variant | General |
| Hv | Hidden VNC (HVNC) | Banking fraud |
| UK-Vio | UK-targeted variant | United Kingdom |
| Laz | Unknown | Unknown |
All five use a custom "Kramer" obfuscator that compiles Python source to .pyc bytecode and disguises the compiled files with .py extensions. Static analysis tools that parse Python source code see garbage. Only a Python bytecode decompiler reveals the actual logic.
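Because the disguise relies only on the file extension, the cheapest triage check is to look at the first bytes of every .py file: compiled bytecode keeps the .pyc magic header, which no source file starts with. The following is an added example, not code from the report or from the "Kramer" tooling; it assumes the obfuscator leaves the standard .pyc header intact, and builds its own sample directory (one genuine source file, one compiled file renamed to .py) so it runs offline.

```python
import os
import py_compile
import tempfile
from importlib.util import MAGIC_NUMBER


def looks_like_pyc(data):
    """Heuristic on the first 16 bytes of a file.

    A .pyc begins with a 4-byte magic: a little-endian version tag followed by
    b'\\r\\n'. The tag has stayed between 3000 and 4000 for every Python 3.x
    release, so a ".py" file shaped like this is bytecode, not source.
    """
    if len(data) < 16:
        return False
    if data[:4] == MAGIC_NUMBER:  # exact match for the interpreter running this scan
        return True
    version_tag = int.from_bytes(data[:2], "little")
    return data[2:4] == b"\r\n" and 3000 <= version_tag < 4000


def is_disguised_pyc(path):
    with open(path, "rb") as fh:
        return looks_like_pyc(fh.read(16))


def scan_for_disguised_pyc(root):
    """Return sorted relative paths of *.py files under root that are really bytecode."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            full = os.path.join(dirpath, name)
            if is_disguised_pyc(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_demo_dir():
    """Constructed sample: one real source file plus one .pyc given a .py name,
    mimicking the disguise described in the report."""
    root = tempfile.mkdtemp(prefix="pyc_disguise_demo_")
    src = os.path.join(root, "helper.py")
    with open(src, "w") as fh:
        fh.write("def beacon():\n    return 'hello'\n")
    # compile the source and write the bytecode straight to a .py filename
    py_compile.compile(src, cfile=os.path.join(root, "client.py"), doraise=True)
    return root


if __name__ == "__main__":
    demo = build_demo_dir()
    print("bytecode disguised as source:", scan_for_disguised_pyc(demo))
```

Files the scan flags are the ones to hand to a bytecode decompiler; a ".py" whose first two bytes are not followed by `\r\n` is ordinary source and can be read directly.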
The shift from Python 3.11 downloaded at runtime (Nutten Tunnel) to Python 3.12 bundled in ZIPs (Crest Snake) eliminates a network dependency. The first campaign required the victim's machine to download Python from the internet -- a step that could fail behind corporate proxies or trigger network alerts. Now the entire runtime ships with the payload.
The DLL: Early Bird APC Injection
The most significant technical upgrade is jopfgl.dll -- a custom x64 DLL compiled with MinGW GCC 15.1.0 that exports three functions:
- get_payload -- retrieves the encrypted shellcode
- xor_decrypt -- decrypts with key vGTemXQ2PUmLBCzOAPieOYoLGTonlAQ4
- inject_early_bird -- injects into a suspended process via QueueUserAPC
Early Bird APC injection creates a process in a suspended state, queues the malicious code as an Asynchronous Procedure Call, then resumes the process. The injected code executes before the process's own entry point runs -- before EDR hooks are installed, before user-mode monitoring begins. It's a significant evasion upgrade from the CreateRemoteThread technique used in Nutten Tunnel.
The decrypted shellcode (342 KB) is a Donut-style loader with a CALL/POP entry point -- a position-independent code stub that resolves its own address before bootstrapping the main payload.
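Repeating-key XOR with a known key is the first thing an analyst reverses to get at the loader, and the classic position-independent entry described above (call to the next instruction, then pop the return address into a register) has a fixed byte shape that can be checked on the decrypted blob. The following is an added example, not the DLL's own code or the Donut loader: it uses the 32-byte key the report lists, but the "encrypted" input is a constructed stand-in, and the `call $+5` / `pop` pattern it tests for is the textbook form of a CALL/POP stub, not a claim about this sample's exact bytes.

```python
from itertools import cycle

# XOR key as listed in the report for jopfgl.dll's xor_decrypt export
XOR_KEY = b"vGTemXQ2PUmLBCzOAPieOYoLGTonlAQ4"


def xor_decrypt(data, key):
    """Repeating-key XOR; the same routine both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def has_call_pop_entry(code):
    """Heuristic for a CALL/POP position-independent entry:
    E8 00 00 00 00 (call $+5) followed by a one-byte pop into a general
    register (58..5F), which leaves the stub's own address in that register."""
    return (
        len(code) >= 6
        and code[:5] == b"\xe8\x00\x00\x00\x00"
        and 0x58 <= code[5] <= 0x5F
    )


# Constructed stand-in for the encrypted payload: call $+5 / pop rbx / NOP filler,
# then XOR-encrypted with the key. The real blob is ~342 KB; this is only a shape check.
SAMPLE_STUB = b"\xe8\x00\x00\x00\x00\x5b" + b"\x90" * 26
SAMPLE_ENCRYPTED = xor_decrypt(SAMPLE_STUB, XOR_KEY)


def triage_blob(encrypted, key=XOR_KEY):
    """Decrypt and report the two facts an analyst wants first: size and entry shape."""
    plain = xor_decrypt(encrypted, key)
    return {"size": len(plain), "call_pop_entry": has_call_pop_entry(plain)}


if __name__ == "__main__":
    print(triage_blob(SAMPLE_ENCRYPTED))
```

On a real sample the same two functions apply unchanged to the bytes returned by the DLL's `get_payload` export; a positive `call_pop_entry` result is a cue to load the blob into a disassembler at offset 0 rather than hunting for an entry point elsewhere.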
Dual Targeting: Germany and UK
Nutten Tunnel targeted only German-speaking users. Crest Snake targets both:
German campaigns: LNK files disguised as FSL invoices ("rechnung.pdf" -- German for "invoice"), financial document naming conventions matching German business formats.
UK campaigns: Daily-rotating campaign identifiers -- UKMar26, UKMar27, UKA01, UKA02 -- suggesting a structured, calendar-based targeting schedule. The UK-Vio RAT variant is specifically configured for British targets.
Ten Days of Evolution
| Aspect | Nutten Tunnel (Mar 23) | Crest Snake (Apr 2) |
|---|---|---|
| Tunnels | 1 | 8 (compartmentalized) |
| Payloads | 1 (shellcode) | 5 RATs + 1 DLL |
| Python | 3.11 downloaded at runtime | 3.12 bundled in ZIP |
| Injection | CreateRemoteThread | Early Bird APC (QueueUserAPC) |
| Targeting | German only | German + UK daily campaigns |
| Encryption | AES-256-CBC | XOR with 32-byte key |
| Stages | 6 | 8+ (multi-hop tunnel chain) |
This level of evolution in ten days indicates either a well-resourced operator with a development team, or a sophisticated individual iterating rapidly on their tooling. The shift to Early Bird injection and multi-tunnel compartmentalization suggests someone who reads security research and adapts.
Indicators of Compromise
Tunnel Domains
- crest-ind-snake-dublin[.]trycloudflare[.]com
- klein-changes-performed-complex[.]trycloudflare[.]com
- chubby-resident-ultimately-dose[.]trycloudflare[.]com
- highland-trend-outline-dispute[.]trycloudflare[.]com
- wet-envelope-beam-laser[.]trycloudflare[.]com
File Indicators
- jopfgl.dll -- custom DLL with inject_early_bird export
- XOR key: vGTemXQ2PUmLBCzOAPieOYoLGTonlAQ4
- Windows SID: S-1-5-21-3343087317-1842942590-547433828-500
- 22 sample hashes in full report
Detection
Six YARA rules and ten Suricata signatures are available on our GitHub:
UPDATE: Operation Klein Changes -- The Full Timeline
Hours after publishing, @skocherhan identified another tunnel from the same actor: klein-changes-slim-starter[.]trycloudflare[.]com. We investigated immediately and recovered 6 WSF droppers spanning January 14 through April 2, 2026 -- the actor's complete three-month operational history.
Nine Tunnels, One Actor
Across three investigations (Nutten Tunnel, Crest Snake, Klein Changes), we have now mapped 9 Cloudflare Quick Tunnels operated by this actor:
- requires-fortune-nutten-eligible (Nutten Tunnel, Mar 23)
- crest-ind-snake-dublin (Crest Snake, Apr 2, lure delivery)
- klein-changes-performed-complex (Crest Snake, WSF dropper)
- klein-changes-slim-starter (Klein Changes, WSF dropper, current)
- chubby-resident-ultimately-dose (Crest Snake, BAT stager)
- chubby-resident-airlines-converter (Klein Changes, BAT stager, new)
- highland-trend-outline-dispute (Crest Snake, ZIP payloads)
- wet-envelope-beam-laser (shared across campaigns)
- Additional backup tunnel
Daily Evolution (Jan 14 to Apr 2)
| Date | Technique | Change |
|---|---|---|
| Jan 14 | Simple 2-stage BAT download (90s sleep) | Initial capability |
| Mar 25 | DLL sideloading via regsvr32 + German PDF decoy | Added evasion |
| Mar 26 | 4 simultaneous DLLs (Asy/Ana/Hvv/UK-vio) | Scaled targeting |
| Mar 27 | 3-stage BAT chain (10s sleep) | Reduced dwell time |
| Apr 1 | Python RATs + DLL hybrid (TokenSys/emand.dll) | Added persistence |
| Apr 2 | Python-only (DLL REMOVED) | Simplified, A/B testing |
The actor updates payloads daily and rotates tunnels every 3-7 days. They are actively A/B testing delivery methods.
Additional IOCs
- klein-changes-slim-starter[.]trycloudflare[.]com
- chubby-resident-airlines-converter[.]trycloudflare[.]com
- 6 WSF dropper hashes + 17 additional samples in the full Klein Changes report
h/t @skocherhan for the klein-changes tunnel identification.
h/t @smica83 for both the original and follow-up tips.