Recherche : [securonix]

Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware - Securonix https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research/

20/06/2025 09:06:08

Securonix Threat Research uncovers SERPENTINE#CLOUD, a stealthy malware campaign abusing Cloudflare Tunnels to deliver in-memory Python-based payloads via .lnk phishing lures. Learn how this multi-stage attack evades detection, establishes persistence, and executes Donut-packed shellcode using Early Bird APC injection.
An ongoing malware campaign tracked as SERPENTINE#CLOUD has been identified as leveraging the Cloudflare Tunnel infrastructure and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. For initial access, the threat actors are luring users to execute malicious .lnk files (shortcut files) disguised as documents to silently fetch and execute remote code. This kicks off a rather elaborate attack chain consisting of a combination of batch, VBScript and Python stages to ultimately deploy shellcode that loads a Donut-packed PE payload.

The shortcut files are delivered via phishing emails that contain a link to download a zipped document, often themed around payment or invoice scams. This assessment is based on the naming convention of the ZIP files observed, many of which included the word “invoice.”

Attribution remains unknown, though the attacker demonstrates fluency in English based on code comments and scripting practices. Telemetry indicates a strong focus on Western targets, with confirmed activity observed in the United States, United Kingdom, Germany and other regions across Europe and Asia. The use of Cloudflare for payload hosting allows the attackers to remain anonymous and since their infrastructure is secured behind a trusted network, monitored traffic to this network will rarely raise alarms or be flagged as suspicious by network monitoring tools.

CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging - Securonix https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/

04/11/2024 16:55:53

In a rather novel attack chain, attackers deploy a custom-made emulated QEMU Linux box to persist on endpoints, delivered through phishing emails.

Securonix Threat Labs Security Advisory: Latest Update: Ongoing MEME#4CHAN Attack/Phishing Campaign uses Meme-Filled Code to Drop XWorm Payloads https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/

15/05/2023 21:16:07

An unusual attack/phishing campaign delivering malware while using meme-filled code and complex obfuscation methods continues dropping Xworm payloads for the last few months and is still ongoing today.

Liens par page

Filtres