Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware
The SERPENTINE#CLOUD campaign leverages Cloudflare Tunnels and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as documents, fetching remote code from Cloudflare subdomains. The infection chain involves batch, VBScript, and Python stages, ultimately deploying shellcode that loads a Donut-packed PE payload. The campaign focuses on Western targets, using Cloudflare for payload hosting and anonymity. It demonstrates evolving tactics, shifting from simple .url files to sophisticated .lnk payloads. The final stage involves a RAT payload, giving attackers full control over infected hosts.
AI Analysis
Technical Summary
The SERPENTINE#CLOUD campaign is a sophisticated malware operation that abuses Cloudflare Tunnels to deliver stealthy, Python-based malware payloads to targeted systems. The attack initiates through malicious Windows shortcut (.lnk) files that are disguised as legitimate documents to entice victims into execution. These shortcuts fetch remote code hosted on Cloudflare subdomains, leveraging Cloudflare's infrastructure to provide anonymity and evade traditional detection mechanisms. The infection chain is multi-staged and complex, involving batch scripts, VBScript, and Python loaders that work together to execute memory injection techniques. The final payload is a shellcode loader that uses the Donut packer to embed a Portable Executable (PE) payload directly into memory, avoiding disk writes and reducing forensic footprints. This PE payload is a Remote Access Trojan (RAT), specifically linked to variants such as AsyncRAT and RevengeRAT, granting attackers full control over compromised hosts. The campaign has evolved from using simpler .url files to more complex .lnk files, indicating an adaptive threat actor improving stealth and delivery mechanisms. The use of obfuscation and memory injection techniques further complicates detection and analysis. The campaign primarily targets Western organizations, exploiting the trust and ubiquity of Cloudflare services to host malicious payloads and maintain operational security. No known exploits in the wild have been reported yet, but the campaign's medium severity rating reflects its potential impact and stealth capabilities.
Potential Impact
For European organizations, the SERPENTINE#CLOUD campaign poses significant risks, particularly to enterprises relying on Windows environments and those with employees who frequently handle document-based communications. The RAT payload enables attackers to gain persistent, remote control over infected systems, potentially leading to data exfiltration, espionage, lateral movement within networks, and disruption of critical services. The use of Cloudflare tunnels complicates attribution and response, as malicious traffic blends with legitimate cloud traffic, potentially bypassing perimeter defenses. The stealthy nature of memory injection and obfuscated scripts increases the likelihood of prolonged undetected presence, which can exacerbate damage and complicate incident response. Sectors such as finance, government, technology, and critical infrastructure in Europe are particularly vulnerable due to their strategic importance and the value of their data. Additionally, the campaign's focus on Western targets aligns with the presence of many multinational corporations and governmental bodies in Europe, increasing the probability of targeted attacks. The campaign's reliance on social engineering through disguised shortcut files also highlights the risk posed by insufficient user awareness and endpoint protection.
Mitigation Recommendations
To mitigate the SERPENTINE#CLOUD threat, European organizations should implement several targeted measures beyond generic advice:
1) Deploy endpoint detection and response (EDR) tooling that can detect memory injection and script-based attacks, relying on behavioral indicators rather than signature-based detection alone.
2) Enforce strict application whitelisting that blocks execution of .lnk files and scripts arriving as email attachments or from untrusted sources.
3) Monitor outbound network connections for anomalous contact with Cloudflare subdomains, and use threat intelligence feeds to flag suspicious tunnel usage.
4) Run regular phishing awareness training that covers the risk of opening unexpected shortcut files and how to recognize social engineering tactics.
5) Enable PowerShell and script execution logging with centralized analysis to surface unusual script activity, especially batch, VBScript, and Python scripts.
6) Harden endpoint configurations by disabling or restricting Windows shortcut file execution where possible, and apply least privilege principles to limit the malware's ability to execute or escalate privileges.
7) Collaborate with Cloudflare and ISPs to monitor and, where possible, block malicious subdomains used for payload hosting.
8) Keep backups current and maintain incident response plans tailored to memory-resident malware so that containment and recovery are rapid.
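The following is an added example, not code from the pulse, from AlienVault, or from the Securonix write-up, showing one way to implement recommendation 3 (and part of 6) as a detection pass over web-proxy logs. The log format and the log lines are constructed for illustration; the indicator values are copied from this page's Indicators of Compromise list, and the double-extension check for shortcuts disguised as documents is an assumption derived from the description and the `<digits>.pdf.lnk` names in that list.

```python
"""
Constructed example: flag proxy log lines that contact (a) domains from the page's
IoC list, (b) any Cloudflare quick-tunnel host under trycloudflare.com, or
(c) a download whose file name looks like a shortcut disguised as a document.
"""
import re
from urllib.parse import urlparse

# Representative subset of the page's IoC domains (copied from the list above).
KNOWN_BAD_DOMAINS = {
    "nhvncpure.click",
    "nhvncpure.duckdns.org",
    "djksncb.duckdns.org",
    "eastern-instructional-ant-jungle.trycloudflare.com",
}

# The campaign stages payloads on ephemeral quick tunnels under this suffix, so
# contact with any label under it is worth review even when the label is unknown.
TUNNEL_SUFFIX = ".trycloudflare.com"

# Assumed pattern for a shortcut impersonating a document (e.g. report.pdf.lnk).
DISGUISED_SHORTCUT = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.IGNORECASE)

# Constructed log format: "<timestamp> <client_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def classify_host(host):
    """Return 'known_ioc', 'quick_tunnel', or None for a hostname."""
    host = host.lower().rstrip(".")
    if host in KNOWN_BAD_DOMAINS:
        return "known_ioc"
    if host.endswith(TUNNEL_SUFFIX):
        return "quick_tunnel"
    return None


def classify_path(path):
    """Return 'disguised_lnk' when the last path segment has a document.lnk name."""
    name = path.rsplit("/", 1)[-1]
    if DISGUISED_SHORTCUT.search(name):
        return "disguised_lnk"
    return None


def scan_proxy_log(lines):
    """Return a list of (client_ip, host, reasons) for lines worth alerting on.

    Malformed lines are skipped rather than aborting the whole pass, so one bad
    record in a log export does not hide the hits around it.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url = m.groups()
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = [r for r in (classify_host(host), classify_path(parsed.path)) if r]
        if reasons:
            alerts.append((client, host, tuple(reasons)))
    return alerts


# Constructed sample log: two tunnel contacts, one benign fetch, one known C2
# domain, one disguised-shortcut download, and one malformed record.
SAMPLE_LOG = [
    "2025-06-20T08:31:51Z 10.0.0.12 GET https://eastern-instructional-ant-jungle.trycloudflare.com/cam.zip",
    "2025-06-20T08:32:10Z 10.0.0.12 GET https://dolls-pet-bon-shirts.trycloudflare.com/",
    "2025-06-20T08:33:05Z 10.0.0.25 GET https://example.org/reports/Q2.pdf",
    "2025-06-20T08:34:40Z 10.0.0.31 GET https://nhvncpure.duckdns.org/",
    "2025-06-20T08:35:02Z 10.0.0.44 GET https://files.example.net/dl/0618394720134.pdf.lnk",
    "this line is not a valid record",
]

if __name__ == "__main__":
    for client, host, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

The suffix match on `trycloudflare.com` is deliberately broader than the IoC list: quick-tunnel labels are generated per session, so a list of observed hostnames goes stale quickly, while the suffix does not. Treat a `quick_tunnel` hit as a triage prompt rather than a verdict, since legitimate developers also use the service; a `known_ioc` hit against this page's list is a far stronger signal.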
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Sweden
Indicators of Compromise
- hash: bb130f424ebd3b45a8f9d69efae863f4
- hash: 8e9d18b754aaf7aadb3bd2c20ab9f4aee409b73d
- hash: aece8fa3b8ea803e9ca9bf06b6fd147b54cd3a00207aad36871da424a9ca4748
- hash: 013cf008d024e83183c8ddc7ecefb266
- hash: 06480f1e6aa48daab019e8f1a6b834c9
- hash: 198553480cb100a5018aa08ebc599ff0
- hash: 3f9399b450f054528b439f0a75ffa1a6
- hash: 51d2b363ffbacbe2807ac36ba6f2ad26
- hash: 5289c94f1ae20f78d23b2c6c7cfd0276
- hash: 61b02d5a6fce25548108e1783913f74e
- hash: 6d1db0e5f9fd207372fa3e0a9f3d08ab
- hash: 70ae4d535a8330fd6992e6f88f4c25dd
- hash: 7592231319e5b0748606b17bd65a8b08
- hash: 8bfc2e4c7ee611fc0f7b15006af299ab
- hash: 9cde8a6bab01d52d2065d0f479e68548
- hash: 9cf6d945c93c5c5040e0775720f0916b
- hash: bc0d4b2844de0e9327bab2891ff32cf6
- hash: c385ea81fa960ee586d9a53e6262fad0
- hash: c4549537366f720536e4ac4ac3ed1be0
- hash: d1b9ad51e6d8a9faf620ef3d69b069e5
- hash: eb5c383734b18b21a9a24a717ce1b280
- hash: 037736cf63cf047f5165f0b6e0ab1d86d3d96512
- hash: 03e875c55f3b1c95dd7f0a370d1fc0a3d043b688
- hash: 27752e008f1aaa83b0b09f82632f47aeb05f51d9
- hash: 38fab408803fbe65079b66cb5ecbf6686efe9353
- hash: 76bdb98ac85ceca629357c469606eabf3f9ad49c
- hash: 80c83fcd717bd03fa463a75684c5541fce9fff55
- hash: 8f1f544c57b26784e0d191c9678067a505b4f339
- hash: 965d653fee4acd9c3fa7258096782d9ee3246916
- hash: a375e27ec85dd7b04ce44d4c02a0e5e162e484f0
- hash: a4265b36ecc13e1c4ecd9a1eb33727cdb3354a45
- hash: ae271809c8f2bd86db95199dcf7081b42e7f61f5
- hash: c1c2e51f52552c8a1e23d31d8d57662acb9bf6de
- hash: c735c2d22e2fe79a39111e76a9966d0720f023a1
- hash: e0553dba46dba677e8b509acc7076ee8cf75b5f8
- hash: e05ea2ddb8df7cd9006d3b3114270093356ac161
- hash: f08195863426c9dae4f1fc89014e9ae49ae576fd
- hash: f6698a92f659dbae256a4726bd52c1e934d9cdce
- hash: fca3dc54787f1a9dd44750f12da4b25563db85e7
- hash: 0172ca7c07d1d52dc163090886d5f32a5dcf528506d19203e4c405495f51c60b
- hash: 017fd2003f8eaa65ff85131322f5faec1e338511788328438020848edf3dfd8d
- hash: 0484de293f2c125132caa585229a8702af00cb645aa27684c2ee6f9f4f3edb6f
- hash: 049a576a5bc77af51065d28a711656bd93ff6bd5fe74d54064a66a802d14e438
- hash: 100970b2eb83e3a80cb463126845619a05c979d235b07eca4b1c2027772334ec
- hash: 139b2b11b1c0d9697a78c1a9535a7a4e4f41d4833b247c1cddc91abe3bebe3e4
- hash: 13a8150b68a3fad30c48778b80baa7c97c1a813f37688cbe14b1d3f5ab69ac72
- hash: 1534d21ddd3a58b076ef49682e0cf7009abfb4248fa70426b5436c02caeaf82f
- hash: 193218243c54d7903c65f5e7be9b865ddb286da9005c69e6e955e31ec3efa1a7
- hash: 1a15c4d654d88dc3f1943361cb69bb5dea90c758a6fe4e8b72e683ba9354c480
- hash: 1cacc0e005a506572b26d859579840188758c37377b19f33bbd084d7ef2956a8
- hash: 22de5ffc9bffe49c4713113ac171b95e016ed0f09065bfee1394a579174e8dd6
- hash: 32253d3ea50927d0fd79f5bfdd6ee93c46aa26126ce4360d9915fabd2e5f562f
- hash: 35db935e80beda545577a5f7ff6de7c8a8b1376c363b0d5c704dc14ebc1d2f93
- hash: 36d05b8ca1b6e629bfccc2342db331eb88d21ebce773ca266f664cd606bc31b7
- hash: 36f02254bf8631e5e4cdb83ffb4621c85ab5e41fb20983c7b1e2b2292ef02d0a
- hash: 3ad13c59cebdf654d2f04c26c4a0726f2e1bb3b1682bc9810a3b99fbd17d59c0
- hash: 3b97a79ed920a508b4cd91240d0795713c559c36862c75ec6c9a41b4ec05d279
- hash: 3cf0e84ea719b026aa6ef04ee7396974aeb3ec3480823fd0bb1867043c6d2bf9
- hash: 3d3a6d7905ca1387f3ec7a637cb672d6b6efa0f8efdbf819f756a8e5f92bc960
- hash: 408a7c9b1afcc367a086c1386da621d532632e2b54c47f7061161105bd63a37e
- hash: 427fa98fc638d1ec0d8c6863d9b2e7e58642287bef11404089b45024564b54f4
- hash: 45babdcbd661450b3643a14dc960daf7fafaea2876fee249a2a2417b15272a4b
- hash: 5022cd6152998d31b55e5770a7b334068ce8264876c5d6017fd37beb28e585ca
- hash: 521982a864b3b40b2627cf2067546accf346e2c97924a73dbc767907071c4029
- hash: 547250102b3b779cfeab6f9ff4b67ffd577d83d9e8027df90697b01e24256d67
- hash: 5710a67e4a3a633a8b3446a9e94b8cdd11b00e922a5585802a94bd91fa2a5d82
- hash: 5d932bfda0ffd31715700de2fd43fc89c0f1d89eeabac92081ebe2062da84152
- hash: 6134bac7a6215a158dfee2f6824b9e648de073eeb0499a325c8ef2ea43dab84c
- hash: 6211e469524a4bd7d3fa9c59a11a2f5bc6eac34d839a5ba0ba8a616b82a098c8
- hash: 63ffc2b66e32111cd5be311ad499bd15da5d28edc05b7f3da43dfe77f3e2c7f8
- hash: 6912f9484886ec8b8837ac3e2e63397a9c4fd499407dbab92f730f0d6b4315fc
- hash: 715cef51ffcfaec05a080a0e0db4d88bb5123e2ade4a1c72fd8c10f412310c1d
- hash: 759d6929e4456668a93d92b2aea311d9b7590ebab4a4da3cd8602b8c0b8111d5
- hash: 7aa7406147e1365a78412ba44adecee8c5f5b8365c61a2bc4de3bc2c37c0e1dd
- hash: 7b4931e498ce8b3a15bff5fdfd3a547397e85296462de3d2d322b4b3fe52f26c
- hash: 8164643b2efdcfedafafb61919cf93c496375002f6ad806725c85a7c871c34ea
- hash: 81c47e749e8a3376294de8593c2387a0642080303bb17d902babff1de561e743
- hash: 821f0956d3f52819c90035041c0f4c0ec644924af46222c5913e05de1c385b04
- hash: 850fb460f68ab1b5810f96db1ff16954cd1b590b921968fcbc3203135b40acc0
- hash: 9096d706d90598ba0dd6473a1cf0529ab7ab486e753b2ebf6b180d2bebf68990
- hash: 9dc84272d11e273b6b4defeabb7e3dd6ebe0e418fb96f9386dd7f1f695636384
- hash: a6f04f0c7b2827f4c102b1b1e3978805a628db1ee83fb61e640ff215ba732262
- hash: ac6eb3435cec6058ffea590ac51507b3313a74ea07893b984f2d87be12e17027
- hash: b57f591866a0d5a68b76382476087310a6f96c34b9449d070619df6b763e6a1d
- hash: c2c8f3a7a7b07fc4f62b943011ef4239ff938077fde2cc248b406616254f44d5
- hash: cdcd71a62cd579b8aa01792769b99961cde2d34419e066c4a45943559e0c4029
- hash: cdd097329d2c539a3c67c278530d951964f593a4ffb90a31b0efad4c3e0ed5ba
- hash: d70b2ec135b1dc4d0be8e029574d9e686b29c0225022fc65d0af0811fdf88ce7
- hash: def421b838a43054ab8336ab4db6bf8f973e1bbabc2c38e278c3fa4ea459f961
- hash: df9ecde8058cb9756bde3de1a2a2727a3709f238885165b7feb747eb10de1502
- hash: e78ff6f51a3faecf4d20cd5b71b2396b7c2fec74af19122b1e1eee432c13b773
- hash: e8dab17006948378b94183226f8e2d345a6aeb6688be02e4ee578d4618d9fb43
- hash: f0f7276c54e6d6b41732d51fb1b61366aa49c6992a54d13ffd24aee572ffaf95
- hash: f626a8e8e1eb51a23b56b69060a76b9f566944c1b4df044b8b4b68861fb8a761
- hash: f6b403d719d770ffb6cc310e2f97889998224a563a1a629be5b7f8642b5f00ba
- hash: fcad11819fca303372182c881397e0b607c0da64ecda1cf9b2c87cf5f8f5957a
- url: https://agricultural-brooks-nevertheless-hawk.trycloudflare.com
- url: https://archived-hungary-paxil-tubes.trycloudflare.com
- url: https://bold-accepts-wide-te.trycloudflare.com
- url: https://bought-boulder-algeria-warned.trycloudflare.com
- url: https://catalogs-amounts-functions-chicago.trycloudflare.com
- url: https://cold-neon-springfield-asset.trycloudflare.com
- url: https://departments-emperor-maximize-synopsis.trycloudflare.com
- url: https://depot-arrange-zero-kai.trycloudflare.com
- url: https://diy-solution-warriors-workflow.trycloudflare.com
- url: https://dolls-pet-bon-shirts.trycloudflare.com
- url: https://eastern-instructional-ant-jungle.trycloudflare.com/cam.zip
- url: https://flexibility-hawaiian-ever-bon.trycloudflare.com
- url: https://flour-riding-merit-refers.trycloudflare.com
- url: https://fy-golf-fraction-bath.trycloudflare.com
- url: https://greensboro-even-suburban-str.trycloudflare.com
- url: https://hobbies-gratis-literally-dry.trycloudflare.com
- url: https://hose-jerusalem-sure-older.trycloudflare.com
- url: https://integration-previous-brilliant-true.trycloudflare.com
- url: https://lender-router-exclusively-fraction.trycloudflare.com
- url: https://menu-conviction-given-not.trycloudflare.com
- url: https://milton-smithsonian-raising-mind.trycloudflare.com
- url: https://now-refer-several-tariff.trycloudflare.com
- url: https://obtaining-removing-blocking-effectiveness.trycloudflare.com
- url: https://opportunities-choosing-non-torture.trycloudflare.com
- url: https://pop-incl-accountability-pharmacy.trycloudflare.com
- url: https://reensboro-even-suburban-str.trycloudflare.com
- url: https://shed-determination-conviction-herself.trycloudflare.com
- url: https://superb-rotation-gourmet-frequently.trycloudflare.com
- url: https://surprise-poly-longitude-populations.trycloudflare.com
- url: https://travel-sagem-distant-potential.trycloudflare.com
- url: https://uploaded-overall-seating-browser.trycloudflare.com
- url: https://vertical-pentium-b-dead.trycloudflare.com
- url: https://violin-amendment-stranger-job.trycloudflare.com
- url: https://vocabulary-bangladesh-designation-manhattan.trycloudflare.com
- url: https://whatever-hearings-transmission-daisy.trycloudflare.com
- url: https://wizard-individual-intervals-franklin.trycloudflare.com
- url: https://works-clubs-attendance-vi.trycloudflare.co
- url: https://works-clubs-attendance-vi.trycloudflare.com
- domain: nhvncpure.click
- domain: nhvncpure.sbs
- domain: nhvncpure.shop
- domain: 048304848392524.pdf.lnk.download
- domain: 06159364732024.pdf.lnk.download
- domain: 0618394720134.pdf.lnk.download
- domain: 08403844758424.pdf.lnk.download
- domain: agricultural-brooks-nevertheless-hawk.trycloudflare.com
- domain: archived-hungary-paxil-tubes.trycloudflare.com
- domain: bold-accepts-wide-te.trycloudflare.com
- domain: bought-boulder-algeria-warned.trycloudflare.com
- domain: catalogs-amounts-functions-chicago.trycloudflare.com
- domain: cold-neon-springfield-asset.trycloudflare.com
- domain: departments-emperor-maximize-synopsis.trycloudflare.com
- domain: depot-arrange-zero-kai.trycloudflare.com
- domain: diy-solution-warriors-workflow.trycloudflare.com
- domain: djksncb.duckdns.org
- domain: dolls-pet-bon-shirts.trycloudflare.com
- domain: eastern-instructional-ant-jungle.trycloudflare.com
- domain: flexibility-hawaiian-ever-bon.trycloudflare.com
- domain: flour-riding-merit-refers.trycloudflare.com
- domain: fy-golf-fraction-bath.trycloudflare.com
- domain: greensboro-even-suburban-str.trycloudflare.com
- domain: hobbies-gratis-literally-dry.trycloudflare.com
- domain: hose-jerusalem-sure-older.trycloudflare.com
- domain: hvncmomentpure.duckdns.org
- domain: integration-previous-brilliant-true.trycloudflare.com
- domain: ip145.ip-51-89-212.eu
- domain: lender-router-exclusively-fraction.trycloudflare.com
- domain: menu-conviction-given-not.trycloudflare.com
- domain: milton-smithsonian-raising-mind.trycloudflare.com
- domain: ncmomenthv.duckdns.org
- domain: nhvncpure.duckdns.org
- domain: nhvncpure.twilightparadox.com
- domain: nhvncpure1.strangled.net
- domain: nhvncpure2.mooo.com
- domain: nhvncpurekfl.duckdns.org
- domain: nhvncpureybs.duckdns.org
- domain: now-refer-several-tariff.trycloudflare.com
- domain: obtaining-removing-blocking-effectiveness.trycloudflare.com
- domain: opportunities-choosing-non-torture.trycloudflare.com
- domain: pop-incl-accountability-pharmacy.trycloudflare.com
- domain: reensboro-even-suburban-str.trycloudflare.com
- domain: shed-determination-conviction-herself.trycloudflare.com
- domain: superb-rotation-gourmet-frequently.trycloudflare.com
- domain: surprise-poly-longitude-populations.trycloudflare.com
- domain: travel-sagem-distant-potential.trycloudflare.com
- domain: uploaded-overall-seating-browser.trycloudflare.com
- domain: vertical-pentium-b-dead.trycloudflare.com
- domain: violin-amendment-stranger-job.trycloudflare.com
- domain: vocabulary-bangladesh-designation-manhattan.trycloudflare.com
- domain: whatever-hearings-transmission-daisy.trycloudflare.com
- domain: wizard-individual-intervals-franklin.trycloudflare.com
- domain: works-clubs-attendance-vi.trycloudflare.co
- domain: works-clubs-attendance-vi.trycloudflare.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research
- Adversary: null
- Pulse Id: 6854faeabddec88ea8dace57
- Threat Score: null
Threat ID: 68551c777ff74dad36a1efe9
Added to database: 6/20/2025, 8:31:51 AM
Last enriched: 6/20/2025, 8:47:23 AM
Last updated: 8/12/2025, 5:47:57 AM