SERPENTINE#CLOUD is an active, financially motivated cybercrime campaign and initial access broker activity operating continuously since at least November 2025 and still active as of 2026-03-30. It has been observed conducting multi-wave phishing and remote-access-trojan delivery operations, primarily targeting German-speaking businesses with invoice-themed lures, with confirmed secondary targeting of UK organizations. Reported victimology includes German SMBs, accounting firms, DATEV users, Deutsche Telekom-themed recipients, and invoice-processing businesses. The campaign abuses Cloudflare Quick Tunnels under trycloudflare.com and exposed WsgiDAV WebDAV servers to stage payloads, rotating tunnel infrastructure frequently while maintaining role separation for lure delivery, script loaders, batch downloaders, and ZIP payload hosting. Across observed waves, reporting identified at least 27 Cloudflare tunnel domains and multiple persistent C2 servers. Confirmed infrastructure included 91.219.238.140, 178.16.55.160, 43.157.1.71, 12.202.180.133, and a Violet v5 C2 at 12.202.180.105, as well as DuckDNS-based C2 domains resolving to AT&T Chicago IP space. Observed malware families include AsyncRAT, XWorm, Remcos, DcRat, VenomRAT, Violet v5, PureHVNC, PureCrypter, and a custom RAT identified as PhilliVio. The March 30, 2026 wave simultaneously deployed AsyncRAT, a second AsyncRAT variant, VenomRAT, and PhilliVio via four live trycloudflare.com tunnels. The campaign’s infection chains consistently used lure files such as LNK, WSH, or URL shortcuts, followed by WSF or BAT loaders, ZIP archives containing portable Python runtimes, Python-based injectors, and shellcode or payload injection into explorer.exe. Persistence mechanisms included Startup folder BAT or LNK files, Registry Run keys, scheduled tasks, hidden directories, and DLL self-copying. The Python loader tooling evolved across multiple generations, including Donut shellcode loaders with AMSI and WLDP bypasses, later AES-CBC and Kramer-style obfuscation, and a polymorphic Python injector referred to as zmorf.py or mubi.py that randomized XOR function names at runtime. One wave used bitsadmin to retrieve and execute dd.wsf from a Cloudflare tunnel; another used regsvr32 to load a DLL from a WebDAV UNC path, copy itself to %LOCALAPPDATA%\Microsoft\WinHTTP\wdigest.dll, decrypt a data file, and execute a second-stage payload. A documented AutoIt-based persistence layer maintained three parallel persistence chains named EcoOptimize, WealthWise, and UrbanEco. All three used a renamed, signed AutoIt3.exe binary named Singer.pif together with obfuscated compiled AutoIt scripts and scheduled tasks to respawn payloads from %LocalAppData%. EcoOptimize and WealthWise delivered Remcos v7.0.1 Pro configured for banking fraud, including targeted screenshots every five seconds when window titles matched keyword lists heavily weighted toward Canadian banks, while UrbanEco delivered PureHVNC through a multi-stage AutoIt-to-.NET crypter chain using process hollowing into RegAsm.exe. Reporting states the nhvncpure PureHVNC backend exactly matched infrastructure previously extracted from PureLogs, indicating shared backend infrastructure across different tools and loader chains. The deployed RATs provided capabilities including remote shell access, keylogging, credential theft, webcam capture, hidden VNC access, clipboard hijacking, DDoS, screenshot capture, and long-term backdoor persistence. Reporting also highlighted repeated operator OPSEC failures, including leaked build hostnames in LNK metadata such as vincent-pc, desktop-bul6k1u, and ec2amaz-vjnf8l9. The hostname DESKTOP-BUL6K1U appeared both in LNK metadata and as the RDP certificate common name on C2 server 178.16.55.160, directly linking payload building and C2 operations. No nation-state attribution is stated in the provided content. Known aliases directly provided in the content are limited to the stylized name serpentine#cloud / SERPENTINE#CLOUD. Known sub-groups directly named in the reporting are the persistence chains EcoOptimize, WealthWise, and UrbanEco.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
40 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
71 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Financially motivated phishing and RAT delivery cluster abusing Cloudflare Quick Tunnels and WsgiDAV WebDAV servers to deliver multi-stage malware, often deploying multiple RAT families simultaneously against primarily German-speaking businesses and some UK targets.
A campaign/operator maintaining multi-chain Windows persistence via AutoIt BYOI (renamed AutoIt3.exe + obfuscated .a3x scripts) and scheduled tasks, delivering banking-fraud focused Remcos (targeted screenshots/keylogging) and PureHVNC for interactive access; shows single-operator control via highly similar Remcos configs and shared certificates/infra across deployments.
Phishing-driven intrusion activity leveraging Cloudflare Tunnels as infrastructure to deliver/deploy Python-based malware.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.