Researchers reported renewed SERPENTINE#CLOUD activity using Cloudflare Tunnel-hosted WebDAV delivery chains, with campaigns targeting both a previously compromised organization and German-speaking small businesses. In one intrusion attempt, Huntress said the actor returned just weeks after remediation of a six-month breach and used a ClickFix lure to trigger rundll32.exe loading davclnt.dll and fetching content from an ephemeral Cloudflare tunnel; defenders stopped the attack before payloads reached disk. Breakglass separately observed German-language lures disguised as legal documents, where a malicious .lnk file opened a legitimate invoice PDF as a decoy while staging scripts and downloading a clean Python runtime from python.org.
Across both investigations, the operator reused a stable toolchain built around Python loaders and Donut shellcode while varying payloads and delivery details to evade detection. Huntress linked the latest attempt to prior activity through reused GUIDs, encryption material, loader templates, staging paths, DuckDNS infrastructure, and command-and-control consolidation to two AT&T residential IPs in Chicago; the payload set included VenomRAT, AsyncRAT, XWorm/Violet, PureHVNC, and a Brute Ratel C4 wrapper. Breakglass found a custom Donut variant using a non-standard big-endian Chaskey-CTR counter and dual deployment of dcRAT and XenoRAT v1.8.7 into separate explorer.exe processes via Early Bird APC injection, with a live XenoRAT server at 176.96.136[.]182; researchers said the actor continues to rotate infrastructure quickly while preserving recognizable patterns such as WsgiDAV behind Cloudflare Quick Tunnels and a WebDAV share named Music.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
9 events from the most recent confirmed update back to the earliest known activity.
Analysis of the April 2026 activity tied it to the same operator through reused GUIDs, encryption material, loader templates, staging paths, DuckDNS infrastructure, and recurring WsgiDAV/Cloudflare Tunnel patterns. Researchers also assessed that the actor had consolidated command-and-control infrastructure to two AT&T residential IPs in Chicago, likely after earlier infrastructure was sinkholed by HYAS.
During the renewed intrusion attempt, Huntress interrupted the attack at stage 0 when rundll32.exe loaded davclnt.dll to retrieve content over WebDAV from a Cloudflare tunnel. The intervention prevented any payloads from reaching disk.
About five weeks after remediation of the earlier intrusion, Huntress identified a renewed intrusion attempt against the same organization. The actor used ClickFix-style social engineering and ephemeral Cloudflare tunnels while retaining the same core tooling and malware families seen previously.
Breakglass found the payloads in the German wave were protected with a modified Donut shellcode framework using a non-standard big-endian Chaskey-CTR counter increment. This anti-analysis change prevented standard Donut decryptors from working and required manual reverse engineering to recover the embedded .NET malware.
Breakglass Intelligence documented a third SERPENTINE#CLOUD wave targeting German-speaking small businesses using German-language legal-document lures and Cloudflare Tunnel-hosted WebDAV delivery. The chain used a malicious LNK, a clean Python runtime from python.org, and a Python loader to inject dcRAT and XenoRAT into separate explorer.exe processes.
Breakglass Intelligence reported a coordinated campaign abusing Cloudflare Tunnels and an open WsgiDAV directory to deliver five RAT families—XWorm, AsyncRAT, DcRAT, Violet, and PureHVNC—through a staged loader chain ending in Donut-packed in-memory .NET execution. The report linked the activity to a single operator via shared tunnel characteristics and C2 infrastructure converging on two AT&T IPs, and noted artifacts suggesting monthly build rotation dating back to at least September 2025.
Derp published an analysis of the SERPENTINE#CLOUD staging pipeline, describing seven campaign waves over roughly 176 days in which operators repeatedly delivered RATs through batch stagers, Python loaders, Donut shellcode, and .NET handoff. The report said the actor kept core RAT payloads relatively stable while evolving the outer delivery stack through five encryption generations, changing injection methods, adding Kramer-obfuscated Python bytecode, persistence scripts, fallback servers, and anti-forensic features.
Before the renewed activity seen in 2026, the same organization had already suffered a roughly six-month compromise attributed to the SERPENTINE#CLOUD operator. Huntress later used this earlier intrusion as the baseline for linking the return attack to the same actor.
Derp reported that the operator's underlying toolchain had remained stable since at least July 2025, including recurring use of Python loaders, Donut shellcode, and related staging patterns. This establishes the earliest known baseline for the campaign's core tradecraft.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
derp.ca
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourcederp.ca
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.