Breakglass Intelligence linked several live and historical campaigns to a persistent financially motivated actor abusing Cloudflare Quick Tunnels and misconfigured WsgiDAV WebDAV servers to stage invoice-themed malware against German-speaking organizations and later UK targets. Across operations tracked as Nutten Tunnel, WsgiDev Tunnel, Crest Snake, and Charger Van, victims were lured with PDF-like .LNK files that launched multi-stage chains through WSH, JScript, batch scripts, and embedded Python runtimes. Researchers tied the activity together through shared infrastructure, recurring script chains, identical LNK construction, reused metadata including the hostname vps-756346 and a Windows SID, and common tooling such as KISS Loader, XOR or AES-encrypted payloads, and anonymously writable WebDAV staging servers.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
Breakglass documented a persistent actor using Cloudflare Quick Tunnels and WsgiDAV infrastructure to deliver invoice-themed malware to German and UK businesses, including a newly analyzed charger-van-feb-circuit tunnel exposing a full chain ending in a Python-based KISS Loader and Donut shellcode injection into explorer.exe. The report also identified the older highland-trend-src-distinct staging tunnel and confirmed seven live tunnels linked by shared tooling as of 2026-04-05.
Researchers linked a new multi-tunnel Cloudflare Quick Tunnel campaign, dubbed Crest Snake, to the same operator behind Operation Nutten Tunnel through shared infrastructure, LNK construction patterns, WsgiDAV setup, and a reused Windows SID. The campaign expanded targeting from German-speaking users to UK victims and delivered five Python-based RATs plus a custom DLL using Early Bird APC injection.
Breakglass reported a live malware staging campaign on a trycloudflare.com tunnel using WsgiDAV 4.3.3 and anonymous read-write WebDAV access. The analysis added details on Startup-folder persistence via CryptoLoader.lnk and exposed OPSEC failures including VPS hostname vps-756346 and use of the Administrator account.
Researchers uncovered a previously unreported six-stage malware delivery chain hosted on a Cloudflare Quick Tunnel with an anonymously writable WsgiDAV server, targeting German-speaking users with a fake financial PDF shortcut lure. The chain progressed through WSH, JScript, batch, Python loader, and shellcode stages, ending with injection into explorer.exe.
A later reconstruction tied the actor's operations to activity running from 2026-01-14 through 2026-04-02, showing daily payload changes, tunnel rotation every 3 to 7 days, and experimentation with delivery methods.
Breakglass later identified payload archives in the previously unreported highland-trend-src-distinct tunnel dating back to 2025-11-28, making them the oldest known artifacts associated with this operator.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
intel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.