Breakglass Intelligence reported an active cybercrime campaign abusing Cloudflare Quick Tunnels and WsgiDAV open directories to deliver multi-stage malware to victims in the UK and German-speaking regions. Lure files masquerading as invoices and scanned PDFs launched infection chains through WSH/WSF, BAT, ZIP, and Python stages, ultimately deploying multiple obfuscated Python RAT and stealer payloads and, in some cases, a native x64 DLL. Researchers tied the activity to the same operator behind Operation Nutten Tunnel, citing shared tunnel infrastructure, overlapping hosts, identical build artifacts, the same embedded Administrator SID, and consistent targeting patterns.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
10 events from the most recent confirmed update back to the earliest known activity.
Later on April 3, 2026, Breakglass published its Operation Klein Changes report, documenting six recovered WSF droppers from January to April and linking the activity to the same actor behind Crest Snake and Nutten Tunnel through shared infrastructure and artifacts.
On April 3, 2026, Breakglass disclosed the previously unreported Operation Crest Snake campaign, describing eight Cloudflare Quick Tunnels, WsgiDAV open directories, multi-stage malware delivery, and links to the earlier Nutten Tunnel activity.
Breakglass reported that the most recent recovered campaign on April 2, 2026 eliminated the DLL component entirely and used a Python-only execution chain. This marked another evolution in the actor's tooling and delivery approach.
By early April 2026, the actor had moved to a more sophisticated Python-based infection chain, delivering multiple obfuscated Python RAT and stealer payloads and using persistence under user-profile paths.
A live Cloudflare Quick Tunnel named chubby-resident-airlines-converter was identified hosting April BAT stagers used in the campaign's delivery chain. This reflected continued infrastructure rotation and active staging in early April.
On March 30, 2026, Breakglass disclosed the active SERPENTINE#CLOUD phishing and RAT-delivery campaign, linking at least 27 Cloudflare Quick Tunnels and exposed WsgiDAV servers to financially motivated targeting of primarily German-speaking businesses. The report highlighted a live March 30 wave using four trycloudflare.com tunnels to deliver AsyncRAT, VenomRAT, and the newly identified custom RAT PhilliVio, along with infrastructure and OPSEC links across the campaign.
By late March 2026, the operator had evolved from simpler BAT downloaders to DLL sideloading as part of the multi-stage delivery chain. Breakglass later analyzed a related DLL, jopfgl.dll, that decrypted and loaded shellcode in memory.
On March 6, 2026, Breakglass reported a SERPENTINE#CLOUD campaign targeting German-speaking victims with fake DATEV invoice lures delivered via two Cloudflare trycloudflare.com tunnels exposing WsgiDAV shares. The infection chain used WSH/WSF/BAT staging, a downloaded Python runtime, in-memory execution of XWorm, DcRat, and PureCrypter payloads, and OPSEC artifacts that supported correlation to the broader SERPENTINE#CLOUD cluster.
Researchers recovered Windows Script File droppers tied to the Klein Changes activity dating back to January 14, 2026, showing the campaign was active by mid-January with an early two-stage BAT-based downloader chain.
Breakglass assessed the operator behind Operations Nutten Tunnel, Crest Snake, and Klein Changes had been active since at least September 2025, using Cloudflare Quick Tunnels and WsgiDAV-hosted infrastructure to target UK and German-speaking victims.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
intel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.