Breakglass Intelligence reported multiple active malware operations abusing Cloudflare infrastructure, WebDAV shares, and legitimate Python runtimes to deliver remote-access trojans and stealers through multi-stage infection chains. In the SERPENTINE#CLOUD activity, attackers used invoice-themed lures aimed primarily at German-speaking businesses, including spoofed DATEV documents delivered via trycloudflare.com tunnels exposing WsgiDAV servers. Victims were led through LNK, WSH, WSF, BAT, and URL shortcut stages before portable Python environments, shellcode loaders, and process injection into explorer.exe launched malware including AsyncRAT, XWorm, DcRat, VenomRAT, Violet v5, PureHVNC, PureCrypter, and the custom PhilliVio RAT. Researchers tied the campaign to at least 27 Cloudflare tunnel domains, persistent C2 infrastructure across multiple countries, and repeated operator OPSEC failures such as leaked builder hostnames and reusable metadata.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
7 events from the most recent confirmed update back to the earliest known activity.
On March 30, 2026, Breakglass observed a new SERPENTINE#CLOUD wave simultaneously deploying AsyncRAT, VenomRAT, and the newly identified custom RAT PhilliVio through four active trycloudflare.com tunnels. The campaign remained live that day, showing continued daily infrastructure rotation and persistent targeting activity.
On March 12, 2026, Breakglass published technical analysis of an active campaign in which ACRStealer delivered SectopRAT through layered Python obfuscation, a 21-second sandbox-evasion delay, a CLR-based AMSI bypass, and fiber-based shellcode execution. The malware chain targeted browser credentials, application secrets, and cryptocurrency wallets.
On March 10, 2026, Breakglass confirmed that the primary SectopRAT server at 94[.]26[.]106[.]216:9000 was live and answering unauthenticated requests on the /wbinjget and /wmglb endpoints. This validated that the ACRStealer-to-SectopRAT campaign infrastructure was actively operational.
In the March 2026 SERPENTINE#CLOUD investigation, Breakglass identified command-and-control servers at 178.16.55[.]160 and 43.157.1[.]71 and linked multiple RAT families to a single operator. The report also noted an OPSEC failure in LNK metadata exposing the builder hostname "vincent-pc" and a reusable SID fingerprint.
By early March 2026, researchers documented an active SERPENTINE#CLOUD wave using fake DATEV invoice lures delivered through dual trycloudflare.com tunnels exposing WsgiDAV shares. The infection chain deployed XWorm, DcRat, and PureCrypter, and established persistence through Startup, Registry Run, and scheduled task mechanisms.
Breakglass mapped seven ACRStealer C2 servers and four SectopRAT C2 servers that were active beginning on February 20, 2026. The infrastructure supported a multi-stage campaign delivering SectopRAT via ACRStealer using Cloudflare, MediaFire, and a renamed Python interpreter.
Breakglass reported that the financially motivated SERPENTINE#CLOUD phishing and RAT-delivery campaign had been operating continuously since at least November 2025, primarily targeting German-speaking businesses and also showing confirmed UK targeting. The cluster used Cloudflare Quick Tunnels, exposed WsgiDAV servers, and multiple RAT families across repeated waves.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
intel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.