112cc66323d5115ae18d80ce9e681c9f tier-suffering-contamination-cumulative[.]trycloudflare[.]com #CobaltStrike
Engineering ethics~ Working around 429 Too Many Requests on Cloudflare Quick Tunnels (TryCloudflare) · nyanshiba/corednsconf@3d27fa1 github.com/nyanshiba/coredns…
Replying to @shibanyan_1
Switched over to cloudflared so that a URL gets issued every time the local LLM starts. Sustainable. By the way, without going through WARP Connector you get a 429 almost immediately, so this isn't a setup you can normally use. Your own domain & Access is the easy way.
On making it possible to remote-desktop into my own PC from my school tablet (idiot). I made two versions, an extension and a URL-only one, but the extension one still only starts on a local address.. The URL one is running on trycloudflare right now. Good enough if I only want it running while I'm at school.
EtherRAT brought blockchain-backed C2 into this intrusion. A malicious MSI masquerading as Sysinternals RAMMap deployed EtherRAT, which used EtherHiding to retrieve Ethereum-hosted C2 config updates before pivoting to TryCloudflare infrastructure. Full report: thedfirreport.com/2026/05/11… #DFIR #ThreatIntel #DigitalForensics
🚨 AI-generated phishing kits are evolving FAST. We analyzed a fully operational Microsoft 365 AiTM phishing framework using:
☁️ Cloudflare Tunnels
🛡️ Dual CAPTCHA gates
🎯 Targeted victim prefill
🔑 Real-time MFA interception
🤖 Strong LLM-generated code fingerprints
Attack flow: Google Redirect → CAPTCHA → CAPTCHA → Fake Microsoft Login → Live Credential Relay
Highlights:
⚡ MFA push approval interception
🌍 Victim fingerprinting via 4 IP intel services
🎭 Multi-brand impersonation (OneDrive, Adobe, Teams, SharePoint & more)
🔄 Dynamic OAuth-style URL obfuscation
💸 Zero-cost rotating infrastructure via TryCloudflare
This wasn't a simple phishing page. It was a scalable AI-assisted phishing platform.
Full technical analysis below 👇 buff.ly/92zzR4q
#CyberSecurity #Phishing #AiTM #ThreatIntelligence #M365 #SOC #DFIR #Cloudflare #OSINT #MalwareAnalysis #Infosec #CyberThreats #LLM
Kimsuky 🇰🇷 deploys new Rust-based HelloDoor backdoor and VSCode tunneling, expanding PebbleDash arsenal with AI-assisted code development and legitimate remote access abuse. Korean-speaking APT group continues evolving tactics with multiple malware clusters targeting defense and government sectors across South Korea 🇰🇷, Brazil 🇧🇷, and Germany 🇩🇪:
• HelloDoor: First Rust-coded PebbleDash variant uses Cloudflare Quick Tunnels for C2 (female-disorder-beta-metropolitan.trycloudflare[.]com), contains LLM-generated comments with emojis
• httpMalice: Latest backdoor variant with ChaCha20 encryption, creates "CacheDB" service for persistence, gathers GPKI certificates from C:\GPKI directory
• VSCode abuse: JSE droppers install legitimate Visual Studio Code CLI, establish "bizeugene" tunnels via GitHub auth to bypass traditional C2 detection
• MemLoad V3: Downloads httpTroy payload reflectively, creates scheduled tasks "ChromeCheck"/"EdgeCheck" for persistence (T1053.005)
• DWAgent deployment: Installs remote admin tool with pre-configured accounts for covert access
Hunt for regsvr32.exe spawning from JSE files, scheduled tasks with "Check" naming patterns, and unexpected VSCode CLI processes in C:\Users\Public. Monitor for ChaCha20 encryption artifacts and connections to *.trycloudflare[.]com domains. #DFIR_Radar
#threatreport #LowCompleteness Checkmarx Jenkins Plugin Backdoored in New TeamPCP Supply Chain Attack | 11-05-2026
Source: socradar.io/blog/checkmarx-j…
Key details below ↓
🧑‍💻Actors/Campaigns: Teampcp, Mini_shai-hulud
💀Threats: Supply_chain_technique, Shai-hulud, Credential_stealing_technique, Canisterworm
🎯Victims: Checkmarx, Jenkins users, Software development
📚TTPs: ⚔️Tactics: 1 🛠️Technics: 0
🤖LLM extracted TTPs: T1005, T1041, T1078.004, T1083, T1119, T1195.001, T1195.002, T1491, T1552, T1552.001, ...
🧨IOCs: - Domain: 1
💽Software: Jenkins, OpenVSX, Kubernetes, Trivy, litellm, Docker, trycloudflare
#threatreport: The TeamPCP threat actor has reemerged with a new supply chain attack targeting the Checkmarx Jenkins plugin. This incident involves the defacement and compromise of the Checkmarx Jenkins AST plugin repository on GitHub, where TeamPCP altered the repository name and description to mock Checkmarx for lapses in security practices. The backdoored version, identified as 2026.5.09, was made available to Jenkins users during the exposure window, allowing any Jenkins instance that downloaded this version to implement a compromised plugin. The malware associated with this campaign is referred to as "Dune-themed," with various repository names on the compromised GitHub account reflecting the theme. Previous interactions of TeamPCP with Checkmarx infrastructure included deploying a credential-stealing payload through other GitHub actions, highlighting a continuing exploitation of vulnerabilities within Checkmarx's systems. This recent re-entry suggests potential shortcomings in previous remediation efforts, as indicated by TeamPCP’s taunt regarding Checkmarx's failure to rotate secrets effectively. This incident poses significant risks to Jenkins users, as the compromised plugin can access sensitive information from development pipelines, such as environment variables, tokens, and secrets visible to the Jenkins runner.
TeamPCP's typical modus operandi includes extensive reconnaissance for credential harvesting, whereby they scan for SSH keys and other sensitive data, ultimately exfiltrating this information in encrypted archives. Organizations using the affected Checkmarx Jenkins plugin version are advised to treat their environments as potentially compromised. Immediate steps include auditing Jenkins plugin versions, rotating all secrets accessible from affected instances, and reviewing build logs for anomalous outbound connections. Longer-term mitigations involve enforcing least-privilege access for Jenkins credentials and adopting short-lived authentication credentials. Monitoring for unusual traffic from build agents and applying stringent security measures to CI/CD environments akin to production systems is crucial for preventing future incidents.
Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware In April, we observed an intrusion that began with a malicious MSI masquerading as Sysinternals RAMMap and ended in domain-wide deployment of The Gentlemen ransomware. The intrusion featured EtherRAT, Ethereum-based EtherHiding C2 configuration, TryCloudflare tunnels, GoTo Resolve, Rclone exfiltration to Wasabi, and a newer malware framework named TukTuk. TukTuk stood out for its resilient C2 design, using SaaS and cloud platforms such as ClickHouse and Supabase, with support for Ably, Dropbox, GitHub Issues, direct HTTP, Slack, and Arweave-based dead-drop configuration retrieval. Detection opportunities included! ➡️ Full report is linked in the replies. #ThreatIntel #ThreatHunting #DigitalForensics
Here, take the IOC: hxxps://drew-interracial-building-yesterday.trycloudflare[.]com/uka/Scan_0649302482930.pdf.txt TryCloudflare-ception.
We all know that #WebDAV campaign that uses #TryCloudflare domains to deliver malicious payloads. There's one that has a .PDF.ZIP (ZIP archive) which holds a .PDF.URL file inside (tricking the user into thinking it's a PDF). These FileCreated events aren't logged by MDE.
You'll have to use other means to detect this, such as svchost.exe WebClient making connections to trycloudflare[.]com as RemoteUrl, or rundll32.exe with a trycloudflare[.]com in the ProcessCommandLine. Would be nice if MDE logged these for T1036.007.
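The hunts the two posts above spell out (WebClient svchost or rundll32 touching a trycloudflare[.]com host, regsvr32 spawned from a .jse, "Check"-named scheduled tasks, VS Code CLI running out of C:\Users\Public) as one small rule set over MDE-style events. This is an added example, not code from either poster; the column names mirror MDE advanced-hunting fields, the events are constructed samples, and the hostnames and binary names (code.exe / code-tunnel.exe) are assumptions.

```python
# Added example: hunt rules for the patterns called out in the posts above.
# Events are constructed sample telemetry; field names mirror MDE columns (assumed).
import re
from typing import Iterable

# Quick Tunnel hostnames: random words followed by .trycloudflare.com
TRYCF = re.compile(r"(^|[./\\@])[a-z0-9-]+\.trycloudflare\.com\b", re.I)

def hunt(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, device) pairs for every event that matches a rule."""
    hits = []
    for e in events:
        fn = e.get("FileName", "").lower()
        cmd = e.get("ProcessCommandLine", "")
        parent = e.get("InitiatingProcessFileName", "").lower()
        parent_cmd = e.get("InitiatingProcessCommandLine", "").lower()
        # 1. WebClient service host (svchost ... -s WebClient) reaching a Quick Tunnel
        if parent == "svchost.exe" and "webclient" in parent_cmd \
                and TRYCF.search(e.get("RemoteUrl", "")):
            hits.append(("webdav_to_trycloudflare", e["DeviceName"]))
        # 2. rundll32 with a trycloudflare path or URL on its command line
        if fn == "rundll32.exe" and TRYCF.search(cmd):
            hits.append(("rundll32_trycloudflare", e["DeviceName"]))
        # 3. regsvr32 spawned by a script host that is running a .jse file
        if fn == "regsvr32.exe" and parent in ("wscript.exe", "cscript.exe") \
                and ".jse" in parent_cmd:
            hits.append(("regsvr32_from_jse", e["DeviceName"]))
        # 4. scheduled task created with a *Check task name (ChromeCheck, EdgeCheck, ...)
        if fn == "schtasks.exe" and re.search(r'/tn\s+"?\w*Check\b', cmd, re.I):
            hits.append(("check_named_task", e["DeviceName"]))
        # 5. VS Code CLI binaries (assumed names) launched from C:\Users\Public
        if fn in ("code.exe", "code-tunnel.exe") and \
                e.get("FolderPath", "").lower().startswith(r"c:\users\public"):
            hits.append(("vscode_cli_public", e["DeviceName"]))
    return hits

SAMPLE_EVENTS = [  # constructed, not real telemetry; hostnames are placeholders
    {"DeviceName": "ws01", "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessCommandLine": "svchost.exe -k LocalService -p -s WebClient",
     "RemoteUrl": "https://placeholder-words-go-here.trycloudflare.com/share/x.pdf.zip"},
    {"DeviceName": "ws02", "FileName": "rundll32.exe",
     "ProcessCommandLine": r"rundll32.exe \\placeholder-words-go-here.trycloudflare.com\share\a.dll,Run"},
    {"DeviceName": "ws03", "FileName": "regsvr32.exe", "ProcessCommandLine": "regsvr32.exe /s x.dll",
     "InitiatingProcessFileName": "wscript.exe", "InitiatingProcessCommandLine": "wscript.exe invoice.jse"},
    {"DeviceName": "ws04", "FileName": "schtasks.exe",
     "ProcessCommandLine": r"schtasks.exe /create /tn ChromeCheck /tr C:\x.exe /sc minute"},
    {"DeviceName": "ws05", "FileName": "code-tunnel.exe", "FolderPath": r"C:\Users\Public\vscode"},
    {"DeviceName": "ws06", "FileName": "rundll32.exe", "ProcessCommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]
```

Only ws06, a normal rundll32 invocation, produces no hit; the other five each trip exactly one rule.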
previous-everywhere-achieving-bobby[.]trycloudflare[.]com/IGhhbmR5IG9ubGluZSB,0b29sIHRvIGVuY29kZSBvciBkZWNvZGUgeW91/ #phishing
authorities-vessel-denver-indie[.]trycloudflare[.]com/ssadoc/ @SocialSecurity @CISACyber @CISAgov
🚨 Fake SSA pages delivering RMM payload
Sites like
authorities-vessel-denver-indie.trycloudflare[.]com/ssadoc/
carroll-anne-mime-realty[.]trycloudflare[.]com/dashboard/This/SSA.html
adventure-ham-knew-styles[.]trycloudflare[.]com/links/dashboard/Pc/SSA/abo/statementt.html
febstatement777.s3.us-east-1.amazonaws[.]com/statement.html
febstatement5248.s3.us-east-1.amazonaws[.]com/statement.html
impersonate Social Security Administration and drop RemotePC Host Setup (RMM tool). Likely used for remote access / takeover #phishing #malware #SSA #RMM @500mk500 @skocherhan
🚨 New Phishing Chain: SSA → ps1 → GitHub → RAT. We’re tracking multiple active campaigns abusing a “Social Security” theme to deliver malware developed in Golang. Analysis (ANY.RUN): hxxps://app.any[.]run/tasks/5e9cc1e8-6094-436b-871e-80154bf28f1b
'stager.exe' seen from Italy @abuse_ch bazaar.abuse.ch/sample/19841… URL: hxxps://defence-communist-albums-desert(.)trycloudflare(.)com/api/beacon
'UMPDC.dll' @abuse_ch bazaar.abuse.ch/sample/12d8b… Domain: intelligent-std-lending-dark(.)trycloudflare(.)com
#threatreport #HighCompleteness SERPENTINE#CLOUD returns: ClickFix lure drops five RATs | 04-04-2026
Source: derp.ca/research/serpentine-…
Key details below ↓
🧑‍💻Actors/Campaigns: Serpentine_cloud
💀Threats: Clickfix_technique, Purelogs, Brc4_tool, Venomrat, Asyncrat, Xworm_rat, Purehvnc_tool, Dcrat, Dll_injection_technique, Sparkle_tool, Donut, Apc_injection_technique, Confuserex_tool, Donut_loader, Process_hacker_tool, Hvnc_tool, Ngrok_tool, Violet_rat, Purecryptor, Remcos_rat
🌐Geo: Netherlands, Hungary, Budapest
📚TTPs: ⚔️Tactics: 2 🛠️Technics: 1
🤖LLM extracted TTPs: T1027, T1036, T1036.007, T1036.008, T1041, T1047, T1055, T1055.004, T1059.003, T1059.005, ...
🧨IOCs: - File: 12 - Domain: 17 - Hash: 12 - Registry: 1 - Path: 2 - IP: 5
💽Software: trycloudflare, curl, Windows Defender
🔢Algorithms: pbkdf2, sha256, aes, aes-256-cbc, deflate, fnv-1a, base64, rc4, aes-cbc, zip, xor, cbc
🔠Functions: eval
🗂️Win API: VirtualAllocEx, WriteProcessMemory, QueueUserAPC, ResumeThread, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, LineDDA, EnumSystemGeoID, SetTimer, InitializeProcThreadAttributeList, ...
📜Programming Languages: python, jscript, autoit
💻Platforms: x64, intel
#threatreport: The recent cyber threat activity associated with SERPENTINE#CLOUD has been identified once again, with the attack completing successfully five weeks post-remediation. This resurgence employs ClickFix social engineering tactics, utilizing ephemeral Cloudflare tunnels to deliver multiple Remote Access Trojans (RATs) targeting the same organization. Notably, the attack was caught at an early stage by Huntress, preventing the payload from executing. Five families of malware are involved: VenomRAT, AsyncRAT, XWorm/Violet (now upgraded to version 5), PureHVNC, and a new entrant, Brute Ratel C4 (BRc4).
The obfuscated payloads employ Early Bird asynchronous procedure call (APC) queue injection techniques with a unique process parent ID spoofing tactic, allowing the payload to inject into benign system processes such as notepad.exe. This approach prevents detection by circumventing standard process monitoring tools. The C2 infrastructure has streamlined to four endpoints that resolve to DuckDNS domains, housed in two IPs located within the same AT&T residential subnet in Chicago. Historical analysis indicates that the operator has pivoted their infrastructure from three countries to this single subnet while maintaining operational continuity through consistent tool reuse and obfuscation techniques. The malware architecture notably employs a Python-based loader pipeline with Kramer obfuscator adaptability, along with direct syscalls and processes mitigated to block third-party DLL injections. The kill chain begins with a WSH lure that triggers a download of successive batch files and payloads, all executed within embedded Python environments which enable the cloaking of malicious activity. Notably, PureHVNC has evolved, utilizing AES and XOR for payload encryption alongside TLS 1.0 for secure C2 communications. Furthermore, specific characteristics of the RATs reveal their capabilities: VenomRAT v3.6 employs advanced memory patches for bypassing detection, AsyncRAT maintains lighter functionality without process killing or AMSI evasion, and XWorm/Violet v5 has minimized in size while expanding its operational scope to include credential theft and reverse shells.
#threatreport #HighCompleteness Inside TeamPCP’s Shell Arsenal | 02-04-2026
Source: theravenfile.com/2026/04/02/…
Key details below ↓
🧑‍💻Actors/Campaigns: Teampcp
💀Threats: Supply_chain_technique, Typosquatting_technique, Credential_harvesting_technique, Dual_loader, Canisterworm, Credential_dumping_technique, Frpc_tool, Trufflehog_tool, Adaptixc2_tool, Havoc, Steganography_technique, Multiverze
🎯Victims: Cloud platforms, Open source developer tools, Ci cd pipelines, Cloud native environments, Software supply chain, Artificial intelligence software, Telecommunications
🏭Industry: Financial
📚TTPs: ⚔️Tactics: 2 🛠️Technics: 12
🧨IOCs: - Hash: 23 - Domain: 9 - File: 6 - IP: 7 - Url: 1
💽Software: TRIVY, LITELLM, Docker, Kubernetes, Curl, k8s, trycloudflare, 8s en, udo) t, penssl rs, ...
🔢Algorithms: md5, rsa-4096, base64, aes-256-cbc, aes-256, aes, pbkdf2
📜Programming Languages: python
💻Platforms: amd64, arm
#threatreport: TeamPCP, a threat actor group, carried out a series of significant supply chain attacks against multiple GitHub projects in March 2026, targeting cloud platforms and automated development environments, including CI/CD pipelines and Docker Hub. Their attacks employed various techniques such as imposter commits, tag poisoning, and fileless payload execution, compromising numerous repositories along the way. The group notably compromised the Trivy Scanner, Checkmarx, LiteLLM, and Telnyx. The attack on Trivy involved the use of ten distinct shells, each tailored for specific operations. The primary behavior of one shell included scanning memory of running processes to extract sensitive data such as GitHub Personal Access Tokens (PATs) focused on credential theft. This particular shell was lightweight, enabling rapid execution in CI/CD contexts, and leveraged direct HTTP POST requests to a domain that resembled Aqua Security's legitimate domain.
Another shell was designed to prepare environments for Kubernetes, checking for the presence of the kubectl tool before pulling and executing a remote Python controller script. This approach facilitated credential harvesting within the Kubernetes ecosystem and reinforced the coordinated exploitation of cloud-native technologies. Subsequent shells executed various Python scripts directly in memory to avoid leaving traces on disk, using established tools like curl and Python to enhance stealth. In similar exploits targeting Checkmarx and LiteLLM, TeamPCP leveraged compromised versions of the LiteLLM Python package, leading to credential harvesting and data exfiltration via malicious payloads called litellm_init.pth. The harvesting mechanism included scanning for sensitive tokens and encrypting the stolen data before sending it to attacker-controlled endpoints, further ingraining persistence and stealth in their tactic. Tracking the evolution of TeamPCP's techniques revealed that their operations intensified from December 2025 through the March attacks. One key type of shell identified was a core propagation tool capable of transforming compromised cloud hosts into nodes for a broader botnet, employing tunneling tools for ongoing access and potentially deploying additional malicious scripts. TeamPCP's modus operandi underscores their focus on self-propagation strategies through npm worms, aggressive credential harvesting from CI/CD environments, and sophisticated data exfiltration techniques. The group utilized encrypted files for exfiltration, masked as legitimate data, and employed advanced backdoor designs to maintain persistence in compromised environments. 
Their reliance on tools such as TruffleHog for validating stolen credentials, habitual target checking of memory spaces, and heavy use of Kubernetes throughout their operations emphasizes the need for vigilant monitoring of supply chain vulnerabilities and response mechanisms within organizations utilizing similar tools.