Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A Russian-speaking threat actor has launched a new phishing campaign that uses Cloudflare-branded pages themed around DMCA takedown notices. The attack abuses the ms-search protocol to deliver malicious LNK files disguised as PDFs. Once executed, the malware reports the victim's IP address to a Telegram bot before connecting to Pyramid C2 servers. The campaign hosts its phishing pages on Cloudflare Pages and Workers and stores its malicious files in an open directory. The infection chain includes PowerShell and Python scripts, with incremental changes in tactics intended to evade detection. The actor's infrastructure spans multiple domains and IP addresses, most of them on Cloudflare's network.
OPENCTI LABELS:
powershell, phishing, lnk, telegram, python, cloudflare, pyramid, pyramid c2, open directory, dmca, ms-search