A recent initiative is utilizing Cloudflare Tunnel subdomains to serve harmful payloads and distribute them through malevolent attachments incorporated in phishing emails.
This continuous operation has been labeled SERPENTINE#CLOUD by Securonix.
It exploits “the Cloudflare Tunnel framework and Python-derived loaders to present memory-injected payloads via a series of shortcut files and concealed patterns.”