ThreatFox IOC Database

You are viewing the ThreatFox database entry for domain rover-earlier-baseline-karen.trycloudflare.com.

Database Entry

IOC ID: 1779725
IOC: rover-earlier-baseline-karen.trycloudflare.com
IOC Type: domain
Threat Type: payload_delivery
Malware: Venom RAT
Confidence Level: high (100%)
Is compromised?: False
ASN: AS13335 CLOUDFLARENET
Country: US
First seen: 2026-03-31 18:14:21 UTC
Last seen: never
UUID: 894ee20e-2d2b-11f1-9af6-42010aa4000a
Reporter: kirkderp
Reward: 5 credits from ThreatFox
Tags: ClickFix Cloudflare-Tunnel SERPENTINE WebDav
Reference: https://www.derp.ca

kirkderp
Ephemeral Cloudflare Tunnel domains used for ClickFix delivery chain. Tunnel 1: WSH lure hosting. Tunnel 2: WSF via WebDAV. Tunnel 3: batch files via WebDAV. Tunnel 4: payload zips + persistence via HTTPS. All tunnels created 2026-03-30. Delivers VenomRAT, AsyncRAT, XWorm, PureHVNC, and Brute Ratel C4. SERPENTINE#CLOUD operator.