Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign
ID: e0c5612b-f4ff-59b6-802b-39fb46c0fab8
STIX ID: report--e0c5612b-f4ff-59b6-802b-39fb46c0fab8
Feed Name: Hunt.io Blog
Hunt.io researchers observed a new wave of attacks by a Russian‑speaking operator using Cloudflare Pages/Workers phishing pages (DMCA-themed) that invoke the search-ms protocol to fetch a malicious LNK (disguised as a PDF). Execution of the LNK runs a PowerShell loader (kozlina2.ps1) which downloads a ZIP containing python.exe and a Python loader (kursor.py) that establishes persistence and communicates with Pyramid C2; the PowerShell script also reports infected hosts' external IPs to a hardcoded Telegram bot. The report documents the abused infrastructure (open directories on Railnet IPs, numerous workers.dev/pages.dev domains), file hashes, IPs, and behavioral details to support detection and response.
