Cybercriminals and advanced persistent threat (APT) actors are abusing Cloudflare’s free tunneling service, “TryCloudflare,” to distribute remote access trojans (RATs) such as AsyncRAT, Xworm, and Remcos. This infrastructure, active since February 2024, leverages legitimate Cloudflare subdomains to evade detection while delivering multi-stage payloads. The Sekoia Threat Detection & Research team first documented this campaign, noting its use in phishing attacks targeting finance, healthcare, and government sectors globally [1].
Infection Chain and Tactics
The attack begins with phishing emails disguised as invoices or delivery notifications, containing malicious HTML or .LNK attachments. These files trigger connections to Cloudflare-hosted WebDAV servers, which host obfuscated scripts (BAT or Python) that fetch RAT payloads. Attackers abuse Python’s bundling capability to ensure execution on systems without Python installed. The final stage involves injecting shellcode into processes like notepad.exe and establishing persistence via Windows Startup folders or scheduled tasks [2].
Cloudflare’s tunneling service provides attackers with a critical advantage: its subdomains (e.g., malawi-light-pill-bolt[.]trycloudflare[.]com) often bypass firewall rules due to their association with a trusted provider. This tactic mirrors past abuses of legitimate services like Google Drive or Dropbox for malware distribution.
Indicators of Compromise (IoCs)
| Type | Example |
|---|---|
| C2 Domains | ncmomenthv[.]duckdns[.]org, xoowill56[.]duckdns[.]org |
| Cloudflare Hosts | ride-fatal-italic-information[.]trycloudflare[.]com |
| File Hashes (SHA256) | a79fbad625a5254d4f7f39461c2d687a1937f3f83e184bd62670944462b054f7 (LNK) |
Mitigation Strategies
Organizations should monitor outbound traffic to trycloudflare[.]com subdomains and restrict WebDAV/SMB protocols where unnecessary. Endpoint detection tools can flag unusual Python or PowerShell execution chains. Proofpoint’s 2024 report recommends blocking IoCs from threat intelligence feeds and training staff to identify phishing lures [3].
For network defenders, logging and analyzing process injection events (e.g., notepad.exe spawning suspicious child processes) is critical. Cloudflare has not publicly commented on mitigations specific to this abuse, but their enterprise customers can request custom filtering rules for tunnel traffic.
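The two monitoring recommendations above (outbound lookups to trycloudflare[.]com or duckdns[.]org subdomains, and notepad.exe appearing in an unexpected process chain) can be turned into simple detection logic. The following is an added example written for this article, not code from any of the cited vendors; the log format, host names and the tunnel/dynamic-DNS hostnames in the sample lines are constructed for the demonstration.

```python
import re

# Constructed sample DNS log lines (not from the article); the trycloudflare
# and duckdns hostnames are made-up names in the same shape as the IoCs.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z host=WS-17 query=www.example.com
2024-05-01T10:00:05Z host=WS-17 query=quiet-amber-note-tree.trycloudflare.com
2024-05-01T10:00:09Z host=WS-22 query=updates.cloudflare.com
2024-05-01T10:00:12Z host=WS-22 query=examplehost42.duckdns.org
"""

# Constructed sample process-creation events (parent -> child image names).
SAMPLE_PROC_LOG = """\
2024-05-01T10:01:00Z host=WS-17 parent=explorer.exe child=outlook.exe
2024-05-01T10:01:03Z host=WS-17 parent=cmd.exe child=python.exe
2024-05-01T10:01:04Z host=WS-17 parent=python.exe child=notepad.exe
2024-05-01T10:01:09Z host=WS-22 parent=notepad.exe child=powershell.exe
2024-05-01T10:01:15Z host=WS-22 parent=explorer.exe child=notepad.exe
"""

# Match any subdomain of the free tunnel service or the dynamic-DNS C2 family,
# but not look-alikes such as updates.cloudflare.com or trycloudflare.com.example.net.
SUSPECT_SUFFIX_RE = re.compile(r"(?:^|\.)(?:trycloudflare\.com|duckdns\.org)$", re.I)
# Script hosts and interpreters that have no normal reason to launch notepad.exe.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "cmd.exe", "powershell.exe",
                "wscript.exe", "cscript.exe"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_fields(line: str) -> dict:
    """Turn the key=value pairs on one log line into a dict."""
    return dict(KV_RE.findall(line))


def find_suspect_dns(log_text: str) -> list:
    """Return (host, fqdn) for every query to a trycloudflare.com or duckdns.org name."""
    hits = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        fqdn = f.get("query", "")
        if SUSPECT_SUFFIX_RE.search(fqdn):
            hits.append((f["host"], fqdn))
    return hits


def find_suspect_process_chains(log_text: str) -> list:
    """Return (host, parent, child, reason) for notepad.exe injection-style chains."""
    hits = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        parent, child = f.get("parent", "").lower(), f.get("child", "").lower()
        if parent == "notepad.exe":  # notepad should never be a parent process
            hits.append((f["host"], parent, child, "notepad.exe spawned a child process"))
        elif child == "notepad.exe" and parent in SCRIPT_HOSTS:
            hits.append((f["host"], parent, child, "script host launched notepad.exe"))
    return hits
```

Feed real DNS or EDR process-creation exports through the same two functions; the suffix match deliberately ignores ordinary cloudflare.com traffic so that only the free tunnel subdomains and the dynamic-DNS C2 family are raised.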
Relevance to Security Teams
This campaign highlights the growing trend of attackers weaponizing legitimate infrastructure. Red teams can emulate these tactics to test detection capabilities for living-off-the-land binaries (LOLBins) and cloud service abuse. Blue teams should prioritize updating SIEM rules to detect the described TTPs, particularly the use of Python for post-exploitation.
The involvement of Russian APT groups like Gamaredon in similar campaigns underscores the need for geopolitical threat context in defensive strategies. Forcepoint’s analysis links some infrastructure to Ukrainian targets, suggesting possible nation-state alignment [4].
Conclusion
The exploitation of Cloudflare Tunnels demonstrates how attackers continuously adapt to abuse trusted services. While Cloudflare provides essential security features, its free-tier offerings present an attractive vector for malware distribution. Organizations must balance the utility of such services with robust monitoring and access controls.
References
- “Hackers Exploit Cloudflare Tunnel Infrastructure to Deploy Multiple Remote Access Trojans,” GBHackers, 2024.
- “Threat Actor Abuses Cloudflare Tunnels to Deliver RATs,” Proofpoint, 2024.
- “AsyncRAT and Python Abuse via TryCloudflare,” Forcepoint, 2024.
- “Hackers Abuse Free TryCloudflare to Deliver Remote Access Malware,” BleepingComputer, 2024.