At Buffclue Security, we’ve observed malicious activities, as reported by eSentire and Proofpoint, involving the misuse of TryCloudflare for establishing one-time tunnels. These tunnels facilitate the transfer of traffic from an attacker’s server to a local machine through Cloudflare’s infrastructure.
This technique has been utilized in distributing various malware families such as AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm.
The attack begins with a phishing email containing a ZIP archive. Within this archive is a URL shortcut file that redirects the recipient to a Windows shortcut file hosted on a TryCloudflare-proxied WebDAV server.
The shortcut file then triggers next-stage batch scripts that retrieve and execute additional Python payloads. Simultaneously, it displays a decoy PDF document hosted on the same WebDAV server to maintain the deception.
According to eSentire, “These scripts executed actions such as launching decoy PDFs, downloading additional malicious payloads, and changing file attributes to avoid detection.”
A critical part of the attackers’ strategy involved using direct syscalls to bypass security monitoring tools, decrypting layers of shellcode, and employing the Early Bird APC queue injection technique to execute code stealthily and evade detection effectively.
At Buffclue Security, we’ve noted that Proofpoint reports phishing lures in English, French, Spanish, and German. These campaigns range from hundreds to tens of thousands of emails targeting organizations worldwide, with themes covering invoices, document requests, package deliveries, and taxes.
While the campaign is attributed to a cluster of related activity, it has not been linked to a specific threat actor or group. Proofpoint assesses it to be financially motivated.
The misuse of TryCloudflare for malicious purposes was first recorded last year when Sysdig uncovered a cryptojacking and proxyjacking campaign named LABRAT. This campaign exploited a now-patched critical flaw in GitLab to infiltrate targets and obscure command-and-control (C2) servers using Cloudflare tunnels.
Moreover, the use of WebDAV and Server Message Block (SMB) for payload staging and delivery highlights the need for enterprises to restrict access to external file-sharing services to known, allow-listed servers.
Proofpoint researchers Joe Wise and Selena Larson noted, “The use of Cloudflare tunnels provides threat actors with a way to use temporary infrastructure, allowing them to scale their operations and swiftly build and dismantle instances.
This makes it more challenging for defenders and traditional security measures that rely on static blocklists. Temporary Cloudflare instances provide attackers with a low-cost method to stage attacks using helper scripts, offering limited exposure for detection and takedown efforts.”
The Spamhaus Project has called on Cloudflare to review its anti-abuse policies due to cybercriminals exploiting its services to mask malicious actions and enhance their operational security through “living-off-trusted-services” (LoTS).
Spamhaus observed that “miscreants are moving their domains, already listed in the DBL, to Cloudflare to disguise the backend of their operations, whether it involves spamvertized domains, phishing, or worse.
