How Hackers Are Exploiting Cloudflare Services to Run Stealth Cyber‑Espionage Campaigns
Cyber‑espionage campaigns are increasingly hiding in plain sight—inside the same cloud platforms businesses rely on every day.
Recent security research shows attackers targeting Malaysian organizations using a combination of trusted cloud infrastructure and serverless services to run covert operations. By abusing Cloudflare tools such as R2 storage, Workers, Pages, and Tunnels, threat actors can host phishing pages, stage malware, and move stolen data through infrastructure that often appears indistinguishable from normal web traffic.
This tactic dramatically complicates detection because many organizations cannot simply block large cloud providers without disrupting legitimate business services.
The Malaysia Campaign: Hidden Infrastructure and Custom Tooling
Researchers identified a targeted intrusion campaign against multiple Malaysian organizations using attacker‑controlled infrastructure hosted on Microsoft Azure in the Malaysia West region. The operation included purpose‑built Python tools for network enumeration, database access, and data exfiltration tailored to individual targets.
Investigations uncovered a modular attack environment involving:
Custom scripts for reconnaissance and internal data collection
Dedicated infrastructure to support long‑term surveillance
Mechanisms to move stolen files out of compromised networks
Security analysis of the campaign suggests that cloud platforms—including Cloudflare services—were leveraged to conceal parts of the attack chain, helping adversaries blend malicious traffic into normal cloud communications.
The activity reflects a broader shift in cyber‑espionage: state‑aligned actors increasingly hide operations inside widely trusted cloud platforms instead of obvious malicious servers.
Cloudflare’s developer platform provides powerful features for legitimate applications. Those same features can also be misused to build stealthy attack infrastructure.
R2 Storage: Hosting Phishing Pages and Malware
Cloudflare R2, an object‑storage service, can be used to host files or static websites. Threat actors have used it to store phishing pages and malware payloads because the downloads originate from a trusted cloud domain.
Security researchers previously recorded a 61‑fold increase in traffic to phishing pages hosted on Cloudflare R2 during a six‑month period, illustrating how quickly attackers adopted the platform.
Typical uses include:
Hosting credential‑harvesting pages that imitate Microsoft or cloud login portals
Storing malicious archives or loaders
Acting as a staging point for second‑stage malware
Cloudflare Pages: Phishing Portals on Trusted Infrastructure
Cloudflare Pages enables static website hosting on globally distributed infrastructure. Attackers can deploy convincing phishing portals on this platform so victims see pages served through Cloudflare’s network instead of suspicious attacker domains.
Because many organizations trust Cloudflare infrastructure, blocking these domains outright can disrupt legitimate services.
Cloudflare Workers: Serverless Command and Control
Workers allow developers to run JavaScript code at Cloudflare’s network edge. Threat actors can abuse this capability to create flexible infrastructure such as:
Redirectors that route victims to phishing pages
Reverse proxies that intercept login credentials
Lightweight command‑and‑control (C2) services
Security research has shown that Workers can even be used to perform transparent phishing, acting as a proxy to a legitimate login page while silently capturing credentials entered by victims.
Cloudflare Tunnels: Hidden Access to Malicious Infrastructure
Cloudflare Tunnel exposes services running behind firewalls or NAT through Cloudflare’s network, so the origin server’s own IP address is never revealed to visitors.
Threat actors have exploited this capability to:
Deliver malware through links embedded in phishing emails
Hide command‑and‑control servers from direct internet scanning
Security reports have documented campaigns delivering remote‑access trojans (RATs) through Cloudflare Tunnel infrastructure to conceal malicious traffic.
Why These Techniques Are Hard to Detect
Cloud‑based attack infrastructure provides several advantages for espionage operations.
First, traffic routed through trusted platforms like Cloudflare or Azure appears similar to legitimate SaaS or CDN communications. This makes it difficult for security tools to flag suspicious connections without generating large numbers of false positives.
Second, serverless services allow attackers to rapidly modify behavior without managing dedicated servers. Code running in platforms like Workers can change redirect logic, update payload locations, or rotate infrastructure instantly.
Finally, cloud services allow attackers to distribute operations across multiple providers, complicating attribution and forensic analysis.
Possible Threat Actors and Attribution Challenges
Public reporting on the Malaysian campaign describes activity consistent with state‑aligned espionage tradecraft, but attribution remains uncertain.
Some analysts point to similarities with operations conducted by APT41, a Chinese‑linked threat group known for cyber‑espionage campaigns targeting sectors such as healthcare, telecommunications, and technology across multiple countries.
APT41 and similar groups have previously used cloud infrastructure and content delivery networks to conceal command‑and‑control servers or operational infrastructure.
However, there is currently no confirmed attribution tying the Malaysian activity directly to APT41, Mustang Panda, or Amaranth‑Dragon. The campaign remains classified in public reporting as suspected state‑aligned espionage rather than a definitively attributed operation.
Why Malaysia Is Becoming a Target
Malaysia’s rapidly expanding digital economy has made the country an increasingly attractive target for cyber‑espionage.
Government and industry initiatives have accelerated investment in sectors such as artificial intelligence, big data, cloud computing, and data centers. Approved digital investments reached RM163.6 billion in 2024, and RM87.4 billion in 2025, reflecting the country’s growing role as a regional technology hub.
These developments create valuable intelligence targets, including:
Cloud credentials and enterprise identities
Intellectual property and software code
Data‑center infrastructure and supply chains
Government‑adjacent digital systems
For espionage groups, compromising organizations in these sectors can yield both economic intelligence and strategic geopolitical insights.
A Broader Shift Toward Cloud‑Based Attack Infrastructure
The Malaysia case illustrates a wider trend across modern cyber‑espionage campaigns: attackers are moving away from obviously malicious servers and toward trusted cloud infrastructure.
By embedding parts of their operations inside legitimate platforms—such as object storage, serverless computing, and CDN networks—threat actors gain several advantages:
Reputation inherited from trusted cloud providers
Encrypted traffic that blends into everyday web activity
Rapid infrastructure scaling and replacement
For defenders, this means reputation‑based blocking alone is no longer sufficient. Security teams increasingly rely on behavioral detection, monitoring of unusual cloud‑service usage, and deeper inspection of outbound data flows to detect these operations.
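An added example (not from the article or from any vendor it cites) of the behavioural monitoring described above: a Python script that scans proxy-log lines for a host's first contact with Cloudflare developer-platform suffixes (workers.dev, pages.dev, r2.dev and trycloudflare.com, which are Cloudflare's public suffixes for Workers, Pages, R2 and quick Tunnels) and for large POST bodies sent to such hosts, rather than blocking Cloudflare as a whole. The log format, IP addresses, hostnames and byte counts are constructed.

```python
import re
from urllib.parse import urlsplit

# Public hostname suffixes of the Cloudflare developer services the article
# discusses (real Cloudflare suffixes; everything else in this file is constructed).
SUFFIXES = {".workers.dev": "Workers", ".pages.dev": "Pages",
            ".r2.dev": "R2", ".trycloudflare.com": "Tunnel"}

# Constructed proxy log: "<timestamp> <src_ip> <method> <url> <status> <bytes_out>"
SAMPLE_LOG = """\
2025-03-01T09:00:01Z 10.1.2.3 GET https://login.microsoftonline.com/common/oauth2 200 512
2025-03-01T09:00:07Z 10.1.2.3 GET https://corp-sso-verify.pages.dev/login 200 480
2025-03-01T09:00:09Z 10.1.2.3 POST https://corp-sso-verify.pages.dev/login 302 1320
2025-03-01T09:03:20Z 10.1.2.9 GET https://pub-0123abcd.r2.dev/invoice.zip 200 310
2025-03-01T09:10:44Z 10.1.2.9 POST https://relay-9f1c.workers.dev/up 200 4194304
2025-03-01T09:11:01Z 10.1.2.9 POST https://relay-9f1c.workers.dev/up 200 4194304
2025-03-01T09:12:30Z 10.1.2.7 GET https://cdn.example-legit.com/app.js 200 220
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def classify(host):
    """Map a hostname to the Cloudflare developer service it belongs to, or None."""
    for suffix, service in SUFFIXES.items():
        if host.endswith(suffix):
            return service
    return None

def analyze(log_text, post_bytes_threshold=1_000_000):
    """Return (ts, src, host, reason) alerts for two behavioural signals: a source's
    first contact with a developer-platform host, and a large POST body to one."""
    seen, alerts = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        ts, src, method, url, _status, out = m.groups()
        host = urlsplit(url).hostname or ""
        service = classify(host)
        if service is None:
            continue  # ordinary traffic, including Cloudflare-fronted sites, is ignored
        if (src, host) not in seen:
            seen.add((src, host))
            alerts.append((ts, src, host, f"first contact with Cloudflare {service} host"))
        if method == "POST" and int(out) >= post_bytes_threshold:
            alerts.append((ts, src, host, f"{out}-byte POST to {service} host"))
    return alerts
```

Run `analyze(SAMPLE_LOG)` to see the five alerts the constructed log produces; the threshold and suffix table are the knobs to tune against a real proxy feed.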
As cloud platforms continue to expand their capabilities, the same tools that power modern applications are also becoming part of the infrastructure for modern cyber‑espionage.