Cybersecurity companies have noted a rise in the misuse of Cloudflare's TryCloudflare free service for malware distribution. As documented by eSentire and Proofpoint, attackers use TryCloudflare to establish a one-time tunnel that relays traffic from an attacker-controlled server to a local machine via Cloudflare's infrastructure. This technique delivers various malware families, including AsyncRAT, GuLoader, and XWorm. Initial access starts with phishing emails carrying a ZIP archive that contains a URL shortcut file; the shortcut leads to a Windows shortcut file hosted on a TryCloudflare-proxied WebDAV server. That file executes batch scripts that retrieve and run additional Python payloads while displaying a decoy PDF document.
The phishing lures are multilingual, targeting organizations worldwide with themes like invoices and tax documents. Although the campaign has not been linked to a specific threat actor, it is believed to be financially motivated. The misuse of TryCloudflare was first noted last year in a cryptojacking campaign exploiting a GitLab flaw. The temporary nature of Cloudflare instances provides attackers a flexible, low-cost method to stage attacks, making static blocklists ineffective. The Spamhaus Project has urged Cloudflare to review its anti-abuse policies as cybercriminals exploit its services to hide their malicious activities.
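Because the tunnel hostnames are throwaway subdomains of trycloudflare.com, a defender gets more mileage from matching the domain pattern and the WebDAV delivery shape described above than from a static blocklist. The following Python script is an added illustration, not code from eSentire, Proofpoint or Cloudflare: it inspects a sample `.url` shortcut and a handful of proxy log lines for the chain the article describes (TryCloudflare host, WebDAV path, shortcut or script payload). The shortcut contents, the key=value log format and every hostname in it are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# TryCloudflare quick tunnels get throwaway hostnames under trycloudflare.com,
# so the detection keys on the domain pattern rather than a static blocklist
# of individual hostnames or IP addresses.
TRYCLOUDFLARE_RE = re.compile(r"\b([a-z0-9-]+\.trycloudflare\.com)\b", re.IGNORECASE)

# Windows WebDAV access markers: a UNC or file:// path carrying @SSL or DavWWWRoot.
WEBDAV_RE = re.compile(r"(?:\\\\|file://|//)\S*?(?:@ssl|davwwwroot)", re.IGNORECASE)

# Shortcut and script extensions used in the delivery chain described in the article.
PAYLOAD_EXT = (".lnk", ".url", ".bat", ".cmd", ".py")

# Constructed sample .url shortcut (the hostname is made up for this example).
SAMPLE_SHORTCUT = """[InternetShortcut]
URL=file://rain-lake-crown-model.trycloudflare.com@SSL/DavWWWRoot/invoice.lnk
IconIndex=0
"""

# Constructed proxy log lines in a simple key=value format (hostnames are made up).
SAMPLE_PROXY_LOG = [
    "2024-08-01T10:02:11Z src=10.0.0.5 method=PROPFIND host=purple-north-tiger.trycloudflare.com path=/DavWWWRoot/ status=207",
    "2024-08-01T10:02:12Z src=10.0.0.5 method=GET host=purple-north-tiger.trycloudflare.com path=/DavWWWRoot/invoice.lnk status=200",
    "2024-08-01T10:03:40Z src=10.0.0.7 method=GET host=www.example.com path=/index.html status=200",
    "2024-08-01T10:05:00Z src=10.0.0.9 method=GET host=cdn.example.net path=/lib.js status=200",
]


@dataclass
class Finding:
    source: str  # file name or client address the finding came from
    host: str    # the trycloudflare.com hostname involved
    reasons: List[str] = field(default_factory=list)


def trycloudflare_host(text: str) -> Optional[str]:
    """Return the trycloudflare.com hostname found in text, lowercased, or None."""
    m = TRYCLOUDFLARE_RE.search(text)
    return m.group(1).lower() if m else None


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of an Internet Shortcut (.url) file, or None."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "url":
            return value.strip()
    return None


def inspect_shortcut(text: str, source: str) -> Optional[Finding]:
    """Flag a .url file whose target is a TryCloudflare tunnel; None if not."""
    url = parse_url_shortcut(text)
    if not url:
        return None
    host = trycloudflare_host(url)
    if not host:
        return None
    finding = Finding(source, host, ["target host is a TryCloudflare quick tunnel"])
    if WEBDAV_RE.search(url):
        finding.reasons.append("WebDAV path (@SSL / DavWWWRoot) through the tunnel")
    if url.lower().endswith(PAYLOAD_EXT):
        finding.reasons.append("target is a shortcut or script payload")
    return finding


KV_RE = re.compile(r"(\w+)=(\S+)")


def inspect_proxy_log(lines: List[str]) -> List[Finding]:
    """Flag egress to trycloudflare.com hosts, noting WebDAV activity and payload fetches."""
    findings = []
    for line in lines:
        rec = dict(KV_RE.findall(line))
        host = trycloudflare_host(rec.get("host", ""))
        if not host:
            continue
        path = rec.get("path", "")
        finding = Finding(rec.get("src", "?"), host, ["egress to a TryCloudflare quick tunnel"])
        # PROPFIND is the WebDAV directory-listing method; DavWWWRoot is the
        # Windows WebDAV client's well-known root path.
        if rec.get("method", "").upper() == "PROPFIND" or "davwwwroot" in path.lower():
            finding.reasons.append("WebDAV activity (PROPFIND or DavWWWRoot path)")
        if path.lower().endswith(PAYLOAD_EXT):
            finding.reasons.append("download of a shortcut or script payload")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    print(inspect_shortcut(SAMPLE_SHORTCUT, "invoice.url"))
    for hit in inspect_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

A single egress to a trycloudflare.com host is not proof of compromise, since the service has legitimate uses; the value of the script is in stacking the weaker signal (tunnel host) with the stronger ones (WebDAV access, a `.lnk` or script fetched through it) so an analyst can prioritise the sequence the article describes.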