Cybercriminals have weaponized Cloudflare’s tunnel infrastructure to coordinate a sophisticated malware distribution campaign that exploits the platform’s trusted reputation to evade security controls across multiple continents. The attackers utilize Cloudflare Tunnel subdomains, particularly those ending in “*.trycloudflare[.]com,” to host and deliver malicious payloads without requiring domain registration or dedicated server infrastructure.
Threat actors exploit Cloudflare’s trusted tunnel infrastructure to distribute malware while evading traditional security detection mechanisms across global networks.
The infection chain demonstrates considerable complexity, beginning with malicious LNK files that download Windows Script Files from Cloudflare Tunnel subdomains. These WSF files function as VBScript-based loaders, executing batch files named “kiki.bat” fetched from secondary Cloudflare Tunnel domains. The batch scripts then display decoy PDF documents, conduct antivirus reconnaissance, and download Python payloads designed to execute remote access trojans directly in system memory.
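The staged delivery above (a .wsf loader from one tunnel subdomain, then kiki.bat from a second) leaves a recognisable footprint in web-proxy logs. The following detection sketch is an added example, not code from the article or its sources; it assumes a simple space-separated proxy-log format and uses constructed sample lines with placeholder tunnel hostnames.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse
# Assumed proxy-log format: "<ISO timestamp> <client ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
TUNNEL_SUFFIX = ".trycloudflare.com"
SCRIPT_EXTS = (".wsf", ".bat", ".py", ".lnk")

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    if not (m := LINE_RE.match(line.strip())):
        return None
    ts, client, _method, url, status = m.groups()
    u = urlparse(url)
    return {"ts": datetime.fromisoformat(ts), "client": client, "status": int(status),
            "host": (u.hostname or "").lower(), "path": u.path.lower()}

def is_tunnel_script(ev):
    """Successful download of a script-like file from a Cloudflare Tunnel subdomain."""
    return (ev["status"] == 200 and ev["host"].endswith(TUNNEL_SUFFIX)
            and ev["path"].endswith(SCRIPT_EXTS))

def detect_chain(lines, window=timedelta(minutes=10)):
    """Map client -> [(wsf_host, bat_host)]: a .wsf fetch followed within `window` by a .bat from a different tunnel host."""
    by_client = {}
    for line in lines:
        ev = parse(line)
        if ev and is_tunnel_script(ev):
            by_client.setdefault(ev["client"], []).append(ev)
    hits = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            if not first["path"].endswith(".wsf"):
                continue
            for second in evs[i + 1:]:
                if second["ts"] - first["ts"] > window:
                    break
                if second["path"].endswith(".bat") and second["host"] != first["host"]:
                    hits.setdefault(client, []).append((first["host"], second["host"]))
    return hits

# Constructed sample log lines (placeholder tunnel hostnames, not real indicators)
SAMPLE_LOG = [
    "2025-06-02T09:14:03 10.0.0.12 GET https://quiet-lake-1234.trycloudflare.com/invoice.wsf 200",
    "2025-06-02T09:14:09 10.0.0.12 GET https://red-bird-5678.trycloudflare.com/kiki.bat 200",
    "2025-06-02T09:15:40 10.0.0.12 GET https://red-bird-5678.trycloudflare.com/stage.py 200",
    "2025-06-02T11:02:11 10.0.0.40 GET https://blue-sky-9012.trycloudflare.com/app.wsf 404",
]
```

Running `detect_chain(SAMPLE_LOG)` flags only 10.0.0.12, whose .wsf download from one tunnel subdomain was followed seconds later by kiki.bat from another; the failed (404) fetch by 10.0.0.40 is ignored.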
Security researchers have identified AsyncRAT and Revenge RAT as the primary payloads, delivered through Donut-packed executables that maintain persistence while avoiding traditional detection mechanisms. The attackers employ multiple evasion techniques, including in-memory execution to circumvent endpoint security tools, staged payload delivery across disposable infrastructure, and legitimate-appearing scripts that reduce user suspicion during attack execution.
Telemetry data reveals a medium- to large-scale campaign affecting victims across the United States, United Kingdom, Germany, Singapore, and India, with Western countries representing a notable portion of infections. The campaign demonstrates no apparent sector-specific targeting, suggesting indiscriminate distribution within affected geographic regions.
Intelligence analysts report the operation remains highly active as of June 2025, though attribution remains undetermined. The abuse of Cloudflare’s infrastructure provides significant operational advantages for threat actors, eliminating requirements for domain registration, VPS rental, or persistent command-and-control infrastructure while reducing exposure to takedown efforts. The attacks exploit leaked credentials that result from widespread password reuse, enabling attackers to access legitimate tunnel services.
The platform’s encrypted transport capabilities complicate network analysis and improve operational security for attackers. Comments within the malicious scripts suggest possible use of large language models for code generation, indicating increased sophistication in attack development. This campaign represents a concerning evolution in cybercriminal tactics, leveraging trusted cloud infrastructure to bypass conventional security measures while maintaining operational agility through disposable tunnel endpoints. Organizations must implement AI-driven insights to detect these sophisticated threats that exploit legitimate cloud services for malicious purposes.