Government Backed Hackers Abuse Cloudflare in Malaysian Espionage Campaign
Why It Matters
The abuse of a widely trusted cloud provider makes malicious activity harder to spot, raising the risk of data exfiltration for enterprises worldwide. Understanding these tactics is essential for updating security controls and preventing sophisticated state‑backed espionage.
Key Takeaways
- Oasis Security links campaign to Malaysian government networks
- Attackers hide C2 servers behind Cloudflare to evade scans
- Malicious payloads hosted on Cloudflare storage bypass basic filters
- Threat actors adopt short‑term cloud buckets for rapid redeployment
- Behavior‑based monitoring recommended over domain reputation alone
Pulse Analysis
State‑backed cyber‑espionage is evolving beyond traditional botnets, leveraging the legitimacy of major cloud platforms to blend malicious traffic with normal user activity. By routing command‑and‑control (C2) communications through Cloudflare’s content‑delivery network, attackers exploit the provider’s reputation and the difficulty of inspecting encrypted traffic. This tactic not only shields the infrastructure from standard internet scans but also allows malicious files to slip past basic security filters that whitelist popular services. The Malaysian‑linked operation highlighted by Oasis Security exemplifies how nation‑state actors can sustain long‑running campaigns while remaining under the radar.
The shift toward temporary storage buckets, CDN‑linked domains, and short‑lived hosting services reflects a cost‑effective, agile approach to cyber operations. Rather than maintaining permanent servers that attract attention, threat groups spin up cloud resources that can be terminated and recreated within minutes if detected. This “hit‑and‑run” methodology reduces operational footprints and forces defenders to chase a moving target. Enterprises that rely solely on domain reputation or static blocklists risk missing these fleeting indicators, as the malicious URLs often appear to originate from trusted providers.
To counter this emerging threat, security teams must adopt behavior‑based monitoring that scrutinizes outbound connections, file downloads, and anomalous data flows regardless of the hosting provider. Deploying deep packet inspection, sandboxing of downloaded content, and user‑entity behavior analytics can surface suspicious activity hidden behind Cloudflare’s infrastructure. Additionally, organizations should engage with cloud service providers to establish rapid takedown processes for abused assets. By enhancing visibility into cloud‑based traffic, businesses can mitigate the risk posed by sophisticated espionage campaigns that exploit the very services designed to accelerate digital transformation.
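One way to implement the behavior‑based outbound monitoring described above, as an added example that is not from the article or from Oasis Security: it scores each client‑to‑host connection series by the regularity of its timing, so a near‑constant beacon interval stands out even when the destination is a trusted CDN hostname. The log format, client address and hostnames are constructed.

```python
"""Beacon-interval detector over constructed proxy log lines.

Flags (client, host) pairs contacted at near-constant intervals, regardless of
whether the host resolves to a reputable CDN. All sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "timestamp client host bytes_out"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn-assets.example.net 312
2024-05-01T10:00:05 10.0.0.5 news.example.org 1980
2024-05-01T10:05:01 10.0.0.5 cdn-assets.example.net 320
2024-05-01T10:07:40 10.0.0.5 news.example.org 2210
2024-05-01T10:10:00 10.0.0.5 cdn-assets.example.net 305
2024-05-01T10:14:59 10.0.0.5 cdn-assets.example.net 318
2024-05-01T10:20:02 10.0.0.5 cdn-assets.example.net 311
2024-05-01T10:33:12 10.0.0.5 news.example.org 1875
"""

def parse_log(text):
    """Return {(client, host): [timestamps]} from the space-separated log."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, _bytes_out = line.split()
        sessions[(client, host)].append(datetime.fromisoformat(ts))
    return sessions

def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps; lower means more periodic."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None  # too few samples to judge regularity
    return pstdev(gaps) / mean(gaps)

def find_beacons(text, max_cv=0.05, min_connections=4):
    """Return sorted (client, host, cv) tuples whose timing looks like a beacon."""
    hits = []
    for (client, host), stamps in parse_log(text).items():
        stamps.sort()
        if len(stamps) < min_connections:
            continue  # human browsing is bursty and sparse; skip low-volume pairs
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            hits.append((client, host, round(cv, 4)))
    return sorted(hits)

if __name__ == "__main__":
    for client, host, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {client} -> {host} (gap CV={cv})")
```

The CDN hostname is flagged purely on its five‑minute cadence, while the irregular news‑site traffic is not; in production the same score would be computed over a sliding window and combined with byte‑count regularity and first‑seen age of the host.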