Hackers Abuse Cloudflare Storage to Exfiltrate Network Files
Why It Matters
The use of trusted cloud services for stealthy exfiltration evades traditional detection, raising the risk of long‑term compromise for enterprises. It signals a shift toward more sophisticated, cloud‑native attack infrastructures that can bypass conventional defenses.
Key Takeaways
- Azure VM orchestrated attacks across Malaysian government networks
- Custom Python scripts accessed databases via WinRM and MSSQL credentials
- Cloudflare storage used to blend exfiltration with legitimate traffic
- Active Directory hashes stolen via SAM, SYSTEM, NTDS dumps
- Persistent PHP web‑shells left on compromised government servers
Pulse Analysis
The recent Oasis Security report details a highly organized intrusion campaign that has compromised several Malaysian entities, including government‑linked networks. At its core is an Azure virtual machine (IP 20.17.161.118) that served as a staging ground for a suite of bespoke tools: Python scripts for WinRM‑based database queries, Laravel exploit chains, and a C# beacon for persistence. These utilities performed granular network enumeration, extracted MSSQL credentials, and harvested Active Directory data such as SAM, SYSTEM and NTDS dumps. The attackers’ disciplined development of purpose‑built code points to a well‑funded, possibly state‑aligned actor.
A striking element of the operation is the exploitation of Cloudflare‑hosted storage as an exfiltration channel. Scripts like `gen_photo_upload.py` uploaded compressed data directly to attacker‑controlled Cloudflare endpoints, blending malicious traffic with the massive legitimate flow that Cloudflare handles daily. This approach reduces the likelihood of triggering alerts in network‑based detection tools, which often whitelist popular cloud providers. Moreover, the scalability and reliability of Cloudflare’s edge network enable rapid, high‑volume data transfer without raising suspicion, presenting a new challenge for security teams that rely on traditional proxy or DNS logs.
The campaign underscores a broader industry shift toward leveraging trusted cloud ecosystems to mask illicit activity. Defenders must adapt by incorporating cloud‑traffic analytics, tightening access to remote‑code‑execution endpoints, and routinely scanning for orphaned web‑shells. Immediate remediation steps include removing identified PHP shells, rotating privileged credentials, and conducting deep forensic sweeps of Azure and Cloudflare logs for anomalous uploads. As attackers continue to embed private C2 frameworks within mainstream cloud services, organizations that invest in zero‑trust architectures and continuous monitoring will be better positioned to detect and contain such sophisticated threats.
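The detection gap described above (proxy rules that exempt popular cloud providers) can be closed with volume-based analytics rather than domain reputation. The following is an added example, not code from the report or from Oasis Security: it aggregates outbound bytes per source/host pair from constructed proxy log lines and flags high-volume, upload-heavy sessions, tagging rather than skipping allowlisted storage domains. The log format, thresholds, allowlist and the placeholder bucket host are all assumptions.

```python
from collections import defaultdict
# Assumed allowlist of "trusted" storage domains that proxy rules often exempt from inspection
# (real provider suffixes; tune the list to your own environment).
TRUSTED_STORAGE_SUFFIXES = (".r2.cloudflarestorage.com", ".blob.core.windows.net", ".s3.amazonaws.com")
# Constructed proxy log sample (not from the report). Fields: ts src method host bytes_out bytes_in.
# The account label in the Cloudflare host is a placeholder, not a real bucket.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.5.23 GET  cdn.vendor.example 412 183220
2024-05-01T09:00:07Z 10.0.5.23 POST acct-placeholder.r2.cloudflarestorage.com 8388608 311
2024-05-01T09:00:19Z 10.0.5.23 PUT  acct-placeholder.r2.cloudflarestorage.com 8388608 298
2024-05-01T09:00:31Z 10.0.5.23 PUT  acct-placeholder.r2.cloudflarestorage.com 8388608 305
2024-05-01T09:01:02Z 10.0.7.41 GET  acct-placeholder.r2.cloudflarestorage.com 388 1048576
2024-05-01T09:01:15Z 10.0.7.41 POST intranet.corp.example 20480 512
"""

def parse_line(line):
    """Return a dict for one well-formed log line, or None for anything malformed."""
    parts = line.split()
    if len(parts) != 6 or not (parts[4].isdigit() and parts[5].isdigit()):
        return None
    ts, src, method, host, out_b, in_b = parts
    return {"ts": ts, "src": src, "method": method.upper(), "host": host.lower(),
            "out": int(out_b), "in": int(in_b)}

def is_trusted_storage(host):
    """True when the host falls under a provider suffix that allowlists commonly exempt."""
    return any(host.endswith(suffix) for suffix in TRUSTED_STORAGE_SUFFIXES)

def find_upload_anomalies(log_text, min_upload_bytes=5 * 2**20, min_ratio=10.0):
    """Aggregate bytes per (source, host); flag pairs whose outbound volume looks like exfiltration.
    Allowlisted storage hosts are NOT skipped, only tagged, since that is where proxy rules go blind."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "uploads": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than abort the whole sweep
        t = totals[(rec["src"], rec["host"])]
        t["out"] += rec["out"]
        t["in"] += rec["in"]
        if rec["method"] in ("POST", "PUT"):
            t["uploads"] += 1
    alerts = []
    for (src, host), t in totals.items():
        ratio = t["out"] / max(t["in"], 1)  # guard against division by zero on upload-only hosts
        if t["out"] >= min_upload_bytes and ratio >= min_ratio:
            alerts.append({"src": src, "host": host, "bytes_out": t["out"], "uploads": t["uploads"],
                           "out_in_ratio": round(ratio, 1), "trusted_storage": is_trusted_storage(host)})
    return sorted(alerts, key=lambda a: -a["bytes_out"])
```

On the sample, only the workstation pushing three 8 MiB uploads to the Cloudflare host is flagged; the download from the same host and the small intranet POST are not.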