Attackers Use Cloudflare Storage Endpoint to Exfiltrate Files From Compromised Networks

Source: Cybersecurity News (cybersecuritynews.com), by Blog Writer


Attackers have found a new way to quietly steal data from compromised networks, and this time, they are hiding behind a familiar face.

Security researchers have uncovered a targeted intrusion campaign that used a Cloudflare-hosted storage endpoint to pull stolen files out of breached systems without raising alarms.

The operation targeted multiple Malaysian government organizations and at least one private sector company, showing planning that goes well beyond what most opportunistic hackers typically demonstrate.

What makes this campaign stand out is the sophistication behind it. The attacker did not rely on off-the-shelf tools.

Instead, they built custom Python scripts tailored to each individual target, with each tool designed for a specific task inside the compromised environment.

That kind of groundwork takes real skill and points to a threat actor who takes operational discipline seriously.

Analysts from OASIS Security said in a report shared with Cyber Security News (CSN) that the attacker-controlled infrastructure is hosted on a Microsoft Azure virtual machine in the Malaysia West region.

The discovery gave researchers a clear window into how the attacker operated, because the infrastructure contained a large collection of attack tools that had not yet been cleaned up.

The campaign involved several moving parts, from database access and internal network mapping to live webshell deployment and credential theft.

What tied it all together was the attacker’s use of a Cloudflare storage endpoint as the final destination for stolen files, designed to blend outbound traffic with normal cloud activity and evade network monitoring.

The impact has been significant. Domain controller credentials were confirmed stolen, active webshells were found on at least one government server, and a chained exploit targeting a mobile network operator’s customer verification platform was also identified.

These findings paint a picture of a well-resourced actor working methodically across multiple targets at once.

Attackers Use Cloudflare Storage Endpoint

One of the more inventive parts of this campaign was how the attacker moved stolen data out of compromised networks.

A Python script named gen_photo_upload.py was built specifically to upload exfiltrated files to an external Cloudflare-hosted storage endpoint under attacker control.

Since Cloudflare is widely trusted, traffic heading toward it rarely draws the suspicion that connections to unfamiliar servers would.

This technique is often called “living off trusted services,” and it is growing more common among advanced threat actors.

By routing stolen data through a legitimate cloud provider, the attacker made outbound exfiltration look like routine web activity.

For organizations that do not inspect outbound traffic to trusted domains closely, this channel can go undetected for a long time.
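One way a defender can close that gap is to baseline upload volume per host toward sanctioned storage domains rather than trusting the destination. The script below is an added illustration, not code from the OASIS report or the article: the proxy log format, the domain suffixes, the sanctioned-account list, the thresholds and the log lines are all constructed assumptions.

```python
# Baseline-style detector: flag hosts whose uploads to trusted cloud-storage
# domains are unusually large, after hours, or go to an unsanctioned account.
# Added illustration; every value below is an assumption, and the log is constructed.
from collections import defaultdict
from datetime import datetime

# Assumption: storage domains the organization legitimately uses.
TRUSTED_STORAGE_SUFFIXES = (".r2.cloudflarestorage.com", ".blob.core.windows.net")
KNOWN_ACCOUNTS = {"acct1.r2.cloudflarestorage.com"}  # assumption: sanctioned buckets
UPLOAD_METHODS = {"PUT", "POST"}
BYTES_THRESHOLD = 50 * 1024 * 1024   # assumption: 50 MiB per host per log window
BUSINESS_HOURS = range(7, 20)        # assumption: 07:00-19:59 local time

# Constructed proxy log: timestamp, source host, method, destination, bytes out
SAMPLE_LOG = """\
2024-05-01T08:02:11 ws-fin-07 GET www.example-cdn.com 412
2024-05-01T08:15:40 ws-fin-07 PUT acct1.r2.cloudflarestorage.com 20480
2024-05-01T22:41:09 dc-01 PUT zz9.r2.cloudflarestorage.com 73400320
2024-05-01T22:43:55 dc-01 PUT zz9.r2.cloudflarestorage.com 52428800
2024-05-01T23:01:17 dc-01 POST zz9.r2.cloudflarestorage.com 31457280
"""

def parse_line(line):
    ts, src, method, dest, nbytes = line.split()
    return datetime.fromisoformat(ts), src, method, dest, int(nbytes)

def is_trusted_storage(dest):
    return dest.endswith(TRUSTED_STORAGE_SUFFIXES)

def find_suspicious_uploads(log_text):
    """Return {src_host: {"bytes": n, "reasons": [...]}} for hosts to review."""
    stats = defaultdict(lambda: {"bytes": 0, "dests": set(), "after_hours": 0})
    for line in log_text.splitlines():
        ts, src, method, dest, nbytes = parse_line(line)
        if method not in UPLOAD_METHODS or not is_trusted_storage(dest):
            continue  # only uploads to trusted storage are baselined here
        s = stats[src]
        s["bytes"] += nbytes
        s["dests"].add(dest)
        s["after_hours"] += int(ts.hour not in BUSINESS_HOURS)
    findings = {}
    for src, s in stats.items():
        reasons = []
        if s["bytes"] > BYTES_THRESHOLD:
            reasons.append(f"{s['bytes'] // 2**20} MiB uploaded to trusted storage")
        if s["dests"] - KNOWN_ACCOUNTS:
            reasons.append("unsanctioned account: " + ", ".join(sorted(s["dests"] - KNOWN_ACCOUNTS)))
        if s["after_hours"]:
            reasons.append(f"{s['after_hours']} uploads outside business hours")
        if reasons:
            findings[src] = {"bytes": s["bytes"], "reasons": reasons}
    return findings
```

Run against the constructed log, only dc-01 is reported, with all three reasons; the finance workstation's small daytime uploads to the sanctioned bucket stay quiet.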

The script, part of a broader modular toolkit, contains the file transfer logic that targets the attacker-controlled Cloudflare endpoint.

gen_photo_upload.py — exfiltrated file transfer to attacker-controlled Cloudflare storage (Source – OASIS Security)

Each script in the collection served a specific role, forming a structured pipeline from initial access all the way through to data theft.

Perhaps the most alarming finding was the discovery of previously unpublished source code for both a C# beacon generator and a Python-based command and control controller.

The beacon, beacon.cs, and the controller, listener_http.py, are not based on any publicly available framework, placing this actor well beyond the profile of typical commodity attackers.

The beacon communicates with the listener to form a private command channel between the attacker and any compromised hosts. Its presence on attacker infrastructure suggests it has been used in multiple operations.

A self-developed framework like this takes significant expertise and resources to build and sustain.

On the credential side, the attacker extracted Windows registry hive files from at least one domain controller, including the SAM, SECURITY, and SYSTEM files.

An NTDS dump confirmed that Active Directory password hashes were also taken. With those credentials, the attacker holds the potential for persistent access across the entire affected network.

The affected organizations should immediately remove active webshells, reset all domain-level passwords, and review attacker-left artifacts carefully to cut off any continued or future access.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| IP Address | 20.17.161.118 | Attacker-controlled Microsoft Azure VM in Malaysia West region (AS8075) used as C2 and staging infrastructure |
| File Name | gen_photo_upload.py | Python script used to exfiltrate files to attacker-controlled Cloudflare storage endpoint |
| File Name | analyze_[REDACTED].py | Python script with embedded MSSQL credentials used to execute SQL queries against target internal server |
| File Name | asset_owner_check.py | Python script for inspecting and staging asset ownership datasets via WinRM for collection |
| File Name | check_cophoto.py | Python script for MSSQL-based photo record enumeration and column type validation |
| File Name | deploy.py | Python script containing external RPC endpoint configuration for remote command execution |
| File Name | shell21.py | Python script used to upload PHP webshell (health.php) to a Malaysian government portal |
| File Name | health.php | PHP webshell confirmed active on target government server at time of analysis |
| File Name | laravel_rce.php | PHP exploit script implementing a five-chain Laravel deserialization RCE attack |
| File Name | beacon.cs | Source code for a previously undisclosed C# malware beacon generator |
| File Name | listener_http.py | Source code for a previously undisclosed Python-based HTTP C2 controller |
| File Name | h[REDACTED]_targeted.txt | Text file containing 126 target passwords used in attack operations |
| File Name | j[REDACTED]_dc_SAM | Exfiltrated Windows registry SAM hive file from domain controller |
| File Name | j[REDACTED]_dc_SECURITY | Exfiltrated Windows registry SECURITY hive file from domain controller |
| File Name | j[REDACTED]_dc_SYSTEM | Exfiltrated Windows registry SYSTEM hive file from domain controller |
| File Name | j[REDACTED]_dc_dump.ntds | NTDS dump output file confirming extraction of Active Directory credential hashes |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
