Tag: cloudflare

9 Attack Reports | 0 Vulnerabilities

Attack reports

FlowerStorm Phishing Kit Targeting Microsoft Credentials via Cloudflare-Backed Infrastructure

IOCs related to FlowerStorm phishing‑kit–driven campaign that delivers fake Microsoft authentication pages via compromised domains fronted by Cloudflare. The activity abuses legitimate cloud and CDN services for delivery while credential harvesting occurs on attacker‑controlled infrastructure, with…
cloudflare
iocs
2026-04-20
flowerstorm
Published: April 20, 2026
Downloadable IOCs: 0

Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack

The Warlock ransomware group has enhanced its attack chain with improved methods for persistence, lateral movement, and evasion. Their updated toolset includes TightVNC, Yuze, and a persistent BYOVD technique exploiting the NSec driver. The group's primary targets were technology, manufacturing, an…
ransomware
lockbit
lateral movement
cloudflare
byovd
sharepoint
tunneling
tightvnc
velociraptor
2026-03-16
yuze
Published: March 16, 2026
Downloadable IOCs: 10

Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)

Threat actors are actively exploiting a vulnerability in SolarWinds Web Help Desk, targeting organizations using versions prior to 12.8.7 HF1. The attack chain involves deploying Zoho ManageEngine RMM agents, Velociraptor for command and control, and Cloudflare tunnels for persistence. Attackers us…
cloudflare
CVE-2025-26399
velociraptor
CVE-2025-40536
CVE-2025-40551
2026-02-09
elastic cloud
solarwinds
web help desk
Published: February 9, 2026
Linked vulnerabilities : CVE-2025-26399 (CVSS 9.8), CVE-2025-40536 (CVSS 8.1), CVE-2025-40551 (CVSS 9.8)
Downloadable IOCs: 5

Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response

Threat actors exploited Cloudflare's free-tier infrastructure and Python environments to deploy AsyncRAT, demonstrating advanced evasion techniques. The attack begins with phishing emails containing Dropbox links to malicious files. It uses legitimate Python downloads and sophisticated code injecti…
phishing
social engineering
python
persistence
asyncrat
webdav
cloudflare
code injection
cloud abuse
2026-01-12
Published: January 12, 2026
Downloadable IOCs: 27

Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign

A Russian-speaking threat actor has launched a new phishing campaign using Cloudflare-branded pages themed around DMCA takedown notices. The attack abuses the ms-search protocol to deliver malicious LNK files disguised as PDFs. Once executed, the malware communicates with a Telegram bot to report t…
phishing
python
powershell
lnk
cloudflare
telegram
pyramid
pyramid c2
open directory
2025-04-04
dmca
ms-search
Published: April 4, 2025
Downloadable IOCs: 0

Fake Cloudflare Verification Results in LummaStealer Trojan Infections

A malicious campaign targeting Windows users through WordPress websites is deploying the LummaStealer trojan. Attackers use fake Cloudflare verification prompts to trick users into running malicious PowerShell commands. The infection is spread through compromised plugins or injected JavaScript in l…
powershell
lummac2
infostealer
trojan
wordpress
cloudflare
lummastealer
javascript injection
2025-03-20
Published: March 20, 2025
Downloadable IOCs: 4

"Breach Report" from UAC-0099 (CERT-UA#12463)

The Ukrainian CERT-UA investigated cyberattacks by UAC-0099 against government organizations during November-December 2024. The attacks involved emails with malicious attachments, including exploits for CVE-2023-38831. The LONEPAGE program, used for command execution, has evolved to use encrypted f…
powershell
CVE-2023-38831
cloudflare
winrar
lnk files
2024-12-18
lonepage program
Published: December 18, 2024
Downloadable IOCs: 25

Threat Actor Abuses Cloudflare Tunnels to Deliver RATs

Proofpoint is tracking a cluster of cybercriminal threat activity leveraging Cloudflare Tunnels to deliver malware, particularly remote access trojans (RATs) like Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos. The campaigns employ various techniques, such as using URL files to establish connectio…
xworm
remcos
asyncrat
venomrat
guloader
rats
webdav
cloudflare
2024-08-01
Published: August 1, 2024
Downloadable IOCs: 13

Bondnet Using High-Performance Bots For C2 Server

Security researchers at ASEC have discovered that a threat actor is using high-performance bots to turn compromised systems into their central server (C2) servers, using tools such as the Cloudflare tunneling client.
rdp
2024-06-17
cloudflare
bot net
hfs
bondnet
Published: June 17, 2024
Downloadable IOCs: 27
Click here to see more Attack Reports