Government Backed Hackers Abuse Cloudflare in Malaysian Espionage Campaign
Malaysian government-linked hackers abuse Cloudflare for C2 infrastructure in espionage campaign.
Summary
A campaign attributed to a suspected Malaysian government operation has been leveraging hidden command-and-control infrastructure for years, employing sophisticated evasion techniques to avoid detection by public scanning tools. The attackers abuse Cloudflare's storage and CDN services to host malicious payloads and phishing material, exploiting the trust users place in legitimate cloud providers. Researchers found the operation maintains carefully rotated infrastructure focused on intelligence gathering with overlaps to regional state-sponsored cyber espionage patterns.
Full text
Government-backed hackers abused Cloudflare storage services in a Malaysian espionage campaign involving hidden C2 systems and data exfiltration.
By Waqas, May 18, 2026
A campaign linked to a suspected Malaysian government operation has been using hidden command-and-control infrastructure for years, according to new findings from Oasis Security. Researchers said the activity points to a long-running espionage effort that stayed active by masking backend systems and limiting exposure to public scanning tools. The operation appears carefully maintained, with infrastructure designed to avoid visibility while supporting targeted surveillance activity.
Oasis Security said the infrastructure contains links to government-related networks in Malaysia and shows patterns commonly associated with state-backed online operations.
The report explains how the operators manage command-and-control servers in ways that reduce the chance of detection. Some systems respond differently depending on who connects to them, while others remain inaccessible unless contacted through specific paths or protocols. That setup made the servers difficult to identify through standard internet scans.
Researchers also found signs that the infrastructure has remained active for several years. Historical records and server behavior suggest the systems are regularly rotated, repurposed, and maintained instead of being abandoned after short campaigns.
While the exact targets were not fully disclosed, the activity appears focused on intelligence gathering. Oasis Security also noted overlaps with infrastructure patterns previously connected to regional cyber espionage activity. The company stopped short of publicly naming individual operators but said the evidence aligns with tactics seen in government-sponsored surveillance campaigns.
At the same time, researchers reported that threat actors are abusing Cloudflare's storage and content delivery services to host malicious payloads and phishing material. According to the report, attackers benefit from the trust attached to widely used cloud platforms because traffic from those providers is less likely to trigger alerts. Files hosted through well-known services can often pass through basic filtering checks, especially in companies where blocking providers like Cloudflare could interrupt normal operations.
Researchers found several cases where malware archives and phishing pages were uploaded to cloud storage services and distributed through links that appeared legitimate to users.
[Figure: One of the exfiltrated files transferred to attacker-controlled Cloudflare storage (Image via Oasis Security)]
The report also found that threat actors are moving away from maintaining permanent infrastructure. Many groups now use temporary storage buckets, CDN-linked domains, and short-term hosting services that can be replaced within minutes if removed. That approach lowers operating costs and allows campaigns to continue with minimal disruption.
For organizations monitoring suspicious traffic, trusted cloud platforms create a difficult problem. Harmful files become harder to spot when they are delivered through services employees use every day. Researchers said companies need stronger behavior-based monitoring and closer inspection of outbound connections instead of depending only on domain reputation checks.
Taken together, both reports point in the same direction for modern cyber operations. Espionage groups and financially motivated attackers are increasingly using infrastructure that blends into normal internet traffic. Public cloud services, restricted-access systems, and selectively exposed servers give operators more time to stay active before the activity is noticed.
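As an added illustration of the behavior-based monitoring the researchers recommend (example code written for this page, not Oasis Security's tooling), the script below parses constructed proxy log lines and flags bulk uploads to Cloudflare storage buckets outside an organization's allowlist, and archive downloads from unknown public buckets, instead of judging the destination by provider reputation. The R2 hostname suffixes, the allowlist, the 50 MiB threshold and the log format are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Cloud-storage hostname suffixes to watch. Cloudflare R2 exposes buckets as
# <account>.r2.cloudflarestorage.com (S3 API) and pub-<id>.r2.dev (public
# buckets); these suffixes, the allowlist and the threshold are assumptions.
STORAGE_SUFFIXES = (".r2.cloudflarestorage.com", ".r2.dev")
KNOWN_BUCKETS = {"acme-backups.r2.cloudflarestorage.com"}  # assumed corporate allowlist
UPLOAD_THRESHOLD = 50 * 1024 * 1024  # assumed: 50 MiB sent per host per log window
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z|iso|exe)$", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")

# Constructed proxy log: timestamp, source host, method, URL, bytes sent, bytes received.
SAMPLE_LOG = """\
2026-05-18T09:01:12Z ws-042 GET https://acme-backups.r2.cloudflarestorage.com/daily.tar 512 90000000
2026-05-18T09:14:03Z ws-017 PUT https://a1b2c3d4.r2.cloudflarestorage.com/hr/q1.zip 68000000 230
2026-05-18T09:14:09Z ws-017 PUT https://a1b2c3d4.r2.cloudflarestorage.com/hr/q2.zip 71000000 230
2026-05-18T09:20:41Z ws-101 GET https://pub-9f8e7d6c.r2.dev/invoice_2026.zip 410 1048576
2026-05-18T09:22:00Z ws-088 GET https://www.cloudflare.com/ 300 15000
"""

def parse_log(text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, url, sent, recv = m.groups()
        u = urlsplit(url)
        yield {"ts": ts, "src": src, "method": method, "host": u.hostname or "",
               "path": u.path, "sent": int(sent), "recv": int(recv)}

def find_alerts(text):
    """Return sorted (alert_type, source_host, bucket_host) tuples; reputation alone passes every host here."""
    uploaded = defaultdict(int)  # (src, bucket host) -> bytes sent via PUT/POST
    alerts = set()
    for ev in parse_log(text):
        host = ev["host"]
        if not host.endswith(STORAGE_SUFFIXES) or host in KNOWN_BUCKETS:
            continue  # not a storage bucket, or one the organization owns
        if ev["method"] in ("PUT", "POST"):
            uploaded[(ev["src"], host)] += ev["sent"]  # accumulate per source and bucket
        elif ev["method"] == "GET" and ARCHIVE_RE.search(ev["path"]):
            alerts.add(("archive_download_from_unknown_bucket", ev["src"], host))
    for (src, host), total in uploaded.items():
        if total >= UPLOAD_THRESHOLD:
            alerts.add(("bulk_upload_to_unknown_bucket", src, host))
    return sorted(alerts)
```

Run against the sample, only the two behavioral outliers are reported; the legitimate backup transfer and the visit to www.cloudflare.com are left alone even though all four destinations share the same provider.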
Indicators of Compromise
- mitre_attack — T1071.001 (Application Layer Protocol: Web Protocols)
- mitre_attack — T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage)
- mitre_attack — T1583.006 (Acquire Infrastructure: Web Services)