Cybersecurity researchers have identified a growing trend among ransomware affiliates and advanced persistent threat actors who are leveraging Cloudflare’s legitimate tunneling service, Cloudflared, to establish covert access channels into compromised networks.
This sophisticated technique allows attackers to maintain persistent access while evading traditional network security controls that typically flag suspicious outbound connections.
The abuse of trusted infrastructure services represents a concerning evolution in attacker tradecraft, as malicious actors increasingly adopt legitimate tools to blend their activities with normal network traffic.
The exploitation of Cloudflared tunnels has emerged as a preferred persistence mechanism due to the service’s inherent design, which encapsulates data in additional protocols that only the tunnel endpoints can decrypt.
This creates a secure communication channel that appears as legitimate traffic to security monitoring systems, effectively providing attackers with what amounts to local network access from remote locations.
The technique has gained particular traction among ransomware operators who require reliable command and control channels that can survive network disruptions and security interventions.
Sudo rem analysts have identified that prominent ransomware groups including BlackSuit, Royal, Akira, Scattered Spider, and Medusa have all incorporated Cloudflared tunnels into their operational playbooks.
These groups deploy malicious Cloudflared instances following initial network compromise through various vectors such as VPN exploitation or remote desktop protocol attacks.
The researchers have documented what they term the “Cloudflared Abuse Lifecycle,” which progresses from initial compromise through tunnel deployment, token extraction, and ultimately lateral movement throughout the target network.
The impact of this attack vector extends beyond traditional ransomware operations, as the technique provides adversaries with a robust method for establishing beachheads within enterprise networks.
Once deployed, these tunnels can remain active for extended periods, providing attackers with persistent access that survives system reboots and network changes.
The legitimate nature of Cloudflared traffic makes detection particularly challenging for security teams who must differentiate between authorized administrative use and malicious exploitation.
Hunters International has also been observed employing similar techniques, though intelligence regarding this group’s specific implementation remains limited according to security researchers.
The widespread adoption of this technique across multiple threat actor groups indicates a concerning trend toward the weaponization of enterprise-grade tunneling solutions.
Detection Evasion Through Token Manipulation and Service Disguise
The technical sophistication of Cloudflared abuse lies primarily in how attackers manipulate the service’s authentication tokens and disguise their presence on compromised systems.
Cloudflared tunnel tokens are Base64-encoded JSON structures containing three critical parameters: the account identifier, tunnel identifier, and secret key.
The token structure follows this format:
{
    "a": "account_id",
    "t": "tunnel_id",
    "s": "secret"
}
Attackers have discovered that the account_id parameter serves as a persistent fingerprint that rarely changes across multiple deployments, creating an inadvertent indicator of compromise that security researchers can leverage for threat hunting.
However, adversaries have simultaneously developed sophisticated evasion techniques centered around process masquerading and service manipulation.
Medusa ransomware operators have been observed renaming the cloudflared.exe executable to system process names such as svchost.exe and servicehost.exe to avoid detection.
BlackSuit affiliates employ even more elaborate disguises, renaming their tunnel instances to mimic legitimate update services including WGUpdater.exe, LogMeInUpdater.exe, AdobeUpdater.exe, MozillaUpdater.exe, and IntuitUpdater.exe.
This naming convention abuse exploits the tendency of security tools and administrators to overlook processes that appear to belong to trusted software vendors.
The deployment process typically involves attackers installing Cloudflared as a system service using commands that automatically execute the tunnel upon system startup, ensuring persistence across reboots and maintenance cycles.
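The token format, the renamed binaries and the service-install persistence described above can be turned into one hunting check over process-creation telemetry. The following is an added example written for this article, not code from the researchers or from Cloudflare; the events, the token contents and the account watchlist are constructed placeholders, and the tunnel secret is deliberately never written to the findings.

```python
import base64
import json
import re
from typing import Optional

# Constructed token: Base64 of a Cloudflared-style {"a","t","s"} JSON with placeholder values.
SAMPLE_TOKEN = base64.b64encode(json.dumps(
    {"a": "ACCOUNT_ID_PLACEHOLDER", "t": "TUNNEL_ID_PLACEHOLDER", "s": "SECRET_PLACEHOLDER"}
).encode()).decode()

# Constructed process-creation events (image path + command line), as a SIEM might store them.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"image": r"C:\ProgramData\WGUpdater.exe", "cmd": f"WGUpdater.exe service install {SAMPLE_TOKEN}"},
    {"image": r"C:\Tools\cloudflared.exe", "cmd": f"cloudflared.exe tunnel run --token {SAMPLE_TOKEN}"},
]

# Hypothetical watchlist of account IDs seen in earlier intrusions (placeholder value).
KNOWN_BAD_ACCOUNTS = {"ACCOUNT_ID_PLACEHOLDER"}

# Matches the token argument of "cloudflared service install <token>" or "... --token <token>".
TOKEN_RE = re.compile(r"(?:--token\s+|service\s+install\s+)([A-Za-z0-9+/=]{40,})")

def decode_tunnel_token(token: str) -> Optional[dict]:
    """Return the {"a","t","s"} structure if the string is a Cloudflared-style token, else None."""
    try:
        padded = token + "=" * (-len(token) % 4)          # tolerate stripped padding
        data = json.loads(base64.b64decode(padded))
    except ValueError:                                    # covers binascii and JSON errors
        return None
    if not isinstance(data, dict) or not {"a", "t", "s"} <= set(data):
        return None
    return data

def inspect_event(event: dict) -> Optional[dict]:
    """Extract tunnel metadata from one process event; flag renamed binaries and watchlisted accounts."""
    m = TOKEN_RE.search(event["cmd"])
    token = decode_tunnel_token(m.group(1)) if m else None
    if token is None:
        return None
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    return {
        "image": exe,
        "account_id": token["a"],                         # the stable fingerprint across deployments
        "tunnel_id": token["t"],                          # the secret "s" is intentionally omitted
        "renamed_binary": exe != "cloudflared.exe",       # masquerading, e.g. WGUpdater.exe
        "known_bad_account": token["a"] in KNOWN_BAD_ACCOUNTS,
    }

def hunt(events: list) -> list:
    """Run inspect_event over a batch of events and keep only tunnel-related findings."""
    return [r for r in (inspect_event(e) for e in events) if r is not None]
```

Pivoting on the extracted account_id across endpoints ties together instances that were installed under different file names.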