Government-Linked Espionage Campaign Used Cloudflare Storage
By Threat Intelligence Unit

Incident Overview
Hackread, GBHackers, and Cyber Security News reported on Oasis Security's investigation into a suspected government-linked espionage campaign targeting Malaysian organizations.
The investigation identified hidden command-and-control infrastructure hosted on Microsoft Azure, along with long-running attacker activity designed to avoid detection.
Attack Activity
The attackers used custom scripts and remote command execution tools to access internal systems and collect data.
The investigation observed the use of the following files:
- analyze_[REDACTED].py
- gen_photo_upload.py
- health.php
- beacon.cs
- listener_http.py
The campaign also involved abuse of exposed rpc.asp endpoints and Laravel-related exploitation activity.
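Several of the names above (health.php, rpc.asp) are script files served from a web root, which is what a webshell hunt looks for. The scanner below is an added example, not code from the original report or from Oasis Security; the file contents in SAMPLE_WEBROOT are constructed to look like common PHP and ASP webshells and are not the files recovered in the investigation, whose contents are not public. Pattern weights and the alert threshold are assumptions to tune per environment.

```python
import re

# Constructed sample web root: path -> contents. Illustrative only; the
# real health.php / rpc.asp contents from the investigation are not public.
SAMPLE_WEBROOT = {
    "public/index.php": "<?php\nrequire __DIR__.'/../vendor/autoload.php';\n"
                        "$app = require_once __DIR__.'/../bootstrap/app.php';\n",
    "public/health.php": "<?php @eval(base64_decode($_POST['c'])); ?>",
    "wwwroot/rpc.asp": "<% Execute(Request(\"cmd\")) %>",
    "public/uploads/shell.jpg": "<?php system($_GET['c']); ?>",
    "public/uploads/photo.jpg": "JFIF....(binary image data, truncated)",
}

SCRIPT_EXTENSIONS = (".php", ".phtml", ".asp", ".aspx", ".jsp")

# (pattern, weight, reason). Weights are assumptions: a single weak
# indicator is common in legitimate code, several together are not.
WEBSHELL_PATTERNS = [
    (re.compile(r"\beval\s*\(", re.I), 3, "eval()"),
    (re.compile(r"\b(system|shell_exec|passthru|exec|proc_open|popen)\s*\(", re.I),
     3, "command execution function"),
    (re.compile(r"base64_decode\s*\(", re.I), 2, "base64_decode()"),
    (re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I), 1, "request-controlled input"),
    (re.compile(r"\bExecute\s*\(\s*Request\b", re.I), 4, "ASP Execute(Request(...))"),
    (re.compile(r"WScript\.Shell", re.I), 3, "WScript.Shell object"),
    (re.compile(r"(?<![\w$])@\s*\w+\s*\(", re.I), 1, "error-suppressed call"),
]
SCRIPT_TAG = re.compile(r"<\?php|<%", re.I)


def score_file(path, content):
    """Return (score, reasons) for one file. Higher means more webshell-like."""
    score, reasons = 0, []
    for pattern, weight, reason in WEBSHELL_PATTERNS:
        if pattern.search(content):
            score += weight
            reasons.append(reason)
    # Server-side script tags inside a file that should not be a script
    # (e.g. an "image" in an upload directory) are suspicious on their own.
    if not path.lower().endswith(SCRIPT_EXTENSIONS) and SCRIPT_TAG.search(content):
        score += 2
        reasons.append("script tag in non-script file")
    return score, reasons


def hunt_webroot(files, threshold=3):
    """Scan a {path: contents} mapping and return hits at or above threshold,
    highest score first."""
    hits = []
    for path, content in files.items():
        score, reasons = score_file(path, content)
        if score >= threshold:
            hits.append({"path": path, "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for hit in hunt_webroot(SAMPLE_WEBROOT):
        print(f"{hit['score']:>2}  {hit['path']}  ({', '.join(hit['reasons'])})")
```

On a real host, walk the document root with os.walk and read files as text with errors="ignore"; the threshold keeps Laravel's own vendor code, which legitimately calls functions such as exec() in places, from flooding the results, but every hit still needs an analyst to confirm it.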
Cloudflare-Based Exfiltration
The investigation found that attackers used Cloudflare-hosted storage services to transfer stolen files and host malicious content.
Because traffic to widely used cloud providers is common in most networks, the attacker's uploads blended into legitimate activity and were unlikely to be flagged by destination-based controls such as domain or IP reputation.
Impact
In at least one case, the intrusion escalated to domain-level compromise.
The investigation identified exfiltrated Active Directory files, including:
- NTDS dumps
- SAM registry hives
- SECURITY and SYSTEM files
Together these artifacts allow offline credential extraction: the SYSTEM hive holds the boot key needed to decrypt the NTDS database (every domain account's password hashes, including krbtgt) and the SAM (local account hashes), while the SECURITY hive holds LSA secrets and cached domain logons. With those hashes an attacker can forge Kerberos tickets and re-enter the environment long after the original access path is closed.
Recommendations
- Monitor outbound traffic to cloud storage services
- Investigate unusual PowerShell and WinRM activity
- Hunt for webshells and unauthorized RPC access
- Rotate privileged credentials after compromise; once NTDS has been exfiltrated, treat every domain account as exposed and reset krbtgt twice so that forged tickets stop validating
- Apply behavior-based monitoring for suspicious activity
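The first three recommendations can be checked against connection logs. The script below is an added example, not code from the original report or from Oasis Security: it parses constructed log lines in a simple "timestamp src_ip dst_host dst_port bytes_out uri" format (not any vendor's real format) and flags large uploads to Cloudflare-hosted storage, WinRM sessions from hosts that are not approved administration sources, and requests to rpc.asp-style paths. The Cloudflare domain suffixes, the approved-host set and the byte threshold are assumptions; the report does not name the storage endpoint used.

```python
import re
from collections import defaultdict

# Constructed sample log, not from the investigation. Format:
# "ts src_ip dst_host dst_port bytes_out uri" ("-" when there is no URI).
SAMPLE_LOG = """\
2024-05-01T02:13:04Z 10.20.1.15 files.example-corp.local 445 12000 -
2024-05-01T02:14:10Z 10.20.1.15 acme1234.r2.cloudflarestorage.com 443 48000000 /exfil/ntds.zip
2024-05-01T02:15:22Z 10.20.1.15 acme1234.r2.cloudflarestorage.com 443 52000000 /exfil/sam.zip
2024-05-01T02:16:00Z 10.20.1.15 dc01.example-corp.local 5985 3400 /wsman
2024-05-01T02:17:31Z 10.20.7.9 dc01.example-corp.local 5985 2900 /wsman
2024-05-01T03:01:11Z 10.20.1.15 www.example-corp.local 80 900 /rpc.asp?cmd=whoami
2024-05-01T03:02:40Z 10.20.3.3 updates.example-corp.local 443 5000 /patches/kb1.msu
"""

# Assumption: Cloudflare R2 (S3-compatible endpoint) and Workers hostnames.
CLOUD_STORAGE_SUFFIXES = (".r2.cloudflarestorage.com", ".workers.dev")
WINRM_PORTS = {5985, 5986}
ADMIN_JUMP_HOSTS = {"10.20.7.9"}          # assumption: approved WinRM sources
WEBSHELL_PATHS = re.compile(r"/(rpc\.asp|health\.php)(\?|$)", re.I)
EXFIL_BYTES_THRESHOLD = 10_000_000        # assumption: 10 MB per (src, endpoint)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, nbytes, uri = m.groups()
    return {"ts": ts, "src_ip": src, "dst_host": dst.lower(),
            "dst_port": int(port), "bytes_out": int(nbytes), "uri": uri}


def is_cloud_storage(host):
    return any(host.endswith(suffix) for suffix in CLOUD_STORAGE_SUFFIXES)


def find_alerts(log_text):
    """Return a list of {"rule", "src_ip", "detail"} dicts for the log text."""
    alerts = []
    upload_totals = defaultdict(int)   # (src_ip, dst_host) -> bytes_out
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Rule 1: aggregate outbound volume to cloud storage per source/endpoint,
        # since exfiltration is usually several uploads rather than one.
        if is_cloud_storage(rec["dst_host"]):
            upload_totals[(rec["src_ip"], rec["dst_host"])] += rec["bytes_out"]
        # Rule 2: WinRM from anything other than an approved admin host.
        if rec["dst_port"] in WINRM_PORTS and rec["src_ip"] not in ADMIN_JUMP_HOSTS:
            alerts.append({"rule": "winrm_unapproved_source", "src_ip": rec["src_ip"],
                           "detail": f"{rec['src_ip']} -> {rec['dst_host']}:"
                                     f"{rec['dst_port']} at {rec['ts']}"})
        # Rule 3: requests to webshell-like paths; rpc.asp may be a legitimate
        # endpoint, so this flags it for review rather than proving abuse.
        if WEBSHELL_PATHS.search(rec["uri"]):
            alerts.append({"rule": "webshell_request", "src_ip": rec["src_ip"],
                           "detail": f"{rec['src_ip']} requested {rec['uri']} "
                                     f"on {rec['dst_host']} at {rec['ts']}"})
    for (src, host), total in upload_totals.items():
        if total >= EXFIL_BYTES_THRESHOLD:
            alerts.append({"rule": "cloud_storage_exfil", "src_ip": src,
                           "detail": f"{total} bytes from {src} to {host}"})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(f"[{alert['rule']}] {alert['detail']}")
```

The volume rule is the important one: a single 50 MB upload to a cloud bucket is unremarkable on its own, but a source that has never spoken to that endpoint before and suddenly sends hundreds of megabytes is the pattern a destination-reputation control misses. In production, baseline per-host volume to each endpoint over a few weeks and alert on deviations rather than a fixed threshold.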