May 18, 2026

Government-Linked Espionage Campaign Used Cloudflare Storage

By Threat Intelligence Unit

Incident Overview

Hackread, GBHackers, and Cyber Security News reported on Oasis Security's investigation into a suspected government-linked espionage campaign targeting Malaysian organizations.

The investigation identified hidden command-and-control infrastructure hosted on Microsoft Azure, along with long-running attacker activity designed to avoid detection.

Attack Activity

The attackers used custom scripts and remote command execution tools to access internal systems and collect data.

The investigation observed the use of:

  • analyze_[REDACTED].py
  • gen_photo_upload.py
  • health.php
  • beacon.cs
  • listener_http.py

The campaign also involved abuse of exposed rpc.asp endpoints and Laravel-related exploitation activity.

Cloudflare-Based Exfiltration

The investigation found that attackers used Cloudflare-hosted storage services to transfer stolen files and host malicious content.

Using trusted cloud services helped attacker traffic blend into normal network activity and reduced the likelihood of detection.

Impact

In at least one case, the intrusion escalated to domain-level compromise.

The investigation identified exfiltrated Active Directory files, including:

  • NTDS dumps
  • SAM registry hives
  • SECURITY and SYSTEM files

These artifacts may allow attackers to extract credentials and maintain long-term access to compromised environments.

Recommendations

  • Monitor outbound traffic to cloud storage services
  • Investigate unusual PowerShell and WinRM activity
  • Hunt for webshells and unauthorized RPC access
  • Rotate privileged credentials after compromise
  • Apply behavior-based monitoring for suspicious activity
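
The first three recommendations can be combined into a single hunt. The following is an added example, not code from the report or from Oasis Security; it runs over constructed proxy log lines (timestamp, source host, destination host, method, path, bytes out) and flags two things the incident describes: uploads whose file name matches an Active Directory credential artifact, and bulk upload volume from one host to a cloud-storage destination. The log format, the cloud-storage domain suffixes and the 100 MiB threshold are assumptions to adapt to your own proxy and environment.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the incident).
# Format assumed here: ts src dst method path bytes_out
SAMPLE_LOGS = """\
2026-05-12T08:01:10Z 10.0.4.21 updates.example-vendor.test PUT /patch 2048
2026-05-12T08:03:42Z 10.0.4.21 acme-prod.r2.cloudflarestorage.com PUT /backup/ntds.dit 734003200
2026-05-12T08:05:01Z 10.0.4.21 acme-prod.r2.cloudflarestorage.com PUT /backup/SYSTEM 16777216
2026-05-12T09:10:00Z 10.0.7.8 storage.googleapis.com GET /public/logo.png 512
2026-05-12T09:12:33Z 10.0.7.8 files.example-corp.test PUT /reports/q2.xlsx 1048576
"""

# Assumed list of cloud-storage host suffixes; extend with providers used in your environment.
CLOUD_STORAGE_SUFFIXES = (".r2.cloudflarestorage.com", ".s3.amazonaws.com", "storage.googleapis.com")
# File names of AD credential artifacts named in the report (compared case-insensitively).
AD_ARTIFACT_NAMES = {"ntds.dit", "sam", "system", "security"}
# Assumed per (source, destination) upload volume that warrants a look.
UPLOAD_THRESHOLD = 100 * 1024 * 1024

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, method, path, nbytes = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "method": method, "path": path, "bytes": int(nbytes)}


def is_cloud_storage(host):
    """True if the destination host is a known cloud-storage endpoint."""
    host = host.lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in CLOUD_STORAGE_SUFFIXES)


def find_suspicious_uploads(log_text):
    """Return findings: AD artifact uploads and bulk upload volume to cloud storage."""
    totals = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only outbound uploads (PUT/POST) to cloud-storage destinations are of interest.
        if rec is None or rec["method"] not in ("PUT", "POST") or not is_cloud_storage(rec["dst"]):
            continue
        totals[(rec["src"], rec["dst"])] += rec["bytes"]
        name = rec["path"].rsplit("/", 1)[-1].lower()
        if name in AD_ARTIFACT_NAMES:
            findings.append(("ad-artifact-upload", rec["src"], rec["dst"], rec["path"]))
    for (src, dst), total in totals.items():
        if total >= UPLOAD_THRESHOLD:
            findings.append(("bulk-upload", src, dst, total))
    return findings
```

On the sample above it reports the two artifact uploads and one bulk-upload finding for 10.0.4.21; the small GET to Google storage and the upload to the internal file server are ignored.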

References

  • Hackread coverage
  • GBHackers coverage
  • Cyber Security News coverage
