Attackers Exfiltrate Files via Cloudflare Storage Endpoints
Attackers are employing a novel data exfiltration technique, leveraging Cloudflare Storage Endpoints to covertly steal files from compromised networks. The method was detailed by analysts from OASIS Security in a report shared with Cyber Security News (CSN), which states that the attacker-controlled infrastructure is hosted on a Microsoft Azure virtual machine in the Malaysia West region.
The discovery gave researchers a clear window into how the attacker operated, because the infrastructure contained a large collection of attack tools that had not yet been cleaned up.
The campaign involved several moving parts, from database access and internal network mapping to live webshell deployment and credential theft.
What tied it all together was the attacker’s use of a Cloudflare storage endpoint as the final destination for stolen files, designed to blend outbound traffic with normal cloud activity and evade network monitoring.
The impact has been significant. Domain controller credentials were confirmed stolen, active webshells were found on at least one government server, and a chained exploit targeting a mobile network operator’s customer verification platform was also identified.
These findings paint a picture of a well-resourced actor working methodically across multiple targets at once.
Attackers Use Cloudflare Storage Endpoint
One of the more inventive parts of this campaign was how the attacker moved stolen data out of compromised networks.
A Python script named gen_photo_upload.py was built specifically to upload exfiltrated files to an external Cloudflare-hosted storage endpoint under attacker control.
Since Cloudflare is widely trusted, traffic heading toward it rarely triggers the same suspicion that connections to unfamiliar servers might.
This technique is often called “living off trusted services,” and it is growing more common among advanced threat actors.
By routing stolen data through a legitimate cloud provider, the attacker made outbound exfiltration look like routine web activity.
For organizations that do not inspect outbound traffic to trusted domains closely, this channel can go undetected for a long time.
The script was part of a broader modular toolkit; it contains the file transfer logic targeting the attacker-controlled Cloudflare endpoint.

Each script in the collection served a specific role, forming a structured pipeline from initial access all the way through to data theft.
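As an added example (not code from the OASIS report or the attacker's toolkit), the following Python detection logic addresses the point above: it sums outbound upload bytes per source host and trusted storage host from proxy-log lines, ignoring downloads because fetching from a trusted provider is normal. The log format, sample lines, allowlist and the R2-style hostname suffix are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Hostname suffixes treated as trusted cloud-storage endpoints. The R2-style
# suffix is an assumption for illustration; extend for your environment.
STORAGE_SUFFIXES = (".r2.cloudflarestorage.com", ".s3.amazonaws.com",
                    ".blob.core.windows.net")
UPLOAD_METHODS = {"PUT", "POST"}
BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB per (source, storage host) pair

# Constructed proxy-log format: ts src_ip method host bytes_out status
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
                     r"(?P<host>\S+) (?P<bytes_out>\d+) (?P<status>\d{3})$")

# Constructed sample lines, not traffic from the report.
SAMPLE_LOG = [
    "2024-01-01T10:00:30Z 10.0.0.5 GET acct-a1b2.r2.cloudflarestorage.com 4096 200",
    "2024-01-01T10:01:00Z 10.0.0.5 PUT acct-a1b2.r2.cloudflarestorage.com 30000000 200",
    "2024-01-01T10:02:00Z 10.0.0.5 PUT acct-a1b2.r2.cloudflarestorage.com 30000000 200",
    "2024-01-01T10:03:00Z 10.0.0.7 POST acct-c3d4.r2.cloudflarestorage.com 2048 200",
    "2024-01-01T10:04:00Z 10.0.0.9 PUT backups.blob.core.windows.net 80000000 201",
    "malformed line that is skipped",
]
# (source, storage host) pairs with a legitimate reason to upload, e.g. backups.
KNOWN_UPLOADERS = {("10.0.0.9", "backups.blob.core.windows.net")}


def is_storage_host(host):
    """True when the host ends with one of the trusted storage suffixes."""
    return host.lower().endswith(STORAGE_SUFFIXES)


def find_suspicious_uploads(lines, known=KNOWN_UPLOADERS, threshold=BYTES_THRESHOLD):
    """Sum bytes uploaded per (source, storage host). Downloads are ignored
    because fetching from a trusted provider is normal; every upload pair not
    on the allowlist is reported, tagged "volume" once it exceeds threshold."""
    totals = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] not in UPLOAD_METHODS:
            continue  # malformed line or not an upload
        if is_storage_host(m["host"]):
            totals[(m["src"], m["host"])] += int(m["bytes_out"])
    alerts = []
    for (src, host), total in sorted(totals.items()):
        if (src, host) in known:
            continue
        reason = "volume" if total >= threshold else "unexpected_source"
        alerts.append({"src": src, "host": host, "bytes_out": total, "reason": reason})
    return alerts
```

Calling `find_suspicious_uploads(SAMPLE_LOG)` reports the 60 MB pushed by 10.0.0.5 as a volume alert and the small upload from 10.0.0.7 as an unexpected source, while the allowlisted backup job is ignored.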
Custom C2 Tools and Credential Theft
Perhaps the most alarming finding was the discovery of previously unpublished source code for both a C# beacon generator and a Python-based command and control controller.
The beacon, beacon.cs, and the controller, listener_http.py, are not based on any publicly available framework, placing this actor well beyond the profile of typical commodity attackers.
The beacon communicates with the listener to form a private command channel between the attacker and any compromised hosts. Its presence on attacker infrastructure suggests it has been used in multiple operations.
A self-developed framework like this takes significant expertise and resources to build and sustain.
On the credential side, the attacker extracted Windows registry hive files from at least one domain controller, including the SAM, SECURITY, and SYSTEM files.
An NTDS dump confirmed that Active Directory password hashes were also taken. With those credentials, the attacker holds the potential for persistent access across the entire affected network.
The affected organizations should immediately remove active webshells, reset all domain-level passwords, and review attacker-left artifacts carefully to cut off any continued or future access.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 20.17.161.118 | Attacker-controlled Microsoft Azure VM in Malaysia West region (AS8075) used as C2 and staging infrastructure |
| File Name | gen_photo_upload.py | Python script used to exfiltrate files to attacker-controlled Cloudflare storage endpoint |
| File Name | analyze_[REDACTED].py | Python script with embedded MSSQL credentials used to execute SQL queries against target internal server |
| File Name | asset_owner_check.py | Python script for inspecting and staging asset ownership datasets via WinRM for collection |
| File Name | check_cophoto.py | Python script for MSSQL-based photo record enumeration and column type validation |
| File Name | deploy.py | Python script containing external RPC endpoint configuration for remote command execution |
| File Name | shell21.py | Python script used to upload PHP webshell (health.php) to a Malaysian government portal |
| File Name | health.php | PHP webshell confirmed active on target government server at time of analysis |
| File Name | laravel_rce.php | PHP exploit script implementing a five-chain Laravel deserialization RCE attack |
| File Name | beacon.cs | Source code for a previously undisclosed C# malware beacon generator |
| File Name | listener_http.py | Source code for a previously undisclosed Python-based HTTP C2 controller |
| File Name | h[REDACTED]_targeted.txt | Text file containing 126 target passwords used in attack operations |
| File Name | j[REDACTED]_dc_SAM | Exfiltrated Windows registry SAM hive file from domain controller |
| File Name | j[REDACTED]_dc_SECURITY | Exfiltrated Windows registry SECURITY hive file from domain controller |
| File Name | j[REDACTED]_dc_SYSTEM | Exfiltrated Windows registry SYSTEM hive file from domain controller |
| File Name | j[REDACTED]_dc_dump.ntds | NTDS dump output file confirming extraction of Active Directory credential hashes |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.