top of page

State-Sponsored Hackers Exploit Cloudflare Infrastructure in Targeted Malaysian Cyber Espionage Operation

  • May 18
  • 2 min read

Key Findings


  • Suspected Malaysian government-backed operation maintained hidden command and control infrastructure for years using sophisticated obfuscation techniques

  • Threat actors abused Cloudflare storage and CDN services to host malware, phishing material, and exfiltrated data while leveraging the platform's trusted reputation

  • Infrastructure designed with selective access controls and adaptive response mechanisms to evade standard internet scanning and detection tools

  • Attackers increasingly shifting toward temporary, disposable hosting solutions that can be replaced within minutes to minimize disruption when discovered

  • Modern espionage campaigns blend seamlessly into normal internet traffic, making detection significantly more difficult for organizations relying on reputation-based filtering


Background


Oasis Security researchers uncovered a long-running espionage campaign with strong indicators of Malaysian government involvement. The operation distinguished itself through careful infrastructure management designed to maintain a low operational profile while supporting targeted surveillance activities. The campaign appears to have remained active for several years through systematic rotation, repurposing, and maintenance of backend systems rather than abandonment after short-term operations.


Hidden Command and Control Infrastructure


The operators deployed command and control servers using advanced evasion techniques. These systems respond differently depending on who attempts to connect, making them invisible to standard internet scans. Some servers remain completely inaccessible unless contacted through specific protocols or paths, effectively hiding them from passive reconnaissance efforts. Historical records and behavioral analysis indicate the infrastructure has been actively maintained and regularly updated rather than abandoned, suggesting a professionally managed operation.


Exploitation of Trusted Cloud Services


Threat actors capitalized on the trust organizations place in widely-used platforms like Cloudflare. By hosting malware archives and phishing pages through these legitimate services, attackers ensured their payloads would bypass basic filtering checks. Employees are unlikely to block traffic from Cloudflare since normal business operations depend on it, creating a significant blind spot in traditional security defenses. The researchers documented multiple instances where stolen data was transferred to attacker-controlled Cloudflare storage and distributed through links appearing legitimate to end users.


Shift Toward Disposable Infrastructure


Modern threat actors are abandoning permanent infrastructure in favor of temporary storage buckets, CDN-linked domains, and short-term hosting services. This approach reduces operational costs and allows campaigns to continue with minimal disruption when individual components are removed. Attackers can now replace their entire hosting infrastructure within minutes, making it increasingly difficult for defenders to maintain continuity in their investigations and disruption efforts.


Detection Challenges and Recommendations


Organizations face a significant detection problem when harmful files arrive through services employees use daily. Reputation-based domain checks alone prove insufficient against this evolved threat landscape. Researchers recommend companies implement stronger behavior-based monitoring and conduct closer inspection of outbound connections rather than relying solely on whether a domain appears trustworthy. The convergence of sophisticated espionage tactics with commodity cloud services means defenders must fundamentally reconsider their detection strategies.


Sources


  • https://hackread.com/government-backed-hackers-cloudflare-malaysia-espionage/

  • https://x.com/Dinosn/status/2056450352908472722

  • https://x.com/HackRead/status/2056377362728505606

  • https://news.backbox.org/2026/05/18/government-backed-hackers-abuse-cloudflare-in-malaysian-espionage-campaign/

  • https://www.socdefenders.ai/item/af71cb6f-3881-4148-8b43-c8e9c4294047

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page