State-Sponsored Hackers Exploit Cloudflare Infrastructure in Targeted Malaysian Cyber Espionage Operation
- May 18
- 2 min read
Key Findings
Suspected Malaysian government-backed operation maintained hidden command and control infrastructure for years using sophisticated obfuscation techniques
Threat actors abused Cloudflare storage and CDN services to host malware, phishing material, and exfiltrated data while leveraging the platform's trusted reputation
Infrastructure designed with selective access controls and adaptive response mechanisms to evade standard internet scanning and detection tools
Attackers increasingly shifting toward temporary, disposable hosting solutions that can be replaced within minutes to minimize disruption when discovered
Modern espionage campaigns blend seamlessly into normal internet traffic, making detection significantly more difficult for organizations relying on reputation-based filtering
Background
Oasis Security researchers uncovered a long-running espionage campaign with strong indicators of Malaysian government involvement. The operation distinguished itself through careful infrastructure management designed to maintain a low operational profile while supporting targeted surveillance activities. The campaign appears to have remained active for several years through systematic rotation, repurposing, and maintenance of backend systems rather than abandonment after short-term operations.
Hidden Command and Control Infrastructure
The operators deployed command and control servers using advanced evasion techniques. These systems respond differently depending on who attempts to connect, making them invisible to standard internet scans. Some servers remain completely inaccessible unless contacted through specific protocols or paths, effectively hiding them from passive reconnaissance efforts. Historical records and behavioral analysis indicate the infrastructure has been actively maintained and regularly updated rather than abandoned, suggesting a professionally managed operation.
Exploitation of Trusted Cloud Services
Threat actors capitalized on the trust organizations place in widely-used platforms like Cloudflare. By hosting malware archives and phishing pages through these legitimate services, attackers ensured their payloads would bypass basic filtering checks. Employees are unlikely to block traffic from Cloudflare since normal business operations depend on it, creating a significant blind spot in traditional security defenses. The researchers documented multiple instances where stolen data was transferred to attacker-controlled Cloudflare storage and distributed through links appearing legitimate to end users.
Shift Toward Disposable Infrastructure
Modern threat actors are abandoning permanent infrastructure in favor of temporary storage buckets, CDN-linked domains, and short-term hosting services. This approach reduces operational costs and allows campaigns to continue with minimal disruption when individual components are removed. Attackers can now replace their entire hosting infrastructure within minutes, making it increasingly difficult for defenders to maintain continuity in their investigations and disruption efforts.
Detection Challenges and Recommendations
Organizations face a significant detection problem when harmful files arrive through services employees use daily. Reputation-based domain checks alone prove insufficient against this evolved threat landscape. Researchers recommend companies implement stronger behavior-based monitoring and conduct closer inspection of outbound connections rather than relying solely on whether a domain appears trustworthy. The convergence of sophisticated espionage tactics with commodity cloud services means defenders must fundamentally reconsider their detection strategies.
Sources
https://hackread.com/government-backed-hackers-cloudflare-malaysia-espionage/
https://x.com/Dinosn/status/2056450352908472722
https://x.com/HackRead/status/2056377362728505606
https://news.backbox.org/2026/05/18/government-backed-hackers-abuse-cloudflare-in-malaysian-espionage-campaign/
https://www.socdefenders.ai/item/af71cb6f-3881-4148-8b43-c8e9c4294047

Comments