Cybersecurity researchers have uncovered a rise in the abuse of Cloudflare Tunnel, through its client daemon Cloudflared, by ransomware groups and advanced persistent threat (APT) actors. These attackers are using Cloudflared to create covert access points into compromised networks.
This technique enables persistent access while avoiding detection from traditional network security tools. Cloudflared opens only outbound, TLS-encrypted connections to Cloudflare's edge, so the tunnel looks like ordinary HTTPS traffic to a widely trusted CDN rather than the unusual outbound connection such tools are tuned to flag.
Abuse of Trusted Infrastructure
Threat actors are increasingly turning to legitimate tools like Cloudflared to mask their activity. Because Cloudflared traffic is encrypted and destined for Cloudflare's infrastructure, it blends into the normal HTTPS traffic of almost any enterprise and easily passes through security controls.
The tunnel is encrypted end to end between the Cloudflared client and Cloudflare's edge, so network monitoring sees only the outer TLS session and cannot inspect what is being proxied. Anything the attacker exposes through the tunnel (RDP, SMB, SSH or internal web services) becomes reachable from the internet, allowing them to operate as if they were inside the target network.
Ransomware Groups Adopt Cloudflared Tunnels
Cloudflared has become a popular method for maintaining command and control (C2) and remote-access channels. It is now used by several known ransomware operators, including BlackSuit, Royal, Akira, Scattered Spider, and Medusa.
These groups typically install Cloudflared after an initial compromise, often gained through exploitation of VPN appliances or attacks against exposed Remote Desktop Protocol (RDP) services.
Cloudflared Abuse Lifecycle
Researchers at Sudo Rem have mapped a typical attack sequence known as the “Cloudflared Abuse Lifecycle.” It includes:
- Initial network compromise
- Deployment of Cloudflared tunnel
- Extraction of tunnel tokens
- Lateral movement within the network
These tunnels can remain active for long periods: Cloudflared reconnects on its own after network changes and, once registered as a service, comes back after every reboot, providing persistent access without any further action by the attacker.
Detection Challenges and Token Abuse
Cloudflared's legitimate nature makes it difficult to detect. Attackers authenticate their tunnels with tunnel tokens, which are Base64-encoded JSON objects containing three key elements:
{ "a": "account_id", "t": "tunnel_id", "s": "secret" }
Here "a" is the Cloudflare account that owns the tunnel, "t" is the tunnel's unique identifier, and "s" is the Base64-encoded tunnel secret. Every tunnel an attacker creates under the same Cloudflare account carries the same account_id, so that field acts as a fingerprint that rarely changes, helping researchers tie separate intrusions back to one operator and identify malicious use. However, attackers are also using process disguises to evade detection.
Masquerading Tactics to Evade Detection
Medusa ransomware groups rename cloudflared.exe to trusted process names like svchost.exe or servicehost.exe. BlackSuit affiliates go further by disguising tunnel instances as popular software updaters, such as:
- WGUpdater.exe
- LogMeInUpdater.exe
- AdobeUpdater.exe
- MozillaUpdater.exe
- IntuitUpdater.exe
These names help attackers avoid suspicion from security tools and IT teams, because a renamed binary is still a genuine, signed Cloudflared executable; only its file name and path give it away.
Persistent Access via System Services
To maintain persistence, attackers install Cloudflared as a system service. Cloudflared's own "service install" subcommand registers the binary as a Windows service, so a single command ensures the tunnel starts whenever the system reboots or undergoes maintenance.
Hunters International has also used similar methods, although specific details about their implementation remain limited.
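The token fingerprinting described above, and the masquerading and service-persistence tradecraft in the last three sections, can be hunted together from process-creation telemetry. The following Python script is an added example written for this article; it is not code from the researchers or from Cloudflare. It decodes the three-field token format, then scans constructed process-creation events (image path plus command line, as an EDR or Sysmon Event ID 1 would record them) for Cloudflared's command-line syntax regardless of what the binary has been renamed to, flags "service install" persistence, and groups the tokens it finds by account_id. The account IDs, tunnel IDs, secrets, file paths and command lines are all constructed sample values, not real Cloudflare identifiers or observed attacker artifacts.

```python
import base64
import binascii
import json
import ntpath
import re


def decode_token(token):
    """Decode a Cloudflared tunnel token: Base64 of a JSON object with keys
    a (account id), t (tunnel id) and s (Base64 secret). Stripped '=' padding
    is tolerated. Returns the dict, or None if the blob is not a token."""
    tok = token.strip()
    tok += "=" * (-len(tok) % 4)
    try:
        data = json.loads(base64.b64decode(tok, validate=True))
        if not isinstance(data, dict) or set(data) != {"a", "t", "s"}:
            return None
        base64.b64decode(data["s"], validate=True)  # the secret is itself Base64
    except (binascii.Error, ValueError, TypeError):
        return None
    return data


def make_token(account_id, tunnel_id, secret):
    """Build a token of the same shape; used here only to construct samples."""
    body = json.dumps({"a": account_id, "t": tunnel_id,
                       "s": base64.b64encode(secret).decode()})
    return base64.b64encode(body.encode()).decode()


# Constructed sample values (not real Cloudflare identifiers).
ACCT_ATTACKER = "0123456789abcdef0123456789abcdef"
ACCT_CORP = "fedcba9876543210fedcba9876543210"
TOK_A1 = make_token(ACCT_ATTACKER, "11111111-1111-4111-8111-111111111111", bytes(range(32)))
TOK_A2 = make_token(ACCT_ATTACKER, "22222222-2222-4222-8222-222222222222", bytes(range(32, 64)))
TOK_CORP = make_token(ACCT_CORP, "33333333-3333-4333-8333-333333333333", bytes(range(64, 96)))

# Constructed process-creation events: two renamed binaries (svchost.exe in
# ProgramData, an "updater"), one real svchost, one sanctioned cloudflared.
EVENTS = [
    {"Image": r"C:\ProgramData\svchost.exe",
     "CommandLine": "svchost.exe tunnel run --token " + TOK_A1},
    {"Image": r"C:\ProgramData\WGUpdater.exe",
     "CommandLine": '"WGUpdater.exe" service install ' + TOK_A2},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Tools\cloudflared.exe",
     "CommandLine": "cloudflared.exe tunnel run --token " + TOK_CORP},
]

# Cloudflared's own verbs identify the binary whatever it has been renamed to.
TUNNEL_CMD = re.compile(r"\btunnel\b.*\b(run|--url|--token|--config)\b|\bservice\s+install\b", re.I)
SERVICE_INSTALL = re.compile(r"\bservice\s+install\b", re.I)
TOKEN_ARG = re.compile(r"(?:--token[\s=]+|service\s+install\s+)([A-Za-z0-9+/=]{20,})")


def analyze(events, authorized_accounts):
    """Return one finding per event whose command line uses Cloudflared syntax.
    'reasons' is empty only when the binary keeps its real name, does not
    install a service, and its token belongs to an allow-listed account."""
    findings = []
    for ev in events:
        cmd = ev["CommandLine"]
        if not TUNNEL_CMD.search(cmd):
            continue
        reasons = []
        name = ntpath.basename(ev["Image"]).lower()
        if name != "cloudflared.exe":
            reasons.append("cloudflared syntax under foreign image name " + name)
        if SERVICE_INSTALL.search(cmd):
            reasons.append("installed as a service (survives reboot)")
        account = tunnel = None
        m = TOKEN_ARG.search(cmd)
        tok = decode_token(m.group(1)) if m else None
        if tok:
            account, tunnel = tok["a"], tok["t"]
            if account not in authorized_accounts:
                reasons.append("token bound to unknown account " + account)
        findings.append({"image": ev["Image"], "account": account,
                         "tunnel": tunnel, "reasons": reasons})
    return findings


def cluster_by_account(findings):
    """Group tunnel ids by account id: several differently named binaries
    sharing one account id is the fingerprint the token section describes."""
    out = {}
    for f in findings:
        if f["account"]:
            out.setdefault(f["account"], set()).add(f["tunnel"])
    return out


if __name__ == "__main__":
    results = analyze(EVENTS, {ACCT_CORP})
    for f in results:
        print(f["image"], "->", f["reasons"] or ["authorized"])
    print(cluster_by_account(results))
```

Run against the constructed events, the script reports the ProgramData svchost.exe and WGUpdater.exe as Cloudflared under a foreign name (the updater additionally as a persistent service), both bound to the same unknown account, while the genuine svchost.exe is ignored and the allow-listed cloudflared.exe produces no reasons. In production, feed it real EDR or Sysmon process-creation records and maintain the allow-list of your organization's own Cloudflare account IDs; the image-name check is deliberately simple, so pair it with file-hash comparison against Cloudflare's published releases where your telemetry carries hashes.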
Growing Trend in Cyber Threat Landscape
The wide adoption of this method highlights a troubling shift toward using legitimate enterprise-grade tools for malicious purposes. Security teams must now distinguish authorized administrative use of Cloudflared from active threats hiding inside normal-looking traffic, which means inventorying which Cloudflare accounts are sanctioned and treating any tunnel outside that set as suspect.