Attackers have found a new way to quietly steal data from compromised networks, and this time, they are hiding behind a familiar face.
Security researchers have uncovered a targeted intrusion campaign that used a Cloudflare-hosted storage endpoint to pull stolen files out of breached systems without raising alarms.
The operation targeted multiple Malaysian government organizations and at least one private sector company, showing planning that goes well beyond what most opportunistic hackers typically demonstrate.
What makes this campaign stand out is the sophistication behind it. The attacker did not rely on off-the-shelf tools.
Instead, they built custom Python scripts tailored to each individual target, with each tool designed for a specific task inside the compromised environment.
That kind of groundwork takes real skill and points to a threat actor who takes operational discipline seriously.
Analysts from OASIS Security said in a report shared with Cyber Security News (CSN) that the attacker-controlled infrastructure is hosted on a Microsoft Azure virtual machine in the Malaysia West region.
The discovery gave researchers a clear window into how the attacker operated, because the infrastructure contained a large collection of attack tools that had not yet been cleaned up.
The campaign involved several moving parts, from database access and internal network mapping to live webshell deployment and credential theft.
What tied it all together was the attacker’s use of a Cloudflare storage endpoint as the final destination for stolen files, designed to blend outbound traffic with normal cloud activity and evade network monitoring.
The impact has been significant. Domain controller credentials were confirmed stolen, active webshells were found on at least one government server, and a chained exploit targeting a mobile network operator’s customer verification platform was also identified.
These findings paint a picture of a well-resourced actor working methodically across multiple targets at once.
Attackers Use Cloudflare Storage Endpoint
One of the more inventive parts of this campaign was how the attacker moved stolen data out of compromised networks.
A Python script named gen_photo_upload.py was built specifically to upload exfiltrated files to an external Cloudflare-hosted storage endpoint under attacker control.
Since Cloudflare is widely trusted, traffic heading toward it rarely triggers the same suspicion that connections to unfamiliar servers might.
This technique is often called “living off trusted services,” and it is growing more common among advanced threat actors.
By routing stolen data through a legitimate cloud provider, the attacker made outbound exfiltration look like routine web activity.
For organizations that do not inspect outbound traffic to trusted domains closely, this channel can go undetected for a long time.
The script was part of a broader modular toolkit; the screenshot below captures its file transfer logic, which targets the attacker-controlled Cloudflare endpoint.
gen_photo_upload.py — exfiltrated file transfer to attacker-controlled Cloudflare storage (Source – OASIS Security)
Each script in the collection served a specific role, forming a structured pipeline from initial access all the way through to data theft.
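Defenders cannot simply block a trusted cloud provider, but they can baseline which internal hosts upload to cloud-storage hosts and alert on new, high-volume upload channels. The following is an added example and not code from the OASIS report; the proxy log layout, the storage hostname patterns (Cloudflare R2, S3, Azure Blob) and the 10 MiB threshold are assumptions to adapt to your own environment.

```python
"""Flag new, high-volume upload channels to trusted cloud-storage hosts.

Added example (not from the OASIS report). Proxy log layout, hostname
patterns and thresholds are assumptions; tune them to your own proxy format.
"""
import re
from collections import defaultdict

# Constructed sample proxy logs: "timestamp src_host method dest_host bytes_out".
BASELINE = """
2024-05-01T09:00:00 ws-finance-01 GET  cdn.example-assets.com 1200
2024-05-01T09:05:00 ws-finance-01 POST mail.example.com 5400
2024-05-01T09:10:00 srv-db-02 GET  updates.example.com 80000
""".strip().splitlines()

CURRENT = """
2024-05-02T02:13:00 srv-db-02 PUT  photos.abcd1234.r2.cloudflarestorage.com 52428800
2024-05-02T02:14:00 srv-db-02 PUT  photos.abcd1234.r2.cloudflarestorage.com 48000000
2024-05-02T09:00:00 ws-finance-01 POST mail.example.com 6100
""".strip().splitlines()

# Trusted storage services an attacker can hide behind (assumed hostname suffixes).
TRUSTED_STORAGE = re.compile(
    r"\.(r2\.cloudflarestorage\.com|s3\.amazonaws\.com|blob\.core\.windows\.net)$")
UPLOAD_METHODS = {"PUT", "POST"}
MIN_BYTES = 10 * 1024 * 1024  # assumed: 10 MiB per host/destination is worth a look


def upload_bytes(lines):
    """Sum upload bytes per (src_host, dest_host) for trusted storage destinations."""
    totals = defaultdict(int)
    for line in lines:
        _ts, src, method, dest, nbytes = line.split()
        if method in UPLOAD_METHODS and TRUSTED_STORAGE.search(dest):
            totals[(src, dest)] += int(nbytes)
    return totals


def find_new_upload_channels(baseline_lines, current_lines, min_bytes=MIN_BYTES):
    """Return (src, dest, bytes) for host/destination pairs absent from the baseline."""
    seen = set(upload_bytes(baseline_lines))
    alerts = []
    for (src, dest), total in upload_bytes(current_lines).items():
        if (src, dest) not in seen and total >= min_bytes:
            alerts.append((src, dest, total))
    return alerts


if __name__ == "__main__":
    for src, dest, total in find_new_upload_channels(BASELINE, CURRENT):
        print(f"ALERT {src} uploaded {total} bytes to {dest} (no baseline)")
```

In the constructed data the database server's overnight uploads to an R2 bucket stand out precisely because that server never uploaded to any storage host before, regardless of how reputable the destination is.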
Custom C2 Tools and Credential Theft
Perhaps the most alarming finding was the discovery of previously unpublished source code for both a C# beacon generator and a Python-based command and control controller.
The beacon, beacon.cs, and the controller, listener_http.py, are not based on any publicly available framework, placing this actor well beyond the profile of typical commodity attackers.
The beacon communicates with the listener to form a private command channel between the attacker and any compromised hosts. Its presence on attacker infrastructure suggests it has been used in multiple operations.
A self-developed framework like this takes significant expertise and resources to build and sustain.
On the credential side, the attacker extracted Windows registry hive files from at least one domain controller, including the SAM, SECURITY, and SYSTEM files.
An NTDS dump confirmed that Active Directory password hashes were also taken. With those credentials, the attacker holds the potential for persistent access across the entire affected network.
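Exporting the SAM, SECURITY and SYSTEM hives and pulling an NTDS dump leaves process-creation telemetry on the domain controller. The following is an added example, not code from the report: it runs well-known hive-export and NTDS-export command-line patterns over constructed Windows 4688-style records and flags the case where all three hives were taken from one host. Field names and the sample records are assumptions.

```python
"""Detect registry hive export and NTDS export activity in process-creation logs.

Added example (not from the OASIS report). Records are constructed; adapt the
field names and patterns to your own log pipeline (e.g. Sysmon/4688 feeds).
"""
import re

# Constructed sample process-creation records (not real telemetry).
EVENTS = [
    {"host": "DC01", "user": "CORP\\svc-backup", "cmd": r"reg save hklm\sam C:\Windows\Temp\j_dc_SAM"},
    {"host": "DC01", "user": "CORP\\svc-backup", "cmd": r"reg save hklm\security C:\Windows\Temp\j_dc_SECURITY"},
    {"host": "DC01", "user": "CORP\\svc-backup", "cmd": r"reg save hklm\system C:\Windows\Temp\j_dc_SYSTEM"},
    {"host": "DC01", "user": "CORP\\svc-backup", "cmd": r'ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\dump" q q'},
    {"host": "WS07", "user": "CORP\\alice", "cmd": r"reg query hklm\software\microsoft\windows\currentversion\run"},
    {"host": "DC01", "user": "CORP\\admin", "cmd": r"vssadmin create shadow /for=C:"},
]

HIVE_SAVE = re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)
RULES = [
    ("registry hive export", HIVE_SAVE),
    ("NTDS export via ntdsutil IFM", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("shadow copy creation (possible offline hive/NTDS access)",
     re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
]


def classify(cmd):
    """Return the names of all rules matching one command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(events):
    """Return (host, user, rule) for every matching record."""
    return [(ev["host"], ev["user"], name) for ev in events for name in classify(ev["cmd"])]


def hive_set_complete(events, host):
    """True when SAM, SECURITY and SYSTEM were all exported on one host.

    Together the three hives let an attacker recover local account hashes and
    LSA secrets offline, so this combination deserves a higher severity.
    """
    hives = {m.group(2).lower() for ev in events if ev["host"] == host
             for m in [HIVE_SAVE.search(ev["cmd"])] if m}
    return hives == {"sam", "security", "system"}


if __name__ == "__main__":
    for host, user, rule in detect(EVENTS):
        print(f"{host} {user}: {rule}")
    print("full hive set on DC01:", hive_set_complete(EVENTS, "DC01"))
```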
The affected organizations should immediately remove active webshells, reset all domain-level passwords, and review attacker-left artifacts carefully to cut off any continued or future access.
Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| IP Address | 20.17.161.118 | Attacker-controlled Microsoft Azure VM in Malaysia West region (AS8075) used as C2 and staging infrastructure |
| File Name | gen_photo_upload.py | Python script used to exfiltrate files to attacker-controlled Cloudflare storage endpoint |
| File Name | analyze_[REDACTED].py | Python script with embedded MSSQL credentials used to execute SQL queries against target internal server |
| File Name | asset_owner_check.py | Python script for inspecting and staging asset ownership datasets via WinRM for collection |
| File Name | check_cophoto.py | Python script for MSSQL-based photo record enumeration and column type validation |
| File Name | deploy.py | Python script containing external RPC endpoint configuration for remote command execution |
| File Name | shell21.py | Python script used to upload PHP webshell (health.php) to a Malaysian government portal |
| File Name | health.php | PHP webshell confirmed active on target government server at time of analysis |
| File Name | laravel_rce.php | PHP exploit script implementing a five-chain Laravel deserialization RCE attack |
| File Name | beacon.cs | Source code for a previously undisclosed C# malware beacon generator |
| File Name | listener_http.py | Source code for a previously undisclosed Python-based HTTP C2 controller |
| File Name | h[REDACTED]_targeted.txt | Text file containing 126 target passwords used in attack operations |
| File Name | j[REDACTED]_dc_SAM | Exfiltrated Windows registry SAM hive file from domain controller |
| File Name | j[REDACTED]_dc_SECURITY | Exfiltrated Windows registry SECURITY hive file from domain controller |
| File Name | j[REDACTED]_dc_SYSTEM | Exfiltrated Windows registry SYSTEM hive file from domain controller |
| File Name | j[REDACTED]_dc_dump.ntds | NTDS dump output file confirming extraction of Active Directory credential hashes |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Attackers Use Cloudflare Storage Endpoint to Exfiltrate Files From Compromised Networks appeared first on Cyber Security News.