CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 19, 2026

Attackers Use Cloudflare Storage Endpoint to Exfiltrate Files From Compromised Networks

Cybersecurity News Archived May 19, 2026 ✓ Full text saved

Attackers have found a new way to quietly steal data from compromised networks, and this time, they are hiding behind a familiar face. Security researchers have uncovered a targeted intrusion campaign that used a Cloudflare-hosted storage endpoint to pull stolen files out of breached systems without raising alarms. The operation targeted multiple Malaysian government organizations […] The post Attackers Use Cloudflare Storage Endpoint to Exfiltrate Files From Compromised Networks appeared first

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Attackers Use Cloudflare Storage Endpoint to Exfiltrate Files From Compromised Networks By Tushar Subhra Dutta May 19, 2026 Attackers have found a new way to quietly steal data from compromised networks, and this time, they are hiding behind a familiar face. Security researchers have uncovered a targeted intrusion campaign that used a Cloudflare-hosted storage endpoint to pull stolen files out of breached systems without raising alarms. The operation targeted multiple Malaysian government organizations and at least one private sector company, showing planning that goes well beyond what most opportunistic hackers typically demonstrate. What makes this campaign stand out is the sophistication behind it. The attacker did not rely on off-the-shelf tools. Instead, they built custom Python scripts tailored to each individual target, with each tool designed for a specific task inside the compromised environment. That kind of groundwork takes real skill and points to a threat actor who takes operational discipline seriously. Analysts from OASIS Security said in a report shared with Cyber Security News (CSN) that the attacker-controlled infrastructure is hosted on a Microsoft Azure virtual machine in the Malaysia West region. The discovery gave researchers a clear window into how the attacker operated, because the infrastructure contained a large collection of attack tools that had not yet been cleaned up. The campaign involved several moving parts, from database access and internal network mapping to live webshell deployment and credential theft. What tied it all together was the attacker’s use of a Cloudflare storage endpoint as the final destination for stolen files, designed to blend outbound traffic with normal cloud activity and evade network monitoring. The impact has been significant. Domain controller credentials were confirmed stolen, active webshells were found on at least one government server, and a chained exploit targeting a mobile network operator’s customer verification platform was also identified. These findings paint a picture of a well-resourced actor working methodically across multiple targets at once. Attackers Use Cloudflare Storage Endpoint One of the more inventive parts of this campaign was how the attacker moved stolen data out of compromised networks. A Python script named gen_photo_upload.py was built specifically to upload exfiltrated files to an external Cloudflare-hosted storage endpoint under attacker control. Since the Cloudflare is widely trusted, traffic heading toward it rarely triggers the same suspicion that connections to unfamiliar servers might. This technique is often called “living off trusted services,” and it is growing more common among advanced threat actors. By routing stolen data through a legitimate cloud provider, the attacker made outbound exfiltration look like routine web activity. For organizations that do not inspect outbound traffic to trusted domains closely, this channel can go undetected for a long time. The script was part of a broader modular toolkit, which captures the file transfer logic targeting the attacker-controlled Cloudflare endpoint. gen_photo_upload.py — exfiltrated file transfer to attacker-controlled Cloudflare storage (Source – OASIS Security) Each script in the collection served a specific role, forming a structured pipeline from initial access all the way through to data theft. Custom C2 Tools and Credential Theft Perhaps the most alarming finding was the discovery of previously unpublished source code for both a C# beacon generator and a Python-based command and control controller. The beacon, beacon.cs, and the controller, listener_http.py, are not based on any publicly available framework, placing this actor well beyond the profile of typical commodity attackers. The beacon communicates with the listener to form a private command channel between the attacker and any compromised hosts. Its presence on attacker infrastructure suggests it has been used in multiple operations. A self-developed framework like this takes significant expertise and resources to build and sustain. On the credential side, the attacker extracted Windows registry hive files from at least one domain controller, including the SAM, SECURITY, and SYSTEM files. An NTDS dump confirmed that Active Directory password hashes were also taken. With those credentials, the attacker holds the potential for persistent access across the entire affected network. The affected organizations should immediately remove active webshells, reset all domain-level passwords, and review attacker-left artifacts carefully to cut off any continued or future access. Indicators of Compromise (IoCs):- Type Indicator Description IP Address 20.17.161.118 Attacker-controlled Microsoft Azure VM in Malaysia West region (AS8075) used as C2 and staging infrastructure File Name gen_photo_upload.py Python script used to exfiltrate files to attacker-controlled Cloudflare storage endpoint File Name analyze_[REDACTED].py Python script with embedded MSSQL credentials used to execute SQL queries against target internal server File Name asset_owner_check.py Python script for inspecting and staging asset ownership datasets via WinRM for collection File Name check_cophoto.py Python script for MSSQL-based photo record enumeration and column type validation File Name deploy.py Python script containing external RPC endpoint configuration for remote command execution File Name shell21.py Python script used to upload PHP webshell (health.php) to a Malaysian government portal File Name health.php PHP webshell confirmed active on target government server at time of analysis File Name laravel_rce.php PHP exploit script implementing a five-chain Laravel deserialization RCE attack File Name beacon.cs Source code for a previously undisclosed C# malware beacon generator File Name listener_http.py Source code for a previously undisclosed Python-based HTTP C2 controller File Name h[REDACTED]_targeted.txt Text file containing 126 target passwords used in attack operations File Name j[REDACTED]_dc_SAM Exfiltrated Windows registry SAM hive file from domain controller File Name j[REDACTED]_dc_SECURITY Exfiltrated Windows registry SECURITY hive file from domain controller File Name j[REDACTED]_dc_SYSTEM Exfiltrated Windows registry SYSTEM hive file from domain controller File Name j[REDACTED]_dc_dump.ntds NTDS dump output file confirming extraction of Active Directory credential hashes Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News First Public macOS Kernel Exploit on Apple M5 Prepared Using Mythos Preview in Five Days SAP Patches Critical SQL injection Vulnerability in SAP S/4HANA Malicious JPEG Images Could Trigger PHP Memory Safety Vulnerabilities Fast16 Malware Manipulated Nuclear Weapons Simulation Data to Sabotage Test Results The Gentlemen RaaS Leverages Fortinet and Cisco Edge Devices for Initial Access Latest News Cyber Security News Nx Console VS Code Extension Compromised to Steal Developer and Cloud Secrets Cyber Security News Microsoft to Retire Teams Together Mode to Enhance Performance Improvements Cyber Security News Critical Marimo Security Vulnerability Enables Remote Code Execution Attacks Cyber Security News Critical SEPPmail Gateway Flaws Allow Remote Code Execution and Mail Traffic Theft Cyber Security News Hackers Compromise @antv Packages in Mini Shai-Hulud npm Attack Wave
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 19, 2026
    Archived
    May 19, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗