The Unintentional Enabler: How Cloudflare Services are Abused for Credential Theft and Malware Distribution
ID: 5d0ee297-1862-5de3-a3fb-265ca41d6c65
STIX ID: report--5d0ee297-1862-5de3-a3fb-265ca41d6c65
Feed Name: Cofense Blog
Cofense Intelligence describes a growing campaign trend in which attackers abuse Cloudflare services, especially Workers and TryCloudflare Tunnels, to host convincing adversary-in-the-middle (AiTM) and credential-phishing pages and to deliver malware (e.g., Xeno RAT, XWorm) via URL shortcuts, WSF/batch chains, and WebDAV. These tactics leverage Cloudflare's reputation, free tiers, and tunneling to evade secure email gateways (SEGs) and sandboxing, enabling fast campaign rotation, persistent remote access, and broad impact. The report includes examples, IOCs, and recommendations for intelligence-driven defenses.
