March 25, 2026
The Unintentional Enabler: How Cloudflare Services are Abused for Credential Theft and Malware Distribution
The blog explains how threat actors increasingly abuse legitimate Cloudflare services like Workers and Tunnels to host phishing pages, distribute malware, and evade traditional security defenses by leveraging Cloudflare’s trusted infrastructure. It details how attackers use these tools to create convincing credential-harvesting sites and covert malware delivery mechanisms, including RAT deployment through obfuscated connections and WebDAV-based techniques.