Russian hackers abuse Cloudflare tunneling service to drop GammaDrop malware

In a new campaign, a Russia-backed advanced persistent threat (APT) group is seen abusing Cloudflare tunnels to deliver its proprietary GammaLoad malware.

The threat actor, tracked as BlueAlpha, was observed by the cybersecurity research firm Insikt Group to be exploiting this legitimate tunneling service for infections aimed at data exfiltration, credential theft, and persistent access to compromised networks.

“BlueAlpha uses Cloudflare Tunnels to conceal its GammaDrop staging infrastructure, evading traditional network detection mechanisms,” researchers at Insikt said in a note. “The group delivers malware through HTML smuggling, leveraging sophisticated techniques to bypass email security systems.”
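The two techniques in that quote each leave something a defender can look for: an HTML-smuggling attachment carries the payload as a large base64 string plus the JavaScript that decodes it into a Blob and triggers a download, and a Cloudflare quick tunnel resolves to a randomly named subdomain of `trycloudflare.com`. The script below is an added example written for this article, not Insikt's detection logic and not code from the report; the indicator patterns, the DNS log format, the sample attachment and the hostnames are all constructed for illustration. The `trycloudflare.com` check only catches quick tunnels; a named tunnel served from an actor-controlled domain would not match and needs other telemetry (for example the `cloudflared` binary running on a host).

```python
import re

# --- HTML smuggling indicators (heuristic, constructed for this example) ---
SMUGGLING_INDICATORS = [
    r"\batob\s*\(",                 # base64 decode in the browser
    r"new\s+Blob\s*\(",             # in-memory file assembly
    r"URL\.createObjectURL\s*\(",   # turn the Blob into a downloadable URL
    r"\.download\s*=",              # forced download via anchor element
    r"msSaveOrOpenBlob",            # legacy IE/Edge download path
]
# A long run of base64 characters is the embedded payload itself.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def html_smuggling_score(html: str) -> list:
    """Return the list of indicators found in an HTML attachment body."""
    hits = [p for p in SMUGGLING_INDICATORS if re.search(p, html)]
    if BASE64_BLOB.search(html):
        hits.append("large_base64_blob")
    return hits


# --- Cloudflare quick-tunnel hostnames in DNS logs ---
# Quick tunnels are always served under trycloudflare.com; the suffix
# anchor ($) stops look-alike names such as trycloudflare.com.evil.example.
QUICK_TUNNEL = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)


def flag_tunnel_domains(dns_lines: list) -> list:
    """Return (client_ip, qname) for queries to *.trycloudflare.com.

    Assumed (constructed) log format: "<timestamp> <client_ip> <qname> <qtype>".
    """
    flagged = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client_ip, qname = parts[1], parts[2].rstrip(".")
        if QUICK_TUNNEL.search(qname):
            flagged.append((client_ip, qname))
    return flagged


# --- Constructed sample input (not a real attachment or real log) ---
FAKE_B64 = "UEsDBB" + "A" * 240          # stands in for an encoded archive
SAMPLE_ATTACHMENT = """<html><body>
<script>
var b64 = "__B64__";
var bin = atob(b64);
var blob = new Blob([bin], {type: 'application/octet-stream'});
var url = URL.createObjectURL(blob);
var a = document.createElement('a'); a.href = url; a.download = 'invoice.7z'; a.click();
</script></body></html>""".replace("__B64__", FAKE_B64)

SAMPLE_DNS = [
    "2024-12-05T10:01:02Z 10.0.0.12 alpha-beta-gamma-delta.trycloudflare.com A",
    "2024-12-05T10:01:05Z 10.0.0.12 www.example.com A",
    "2024-12-05T10:02:10Z 10.0.0.33 update.trycloudflare.com.evil.example AAAA",
]

if __name__ == "__main__":
    print("attachment indicators:", html_smuggling_score(SAMPLE_ATTACHMENT))
    print("quick-tunnel lookups:", flag_tunnel_domains(SAMPLE_DNS))
```

Each indicator on its own is common in benign pages, so treat the attachment score as a triage signal for mail-gateway or sandbox review rather than a block rule, and pair the DNS check with an allow-list if the organisation itself uses Cloudflare quick tunnels.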
