Threat actor abuses Cloudflare tunnels to deliver remote access trojans

Abuse of Cloudflare Tunnels / TryCloudflare

  • Core issue: attackers use Cloudflare’s tunnel service (especially anonymous trycloudflare.com) to hide malicious infrastructure and deliver RATs and other malware.
  • Tunnels obscure the real destination from users and corporate security controls: the tunnel client connects outbound to Cloudflare’s edge and the public hostname resolves to Cloudflare’s shared IP space, so victims and perimeter devices see only ordinary HTTPS to Cloudflare, while the attacker needs no inbound port, public IP, or certificate of their own.
  • Commenters note this pattern is common for “free quick tunnel” products; similar services (e.g., ngrok) tightened sign-up due to abuse.
  • Some see this as “inevitable” misuse of frictionless encrypted tunnels, not newsworthy in itself.

Cloudflare’s Abuse Handling and Moderation

  • Many comments claim Cloudflare routinely ignores or mishandles abuse reports, calling it a de facto “bulletproof” provider for DDoS-for-hire, phishing, and malware.
  • Others report mixed experiences: tedious but ultimately effective takedowns for some Cloudflare-hosted content, while other providers (e.g., certain VPS/registrars) allegedly behave worse.
  • Several note Cloudflare forwards abuse reports (with reporter details) to the customer and typically acts only under clear legal mandate, which some praise as due-process–oriented and others criticize as shirking responsibility.

Responsibility vs “Dumb Pipe” / KYC Debate

  • One camp: service providers have a duty to prevent their infrastructure becoming a safe haven for criminals, including proactive scanning, easier reporting, and acting on clear abuse.
  • Opposing camp: Cloudflare should behave like a “dumb pipe” (phone/electricity/ISP analogy), act only on court orders, and not broadly police content; over-moderation risks abuse and censorship.
  • KYC is proposed by some as necessary to keep repeat DDoS / malware operators out; others argue this would harm privacy, raise barriers to entry, and “optimize for corner cases.”

Mitigations: Blocking and Endpoint/OS Defenses

  • Practical advice: organizations can block *.trycloudflare.com, similar to blocking URL shorteners, shady TLDs, or Tor/VPN ranges; impact is often acceptable on corporate networks. The block has to sit where the name is actually visible (the enterprise resolver, a forward proxy, or TLS SNI inspection), since an endpoint resolving over DoH to a third-party resolver never consults the internal blocklist.
  • Others push back that Cloudflare is too ubiquitous to block wholesale without breaking large parts of the web.
  • Several argue network- and domain-based controls are “duct tape”; real fixes should be at OS/endpoint level (e.g., blocking arbitrary EXEs, .LNK/.VBS execution, better interaction design).
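The suffix block and the resolver-log check described above, as an added example (not code from the original discussion or from Cloudflare). The log line format, client addresses, and tunnel hostnames are constructed for illustration; the ngrok-free.app suffix is an assumption added because the thread cites ngrok as a comparable service, and the emitted Unbound directives are one resolver's syntax, chosen here as an example of enforcing the block.

```python
"""Flag quick-tunnel hostnames in resolver query logs and emit block rules.

Added example, not from the original page. The log format and all sample
hostnames/addresses below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Hostname suffixes used by free "quick tunnel" services. trycloudflare.com
# is the one named in the discussion; ngrok-free.app is an assumption
# included because ngrok is cited as a similar product.
QUICK_TUNNEL_SUFFIXES = ("trycloudflare.com", "ngrok-free.app")


def normalize_host(host: str) -> str:
    # Lowercase and drop a trailing dot so "X.TRYCLOUDFLARE.COM." still matches.
    return host.strip().lower().rstrip(".")


def is_quick_tunnel_host(host: str, suffixes=QUICK_TUNNEL_SUFFIXES) -> bool:
    """Suffix match on a label boundary, not a substring match.

    "a.trycloudflare.com" and the apex "trycloudflare.com" match;
    "nottrycloudflare.com" and "trycloudflare.com.attacker.invalid" do not.
    """
    h = normalize_host(host)
    for suffix in suffixes:
        s = normalize_host(suffix)
        if h == s or h.endswith("." + s):
            return True
    return False


@dataclass
class Hit:
    ts: str
    client: str
    qname: str


# Constructed query-log format: "<timestamp> <client-ip> query <qtype> <qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def scan_dns_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per query record whose name is a quick-tunnel host."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a query record; skip silently
        if is_quick_tunnel_host(m["qname"]):
            hits.append(Hit(m["ts"], m["client"], normalize_host(m["qname"])))
    return hits


def unbound_block_rules(suffixes=QUICK_TUNNEL_SUFFIXES) -> List[str]:
    # Unbound local-zone directives; always_nxdomain covers every subdomain.
    return [f'local-zone: "{normalize_host(s)}." always_nxdomain' for s in suffixes]


# Constructed sample log: one benign lookup, one tunnel subdomain, the apex
# in upper case with a trailing dot, and two look-alikes that must not match.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 query A www.example.com
2024-05-01T10:00:02Z 10.0.0.12 query A quiet-olive-tunnel.trycloudflare.com
2024-05-01T10:00:03Z 10.0.0.40 query AAAA TRYCLOUDFLARE.COM.
2024-05-01T10:00:04Z 10.0.0.40 query A trycloudflare.com.attacker.invalid
2024-05-01T10:00:05Z 10.0.0.51 query A nottrycloudflare.com
this line is not a query record
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} {hit.client} -> {hit.qname}")
    print("\n".join(unbound_block_rules()))
```

The label-boundary match matters: a naive `"trycloudflare.com" in qname` check would both miss nothing and, worse, flag unrelated names such as `trycloudflare.com.attacker.invalid` while a naive `endswith("trycloudflare.com")` would flag `nottrycloudflare.com`. As noted above, this only sees queries that reach the enterprise resolver; hosts using DoH need the same check applied at the proxy or on the endpoint.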

Shifting Threat Model and Infrastructure

  • Commenters observe that attackers now preferentially use mainstream infra (Cloudflare, AWS, GCP, etc.) and commercial VPNs rather than “sketchy” hosts or bare IPs.
  • DoH/DoT take DNS queries out of the enterprise resolver’s view, and TLS to shared CDN address space makes IP/domain reputation less useful; some welcome this as pushing security away from brittle perimeter filtering toward hardening software and endpoints.
  • Others worry it will justify heavier identity requirements (KYC-style internet) and more centralized control.