Cyber Espionage Campaign Targets Malaysian Organizations via Cloudflare Storage

Severity: High (Score: 72.5)

Sources: Cybersecuritynews, Gbhackers

Published: 2026-05-19 · Updated: 2026-05-20

Keywords: attackers, cloudflare, storage, exfiltrate, files, compromised, networks

Severity indicators: rat

Summary

A sophisticated cyber espionage campaign has been uncovered, targeting multiple Malaysian government organizations. Attackers exploited a Cloudflare-hosted storage endpoint to exfiltrate sensitive files from compromised networks. The operation utilized an Azure virtual machine (IP: 20.17.161.118) to orchestrate attacks, employing custom tools for stealthy data extraction. The campaign's structured attack chain indicates a high level of planning and execution. Security researchers have confirmed that the attackers were able to pull files without triggering alarms, raising concerns about the effectiveness of current security measures. The full scope of the data stolen is still being assessed, but the operation has significant implications for national security. Current status indicates ongoing investigations by cybersecurity teams to mitigate the threat.

Key Points:

  • Attackers exploited Cloudflare storage to exfiltrate data from Malaysian networks.
  • An Azure virtual machine was central to orchestrating the cyber espionage campaign.
  • The operation targeted multiple government-linked organizations, indicating a high level of planning.

Detailed Analysis

**Impact** Multiple Malaysian organizations, including government-linked networks, are affected by this cyber espionage campaign. The operation involves exfiltration of sensitive network files, potentially compromising confidential government data and operational security. The scope includes several targeted entities within Malaysia’s public sector, with unknown total data volume stolen.

**Technical Details** The attackers used a sophisticated attack chain involving custom tools and cloud infrastructure, specifically leveraging an Azure virtual machine (IP: 20.17.161.118) to coordinate the campaign. Data exfiltration was conducted via a Cloudflare-hosted storage endpoint, allowing stolen files to be extracted stealthily from compromised networks. No CVEs or specific malware names were disclosed in the reports.

**Recommended Response** Prioritize monitoring outbound traffic for unusual connections to Cloudflare storage endpoints and the identified Azure VM IP address (20.17.161.118). Implement network segmentation and restrict access to cloud storage services to limit data exfiltration paths. Deploy detection rules for custom tooling behaviors and review logs for anomalous file transfers. No patching guidance is available from the current information.
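One way to act on the outbound-monitoring recommendation, as an added example that is not taken from the source reports: a log sweep that flags any contact with 20.17.161.118 and sums upload volume to Cloudflare storage hostnames per internal source. The log format, the R2 hostname suffixes (the reports do not name the storage hostname) and the 50 MiB threshold are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict

IOC_IP = ipaddress.ip_address("20.17.161.118")  # Azure VM IP named in the reports
# Assumption: the reports do not name the storage hostname; these are the
# public Cloudflare R2 suffixes. Replace them with what your proxy logs show.
STORAGE_SUFFIXES = (".r2.cloudflarestorage.com", ".r2.dev")
UPLOAD_THRESHOLD = 50 * 1024 * 1024  # assumed alert threshold: bytes sent per source/host

# Constructed sample lines: timestamp src_ip method dest_host dest_ip bytes_sent
SAMPLE_LOG = """\
2026-05-18T02:11:04Z 10.1.4.22 PUT acct0000.r2.cloudflarestorage.com 198.51.100.10 41943040
2026-05-18T02:12:40Z 10.1.4.22 PUT acct0000.r2.cloudflarestorage.com 198.51.100.10 20971520
2026-05-18T02:13:02Z 10.1.7.9 GET pub-static.r2.dev 198.51.100.11 1024
2026-05-18T02:14:30Z 10.1.4.22 POST 20.17.161.118 20.17.161.118 512
2026-05-18T02:15:00Z 10.1.9.3 PUT pub-backup.r2.dev 198.51.100.12 1048576
truncated line without enough fields
"""

def analyze(log_text, threshold=UPLOAD_THRESHOLD):
    """Return (ioc_hits, heavy_uploads) for whitespace-delimited proxy log text."""
    ioc_hits, uploaded = [], defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than abort the run
        ts, src, method, host, dest_ip, sent = parts
        try:
            dest, sent = ipaddress.ip_address(dest_ip), int(sent)
        except ValueError:
            continue
        if dest == IOC_IP:
            ioc_hits.append((ts, src))  # any contact with the IP is worth triage
        host = host.lower().rstrip(".")
        if method in ("PUT", "POST") and host.endswith(STORAGE_SUFFIXES):
            uploaded[(src, host)] += sent  # sum upload volume per source and bucket host
    heavy = {k: v for k, v in uploaded.items() if v >= threshold}
    return ioc_hits, heavy

if __name__ == "__main__":
    hits, heavy = analyze(SAMPLE_LOG)
    for ts, src in hits:
        print(f"IOC contact: {src} -> {IOC_IP} at {ts}")
    for (src, host), total in heavy.items():
        print(f"Large upload: {src} -> {host} ({total} bytes)")
```

Summing per source and host catches an upload split across several requests that each stay under the threshold on their own.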

Source articles (2)

  • Attackers Use Cloudflare Storage Endpoint to Exfiltrate Files From Compromised Networks — Cybersecuritynews · 2026-05-19
    Attackers have found a new way to quietly steal data from compromised networks, and this time, they are hiding behind a familiar face. Security researchers have uncovered a targeted intrusion campaign…
  • Hackers Abuse Cloudflare Storage to Exfiltrate Network Files — Gbhackers · 2026-05-18
    A sophisticated cyber espionage campaign targeting multiple Malaysian organizations has been uncovered, revealing a highly structured attack chain that blends custom tooling, cloud infrastructure, and…

Timeline

  • 2026-05-18 — Cyber espionage campaign uncovered: Security researchers revealed a targeted intrusion campaign affecting Malaysian government organizations via Cloudflare storage.
  • 2026-05-19 — Details of attack methods disclosed: Researchers confirmed the use of an Azure VM and Cloudflare storage for stealthy data exfiltration.

Related entities

  • Data Breach (Attack Type)
  • Government (Industry)
  • 20.17.161.118 (IPv4)
  • T1567.002 - Exfiltration to Cloud Storage (MITRE ATT&CK)
  • Azure (Company)
  • Cloudflare (Company)