Proofpoint has identified an increase in financially motivated malware delivery that abuses TryCloudflare Tunnels to deliver remote access trojans (RATs). The threat actors behind these campaigns have adjusted their tactics to bypass detection, primarily targeting organizations with tax-themed messages. Cloudflare gives the attackers temporary infrastructure, which makes the threat difficult for defenders to identify and block. Notably, the attackers deliver the malware via Python scripts that can run even on systems without Python pre-installed. Organizations that do not need Python should restrict its use. Although the attack requires the victim to interact several times before it succeeds, the attackers continually evolve their tactics to evade detection.
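Because TryCloudflare quick tunnels are served under the public trycloudflare.com domain, one practical detection is to flag outbound requests to such hostnames in proxy or DNS logs. The example below is added here and is not code from Proofpoint's post; the log format, client addresses and tunnel hostnames are constructed, and the only assumption is that the logs carry a destination hostname.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines: "timestamp client host path".
SAMPLE_LOG = """\
2024-07-30T09:12:01Z 10.0.0.15 docs.example.com /tax/form.pdf
2024-07-30T09:12:44Z 10.0.0.15 moving-shade-able-cliff.trycloudflare.com /update/install.py
2024-07-30T09:13:02Z 10.0.0.22 cdn.example.net /static/app.js
2024-07-30T09:13:30Z 10.0.0.15 moving-shade-able-cliff.trycloudflare.com /update/python.zip
2024-07-30T09:14:10Z 10.0.0.31 nottrycloudflare.com /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Quick tunnels are handed out as random subdomains of this domain.
TUNNEL_SUFFIX = ".trycloudflare.com"


def is_quick_tunnel_host(host):
    """True for any subdomain of trycloudflare.com, matched on a label boundary
    so that look-alikes such as nottrycloudflare.com are not flagged."""
    h = host.lower().rstrip(".")
    return h.endswith(TUNNEL_SUFFIX)


def find_tunnel_requests(log_text):
    """Group every request to a quick-tunnel host by client address.
    Returns {client: [(timestamp, host, path), ...]} for clients with hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, host, path = m.groups()
        if is_quick_tunnel_host(host):
            hits[client].append((ts, host, path))
    return dict(hits)


if __name__ == "__main__":
    for client, reqs in find_tunnel_requests(SAMPLE_LOG).items():
        print(client)
        for ts, host, path in reqs:
            print(f"  {ts} {host}{path}")
```

Matching on the domain alone is noisy where legitimate developers use quick tunnels, so triage the hits together with what was fetched (here, a script and an archive from the same host within a minute) rather than blocking on the first match.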
https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats