Researchers discover widespread abuse of free popular VPN alternative for malware delivery
Watch out for this malware
New research has disclosed an alarming increase in the abuse of TryCloudflare Tunnels for financially-motivated malware delivery.
Initial observations of the attacks in February 2024 by cybersecurity firm Proofpoint were followed by an increase in cases, signifying an emerging trend.
The primary payload observed in these campaigns is XWorm, a notorious remote access trojan (RAT), but AsyncRAT, VenomRAT, GuLoader and Remcos have also been observed.
TryCloudflare Tunnels hijacked
Threat actors are leveraging temporary Cloudflare instances to execute attacks using helper scripts, which Proofpoint says is complicating traditional security measures by making it challenging to both detect and prevent the threats.
Proofpoint tracking revealed cybercriminals are exploiting the TryCloudflare feature to establish one-time tunnels, acting similarly to VPNs or SSH protocols. Typically, attacks involve messages containing URLs or attachments leading to an internet shortcut file.
Unknowing victims clicking on the link will connect to an external file share and download an LNK or VBS file, which executes a BAT or CMD file. The malicious files ultimately download a Python installer package and scripts that install the malware.
Recently, more than 1,500 messages were seen to have targeted a range of sectors, including finance, manufacturing and technology.
The attacks have not been attributed to a specific threat actor, and research is ongoing.
The company also offered some guidance as to how businesses can prevent these types of attacks. By restricting Python usage where unnecessary and safeguarding against external file-sharing services, Proofpoint says that organizations stand a much better chance of avoiding the malware.
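One way to triage the internet shortcut files at the start of the delivery chain described above, as an added example that is not code from Proofpoint or from this article. It assumes TryCloudflare tunnels are served from subdomains of `trycloudflare.com`; the function names and the sample shortcut contents are constructed for illustration.

```python
from urllib.parse import urlparse

# Assumption: TryCloudflare tunnels are served from subdomains of this domain.
TUNNEL_SUFFIX = ".trycloudflare.com"
# File types the article names as the next stages after the shortcut.
STAGE_EXTENSIONS = (".lnk", ".vbs", ".bat", ".cmd")

def shortcut_target(text):
    """Return the URL= value of the [InternetShortcut] section, or None."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
        elif in_section and line.lower().startswith("url="):
            return line[4:].strip()
    return None

def triage(text):
    """Return the reasons a .url file deserves a closer look (empty if none)."""
    target = shortcut_target(text)
    if target is None:
        return []
    # Rewrite a UNC path (\\host\share\file) as file://host/share/file.
    if target.startswith("\\\\"):
        target = "file://" + target[2:].replace("\\", "/")
    parsed = urlparse(target)
    if parsed.scheme == "file":
        # Windows WebDAV paths may carry "@SSL" or "@port" after the host name.
        host = parsed.netloc.split("@")[0].lower()
    else:
        host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme == "file" and host:
        reasons.append("remote-file-share")
    if host.endswith(TUNNEL_SUFFIX):
        reasons.append("trycloudflare-host")
    if parsed.path.lower().endswith(STAGE_EXTENSIONS):
        reasons.append("script-or-shortcut-target")
    return reasons

# Constructed samples, not taken from any real campaign.
SUSPICIOUS = "[InternetShortcut]\nURL=file://constructed-name.trycloudflare.com@SSL/share/invoice.lnk\n"
UNC = "[InternetShortcut]\r\nURL=\\\\constructed-name.trycloudflare.com\\share\\run.vbs\r\n"
BENIGN = "[InternetShortcut]\nURL=https://www.example.org/docs/index.html\n"

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("unc", UNC), ("benign", BENIGN)):
        print(name, triage(sample))
```

A mail gateway or endpoint script can run `triage()` over the contents of each `.url` attachment and quarantine any file that returns a non-empty list.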
With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!