Threat Actor Abuses Cloudflare Tunnels to Deliver RATs
released on 2024-08-01 @ 10:54:49 AM
Proofpoint is tracking a cluster of cybercriminal threat activity leveraging Cloudflare Tunnels to deliver malware, particularly remote access trojans (RATs) like Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos. The campaigns employ various techniques, such as using URL files to establish connections and download malicious components like LNK, VBS, BAT, CMD, and Python scripts leading to malware installation. While the tactics remain consistent, the threat actor modifies parts of the attack chain to enhance sophistication and evade defenses. The use of Cloudflare Tunnels provides a flexible and low-cost method for staging attacks, making detection and takedown efforts more challenging.
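A defender-side triage check for the URL-file stage described above, as an added example that is not from Proofpoint or the original page: it parses the contents of Windows internet shortcut (.url) files and flags targets that point at a tunnel host, a remote file location, or one of the listed script types. The trycloudflare.com suffix, the finding names and the sample files are assumptions constructed for illustration.

```python
import configparser
from urllib.parse import urlparse

# Assumption (not on the page): quick tunnels use subdomains of trycloudflare.com.
TUNNEL_SUFFIX = ".trycloudflare.com"
# Follow-on component types named in the summary above.
STAGE_EXTS = (".lnk", ".vbs", ".bat", ".cmd", ".py")

def shortcut_target(text):
    """Return the URL= value from an [InternetShortcut] section, or None."""
    # RawConfigParser keeps '%' in URLs literal; option names are lowercased.
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp.get(section, "url", fallback=None)
    return None

def triage(text):
    """Return a list of findings for the contents of one .url file."""
    target = shortcut_target(text)
    if not target:
        return []
    norm = target.replace("\\", "/")
    if norm.startswith("//"):  # UNC path: treat like file://host/...
        norm = "file:" + norm
    parsed = urlparse(norm)
    findings = []
    # Split on '@' and ':' so user@host and host:port forms both match.
    labels = parsed.netloc.lower().replace(":", "@").split("@")
    if any(p.endswith(TUNNEL_SUFFIX) for p in labels):
        findings.append("tunnel-host")
    if parsed.scheme == "file" and parsed.netloc:
        findings.append("remote-file-target")
    if parsed.path.lower().endswith(STAGE_EXTS):
        findings.append("stage-extension")
    return findings

# Constructed sample files (hostnames and paths are made up for this example).
SAMPLES = {
    "staged.url": "[InternetShortcut]\nURL=file://constructed-demo.trycloudflare.com/docs/invoice.lnk\nIconIndex=0\n",
    "unc.url": "[InternetShortcut]\nURL=\\\\constructed-demo.trycloudflare.com\\share\\report.vbs\n",
    "benign.url": "[InternetShortcut]\nURL=https://www.example.com/index.html\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(body))
```

A tunnel hostname alone is weak evidence, since the service has legitimate uses; the combination of a remote file target and a script or shortcut extension is the stronger signal.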