Threat Feed
medium advisory

Potential Protocol Tunneling via Cloudflared

Adversaries may abuse Cloudflare Tunnel (cloudflared) on Windows systems to proxy command and control traffic or exfiltrate data through Cloudflare's edge, evading direct connection blocking.

Cloudflare Tunnel (cloudflared) is a legitimate tool for exposing local services through Cloudflare's edge without opening inbound ports. Adversaries can abuse it to create quick or named tunnels for command and control, data exfiltration, or ingress tool transfer while evading direct connection blocking: the compromised host only ever makes outbound connections to Cloudflare, so the attacker's own infrastructure never appears in the victim's firewall or proxy logs. A quick tunnel (e.g. cloudflared.exe tunnel --url http://127.0.0.1:80) needs no Cloudflare account and is assigned a random *.trycloudflare.com hostname; a named tunnel is bound to a domain under the attacker's own Cloudflare account. This activity began to be tracked around March 2026. Defenders should watch for execution of cloudflared, especially from unusual locations or under an unexpected file name, to detect misuse of this tool.

Attack Chain

  1. An attacker gains initial access to a Windows system, for example through phishing or exploitation of a vulnerability.
  2. The attacker downloads the cloudflared.exe executable (possibly renamed) to the compromised system, typically staging it in a temporary or user-writable directory.
  3. The attacker runs cloudflared.exe with the tunnel command and arguments such as --url http://127.0.0.1:80 to create a quick tunnel. cloudflared opens an outbound connection to Cloudflare's edge, which assigns a random *.trycloudflare.com hostname and forwards requests for it to the local port.
  4. The attacker runs a local service, such as a reverse proxy or command and control listener, on the localhost port named in --url (here, 80).
  5. The attacker connects to the assigned hostname from outside; Cloudflare's edge relays the request down the encrypted tunnel to the local service. The compromised host needs no inbound port, and the attacker's IP address never reaches the victim's network, which only sees traffic to Cloudflare.
  6. The attacker proxies command and control traffic through the tunnel, communicating with the compromised system without exposing their own infrastructure.
  7. Alternatively, the attacker exfiltrates sensitive data through the tunnel, routing it through Cloudflare's edge network.
  8. The attacker maintains persistence with a scheduled task or an autorun registry key so that the tunnel is re-established after a reboot.

Impact

Successful abuse allows adversaries to proxy command and control traffic, exfiltrate data, or transfer tools inbound while evading direct connection blocking, because the only network activity visible from the victim's side is an outbound connection to Cloudflare. This can lead to data breaches, system compromise, and prolonged unauthorized access. The total number of victims is unknown; any organization running Windows systems that can download and execute unmanaged binaries is exposed.

Recommendation

  • Monitor process creation events for execution of cloudflared.exe with the tunnel argument to identify potential misuse of Cloudflare Tunnel (see rule: “Potential Protocol Tunneling via Cloudflared”). Match on the binary's OriginalFileName as well as its on-disk name, since a renamed copy still carries the original PE name.
  • Correlate network connection logs with process execution events to identify outbound connections from cloudflared.exe to Cloudflare's tunnel edge (cloudflared dials *.argotunnel.com on TCP/UDP 7844), as well as any trycloudflare.com hostnames seen elsewhere in the environment.
  • Implement a process allowlist that restricts execution of cloudflared.exe to authorized locations (e.g., C:\Program Files\Cloudflare\) and treat execution from temporary or user-writable paths as high priority.
  • Monitor Windows Security Event Logs for suspicious logons or execution in the same user context as cloudflared.exe processes.
  • Block the domain trycloudflare.com at the DNS resolver to stop internal clients from reaching attacker-controlled quick tunnels (see IOCs). Note that this does not stop a tunnel running on a compromised host: cloudflared itself never resolves trycloudflare.com, only the tunnel edge endpoints, and named tunnels use a domain of the attacker's choosing, so the block complements the process-level controls above rather than replacing them.
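The detection logic sketched in the recommendations above, as an added example that is not part of this advisory or of the vendor's rule set: it scores constructed Sysmon-style events (event ID 1 = process creation, 3 = network connection) for the tunnel argument, an unexpected install path, a renamed binary, and a correlated connection to the tunnel edge. The Event dataclass, the sample events, and the severity labels are assumptions for illustration; the Sysmon field names they flatten (Image, CommandLine, OriginalFileName, Signature, DestinationHostname) are real.

```python
from dataclasses import dataclass

# Locations where an authorised cloudflared install is expected (the page's allowlist).
ALLOWED_DIRS = ("c:\\program files\\cloudflare\\",)
# cloudflared dials Cloudflare's tunnel edge on TCP/UDP 7844; the trycloudflare.com
# hostname is only what *clients* of the tunnel resolve, not the compromised host.
EDGE_SUFFIX = ".argotunnel.com"
EDGE_PORT = 7844


@dataclass
class Event:
    """Flattened Sysmon event (assumed shape for this example)."""
    event_id: int            # 1 = process creation, 3 = network connection
    pid: int
    image: str               # Sysmon Image
    command_line: str = ""   # Sysmon CommandLine
    original_file_name: str = ""  # Sysmon OriginalFileName (PE version resource)
    signer: str = ""         # Sysmon Signature
    dest_host: str = ""      # Sysmon DestinationHostname
    dest_port: int = 0       # Sysmon DestinationPort


def is_cloudflared(ev: Event) -> bool:
    """Match on the on-disk name or the PE OriginalFileName, so a renamed copy is still caught."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    return name == "cloudflared.exe" or ev.original_file_name.lower() == "cloudflared.exe"


def tunnel_mode(ev: Event):
    """Return 'quick', 'named', 'unknown' or None depending on the tunnel arguments."""
    argv = ev.command_line.lower().split()
    if "tunnel" not in argv:
        return None
    # 'tunnel run <name>' or 'tunnel --token ...' is a named tunnel bound to an account;
    # 'tunnel --url ...' with neither is a quick tunnel with a random *.trycloudflare.com name.
    if "run" in argv or "--token" in argv:
        return "named"
    if "--url" in argv:
        return "quick"
    return "unknown"


def in_allowed_dir(image: str) -> bool:
    return any(image.lower().startswith(d) for d in ALLOWED_DIRS)


def analyze(events):
    """Return {pid: finding} for every cloudflared process, scored by the reasons found."""
    findings = {}
    for ev in events:
        if ev.event_id != 1 or not is_cloudflared(ev):
            continue
        f = {"pid": ev.pid, "image": ev.image, "severity": "low",
             "reasons": [], "edge_connections": []}
        if ev.signer == "Cloudflare, Inc.":
            f["reasons"].append("cloudflared_code_signature")       # low-severity rule
        mode = tunnel_mode(ev)
        if mode:
            f["severity"] = "medium"
            f["reasons"].append(f"tunnel_execution:{mode}")          # medium-severity rule
            if not in_allowed_dir(ev.image):
                f["severity"] = "high"
                f["reasons"].append("outside_allowlisted_path")
            if not ev.image.lower().endswith("\\cloudflared.exe"):
                f["severity"] = "high"
                f["reasons"].append("renamed_binary")
        if f["reasons"]:
            findings[ev.pid] = f
    # Second pass: correlate network connections from the same PID with the tunnel edge.
    for ev in events:
        if (ev.event_id == 3 and ev.pid in findings
                and ev.dest_host.lower().endswith(EDGE_SUFFIX) and ev.dest_port == EDGE_PORT):
            findings[ev.pid]["edge_connections"].append(f"{ev.dest_host}:{ev.dest_port}")
    return findings


# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    # Authorised install running a named tunnel: fires the medium rule only.
    Event(1, 100, "C:\\Program Files\\Cloudflare\\cloudflared.exe",
          "cloudflared.exe tunnel run corp-tunnel", "cloudflared.exe", "Cloudflare, Inc."),
    # Renamed copy staged in a user-writable path, quick tunnel to local port 80.
    Event(1, 200, "C:\\Users\\Public\\svchost.exe",
          "svchost.exe tunnel --url http://127.0.0.1:80", "cloudflared.exe", "Cloudflare, Inc."),
    Event(3, 200, "C:\\Users\\Public\\svchost.exe",
          dest_host="region1.v2.argotunnel.com", dest_port=7844),
    # Unrelated process: produces no finding.
    Event(1, 300, "C:\\Windows\\System32\\notepad.exe", "notepad.exe", "NOTEPAD.EXE", "Microsoft Windows"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS).values():
        print(finding)
```

The authorised install still produces a medium finding, which is intended: the tunnel rule is a triage signal, and the allowlist path and signer checks are what separate the corporate tunnel from the staged copy. The renamed binary in the second event would be missed by a rule that matched only on the Image name, which is why OriginalFileName is checked as well.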

Detection coverage (2 rules)

Cloudflared Tunnel Execution

medium

Detects the execution of Cloudflare Tunnel (cloudflared.exe) with the 'tunnel' argument, indicating potential protocol tunneling.

Sigma rule. Tactic: command_and_control. Technique: T1572 (Protocol Tunneling). Log source: process_creation (windows).

Cloudflared Process Code Signature

low

Detects cloudflared process with a Cloudflare, Inc. code signature.

Sigma rule. Tactic: command_and_control. Technique: T1572 (Protocol Tunneling). Log source: process_creation (windows).


Indicators of compromise (1)

Type     Value
domain   trycloudflare.com