Attackers used Cloudflare-hosted storage to steal files from Malaysian networks
Attackers used a Cloudflare-hosted storage endpoint to exfiltrate files from compromised Malaysian networks, according to new research from OASIS Security.
The campaign targeted multiple Malaysian government organizations and a Malaysian mobile virtual network operator’s customer identity verification platform. Researchers also found custom attack tools, active webshell deployment, domain controller credential theft, and previously undisclosed command-and-control components.
The activity stands out because the attacker did not rely only on common public tools. OASIS found purpose-built Python scripts created for specific targets and specific tasks, including database access, internal network enumeration, remote command execution, and file exfiltration.
What OASIS Security found
OASIS identified attacker-controlled infrastructure hosted on a Microsoft Azure virtual machine in the Malaysia West region. The server contained a large collection of tools and artifacts connected to the intrusion activity.
The infrastructure included Python scripts for target-specific operations, PHP webshell deployment tools, a Laravel remote code execution exploit chain, and source code for private C2 components.
Researchers said the findings point to a structured, multi-target intrusion operation rather than a simple opportunistic attack.
| Item | Details |
|---|---|
| Main target region | Malaysia |
| Targets described | Government organizations and a mobile network operator-related platform |
| Attacker infrastructure | Microsoft Azure VM in Malaysia West |
| Known IP address | 20.17.161.118 |
| Exfiltration method | Upload of stolen files to attacker-controlled Cloudflare-hosted storage |
| Key risk | Credential theft, persistence, lateral movement, and data exfiltration |
How the Cloudflare storage endpoint was used
One of the key tools found by OASIS was a Python script named gen_photo_upload.py. Researchers said the script handled file uploads to an external Cloudflare-hosted storage endpoint controlled by the attacker.
This type of technique can help attackers blend malicious traffic into normal cloud activity. Many companies already allow outbound traffic to major cloud and web service providers, so exfiltration through trusted services can attract less attention than traffic to unknown infrastructure.
MITRE ATT&CK tracks this general behavior as Exfiltration to Cloud Storage (T1567.002), a sub-technique of Exfiltration Over Web Service. Attackers use legitimate cloud storage services to move stolen data out of a network instead of sending it through their primary command-and-control channel, so the transfer looks like one more upload to a well-known provider.
Custom scripts show a targeted operation
The tooling identified by OASIS suggests the attacker understood the environments being targeted. Several scripts were built for specific domains, internal workflows, and data sources.
Some scripts interacted with Microsoft SQL Server databases, while others used WinRM sessions, prepared datasets for collection, or executed commands through exposed RPC-style endpoints.
That level of customization matters. It suggests the attacker had already gathered information about the targets and built tools to match their internal systems.
- analyze_[REDACTED].py used embedded MSSQL credentials to query an internal database server.
- asset_owner_check.py inspected and prepared asset ownership datasets for collection.
- check_cophoto.py queried photo-related database records.
- deploy.py contained an external RPC endpoint for remote command execution.
- gen_photo_upload.py handled file exfiltration to Cloudflare-hosted storage.
Credential theft reached domain controller level
The most serious impact involved credential extraction from a domain controller tied to a Malaysian government administrative entity.
OASIS found references to exfiltrated Windows registry hive files, including SAM, SECURITY, and SYSTEM. Researchers also found an NTDS dump output, which confirms that Active Directory password hashes were extracted.
Domain-level credential theft can create long-term risk. Attackers may use stolen hashes to move laterally, access additional systems, or regain access after defenders remove the initial intrusion point.
| Artifact | Why it matters |
|---|---|
| SAM hive | Stores the password hashes of local accounts, encrypted with a key derived from the SYSTEM hive. |
| SECURITY hive | Stores LSA secrets, which can include service account passwords and cached domain logon credentials. |
| SYSTEM hive | Holds the boot key needed to decrypt the SAM hive and the LSA secrets, so it is almost always taken alongside them. |
| NTDS dump | A copy of the Active Directory database (ntds.dit); combined with the SYSTEM hive it yields the password hashes of every domain account, including krbtgt. |
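The following Python detection is an added example, not code from this page or from the OASIS report. It runs over constructed Windows process-creation records (the shape of Security event 4688 with command-line auditing enabled) and flags the command patterns commonly used to produce the artifacts in the table above: ntdsutil IFM media creation, `reg save` of the SAM, SECURITY and SYSTEM hives, and shadow-copy or backup activity that touches the NTDS folder. The event fields, the rule list, the sample commands and the escalation threshold are all assumptions; none of them is a known command from this intrusion.

```python
import re

# Constructed sample events in the shape of Windows Security event 4688
# (process creation with command-line auditing enabled). Not real log data.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "svc_backup", "time": "2024-05-01T02:14:03Z",
     "cmd": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\ifm" q q'},
    {"host": "DC01", "user": "svc_backup", "time": "2024-05-01T02:16:40Z",
     "cmd": r'reg.exe save HKLM\SYSTEM C:\Temp\system.hiv'},
    {"host": "DC01", "user": "svc_backup", "time": "2024-05-01T02:16:41Z",
     "cmd": r'reg save hklm\sam C:\Temp\sam.hiv'},
    {"host": "WEB01", "user": "www", "time": "2024-05-01T02:20:00Z",
     "cmd": r'C:\Windows\System32\cmd.exe /c whoami'},
    {"host": "DC02", "user": "backupsvc", "time": "2024-05-01T03:00:00Z",
     "cmd": r'vssadmin.exe list shadows'},
    {"host": "DC02", "user": "backupsvc", "time": "2024-05-01T03:00:05Z",
     "cmd": r'wbadmin start backup -backupTarget:\\backup01\dc -include:C:\Windows\NTDS'},
]

# Command-line patterns that reach domain credential stores. Severity is an
# assumed triage weight: "high" rules rarely appear in legitimate admin work
# outside a planned DC promotion or migration.
RULES = [
    ("ntdsutil_ifm",
     re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I), "high"),
    ("ntds_dit_copy",
     re.compile(r"\bntds\.dit\b", re.I), "high"),
    ("hive_save_sam_security_system",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I), "high"),
    ("vss_shadow_create",
     re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I), "medium"),
    ("diskshadow_or_esentutl",
     re.compile(r"\b(diskshadow|esentutl)(\.exe)?\b", re.I), "medium"),
    ("ntds_backup_path",
     re.compile(r"\\windows\\ntds\b", re.I), "low"),
]


def detect_credential_dump(events):
    """Return one finding per (event, matching rule), in event order."""
    findings = []
    for ev in events:
        for name, pattern, severity in RULES:
            if pattern.search(ev["cmd"]):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "time": ev["time"], "rule": name,
                                 "severity": severity, "cmd": ev["cmd"]})
    return findings


def actors_to_escalate(findings, min_high=2):
    """(host, user) pairs with at least min_high high-severity hits.

    A single 'reg save' can be a scheduled backup; several distinct hive and
    NTDS operations from one account in one session is the pattern that
    warrants treating the domain as compromised.
    """
    counts = {}
    for f in findings:
        if f["severity"] == "high":
            key = (f["host"], f["user"])
            counts[key] = counts.get(key, 0) + 1
    return sorted(key for key, n in counts.items() if n >= min_high)


if __name__ == "__main__":
    hits = detect_credential_dump(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['time']} {h['host']} {h['user']} [{h['severity']}] {h['rule']}: {h['cmd']}")
    print("escalate:", actors_to_escalate(hits))
```

On the constructed data the DC01 backup service account trips three high-severity rules within minutes (IFM export, then SYSTEM and SAM hive saves), which is exactly the combination that produces the artifacts OASIS found; the wbadmin run on DC02 is flagged only at low severity so that routine backups remain reviewable rather than alert-generating.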
Webshell deployment gave attackers persistence
OASIS also found evidence of webshell deployment against a Malaysian government-associated portal. A script named shell21.py contained code to upload a PHP webshell named health.php.
At the time of the analysis, researchers said the webshell was active on the target server. That gave the attacker a persistent remote command execution path.
The attacker directory also contained several related webshell variants and execution logs, which suggests the tools had gone through repeated development and reuse.
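As an added example (not code from this page or from the OASIS report), the following Python script sweeps a web root for two things: file names that match the indicators reported on this page, and PHP files whose content looks like a webshell, meaning request-controlled input that reaches a code or command execution sink, a decoded payload passed to such a sink, or a function name built from request parameters. The sample web tree is constructed inline, and the contents assumed for `health.php` are a generic webshell pattern, not the actual file OASIS observed.

```python
import os
import re
import tempfile

# File names reported as indicators on this page.
IOC_FILENAMES = {"health.php", "shell21.py", "gen_photo_upload.py",
                 "beacon.cs", "listener_http.py"}

# Heuristics for PHP webshell content (assumed patterns, not from the report):
# execution sinks, request-tainted sources, and decoders that hide payloads.
SINKS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)\s*\(",
    re.I)
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|php://input", re.I)
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I)
DYNAMIC_CALL = re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST)")   # e.g. $f($_GET['c'])


def score_php(text):
    """Return the list of reasons a PHP source looks like a webshell (empty if clean)."""
    reasons = []
    if SINKS.search(text) and SOURCES.search(text):
        reasons.append("request-controlled input reaches code/command execution sink")
    if OBFUSCATION.search(text) and SINKS.search(text):
        reasons.append("decoded payload passed to execution sink")
    if DYNAMIC_CALL.search(text):
        reasons.append("dynamic function call built from request input")
    return reasons


def scan_tree(root):
    """Walk a web root; report IOC file names and suspicious PHP content."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in IOC_FILENAMES:
                reasons.append("file name matches reported IOC")
            if name.lower().endswith((".php", ".phtml", ".php5")):
                with open(path, "r", errors="replace") as fh:
                    reasons += score_php(fh.read())
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append({"path": rel, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample web tree: two benign files and two webshell-like files.
SAMPLE_FILES = {
    "public/index.php": "<?php\nrequire 'vendor/autoload.php';\necho 'hello';\n",
    "public/config.php": "<?php return ['db' => getenv('DB_DSN')];\n",
    "public/uploads/health.php": "<?php @eval(base64_decode($_POST['x'])); ?>",
    "public/uploads/img.php": "<?php $f = $_GET['f']; $f($_REQUEST['c']);",
}


def build_sample_tree():
    """Materialise SAMPLE_FILES in a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding["path"])
        for r in finding["reasons"]:
            print("   -", r)
```

Name matching alone is a weak signal, since the attacker can rename a shell in seconds, which is why the content heuristics run on every PHP file regardless of name; conversely the heuristics will flag some legitimate admin tooling, so treat output as a triage list and confirm each hit by reading the file and checking web server access logs for requests to it.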
Private C2 tools raise the threat level
The attacker infrastructure contained source code for a C# beacon generator called beacon.cs and a Python HTTP C2 controller named listener_http.py.
OASIS said these tools did not appear to come from a publicly known or commercial framework. The pairing suggests the attacker maintained a private command-and-control framework.
Private tooling does not automatically prove attribution to a named group, but it does raise the threat level. It shows the actor had enough capability to build and manage custom infrastructure instead of relying only on commodity malware.
Key indicators of compromise
Security teams should treat the indicators from the OASIS report as starting points for investigation, not as a complete list of affected systems.
| Type | Indicator | Purpose |
|---|---|---|
| IP address | 20.17.161.118 | Azure-hosted attacker infrastructure |
| File name | gen_photo_upload.py | Exfiltration to Cloudflare-hosted storage |
| File name | shell21.py | PHP webshell upload logic |
| File name | health.php | Webshell confirmed active during analysis |
| File name | laravel_rce.php | Laravel deserialization RCE exploit chain |
| File name | beacon.cs | Private C# beacon generator |
| File name | listener_http.py | Python-based HTTP C2 controller |
| File type | NTDS dump | Active Directory credential hash extraction |
How organizations should respond
Organizations that may have been affected should first remove active webshells and isolate suspicious servers. They should also review internet-facing portals, exposed RPC endpoints, Laravel applications, and systems that connect to internal databases.
Credential recovery should come next. If attackers obtained domain controller material, defenders should assume every domain credential is compromised and plan a full domain-level reset: all user and service accounts, computer account passwords, and the krbtgt account, which must be reset twice with time for replication in between, because a stolen krbtgt hash lets the attacker forge Kerberos tickets regardless of other password changes.

Network teams should also inspect outbound traffic to cloud storage services. Blocking all trusted cloud traffic may not work in many businesses, but logging, inspection, allowlists, and anomaly detection can help identify suspicious file transfers.
- Check logs for connections to 20.17.161.118 and to unknown Cloudflare-hosted storage endpoints.
- Search servers for files named health.php, shell21.py, gen_photo_upload.py, beacon.cs, and listener_http.py.
- Remove webshells and isolate affected public-facing servers.
- Review Laravel applications for exposed APP_KEY values and unsafe deserialization risks.
- Rotate domain administrator credentials and service account passwords.
- Reset credentials tied to databases, WinRM access, and internal automation tools.
- Audit domain controllers for NTDS access, registry hive access, and unusual backup activity.
- Monitor cloud storage uploads for unusual file types, sizes, timing, and destinations.
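The egress monitoring described in the exfiltration section and in the list above can be turned into a concrete check. The following Python script is an added example, not code from this page or from the OASIS report: it parses constructed proxy log lines, keeps only uploads to object-storage hosts, drops transfers that match an approved source/destination baseline, and explains each remaining one (server role that should never upload, large single transfer, off-hours timing). The log format, the allowlist, the role list and the thresholds are assumptions. The `.r2.cloudflarestorage.com` suffix is the S3-compatible hostname form Cloudflare documents for R2; the report as summarised here does not say which Cloudflare storage endpoint the attacker used, so that suffix is an assumption too.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed proxy/egress log lines in a simple key=value format (not real data).
SAMPLE_LOG = """\
2024-05-01T02:31:07Z src=10.0.5.12 srcname=DC01 method=PUT dest=a1b2c3.r2.cloudflarestorage.com bytes=52428800 status=200
2024-05-01T02:33:50Z src=10.0.5.12 srcname=DC01 method=PUT dest=a1b2c3.r2.cloudflarestorage.com bytes=734003200 status=200
2024-05-01T09:15:02Z src=10.0.8.40 srcname=BACKUP01 method=PUT dest=corpbackups.blob.core.windows.net bytes=1073741824 status=201
2024-05-01T10:02:11Z src=10.0.9.5 srcname=WS-ALICE method=GET dest=cdn.example.com bytes=20480 status=200
2024-05-01T11:47:33Z src=10.0.9.5 srcname=WS-ALICE method=POST dest=drive.google.com bytes=2097152 status=200
2024-05-01T03:05:21Z src=10.0.7.2 srcname=WEB01 method=POST dest=x9y8z7.r2.cloudflarestorage.com bytes=31457280 status=200
"""

# Hostname suffixes treated as cloud object storage (assumed list; extend per environment).
CLOUD_STORAGE_SUFFIXES = (".r2.cloudflarestorage.com", ".blob.core.windows.net",
                          ".amazonaws.com", "storage.googleapis.com", "drive.google.com")
# Hypothetical baseline: which sources are expected to upload where.
ALLOWED_UPLOADS = {("BACKUP01", "corpbackups.blob.core.windows.net")}
# Hypothetical roles that should never push data to public object storage.
NO_EGRESS_ROLES = {"DC01", "DC02", "WEB01"}
UPLOAD_METHODS = {"PUT", "POST"}
LARGE_UPLOAD_BYTES = 10 * 1024 * 1024       # assumed threshold
BUSINESS_HOURS = range(7, 20)               # assumed normal UTC window


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict with typed ts and bytes."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_cloud_storage(host):
    return any(host == s.lstrip(".") or host.endswith(s) for s in CLOUD_STORAGE_SUFFIXES)


def find_suspicious_uploads(log_text):
    """Uploads to cloud storage that fall outside the baseline, each with its reasons."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] not in UPLOAD_METHODS or not is_cloud_storage(rec["dest"]):
            continue
        src, dest = rec["srcname"], rec["dest"]
        if (src, dest) in ALLOWED_UPLOADS:
            continue                          # known, approved transfer path
        reasons = ["upload to cloud storage outside the approved source/destination baseline"]
        if src in NO_EGRESS_ROLES:
            reasons.append("source role should not upload to object storage")
        if rec["bytes"] >= LARGE_UPLOAD_BYTES:
            reasons.append("large single upload")
        if rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours transfer")
        findings.append({"src": src, "dest": dest, "bytes": rec["bytes"],
                         "time": rec["ts"].isoformat(), "reasons": reasons})
    return findings


def upload_volume_by_pair(findings):
    """Total bytes per (source, destination), to catch many small transfers that add up."""
    volume = defaultdict(int)
    for f in findings:
        volume[(f["src"], f["dest"])] += f["bytes"]
    return dict(volume)


if __name__ == "__main__":
    hits = find_suspicious_uploads(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['src']} -> {h['dest']} {h['bytes']} B: {'; '.join(h['reasons'])}")
    for (src, dest), total in upload_volume_by_pair(hits).items():
        print(f"total {src} -> {dest}: {total} B")
```

The point of the baseline is that the destination alone carries little signal: the approved backup job and the DC01 upload both go to a major cloud provider, and reputation checks pass both. What separates them is who is sending, how much, and when. A domain controller pushing three quarters of a gigabyte to an object-storage bucket at two in the morning should page someone even though every hostname involved is trusted.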
Why trusted cloud services create detection gaps
Attackers increasingly use legitimate cloud providers and web services because this traffic often looks normal. Security tools may flag unknown infrastructure quickly, but traffic to trusted providers can pass through with fewer checks.
This campaign shows why organizations need stronger egress monitoring. Defenders should not rely only on domain reputation. They also need to understand which users, servers, and applications normally send data to cloud services.
The most important lesson is simple: trusted infrastructure can still carry attacker-controlled traffic. Companies should monitor behavior, not just destinations.
FAQ
How did the attackers use Cloudflare?
Attackers used an attacker-controlled Cloudflare-hosted storage endpoint to receive files exfiltrated from compromised networks. OASIS identified a Python script named gen_photo_upload.py that handled this upload process.
Was Cloudflare itself breached?
No public report says Cloudflare was breached. The attacker used a Cloudflare-hosted storage endpoint under attacker control, which is different from compromising Cloudflare itself.
Who was targeted?
OASIS reported targeting of multiple Malaysian government organizations and a Malaysian mobile virtual network operator’s customer identity verification platform. The report redacted specific victim names.
Why does an NTDS dump matter?
An NTDS dump can expose Active Directory password hashes from a domain controller. This can give attackers a path to lateral movement, persistence, and broader access across the affected network.
How can defenders detect this kind of activity?
Defenders should monitor outbound uploads to cloud storage services, inspect unusual file transfers, restrict egress from sensitive servers, review webshell indicators, and alert on unexpected access to domain controller credential stores.