
Russian state-backed hacker group Gamaredon has been caught abusing Cloudflare Tunnels in a stealthy cyber-espionage campaign targeting Ukrainian organisations. Also known as BlueAlpha, the group has a history of conducting attacks on behalf of Russia’s Federal Security Service (FSB).
Gamaredon has been using Cloudflare’s infrastructure to conceal its operations and deliver the custom malware GammaDrop. This payload, designed to avoid detection, establishes a foothold on victims’ systems before deploying the group’s backdoor tool, GammaLoad.
Cloudflare Tunnels, which hide the true location of the servers behind them, are increasingly used by attackers because they are easy to set up and free to use. In response, Cloudflare said it swiftly disables malicious tunnels once identified and employs machine learning to detect and prevent abuse.
The attacks primarily rely on malicious email attachments to compromise systems. Researchers noted that GammaDrop is heavily obfuscated with junk code and random variables, complicating detection and analysis.
Gamaredon has been linked to past cyberattacks on Ukraine’s military and government entities, including during Ukraine’s recent counteroffensive. Experts believe the group’s malware exploits legitimate platforms like Cloudflare, Telegram, and Telegraph to mask its activities.
While specific targets of the latest campaign remain undisclosed, Gamaredon’s malware enables data theft, credential harvesting, and persistent access to networks. Security researchers warn that the group is likely to refine its evasion tactics further.
This incident underscores the risks of trusted platforms being co-opted for malicious purposes, as cybercriminals exploit legitimate tools to amplify their attacks while evading detection.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543