Russia’s ‘BlueAlpha’ APT Hides in Cloudflare Tunnels

Cloudflare Tunnels is just the latest legitimate cloud service that cybercriminals and state-sponsored threat actors are abusing to hide their tracks.

[Tara Seals, Managing Editor, News, Dark Reading](/author/tara-seals), December 5, 2024, 2 Min Read

[Image: Great Siege Tunnels, Gibraltar, featuring a tableau of seven cannons overlooking Spanish positions. Source: Classic Image via Alamy Stock Photo]
NEWS BRIEF

BlueAlpha, a Russian state-sponsored advanced persistent threat (APT) group, has recently evolved its malware delivery chain to abuse Cloudflare Tunnels — with the goal of ultimately infecting victims with its proprietary GammaDrop malware.

Cloudflare Tunnels is, as its name suggests, secure tunneling software. It connects resources to Cloudflare’s network without a publicly routable IP address, which protects Web servers and applications from distributed denial-of-service (DDoS) and other direct cyberattacks by hiding their origins.

Unfortunately, this obfuscation mechanism, like [other legitimate cloud tools](https://www.darkreading.com/cloud-security/cloudsorceror-public-cloud-cyberespionage-campaign), can also be used by the likes of BlueAlpha, which uses Cloudflare Tunnels to conceal its GammaDrop staging infrastructure from traditional network detection mechanisms, according to Recorded Future’s Insikt Group.

“Cloudflare offers the tunneling service for free with the use of the TryCloudflare tool,” [according to an analysis](https://www.recordedfuture.com/research/bluealpha-abuses-cloudflare-tunneling-service) published this week by Insikt. “The tool allows anyone to create a tunnel using a randomly generated subdomain of trycloudflare.com and have all requests to that subdomain proxied through the Cloudflare network to the Web server running on that host.”

The APT then uses the concealed infrastructure to mount HTML smuggling attacks that bypass email security systems, and employs DNS fast-fluxing, which makes it harder to disrupt BlueAlpha’s command-and-control (C2) communications, Insikt Group researchers noted. The chain ends with delivery of the GammaDrop malware, which enables data exfiltration, credential theft, and backdoor access to networks.

BlueAlpha, which shares DNA with other Russian threat groups like [Trident Ursa](https://www.darkreading.com/cyberattacks-data-breaches/nato-oil-refinery-russian-apt-blitz-against-ukraine), Gamaredon, Shuckworm, and Hive0051, first emerged in 2014 and has lately targeted Ukrainian organizations via spearphishing campaigns. The APT has used the custom VBScript malware GammaLoad since at least October 2023.

To protect against such attacks, Insikt Group recommended several mitigations, including:

* Beef up email security to block HTML smuggling techniques
* Flag attachments with suspicious HTML events
* Use application control policies to block malicious use of mshta.exe and untrusted .lnk files
* Set up network rules to flag requests to trycloudflare.com subdomains
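The last of those mitigations, flagging requests to trycloudflare.com subdomains, as an added example (this is not code from the article or from Insikt Group’s report): a small detector over constructed proxy/DNS log lines in an invented format, which compares DNS labels rather than a plain string suffix so that lookalike hosts are not flagged.

```python
import re
from dataclasses import dataclass

# Constructed log format for this added example: "<ts> <client_ip> <action> <host> [<path>]"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<action>GET|POST|CONNECT|DNS) (?P<host>\S+)(?: (?P<path>\S+))?$")

FLAGGED_SUFFIX = ("trycloudflare", "com")  # registrable domain, as DNS labels

@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    host: str
    action: str

def is_trycloudflare_host(host: str) -> bool:
    """True only for real subdomains of trycloudflare.com.

    Compares DNS labels instead of using str.endswith, so lookalikes such as
    'nottrycloudflare.com' or 'trycloudflare.com.example.net' are not flagged.
    The bare apex 'trycloudflare.com' is not a tunnel hostname and is skipped.
    """
    labels = host.lower().rstrip(".").split(".")
    return len(labels) > 2 and tuple(labels[-2:]) == FLAGGED_SUFFIX

def scan(lines):
    """Return a Hit for every parseable line whose host is a TryCloudflare subdomain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and is_trycloudflare_host(m["host"]):
            hits.append(Hit(m["ts"], m["src"], m["host"].lower(), m["action"]))
    return hits

# Constructed sample traffic: one tunnel lookup and fetch, two lookalikes, one benign host.
SAMPLE_LOG = [
    "2024-12-05T10:01:02Z 10.0.0.12 DNS lucky-random-words-example.trycloudflare.com",
    "2024-12-05T10:01:03Z 10.0.0.12 GET lucky-random-words-example.trycloudflare.com /stage.htm",
    "2024-12-05T10:02:00Z 10.0.0.13 GET nottrycloudflare.com /index.html",
    "2024-12-05T10:02:10Z 10.0.0.14 CONNECT trycloudflare.com.example.net",
    "2024-12-05T10:03:00Z 10.0.0.15 GET www.example.com /",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"FLAG {h.ts} {h.src} {h.action} {h.host}")
```

Flag rather than block: TryCloudflare also has legitimate developer use, so a hit is a triage signal to correlate with the mshta.exe and .lnk controls above, not proof of compromise on its own.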
About the Author
----------------

[Tara Seals, Managing Editor, News, Dark Reading](/author/tara-seals)

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.