ET HUNTING Executable File Hosted via Cloudflare Services (* .r2 .dev)

SID: 2068666Rev: 11 views
Sourceet/open
CreatedApril 9, 2026
UpdatedApril 9, 2026
Classificationmisc-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Executable File Hosted via Cloudflare Services (* .r2 .dev)"; flow:established,to_server; http.host; content:".r2.dev"; fast_pattern; endswith; http.uri; content:"."; pcre:"/^(?:wsf|js|jse|vbs|vbe|bat|cmd|ps1|hta|lnk|url|scr|msi|cpl|sh|bash|zsh|py|pl|rb|php|jar|app|command|pkg|dmg|run|bin|tar|tgz|zip)(?:$|[?#&])/Ri"; reference:url,cofense.com/blog/how-cloudflare-services-are-abused-for-credential-theft-and-malware-distribution; reference:url,developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/; classtype:misc-activity; sid:2068666; rev:1; metadata:attack_target Client_Endpoint, created_at 2026_04_09, deployment Perimeter, confidence High, signature_severity Informational, updated_at 2026_04_09;)

References

urlcofense.com/blog/how-cloudflare-services-are-abused-for-credential-theft-and-malware-distribution
urldevelopers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/

Metadata

attack targetClient_Endpoint
created at2026_04_09
deploymentPerimeter
confidenceHigh
signature severityInformational
updated at2026_04_09

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!