{
	"id": "53a21f51-31b8-46c2-b0c7-933626def095",
	"created_at": "2026-04-06T00:12:09.912973Z",
	"updated_at": "2026-04-10T13:12:59.698483Z",
	"deleted_at": null,
	"sha1_hash": "46c1afe67212be654ae0ffffd1f4ec6999e0a661",
	"title": "BlackWater Malware Abuses Cloudflare Workers for C2 Communication",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1065788,
	"plain_text": "BlackWater Malware Abuses Cloudflare Workers for C2 Communication\r\nBy Lawrence Abrams\r\nPublished: 2020-03-14 · Archived: 2026-04-05 17:40:38 UTC\r\nA new backdoor malware called BlackWater is being distributed as COVID-19 information while abusing Cloudflare Workers as an interface to the malware's command and control (C2) server.\r\nCloudflare Workers are JavaScript programs that run directly on Cloudflare's edge so that they can interact with connections from remote web clients. These Workers can be used to modify the output of a web site behind Cloudflare, disable Cloudflare features, or even act as independent JavaScript programs running on the edge that generate their own output.\r\nFor example, a Cloudflare Worker can be created to search for text in a web server's output and replace words in it, or to simply output data back to a web client.\r\nhttps://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/\r\nPage 1 of 5\r\nBlackWater uses Cloudflare Workers as a C2 interface\r\nRecently MalwareHunterTeam discovered a RAR file being distributed pretending to be information about the Coronavirus (COVID-19) called \"Important - COVID-19.rar\".\r\nIt is not known at this time how the file is being distributed, but it is most likely being done through phishing emails.\r\nInside this RAR file is a file called \"Important - COVID-19.docx.exe\" that uses a Word icon. Unfortunately, as Windows hides known file extensions by default, many will simply see this file as a Word document rather than an executable and be more likely to open it.\r\nExtracted file with extensions off and on\r\nWhen opened, the malware extracts a Word document called \"Important - COVID-19.docx.docx\" to the %UserProfile%\\downloads folder and opens it in Word.\r\nThe opened document contains information on the COVID-19 virus and is used by the malware as a decoy while it installs the rest of the malware and executes it on the computer.\r\nDecoy COVID-19 Information Document\r\nWhile victims are reading the COVID-19 document, the malware is also extracting the %UserProfile%\\AppData\\Local\\Library SQL\\bin\\version 5.0\\sqltuner.exe file.\r\nThis is where things get a bit interesting, as the malware is then launched using a command line that causes the BlackWater malware to connect to a Cloudflare Worker that acts as a command and control server, or at least a passthrough to one.\r\nsqltuner.exe lively-dream-c871.m7.workers.dev\r\nIf visiting this site directly, users will be shown the following 'HellCat' image.\r\nCloudflare worker\r\nHead of SentinelLabs Vitali Kremez told BleepingComputer that this worker is a front end to a ReactJS Strapi App that acts as a command and control server.\r\nKremez stated that this C2 will respond with a JSON encoded string that may contain commands to execute when the malware connects to it with the right authentication parameters.\r\nThe BlackWater malware is, by and large, a newer generation malware taking advantage of the ReactJS Strapi App for the backend checking, leveraging Cloudflare workers resolvers and employing a JSON-based parser inside its DLL passing the server argument directly. The check-ins bear the \"blackwater\" marker as well, passing either email @ black.water or @ black64.water depending on the architecture.\r\nThe malware appears to be novel and its JSON-based parser with the newer generation ReactJS backend server architecture is indicative of the active development amid the CoronaVirus outbreak.\r\nWhen we asked why they were using a Cloudflare Worker rather than connecting directly to the C2, Kremez felt it was to make it harder for security software to block IP traffic without blocking all of Cloudflare's Worker infrastructure.\r\n\"I think this is why they employ as it returns back the legit Cloudflare proxy IP which acts as a reverse proxy passing the traffic to the C2. It makes blocking the IP traffic impossible given it is Cloudflare (unless the whole Cloudflare worker space is banned) infrastructure while hiding the actual C2.\"\r\nWhile there is still plenty to learn about this new malware and how it operates, it does provide an interesting glimpse of how malware developers are utilizing legitimate cloud infrastructure in novel ways.\r\nUsing Cloudflare Workers, traffic to malware command \u0026 control servers becomes harder to block and the malware operation can be easily scaled as needed.
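The following Python script is an added example and is not code from the BleepingComputer article or from SentinelLabs. It hunts for the check-in pattern described above in proxy and process logs: the dropped sqltuner.exe launched with a workers.dev hostname as its argument, HTTP traffic to the reported Worker hostname or to any workers.dev hostname from a non-browser process, and a request body carrying the blackwater marker or a black.water / black64.water email address. The log format (space-separated key=value fields), the sample events and the form-encoded check-in body are assumptions made for the example; the article does not describe the check-in wire format. Because the traffic terminates at Cloudflare's own addresses, the script scores on hostname, process and content rather than on destination IP, and its block list is made of hostnames for a DNS or proxy deny rule rather than IPs.

```python
import re
from dataclasses import dataclass

# Indicators reported in the article. Treat them as a starting point, not a complete IOC set.
REPORTED_WORKER = 'lively-dream-c871.m7.workers.dev'
WORKERS_SUFFIX = '.workers.dev'
DROPPED_EXE = 'sqltuner.exe'
CHECKIN_MARKER = 'blackwater'
# x86 check-ins report an address at black.water, x64 check-ins at black64.water
CHECKIN_MAIL = re.compile(r'@black(64)?[.]water', re.IGNORECASE)
# Browsers reach workers.dev all day; only non-browser processes are suspicious on that rule alone.
BROWSER_PROCS = {'chrome.exe', 'firefox.exe', 'msedge.exe', 'iexplore.exe'}

# Constructed sample events (not from the article): one per line, space-separated key=value fields.
# The assumed check-in body is form-encoded; the article does not document the real wire format.
SAMPLE_LOGS = '''
ts=2020-03-14T10:00:01Z type=proxy src=10.0.5.21 proc=chrome.exe host=www.bleepingcomputer.com method=GET path=/ body=-
ts=2020-03-14T10:00:05Z type=process src=10.0.5.21 proc=sqltuner.exe cmdline=sqltuner.exe lively-dream-c871.m7.workers.dev
ts=2020-03-14T10:00:07Z type=proxy src=10.0.5.21 proc=sqltuner.exe host=lively-dream-c871.m7.workers.dev method=POST path=/ body=id=blackwater;email=host@black64.water
ts=2020-03-14T10:01:00Z type=proxy src=10.0.5.40 proc=chrome.exe host=my-app.example.workers.dev method=GET path=/api body=-
ts=2020-03-14T10:02:00Z type=proxy src=10.0.5.42 proc=updater.exe host=some-other-worker.workers.dev method=POST path=/ body=id=blackwater;email=box@black.water
'''


@dataclass
class Finding:
    ts: str
    src: str
    host: str
    reasons: list


def parse_event(line):
    '''Parse one key=value line. cmdline is always the last field and may contain spaces.'''
    fields = {}
    tokens = line.split()
    for i, token in enumerate(tokens):
        key, _, value = token.partition('=')
        if key == 'cmdline':
            fields[key] = ' '.join([value] + tokens[i + 1:])
            break
        fields[key] = value
    return fields


def score_event(ev):
    '''Return the reasons an event looks like a BlackWater check-in; an empty list means clean.'''
    reasons = []
    host = ev.get('host', '').lower()
    proc = ev.get('proc', '').lower()
    body = ev.get('body', '')
    if ev.get('type') == 'process':
        # Reported launch pattern: the dropped binary gets the Worker hostname as its only argument.
        if proc == DROPPED_EXE and WORKERS_SUFFIX in ev.get('cmdline', '').lower():
            reasons.append('sqltuner.exe launched with a workers.dev argument')
        return reasons
    if host == REPORTED_WORKER:
        reasons.append('known BlackWater worker hostname')
    elif host.endswith(WORKERS_SUFFIX) and proc not in BROWSER_PROCS:
        reasons.append('workers.dev host contacted by non-browser process ' + proc)
    if proc == DROPPED_EXE:
        reasons.append('traffic from the dropped sqltuner.exe')
    if CHECKIN_MARKER in body.lower():
        reasons.append('body carries the blackwater marker')
    match = CHECKIN_MAIL.search(body)
    if match:
        arch = 'x64' if match.group(1) else 'x86'
        reasons.append('check-in email for ' + arch + ' build')
    return reasons


def hunt(log_text):
    '''Score every event and keep the ones with at least one reason.'''
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            findings.append(Finding(ev['ts'], ev['src'], ev.get('host', ''), reasons))
    return findings


def hosts_to_block(findings):
    '''Hostnames for a DNS or proxy deny rule. The destination IPs belong to Cloudflare and are useless as a block list.'''
    return {f.host for f in findings if f.host}


if __name__ == '__main__':
    results = hunt(SAMPLE_LOGS)
    for f in results:
        print(f.ts, f.src, f.host or '(process event)', '; '.join(f.reasons))
    print('block at DNS/proxy:', sorted(hosts_to_block(results)))
```

Run it as a script to print the findings, or import hunt() and feed it a real export in the same key=value shape. The non-browser-to-workers.dev rule will also fire on legitimate software that uses Workers, so treat it as a triage lead and reserve blocking for hosts that additionally carry the BlackWater markers.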
Source: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/"
	],
	"report_names": [
		"blackwater-malware-abuses-cloudflare-workers-for-c2-communication"
	],
	"threat_actors": [
		{
			"id": "a602818a-34da-445f-9bac-715cc9b47a3d",
			"created_at": "2025-07-12T02:04:58.190857Z",
			"updated_at": "2026-04-10T02:00:03.850831Z",
			"deleted_at": null,
			"main_name": "GOLD PUMPKIN",
			"aliases": [
				"HellCat"
			],
			"source_name": "Secureworks:GOLD PUMPKIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434329,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46c1afe67212be654ae0ffffd1f4ec6999e0a661.pdf",
		"text": "https://archive.orkl.eu/46c1afe67212be654ae0ffffd1f4ec6999e0a661.txt",
		"img": "https://archive.orkl.eu/46c1afe67212be654ae0ffffd1f4ec6999e0a661.jpg"
	}
}