{
	"id": "f71bb81e-d226-42b6-b0a9-9ee46c1b34a8",
	"created_at": "2026-04-06T00:14:21.184941Z",
	"updated_at": "2026-04-10T03:36:22.112392Z",
	"deleted_at": null,
	"sha1_hash": "c0eaabd469dbc22d219f959c55be0dbd68d1f798",
	"title": "Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 477351,
	"plain_text": "Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services\r\nBy Cyber Threat Intelligence\r\nPublished: 2022-05-09 · Archived: 2026-04-05 17:05:41 UTC\r\nCobalt Strike is a well-established red-teaming toolkit designed to produce feature-rich backdoors in a matter of seconds. Since its inception, however, the tool has been heavily abused by threat actors worldwide (e.g., Polaris/MustangPanda, APT32/OceanLotus, and financially motivated criminals). Its popularity stems from its powerful built-in payload generators, its flexibility in delivering the Beacon to target machines and, most notably, its ability to disguise Beacon traffic inside the target network.\r\nOver the last year or so, more and more Beacons that relay their traffic through third-party services have been found in the wild. Because routing through a third-party CDN hides the true C2 address and improves detection evasion, numerous APTs have adopted these services. The following sections walk through the techniques these actors use and show how easily such configurations can be set up.\r\nServerless Functions\r\nOne technique threat groups employ is the use of serverless platforms such as Cloudflare Workers. With a serverless function, an actor can set up what is essentially a free reverse proxy in front of a Cobalt Strike listener. Configured properly, this adds a layer of protection: looking up the domain yields only the provider’s edge IP addresses, never the origin server.\r\nBecause these platforms hand out subdomains for free (Cloudflare Workers under workers.dev, for instance), the actor can choose a convincing-looking name without buying a real domain. In this example, the C2 was set to route.moffice365.workers.dev so that the traffic looks vaguely related to Microsoft services.\r\nThe nature of serverless functions makes it extremely difficult to attribute the operation or identify the actor behind it. The worker code is stored and executed only on Cloudflare’s servers, so the origin address is known only to Cloudflare; from the network side there is no feasible way to identify the real C2 infrastructure.\r\nDomain Fronting via CDN\r\nDomain fronting disguises traffic by sending it to a well-known domain and letting the CDN behind that domain route it, based on the inner HTTP Host header, to the attacker’s own distribution. As with the previous technique, it cannot be blocked without either disrupting the legitimate service or inspecting the inner request. Cobalt Strike’s author Raphael Mudge (the tool is now owned by HelpSystems) published a write-up of domain fronting with CloudFront back in 2017 [1].\r\nThe mechanism is simple. Many websites serve their assets through a CDN such as CloudFront. Under normal circumstances the HTTP Host header, set by the site, determines which customer distribution the CDN edge serves the request from. An attacker abuses this ‘feature’ by pointing the Beacon (DNS lookup and TLS SNI) at a reputable domain served by that CDN while setting the Host header to the attacker’s own distribution on the same CDN; the edge routes on the Host header and forwards the request to the attacker’s origin. Over HTTPS this is extremely difficult for an administrator to block, since the Host header sits inside the encrypted request and, on the surface, the user appears to be visiting a reputable site. Note that several large CDNs have tightened this since 2018 by rejecting requests whose Host header belongs to a different customer than the TLS SNI, so whether classic fronting still works depends on the provider.\r\nDomain Fronting with a Non-existent Domain\r\nThe following technique does something slightly different. Last year we detected a rather peculiar-looking Cobalt Strike payload whose C2 address was set to pypi.python.org. 
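Both Host-header techniques on this page, the CloudFront-style fronting above and the Fastly routing explained below, share one observable: the name the Beacon connects to (DNS lookup and TLS SNI) is not the name it puts in the HTTP Host header. The following Python is an added example for this write-up, not code from the TeamT5 post. It takes constructed records from a TLS-terminating proxy that logs both SNI and Host and classifies each one; the log format, the CDN suffix list, the brand-token list and every hostname other than pypi.python.org, dl-python.org and route.moffice365.workers.dev are assumptions made for the example.

```python
# Added example for this write-up (not from the TeamT5 post): flag Beacon traffic
# whose TLS SNI / connect target and inner HTTP Host header disagree. That
# disagreement is the common thread of classic CDN domain fronting and the
# Fastly Host-routing trick. Log records and most hostnames are constructed.
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Hypothetical starter list of CDN edge suffixes; extend for your environment.
CDN_SUFFIXES = ('.cloudfront.net', '.fastly.net', '.workers.dev', '.azureedge.net')
# Brand tokens that should not appear on a free platform subdomain (assumed list).
BRAND_TOKENS = ('office365', 'microsoft', 'google')


@dataclass(frozen=True)
class Verdict:
    sni: str
    host_header: str
    label: str    # match | cdn_fronting | host_routing | lookalike_subdomain
    reason: str


def registrable(host: str) -> str:
    # Crude two-label apex; fine for .com/.org style names, no public suffix list.
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def cdn_of(host: str) -> Optional[str]:
    # Return the CDN suffix (without the leading dot) a hostname belongs to, if any.
    h = host.lower()
    for suffix in CDN_SUFFIXES:
        if h.endswith(suffix):
            return suffix.lstrip('.')
    return None


def classify(sni: str, host_header: str) -> Verdict:
    s = sni.lower()
    h = host_header.lower().split(':')[0]   # tolerate an explicit port
    # 1. Normal traffic: the connect target and the Host header agree.
    if s == h or registrable(s) == registrable(h):
        return Verdict(sni, host_header, 'match', 'SNI and Host agree')
    # 2. Classic fronting: Host names the CDN distribution itself while the
    #    SNI is a reputable site fronted by the same CDN.
    edge = cdn_of(h)
    if edge:
        return Verdict(sni, host_header, 'cdn_fronting',
                       f'Host is a {edge} edge name but SNI is {s}')
    # 3. Host routing: Host is an unrelated customer name that the CDN maps to
    #    an internal service (the pypi.python.org / dl-python.org case). The
    #    Host name may not even exist in public DNS.
    return Verdict(sni, host_header, 'host_routing',
                   f'Host {h} is unrelated to SNI {s}')


def lookalike(host: str) -> Optional[str]:
    # Brand token on a free platform subdomain, e.g. route.moffice365.workers.dev.
    edge = cdn_of(host)
    if edge is None:
        return None
    label_part = host.lower()[: -len(edge) - 1]   # strip the platform suffix
    for token in BRAND_TOKENS:
        if token in label_part:
            return f'brand token {token} on a {edge} subdomain'
    return None


def parse_line(line: str) -> dict:
    # key=value pairs separated by whitespace, e.g. 'src=10.0.0.5 sni=a host=b'
    return dict(kv.split('=', 1) for kv in line.split())


def scan(lines: Sequence[str]) -> List[Verdict]:
    # Return only the records worth an analyst's attention.
    findings = []
    for line in lines:
        rec = parse_line(line)
        v = classify(rec['sni'], rec['host'])
        if v.label != 'match':
            findings.append(v)
            continue
        hint = lookalike(rec['host'])
        if hint:
            findings.append(Verdict(rec['sni'], rec['host'], 'lookalike_subdomain', hint))
    return findings


# Constructed proxy records (not real traffic). The three suspicious hostnames
# are the ones discussed in the post; the rest are placeholders.
SAMPLE_LOG = [
    'src=10.0.0.5 sni=www.example.com host=www.example.com',
    'src=10.0.0.7 sni=assets.example.net host=d111111abcdef8.cloudfront.net',
    'src=10.0.0.9 sni=pypi.python.org host=dl-python.org',
    'src=10.0.0.9 sni=route.moffice365.workers.dev host=route.moffice365.workers.dev',
]

if __name__ == '__main__':
    for v in scan(SAMPLE_LOG):
        print(f'{v.label:20} sni={v.sni} host={v.host_header}  {v.reason}')
```

Run as a script it prints one line per finding. The classification presupposes TLS inspection: without it only the SNI is visible and the mismatch cannot be observed at all. A mismatch is a lead, not proof, since misconfigured CDN customers produce them too; the follow-up for a host_routing hit is to resolve the Host name (it may not exist) and ask the CDN provider which account owns a service by that name, rather than treating the Host name itself as the C2.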
The actor clearly did not control a domain owned by the Python Software Foundation, and the chance that they had compromised the service is negligible.\r\nSo what gives? The secret lies in the service that operates that hostname and in the HTTP Host header specified in the Beacon. The Python Software Foundation uses Fastly for most of its services, and Fastly uses the Host header of the incoming request to decide which customer service to route it to internally. For example, if an actor creates a Fastly service named dl-python.org and sets the Host header to dl-python.org in the Beacon, Fastly forwards any request carrying that header to that service, regardless of which Fastly-served hostname the Beacon actually connected to.\r\nNote the difference from the previous domain fronting technique. The Host header gives the false impression that the C2 is dl-python.org, a name that need not exist in public DNS at all. What actually happens is that the Beacon resolves and connects to pypi.python.org, a Fastly edge, and Fastly matches the Host header to the customer service named dl-python.org (also reachable directly as dl-python.org.global.prod.fastly.net). That service then forwards the request to my-c2domain.com, the origin configured by the threat actor. The trick can lure investigators into chasing a domain that may or may not have anything to do with the incident; the useful pivot is the Fastly service behind that header, not the name itself.\r\nConclusion\r\nIn this post we have covered three ways threat actors abuse the flexibility of Cobalt Strike’s payload communication: misuse of serverless functions and two variants of CDN domain fronting. This flexibility is exactly why Cobalt Strike is loved by red teamers and despised by defenders, and it is clear the toolkit is not going anywhere anytime soon as more creative strategies are discovered and employed.\r\nReferences\r\n[1] Mudge, R. (2017, February 6). High-reputation Redirectors and Domain Fronting. Cobalt Strike Research and Development blog.\r\n*Image courtesy of Pexels\r\nSource: https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services"
	],
	"report_names": [
		"hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434461,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0eaabd469dbc22d219f959c55be0dbd68d1f798.pdf",
		"text": "https://archive.orkl.eu/c0eaabd469dbc22d219f959c55be0dbd68d1f798.txt",
		"img": "https://archive.orkl.eu/c0eaabd469dbc22d219f959c55be0dbd68d1f798.jpg"
	}
}