High-Level Blueprint: Stealthy C2 with Cloudflare Workers

Disclaimer: The content in this post is provided solely for academic research, authorized red team engagements, and penetration testing purposes. All techniques discussed herein must be used only in controlled environments with explicit permission. Unauthorized use is illegal and unethical.

Introduction

In today’s digital landscape, red teams are exploring innovative ways to establish Command & Control (C2) channels that can bypass traditional network security measures. One promising approach involves repurposing serverless platforms—specifically Cloudflare Workers combined with Cloudflare D1—as a stealthy, low-cost C2 framework.

In our recent engagement, we designed a framework that leveraged Cloudflare’s trusted infrastructure to both exfiltrate data and execute remote commands. By routing communications through Cloudflare’s globally distributed network, our C2 traffic blended in with legitimate traffic, reducing the likelihood of detection by advanced endpoint detection and response (EDR) systems.

System Architecture Overview

Our C2 framework is composed of two main components:

• Backend – Cloudflare Worker with D1: The backend acts as the central command hub. It is built on Cloudflare Workers and uses Cloudflare D1 for persistence. We defined two obfuscated endpoints:
  • An Output Endpoint to store commands from the red team and receive execution results from targets.
  • A Polling Endpoint for compromised hosts to retrieve commands.
  Both endpoints use randomized, alphanumeric names and query parameters. This obfuscation minimizes static detection by security tools.
• Client – Reverse Shell: The reverse shell script is integrated into the malware payload running on the target system. It continuously polls the backend for commands, executes them on the host, and returns the actual output back to the server. The code employs advanced obfuscation techniques—such as dynamic string construction using mathematical operators—to hide sensitive details like URLs, endpoint paths, and identifiers.

Obfuscation Techniques

To reduce the risk of detection by signature-based scanners and behavior analysis systems, our implementation incorporates several layers of obfuscation:

• Mathematical Encoding: Instead of hardcoding critical strings, such as the base URL and endpoint names, these values are split into arrays of ASCII codes and dynamically reassembled using arithmetic functions. This method obscures static signatures and complicates reverse engineering.
• Randomized Naming: Commonly used terms (e.g., “command”, “target”) are replaced with randomized alphanumeric strings. For example, our query parameter might be labeled q8f2, while our endpoints are named /R3N4 and /S5K7. This randomization further hinders static analysis.
• Trusted Network Routing: All outbound communication is routed through Cloudflare’s network. Given that Cloudflare’s IP ranges are widely trusted, this makes the network traffic less likely to trigger alerts in security systems such as CrowdStrike.

High-Level Implementation Blueprint

The following pseudocode outlines our C2 system without revealing all technical details:

// Backend: Cloudflare Worker (TypeScript)
// (All identifiers, endpoints, and parameter names are randomized)
export interface Env { DB: D1Database; }
export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise {
    const url = new URL(request.url);
    const id = url.searchParams.get("q8f2") || "default";
    // Create obfuscated tables for commands and outputs.
    await env.DB.prepare(`CREATE TABLE IF NOT EXISTS "TABLE1" ( "q8f2" TEXT PRIMARY KEY, "COL1" TEXT );`).run();
    await env.DB.prepare(`CREATE TABLE IF NOT EXISTS "TABLE2" ( "q8f2" TEXT PRIMARY KEY, "COL2" TEXT );`).run();
    // Handle requests on two randomized endpoints:
    // 1. /R3N4: Stores commands (PUT), receives output (POST), and returns output (GET).
    // 2. /S5K7: Returns stored commands for polling (GET).
    // [Endpoint handling code here...]
  }
};
        

# Client: Reverse Shell (PowerShell pseudocode)
# Build strings dynamically from ASCII arrays using mathematical functions.
# Poll the obfuscated polling endpoint for commands.
while (true) {
    // Retrieve command from polling endpoint.
    // If a valid command is received:
    //    Execute the command on the target system.
    //    Capture and send back the actual output via the output endpoint.
    // Sleep for a randomized interval.
}
        

Integration into Malware

In a live engagement, the reverse shell script is embedded directly into the malware payload. Using techniques such as fileless execution and in-memory decryption, the payload is executed without leaving artifacts on disk. Moreover, because the network traffic is funneled through Cloudflare’s trusted infrastructure, it is less likely to be flagged by enterprise security tools.

This high-level blueprint offers a conceptual view of how a stealthy, cloud-based C2 system can be constructed while keeping critical implementation details confidential.

Conclusion

In this post, we explored a novel approach for building a stealthy C2 framework by repurposing Cloudflare Workers and D1. By leveraging advanced obfuscation techniques—including mathematical encoding, randomized naming, and dynamic string construction—we successfully designed a system for remote command execution and data exfiltration that minimizes detection risks. This blueprint serves as a foundation for further research and red team engagements, emphasizing the importance of innovative thinking in overcoming modern security challenges.

Thanks,
Anand