stealthy c2 using cloudflare workers

disclaimer: this post is for educational and authorized red teaming purposes only. unauthorized use is unethical and illegal.

introduction

this blueprint shows how to build a stealthy c2 using cloudflare workers + d1 — blending into trusted infra and dodging detection.

system architecture overview

• backend – cloudflare worker & d1: randomized endpoints for polling & exfil; obfuscated table/query names
• client – reverse shell: polls backend, executes cmds, sends output; heavily obfuscated strings & routing

obfuscation techniques

• mathematical encoding: ascii arrays + arithmetic logic to dynamically build strings
• randomized naming: vars like command → q8f2; endpoints like /R3N4, /S5K7
• trusted routing: all traffic routed through cloudflare ip ranges — less likely to trigger alerts

high-level implementation blueprint

// backend: cloudflare worker (typescript)
export interface Env { DB: D1Database; }
export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise {
    const url = new URL(request.url);
    const id = url.searchParams.get("q8f2") || "default";
    await env.DB.prepare(`CREATE TABLE IF NOT EXISTS "TABLE1" ( "q8f2" TEXT PRIMARY KEY, "COL1" TEXT );`).run();
    await env.DB.prepare(`CREATE TABLE IF NOT EXISTS "TABLE2" ( "q8f2" TEXT PRIMARY KEY, "COL2" TEXT );`).run();
    // endpoints: /R3N4 and /S5K7
  }
};

# client: reverse shell (powershell pseudocode)
while (true) {
  // poll obfuscated endpoint
  // if cmd: execute, return output
  // sleep random interval
}

integration into malware

reverse shell is embedded into payload; fileless execution + memory-only logic; obfuscated strings + trusted routing = low detection.

conclusion

this method shows how cloudflare infra + obfuscation = stealthy, low-cost c2 for modern red teaming. creative tooling > traditional infra.