Attackers leverage Cloudflare tunnels to obscure malware distribution

Cybercriminals regularly abuse free services to host malware or to set up command-and-control (C2) infrastructure because they know connections to such services won’t raise suspicion inside networks. Such is the case with TryCloudflare.com, which was recently abused in a widespread campaign to deliver remote access trojans (RATs).

TryCloudflare is Cloudflare's free quick-tunnel feature: it lets a user expose a locally hosted service to the internet through Cloudflare's content delivery network, under a Cloudflare-assigned trycloudflare.com hostname, without registering a domain or an account. Because the resulting traffic is ordinary HTTPS to Cloudflare infrastructure, it blends in with legitimate CDN traffic. The recent campaigns, independently observed this year and reported this week by researchers from security firms Proofpoint and eSentire, involved phishing emails that led to the download of multiple malware families, including XWorm, VenomRAT, PureLogs Stealer, AsyncRAT, GuLoader and Remcos.
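A practical first check for this abuse is to hunt for lookups of quick-tunnel hostnames in DNS or proxy logs, since few corporate endpoints have a legitimate reason to resolve arbitrary subdomains of trycloudflare.com. The script below is an added example written for this article, not code from the article or from Proofpoint or eSentire; it assumes a constructed "timestamp hostname query domain" log format, and the sample log lines, hostnames and allowlist are made up for illustration. It matches on the dotted suffix so that look-alike domains and the bare apex are not flagged, and it allows known developer hosts to be excluded.

```python
"""Flag DNS/proxy lookups of TryCloudflare quick-tunnel hostnames in log lines."""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple

TUNNEL_SUFFIX = ".trycloudflare.com"

# Constructed sample log lines (assumed "timestamp hostname query domain" format;
# hostnames and domains are invented for this example, not taken from the article).
SAMPLE_LOG = """\
2024-08-01T09:12:03Z ws-fin-07 query example.com
2024-08-01T09:12:04Z ws-fin-07 query cdnjs.cloudflare.com
2024-08-01T09:12:09Z ws-fin-07 query invoice-portal-docs-view.trycloudflare.com
2024-08-01T09:13:41Z ws-hr-02 query QUIET-MEADOW-SOCKS-TABLE.TryCloudflare.com
2024-08-01T09:14:00Z dev-build-01 query my-local-app.trycloudflare.com
2024-08-01T09:15:22Z ws-fin-07 query nottrycloudflare.com
2024-08-01T09:16:02Z ws-fin-07 query trycloudflare.com.evil.example
2024-08-01T09:16:30Z ws-fin-07 query trycloudflare.com
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s*$")


class Hit(NamedTuple):
    ts: str
    host: str
    domain: str


def is_tunnel_hostname(domain: str) -> bool:
    """True only for labels beneath trycloudflare.com, i.e. a quick-tunnel hostname.

    Compares on the suffix including its leading dot, so look-alikes such as
    "nottrycloudflare.com" and "trycloudflare.com.evil.example" are not matched,
    and the bare apex is not treated as a tunnel hostname.
    """
    d = domain.lower().rstrip(".")
    return d.endswith(TUNNEL_SUFFIX) and len(d) > len(TUNNEL_SUFFIX)


def find_tunnel_lookups(log_text: str, allowlisted_hosts: Iterable[str] = ()) -> List[Hit]:
    """Return every well-formed log line whose queried domain is a tunnel hostname,
    skipping endpoints on the allowlist (e.g. developer machines that use tunnels)."""
    allow = {h.lower() for h in allowlisted_hosts}
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        ts, host, domain = m.groups()
        if host.lower() in allow:
            continue
        if is_tunnel_hostname(domain):
            hits.append(Hit(ts, host, domain.lower().rstrip(".")))
    return hits


def hits_per_host(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count flagged lookups per endpoint, the natural unit for triage."""
    return dict(Counter(h.host for h in hits))


if __name__ == "__main__":
    found = find_tunnel_lookups(SAMPLE_LOG, allowlisted_hosts={"dev-build-01"})
    for h in found:
        print(f"{h.ts} {h.host} -> {h.domain}")
    print(hits_per_host(found))
```

Run against the constructed sample, the scan flags two endpoints (ws-fin-07 and ws-hr-02) and ignores the allowlisted build host, the two look-alike domains and the apex. In a real deployment the same suffix check would sit in a SIEM query or DNS RPZ rule; the allowlist is the caveat, since tunnels are a legitimate developer tool and blocking the whole suffix may break workflows that should be reviewed rather than silently cut off.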

“Campaign message volumes range from hundreds to tens of thousands of messages impacting dozens to thousands of organizations globally,” researchers from Proofpoint wrote in their report. “In addition to English, researchers observed French, Spanish, and German language lures. […] Lure themes vary, but typically include business-relevant topics like invoices, document requests, package deliveries and taxes.”