
Cloudflare Workers

Cloudflare's serverless platform whose legitimate traffic was exploited by UNC5221 as a BRICKSTORM command-and-control relay.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

How can you block BRICKSTORM malware if it hides behind Cloudflare's servers?

Timeline for Cloudflare Workers

#1 · 17 Apr: BRICKSTORM dwell hits 393 days, Mandiant (Cybersecurity: Threats and Defences)
Common Questions
How did Chinese hackers use Cloudflare to hide their malware?
UNC5221 used Cloudflare Workers as a command-and-control relay for the BRICKSTORM backdoor. Because Workers traffic originates from Cloudflare's trusted IP ranges over ordinary HTTPS, blocklist-based network defences cannot distinguish it from legitimate use of Cloudflare-fronted sites. Source: Mandiant M-Trends 2026

Background

UNC5221 abused Cloudflare Workers, Cloudflare's serverless computing platform, as a command-and-control relay for the BRICKSTORM backdoor, according to Mandiant's M-Trends 2026 report. Because Workers traffic arrives from Cloudflare's legitimate IP ranges over standard HTTPS, network blocklists built to filter known-malicious infrastructure see only ordinary cloud-platform traffic.

Cloudflare Workers is a serverless execution environment that runs JavaScript and WebAssembly at Cloudflare's network edge. Its legitimate uses include content delivery, API proxies and dynamic web applications. Its abuse as a C2 relay exploits the same properties that make it valuable: it is globally distributed, TLS-encrypted and served from IP space that is trusted almost everywhere and cannot be blocked at the network layer without also breaking the many legitimate sites fronted by Cloudflare. A Worker can be reached on a workers.dev hostname or on a custom domain the operator controls, so the hostname alone is not a reliable discriminator either.

For security operations and network defence teams, the abuse of Cloudflare Workers alongside Heroku in the same campaign illustrates why blocklist-based defences are increasingly insufficient against sophisticated state-linked actors. The practical response is visibility at the endpoint and at the egress point rather than filtering of Cloudflare IP ranges: process and persistence telemetry on the hosts BRICKSTORM runs on, and a per-host baseline of which Cloudflare-fronted hostnames (as seen in the TLS SNI or proxy CONNECT request) each server or appliance is expected to contact, so that a server talking to an unapproved Cloudflare-fronted host on a fixed schedule stands out.
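To make the point concrete, here is an added example (not code from Mandiant, Cloudflare or the BRICKSTORM reporting) that runs two verdicts over a constructed Zeek-style TLS log: an IP-range blocklist, which cuts off every Cloudflare-fronted site, and a behavioural hunt keyed on the TLS SNI, the contacting host's role and check-in regularity. The host names, roles, allowlist, vendor hostnames and the workers.dev subdomain are assumptions invented for the example; the Cloudflare ranges are a subset of the published list at https://www.cloudflare.com/ips/.

```python
"""Added example: hunting for C2 relayed through Cloudflare Workers in outbound TLS logs."""
import ipaddress
import statistics
from collections import defaultdict

# Subset of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips/).
# The list changes over time; a production job should fetch it rather than hard-code it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
    "162.158.0.0/15", "188.114.96.0/20", "198.41.128.0/17",
)]

# Hypothetical host inventory: only workstations are expected to reach arbitrary web sites.
HOST_ROLES = {"vcenter01": "appliance", "web-01": "server", "laptop-jdoe": "workstation"}

# Hypothetical allowlist of Cloudflare-fronted hostnames that servers and appliances may reach.
SERVER_ALLOWED_SNI = {"cdnjs.cloudflare.com", "status.example-vendor.com"}

# Constructed Zeek-style ssl.log excerpt: epoch ts, source host, destination IP, TLS SNI.
# The workers.dev hostname and the vendor/CDN names are invented for the example.
SAMPLE_SSL_LOG = """\
1713340000 laptop-jdoe 104.16.85.20  discord.com
1713340005 laptop-jdoe 104.16.85.20  discord.com
1713340010 web-01      104.17.25.14  cdnjs.cloudflare.com
1713340020 vcenter01   172.67.70.11  relay.quiet-frost-1a2b.workers.dev
1713340620 vcenter01   172.67.70.11  relay.quiet-frost-1a2b.workers.dev
1713341220 vcenter01   172.67.70.11  relay.quiet-frost-1a2b.workers.dev
1713341820 vcenter01   172.67.70.11  relay.quiet-frost-1a2b.workers.dev
1713342000 web-01      198.41.200.5  status.example-vendor.com
1713342100 web-01      104.18.3.9    files.unknown-cdn.example
1713342200 web-01      93.184.216.34 www.example.com
"""


def parse_ssl_log(text):
    """Parse the four-column log above into dicts; real Zeek logs are TSV with more fields."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, sni = line.split()
        conns.append({"ts": float(ts), "src": src, "dst": dst, "sni": sni.lower()})
    return conns


def is_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def ip_blocklist_verdict(conns):
    """What blocking Cloudflare's IP ranges would actually do: return every source host whose
    traffic it would cut. Legitimate CDN and SaaS users are hit alongside the relay."""
    return sorted({c["src"] for c in conns if is_cloudflare(c["dst"])})


def beacon_score(timestamps):
    """Coefficient of variation of inter-connection gaps; values near 0 mean clockwork check-ins.
    Returns None when there are too few connections to judge."""
    if len(timestamps) < 4:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None


def hunt(conns, max_jitter_cv=0.2):
    """Behavioural verdict: group Cloudflare-bound TLS by (source host, SNI) and flag
    workers.dev hostnames, unapproved hostnames from servers/appliances, and regular beacons."""
    groups = defaultdict(list)
    for c in conns:
        if is_cloudflare(c["dst"]):
            groups[(c["src"], c["sni"])].append(c["ts"])
    alerts = []
    for (src, sni), stamps in groups.items():
        role = HOST_ROLES.get(src, "unknown")
        reasons = []
        if sni.endswith(".workers.dev"):
            reasons.append("workers.dev hostname")
        if role in ("server", "appliance") and sni not in SERVER_ALLOWED_SNI:
            reasons.append(f"{role} contacting unapproved Cloudflare-fronted host")
        cv = beacon_score(sorted(stamps))
        if cv is not None and cv < max_jitter_cv:
            reasons.append(f"periodic check-ins (n={len(stamps)}, gap cv={cv:.2f})")
        if reasons:
            alerts.append({"src": src, "sni": sni, "role": role, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    conns = parse_ssl_log(SAMPLE_SSL_LOG)
    print("IP blocklist would cut off:", ip_blocklist_verdict(conns))
    for a in hunt(conns):
        print(f"ALERT {a['src']} ({a['role']}) -> {a['sni']}: {'; '.join(a['reasons'])}")
```

The blocklist verdict names the workstation and the web server as well as the appliance, which is the page's point: the IP range carries no signal. The workers.dev check is only a convenience, since a Worker can be bound to any custom domain the operator controls; the role-based allowlist and the beacon regularity are the checks that survive that evasion. Both depend on SNI or proxy CONNECT logging at the egress point, and Encrypted Client Hello, where deployed, hides the SNI as well, which is one more reason the endpoint telemetry the page calls for is not optional.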