
Cloudflare Workers
Cloudflare's serverless platform whose legitimate traffic was exploited by UNC5221 as a BRICKSTORM command-and-control relay.
Last refreshed: 15 May 2026 · Appears in 2 active topics
How can you block BRICKSTORM malware if it hides behind Cloudflare's servers?
Timeline for Cloudflare Workers
Cut 1,100 employees on record revenue while citing 600% internal AI usage increase
AI: Jobs, Power & Money: Cloudflare cuts 1,100 on record revenue, cites AI surgeMentioned in: Upwork kills 25% of staff, declares team model dead
AI: Jobs, Power & MoneyMentioned in: PayPal phases 4,760 cuts to sidestep WARN Act
AI: Jobs, Power & MoneyBRICKSTORM dwell hits 393 days, Mandiant
Cybersecurity: Threats and DefencesHow did Chinese hackers use Cloudflare to hide their malware?
What is Cloudflare Workers and how does it differ from AWS Lambda?
How did hackers abuse Cloudflare Workers for command and control?
Background
UNC5221 abused Cloudflare Workers, Cloudflare's serverless computing platform, as a command-and-control relay for the BRICKSTORM backdoor, according to Mandiant's M-Trends 2026 report. Because Workers generates traffic from Cloudflare's legitimate IP ranges and uses standard HTTPS, network-based blocklists designed to filter known-malicious infrastructure see normal cloud platform traffic.
Cloudflare Workers is a serverless execution environment that runs JavaScript and WebAssembly at the network edge. Its legitimate uses include content delivery, API proxies, and dynamic web applications. Its abuse as a C2 relay exploits the same properties that make it valuable: globally distributed, TLS-encrypted, originating from an IP space that is virtually impossible to block without disrupting legitimate traffic.
For security operations teams, the abuse of Cloudflare Workers alongside Heroku in the same campaign illustrates why blocklist-based defences are increasingly insufficient against sophisticated state-linked actors. The defensive response requires endpoint-level visibility into BRICKSTORM's process behaviour, not network-level filtering of Cloudflare IP ranges. The parent company, Cloudflare, cut 1,100 jobs (20% of workforce) in May 2026 on record quarterly revenue, citing a 600% internal AI usage surge — the platform itself is unaffected.