What starting position does this attack require?

The first step is Pipe to attacker-controlled endpoint (T1041) — a exfiltration primitive. Assumed environment: target operates a high-traffic site fronted by Cloudflare.

What is the final impact of this kill-chain?

The final step lands on Deploy attacker Cloudflare Worker (CDN-WORKER-COMPROMISE), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

Cloudflare account compromise → Worker rewrite → mass cred theft

Phish a Cloudflare account belonging to a popular site operator. Deploy a Worker that injects JS into every response — captures form posts (logins, payments) for the duration the operator doesn't notice.

Filed by AD Knowledge BasePublished 2026-05-27

§ Kill-chainDrag · zoom · scroll

Exfiltration

Pipe to attacker-controlled endpoint

T1041 · Exfiltration Over C2 Channel

Defense Evasion

Remove Worker before detection

T1070 · Indicator Removal

Impact

Worker injects JS into responses

W-XSS-STORED · Stored XSS

Initial Access

Phish Cloudflare admin credential / token

PH-AITM-EVILGINX · AITM Phishing — Evilginx / Modlishka

Collection

Capture form posts (logins, payments)

T1056 · Input Capture

Initial Access

Deploy attacker Cloudflare Worker

CDN-WORKER-COMPROMISE · Cloudflare Worker / Edge Function Compromise

§ Context

Assumed environment: target operates a high-traffic site fronted by Cloudflare. Cloudflare account has no hardware-key MFA / API token has Worker scope.

§ Steps

01
Pipe to attacker-controlled endpointExfiltration
T1041— Exfiltration Over C2 Channel
02
Remove Worker before detectionDefense Evasion
T1070— Indicator Removal
03
Worker injects JS into responsesImpact
W-XSS-STORED— Stored XSS
04
Phish Cloudflare admin credential / tokenInitial Access
PH-AITM-EVILGINX— AITM Phishing — Evilginx / Modlishka
05
Capture form posts (logins, payments)Collection
T1056— Input Capture
06
Deploy attacker Cloudflare WorkerInitial Access
CDN-WORKER-COMPROMISE— Cloudflare Worker / Edge Function Compromise

§ References

§ Frequently asked

What is the "Cloudflare account compromise → Worker rewrite → mass cred theft" attack path?: Phish a Cloudflare account belonging to a popular site operator. Deploy a Worker that injects JS into every response — captures form posts (logins, payments) for the duration the operator doesn't notice. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Pipe to attacker-controlled endpoint (T1041) — a exfiltration primitive. Assumed environment: target operates a high-traffic site fronted by Cloudflare.
What is the final impact of this kill-chain?: The final step lands on Deploy attacker Cloudflare Worker (CDN-WORKER-COMPROMISE), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Cloudflare account compromise → Worker rewrite → mass cred theft

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)

MITM unencrypted RTP → call eavesdropping