{
  "website": "*.trycloudflare.com",
  "tags": [
    "Phishing",
    "Download"
  ],
  "service_provider": "Cloudflare",
  "phishing": "Attackers can use the try.cloudflare.com service to get a subdomain on *.trycloudflare.com. The service works similarly to Ngrok and allows attackers to expose a local web server to the internet. Attackers abuse this functionality to expose malicious servers on a *.trycloudflare.com subdomain.",
  "command_and_control": "None",
  "exfiltration": "None",
  "download": "Malicious tools can be stored on an attacker's local web server. The local web server is then exposed to the internet on a *.trycloudflare.com subdomain and when the tools are needed, the link is used to download the tools.",
  "sample_url": "https://www.hybrid-analysis.com/sample/9bffaa52ff450bad0bb52382766d03e77e84b25a200343a74581f3ecde48ab02/616f0ddce60c3a232b7b17cd",
  "created": "2021-11-13",
  "last_update": "2021-11-13",
  "credits": "Ryan Basden - @_rybaz",
  "detail_path": "/site/2a2e747279636c6f7564666c6172652e636f6d",
  "detail_slug": "2a2e747279636c6f7564666c6172652e636f6d",
  "detail_url": "https://lots-project.com/site/2a2e747279636c6f7564666c6172652e636f6d",
  "scraped_at": "2026-06-16T11:58:01Z"
}