Government Backed Hackers Abuse Cloudflare in Malaysian Espionage Campaign

Government-backed hackers abused Cloudflare storage services in a Malaysian espionage campaign that relied on hidden C2 systems and data exfiltration.

A campaign linked to a suspected Malaysian government operation has been using hidden command and control infrastructure for years, according to new findings from Oasis Security. Researchers said the activity points to a long-running espionage effort that stayed active by masking backend systems and limiting exposure to public scanning tools.

The operation appears carefully maintained, with infrastructure designed to avoid visibility while supporting targeted surveillance activity. Oasis Security said the infrastructure contains links to government related networks in Malaysia and shows patterns commonly associated with state-backed online operations.

The report explains how the operators manage command and control servers in ways that reduce the chance of detection. Some systems respond differently depending on who connects to them, while others remain inaccessible unless contacted through specific paths or protocols. That setup made the servers difficult to identify through standard internet scans.

Researchers also found signs that the infrastructure has remained active for several years. Historical records and server behavior suggest the systems are regularly rotated, repurposed, and maintained instead of being abandoned after short campaigns.

While the exact targets were not fully disclosed, the activity appears focused on intelligence gathering. Oasis Security also noted overlaps with infrastructure patterns previously connected to regional cyber espionage activity. The company stopped short of publicly naming individual operators but said the evidence aligns with tactics seen in government-sponsored surveillance campaigns.

At the same time, researchers reported that threat actors are abusing Cloudflare’s storage and content delivery services to host malicious payloads and phishing material. According to the report, attackers benefit from the trust attached to widely used cloud platforms because traffic from those providers is less likely to trigger alerts.

Files hosted through well-known services can often pass basic filtering checks, especially in companies where blocking providers like Cloudflare would interrupt normal operations. Researchers found several cases where malware archives and phishing pages were uploaded to cloud storage services and distributed through links that appeared legitimate to users.

One of the exfiltrated files transferred to attacker-controlled Cloudflare storage (Image via: Oasis Security)

The report also found that threat actors are moving away from maintaining permanent infrastructure. Many groups now use temporary storage buckets, CDN-linked domains, and short-term hosting services that can be replaced within minutes if taken down. That approach lowers operating costs and allows campaigns to continue with minimal disruption.

For organizations monitoring suspicious traffic, trusted cloud platforms create a difficult problem. Harmful files become harder to spot when they are delivered through services employees use every day. Researchers said companies need stronger behavior-based monitoring and closer inspection of outbound connections instead of depending only on domain reputation checks.
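The recommendation above is concrete enough to illustrate. The script below is an added example written for this article; it is not code from Oasis Security or from the report. It runs a reputation-only check and a behaviour-based check over the same proxy log lines and shows why the first passes traffic that the second flags: uploads to a "trusted" storage host are allowed by the domain allow-list, but aggregating outbound PUT/POST volume per internal source and destination surfaces the bulk transfer. The log format, the hostnames (`*.storage-provider.test`, `*.corp-intranet.test`), the IP addresses and the thresholds are all constructed or assumed for the example.

```python
"""Behaviour-based review of outbound traffic to trusted cloud storage.

Added example, not code from the article or from Oasis Security. It
parses proxy log lines (format and hostnames constructed for this
example) and compares two approaches: a domain-reputation allow-list
and an aggregation of upload volume per (source, destination).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed proxy log: timestamp, source IP, method, host, path, bytes sent.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z 10.0.4.21 GET  docs.corp-intranet.test /index.html 512
2024-05-01T08:03:40Z 10.0.4.21 GET  assets.cdn-provider.test /app.js 311
2024-05-01T08:05:02Z 10.0.4.37 POST mail.corp-intranet.test /send 9800
2024-05-01T08:07:15Z 10.0.4.21 PUT  bucket-91f3.storage-provider.test /q3-plans.7z 48234112
2024-05-01T08:07:18Z 10.0.4.21 PUT  bucket-91f3.storage-provider.test /hr-export.7z 22118400
2024-05-01T08:09:44Z 10.0.4.50 GET  bucket-91f3.storage-provider.test /logo.png 1402
2024-05-01T08:11:03Z 10.0.4.37 PUT  bucket-91f3.storage-provider.test /notes.txt 2048
"""

# Reputation-style allow-list (constructed domains standing in for widely
# used providers and internal services). A pure reputation check trusts all of these.
TRUSTED_SUFFIXES = (".storage-provider.test", ".cdn-provider.test", ".corp-intranet.test")

# Subset of trusted hosts that accept arbitrary uploads; behaviour is tracked here.
CLOUD_STORAGE_SUFFIXES = (".storage-provider.test",)

# Behavioural thresholds (assumed values; tune to the environment's baseline).
UPLOAD_BYTES_THRESHOLD = 10 * 1024 * 1024   # 10 MiB uploaded per source/host in the window
UPLOAD_COUNT_THRESHOLD = 2                  # or this many upload requests


@dataclass
class LogEntry:
    ts: str
    src: str
    method: str
    host: str
    path: str
    bytes_out: int


def parse_log(text):
    """Parse whitespace-separated log lines into LogEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path, size = line.split()
        entries.append(LogEntry(ts, src, method, host, path, int(size)))
    return entries


def is_trusted(host):
    return host.endswith(TRUSTED_SUFFIXES)


def reputation_only(entries):
    """Domain-reputation check: flags only hosts outside the allow-list.

    Returns the sorted set of untrusted hosts. For the sample log this is
    empty, because every destination is on the allow-list.
    """
    return sorted({e.host for e in entries if not is_trusted(e.host)})


def behaviour_alerts(entries):
    """Aggregate PUT/POST bytes per (source, cloud-storage host) and flag
    sources whose upload volume or request count exceeds the thresholds,
    regardless of the destination's reputation."""
    uploads = defaultdict(lambda: {"bytes": 0, "count": 0, "paths": []})
    for e in entries:
        if e.method in ("PUT", "POST") and e.host.endswith(CLOUD_STORAGE_SUFFIXES):
            agg = uploads[(e.src, e.host)]
            agg["bytes"] += e.bytes_out
            agg["count"] += 1
            agg["paths"].append(e.path)

    alerts = []
    for (src, host), agg in sorted(uploads.items()):
        if agg["bytes"] >= UPLOAD_BYTES_THRESHOLD or agg["count"] >= UPLOAD_COUNT_THRESHOLD:
            alerts.append({"src": src, "host": host, "bytes": agg["bytes"],
                           "count": agg["count"], "paths": agg["paths"]})
    return alerts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("reputation-only findings:", reputation_only(entries))
    for a in behaviour_alerts(entries):
        print(f"ALERT {a['src']} -> {a['host']}: {a['bytes']} bytes in "
              f"{a['count']} uploads: {', '.join(a['paths'])}")
```

In the constructed log, every destination passes the reputation check, while the behavioural pass flags the one internal host that pushed two large archives to a storage bucket within seconds. A real deployment would baseline normal upload volume per user and per destination rather than rely on fixed thresholds, and would add the first-seen bucket hostname as a second signal.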

Taken together, both findings point to the same trend in modern cyber operations. Espionage groups and financially motivated attackers are increasingly using infrastructure that blends into normal internet traffic. Public cloud services, restricted-access systems, and selectively exposed servers give operators more time to stay active before the activity is noticed.

(Photo by Heather Green on Unsplash)

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cybersecurity and tech world. I am also into gaming, reading and investigative journalism.