Attackers can use the try.cloudflare.com service to get a subdomain on *.trycloudflare.com. The service works similarly to Ngrok and allows attackers to expose a local web server to the internet. Attackers abuse this functionality to expose malicious servers on a *.trycloudflare.com subdomain.
Command and Control
Malicious tools can be stored on an attacker's local web server. The local web server is then exposed to the internet on a *.trycloudflare.com subdomain and when the tools are needed, the link is used to download the tools.