Attackers can use the try.cloudflare.com service to get a subdomain on *.trycloudflare.com. The service works similarly to Ngrok and allows attackers to expose a local web server to the internet. Attackers abuse this functionality to expose malicious servers on a *.trycloudflare.com subdomain.
Command and Control
None
Exfiltration
None
Download
Malicious tools can be stored on an attacker's local web server. The local web server is then exposed to the internet on a *.trycloudflare.com subdomain and when the tools are needed, the link is used to download the tools.