[Figure: Foxveil kill chain overview. Image: Cato CTRL]
A new and elusive malware loader has been discovered prowling the legitimate infrastructure of the web, abusing trusted services to sneak past enterprise defenses. In a new report, researchers at Cato CTRL have detailed the emergence of “Foxveil,” a previously undocumented threat that has been active since August 2025, using the reputation of Cloudflare, Netlify, and Discord to cloak its malicious activities.
The malware, named after “fox” strings found within its code, represents a modern evolution in initial access tactics, prioritizing stealth and legitimate cover over complex custom infrastructure.
Foxveil is designed to look like normal traffic. Instead of connecting to suspicious, unknown servers, it reaches out to platforms that organizations use every day. By hosting its payloads on Cloudflare Pages and Netlify, or hiding them in Discord attachments, the malware bypasses standard blocklists.
“Its operational advantage comes from blending into trusted cloud infrastructure while relying on in-memory shellcode execution and variant-specific injection and persistence techniques,” the report explains.
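The detection side of this, as an added example that is not from the Cato CTRL report: a small triage script that reads constructed proxy log lines and flags downloads from the trusted hosting services named above when the response is a binary payload or the client is not a normal browser. The log format, the hostnames and the user-agent strings are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real telemetry):
# timestamp  source-host  method  url  status  content-type  user-agent
SAMPLE_LOG = """\
2026-01-12T09:14:03Z host-17 GET https://example-site.pages.dev/ 200 text/html Mozilla/5.0
2026-01-12T09:14:09Z host-17 GET https://update-check.pages.dev/data.bin 200 application/octet-stream Mozilla/4.0
2026-01-12T09:15:41Z host-22 GET https://cdn.discordapp.com/attachments/1/2/stage2.dat 200 application/octet-stream python-requests/2.31
2026-01-12T09:16:02Z host-09 GET https://docs.netlify.app/guide.html 200 text/html Mozilla/5.0
2026-01-12T09:16:55Z host-09 GET https://static-pages.netlify.app/blob 200 application/x-msdownload curl/8.4.0
"""

# Hosting services the loader is reported to abuse; legitimate traffic to them is common,
# so the domain alone is never a verdict, only a reason to look at the rest of the request.
STAGING_DOMAINS = ("pages.dev", "netlify.app", "cdn.discordapp.com")
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
BROWSER_UA = re.compile(r"Mozilla/5\.0")  # crude but adequate for the sample


def parse_line(line):
    """Split one log line into a dict; the user-agent may contain spaces, so it absorbs the rest."""
    fields = line.split(maxsplit=6)
    if len(fields) != 7:
        return None
    ts, src, method, url, status, ctype, ua = fields
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": status, "ctype": ctype, "ua": ua}


def is_staging_domain(hostname):
    """Exact match or a subdomain of a watched service (avoids 'pages.dev.evil.example')."""
    return any(hostname == d or hostname.endswith("." + d) for d in STAGING_DOMAINS)


def find_suspicious(log_text):
    """Return (source-host, destination, reasons) for requests worth an analyst's attention."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlparse(rec["url"]).hostname or ""
        if not is_staging_domain(host):
            continue
        reasons = []
        if rec["ctype"] in BINARY_TYPES:
            reasons.append("binary-content")
        if not BROWSER_UA.search(rec["ua"]):
            reasons.append("non-browser-ua")
        if reasons:
            hits.append((rec["src"], host, reasons))
    return hits
```

On the sample above the two plain HTML page views pass and the three binary fetches by non-browser clients are returned, which is the signal a proxy blocklist built on domain reputation alone would miss.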
Once it establishes a foothold, it acts as a gatekeeper. “Foxveil behaves like a modern initial-stage loader: it establishes an initial foothold, frustrates analysis, and retrieves next-stage payloads from threat actor-controlled staging,” Cato CTRL researchers note.
To further complicate detection, Foxveil employs a clever trick to confuse security tools and analysts. The malware includes a routine that actively mutates specific keywords associated with hacking tools—such as “beacon” or “meterpreter”—rewriting them in memory to avoid static signature detection.
“We also observed a string-mutation routine that rewrites common analysis keywords, which can complicate static detection and reverse engineering,” the report states.
Following the discovery, Cato CTRL engaged in a responsible disclosure process, leading to the takedown of the malicious infrastructure. “Netlify confirmed on January 19, 2026 that the reported Netlify-hosted URLs had been taken down,” and Cloudflare followed suit shortly after.
By hiding behind the veil of legitimate cloud services, attackers continue to force security teams to inspect trusted traffic with unprecedented scrutiny.