Threat actors are actively abusing legitimate Cloudflare services, specifically Workers and Tunnels, to conduct adversary-in-the-middle (AiTM) phishing and distribute malware. By leveraging Cloudflare's trusted infrastructure and free tiers, attackers successfully bypass traditional security controls to deliver remote access trojans like Xeno RAT and XWorm RAT via obfuscated WebDAV connections.