I actually wrote about malicious use of this very tool a year ago[0] (almost to the day). The only thing new here seems to be what they’re doing through the tunnels, and the apparent success they’re having with this method for it to increase as a proportion of their overall attack techniques.
TryCloudflare, IMO, is the real problem here. It doesn’t require an account at all, so attribution becomes nearly impossible.
0: https://www.guidepointsecurity.com/blog/tunnel-vision-cloudf...