An active campaign abuses Cloudflare Workers and Cloudflare R2 storage to stage multi-layer malware delivered via WeTransfer links, using steganography to hide payloads inside JPEG files and WMI-spawned PowerShell to evade endpoint monitoring. The attack establishes persistence via a trojanized .NET Task Scheduler library. No CVE is assigned; this is a detection and policy challenge, not a vendor vulnerability. Organizations whose security controls rely on Cloudflare domain reputation or file-type inspection at the perimeter face the highest exposure.