Cache side-channel attacks pose a significant threat to the data security of multi-tenant public clouds. However, currently proposed defenses either lack transparency (requiring user involvement) or incur a significant performance penalty. This paper is motivated by our insightful observation for the behavior of cache side-channel attackers who employ rdtsc/rdtscp instructions for timing purposes. We have discerned a behavior pattern that enables comprehensive identification of potential attackers. Building upon this observation, we introduce TF -timer, which operates on the core principle of inspecting cache side-channel attacks using the pre-identified behavior pattern while obscuring the return values of rdtsc/rdtscp instructions. Our proposed technique preserves the properties of rdtsc/rdtscp, only blurring the attacker's timing to minimize the impact on other applications. We have implemented the prototype of TF-timer at the hypervisor layer. It is completely transparent to users and requires no hardware modifications. Our evaluation results demonstrate that TF -timer efficiently and precisely miti-gates cache side-channel attacks that exploit rdtsc/rdtscp for timing, with performance penalties within 1 %.