In a significant finding, Forcepoint’s X-Labs research team has uncovered a new malware campaign that uses AsyncRAT, a notorious remote access trojan (RAT), along with Python scripting and TryCloudflare tunnels to deliver malicious payloads with enhanced stealth.
This campaign highlights an evolving trend of adversaries exploiting legitimate infrastructure to cloak their attacks, reinforcing predictions from recent cybersecurity insights.
AsyncRAT, known for its asynchronous communication capabilities, enables attackers to control compromised systems, exfiltrate sensitive data, and execute commands undetected.
In this campaign, adversaries utilize phishing emails, TryCloudflare URLs, and a series of chained obfuscated scripts to bypass security mechanisms and deliver their payload via Python-based modules.
The infection chain begins with a phishing email containing a Dropbox URL, which downloads a ZIP file.
This ZIP file includes an internet shortcut file (.URL) that redirects to a malicious TryCloudflare-hosted link.
The attack progresses through various stages:
load.py
) executes malicious shellcode contained in accompanying .BIN files. The Python script (load.py
) is at the heart of the campaign’s payload delivery mechanism.
It leverages the ctypes
library for functions like memory allocation, process creation, and code injection.
The attackers employ the “Early Bird APC Queue” injection technique, a sophisticated method that allows malicious code execution during the initialization phase of legitimate processes, thereby evading detection by traditional endpoint security solutions.
The payload communicates with its command-and-control (C2) servers at IP addresses such as 62.60.190.141
, operating over non-standard ports like 3232 and 4056.
These C2 channels facilitate data exfiltration and remote command execution, completing the attacker’s control over the infected host.
This campaign demonstrates how malicious actors weaponize legitimate platforms like Dropbox and TryCloudflare to create low-cost, high-efficacy attack chains.
By employing multiple layers of obfuscation, legitimate-looking files, and trusted infrastructure, the attackers effectively bypass traditional defenses.
ForcePoint research underscores the importance of multi-layered defenses and proactive threat intelligence.
As attacks leveraging low-cost, open infrastructure grow in sophistication, organizations must adopt advanced detection and mitigation techniques to stay ahead of emerging threats.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…