Cyber Security News

AsyncRAT Abusing Python and TryCloudflare For Stealthy Malware Delivery

In a significant finding, Forcepoint’s X-Labs research team has uncovered a new malware campaign that uses AsyncRAT, a notorious remote access trojan (RAT), along with Python scripting and TryCloudflare tunnels to deliver malicious payloads with enhanced stealth.

This campaign highlights an evolving trend of adversaries exploiting legitimate infrastructure to cloak their attacks, reinforcing predictions from recent cybersecurity insights.

AsyncRAT, known for its asynchronous communication capabilities, enables attackers to control compromised systems, exfiltrate sensitive data, and execute commands undetected.

In this campaign, adversaries utilize phishing emails, TryCloudflare URLs, and a series of chained obfuscated scripts to bypass security mechanisms and deliver their payload via Python-based modules.

AsyncRAT phishing email

Decoding Complexity

The infection chain begins with a phishing email containing a Dropbox URL, which downloads a ZIP file.

This ZIP file includes an internet shortcut file (.URL) that redirects to a malicious TryCloudflare-hosted link.

Actual malicious files

The attack progresses through various stages:

  1. URL File: The .URL shortcut leads to an .LNK file hosted on a TryCloudflare directory.
  2. LNK & JavaScript: The .LNK file triggers PowerShell scripts to download a highly obfuscated JavaScript (.JS) file.
  3. Batch File: The .BAT file uses PowerShell commands to download another ZIP file containing a Python script and other components.
  4. Python Script: The extracted Python script (load.py) executes malicious shellcode contained in accompanying .BIN files.

Python’s Role and Early Bird Injection

The Python script (load.py) is at the heart of the campaign’s payload delivery mechanism.

It leverages the ctypes library for functions like memory allocation, process creation, and code injection.

The attackers employ the “Early Bird APC Queue” injection technique, a sophisticated method that allows malicious code execution during the initialization phase of legitimate processes, thereby evading detection by traditional endpoint security solutions.

The payload communicates with its command-and-control (C2) servers at IP addresses such as 62.60.190.141, operating over non-standard ports like 3232 and 4056.

These C2 channels facilitate data exfiltration and remote command execution, completing the attacker’s control over the infected host.

This campaign demonstrates how malicious actors weaponize legitimate platforms like Dropbox and TryCloudflare to create low-cost, high-efficacy attack chains.

By employing multiple layers of obfuscation, legitimate-looking files, and trusted infrastructure, the attackers effectively bypass traditional defenses.

ForcePoint research underscores the importance of multi-layered defenses and proactive threat intelligence.

As attacks leveraging low-cost, open infrastructure grow in sophistication, organizations must adopt advanced detection and mitigation techniques to stay ahead of emerging threats.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Hackers Exploiting Exposed Jupyter Notebooks to Deploy Cryptominers

Cado Security Labs has identified a sophisticated cryptomining campaign exploiting misconfigured Jupyter Notebooks, targeting both…

1 day ago

AWS SNS Exploited for Data Exfiltration and Phishing Attacks

Amazon Web Services' Simple Notification Service (AWS SNS) is a versatile cloud-based pub/sub service that…

1 day ago

Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware

A recent alert from the Akamai Security Intelligence and Response Team (SIRT) has highlighted the…

1 day ago

Cisco Warns of Critical IOS XR Vulnerability Enabling DoS Attacks

Cisco has issued a security advisory warning of a vulnerability in its IOS XR Software…

1 day ago

DeepSeek R1 Jailbreaked to Create Malware, Including Keyloggers and Ransomware

The increasing popularity of generative artificial intelligence (GenAI) tools, such as OpenAI’s ChatGPT and Google’s…

1 day ago

New Context Compliance Exploit Jailbreaks Major AI Models

Microsoft researchers have uncovered a surprisingly straightforward method that can bypass safety guardrails in most…

1 day ago