
A new malware campaign has been discovered deploying AsyncRAT, a sophisticated remote access trojan, through Python payloads and TryCloudflare tunnels. According to Forcepoint X-Labs researcher Jyotika Singh, AsyncRAT utilizes async/await patterns for efficient, covert system control and data exfiltration.
The attack chain begins with a phishing email containing a Dropbox URL that downloads a ZIP archive. This archive includes an internet shortcut file leading to a Windows LNK file, while displaying a decoy PDF to victims. The campaign leverages TryCloudflare, a legitimate Cloudflare service, to retrieve the malicious LNK file through a dedicated subdomain.
The infection sequence proceeds through multiple stages:
– PowerShell execution of JavaScript code
– Deployment of a batch script
– Download of additional ZIP archives containing Python payloads
– Installation of multiple malware variants including AsyncRAT, Venom RAT, and XWorm
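As an added illustration from the defender's side (not part of the Forcepoint write-up or this article), the following Python sketch matches the staged chain above against constructed Sysmon-style process-creation and DNS events; the field names Image, ParentImage, CommandLine and QueryName follow Sysmon's schema, while the hostnames, paths and event contents are made-up placeholders.

```python
import re
from collections import defaultdict

TUNNEL_DNS = re.compile(r"\.trycloudflare\.com$", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\")  # applied to lowercased paths

# Ordered stages of the chain; a stage only counts once the previous one was
# seen on the same host, so a lone PowerShell launch is not flagged.
STAGES = [
    dict(name="powershell_from_explorer", parent="explorer.exe", image=("powershell.exe",)),
    dict(name="js_script_host", parent="powershell.exe", image=("wscript.exe", "cscript.exe")),
    dict(name="batch_script", image=("cmd.exe",), cmd=re.compile(r"\.bat\b", re.I)),
    dict(name="python_payload", image=("python.exe", "pythonw.exe"), path=USER_WRITABLE),
]

def stage_matches(stage, e):
    img = e.get("Image", "").lower()
    return (img.endswith(stage["image"])
            and e.get("ParentImage", "").lower().endswith(stage.get("parent", ""))
            and ("cmd" not in stage or stage["cmd"].search(e.get("CommandLine", "")) is not None)
            and ("path" not in stage or stage["path"].search(img) is not None))

def detect_chain(events, min_stages=3):
    """Map host -> ordered stage names (plus 'trycloudflare_dns') for hosts that
    reached min_stages, or any stage together with a TryCloudflare DNS lookup."""
    seen, tunnel = defaultdict(list), set()
    for e in events:
        host = e["Computer"]
        if e["EventID"] == 22 and TUNNEL_DNS.search(e.get("QueryName", "")):  # Sysmon DNS query
            tunnel.add(host)
        elif e["EventID"] == 1:                                                # Sysmon process create
            nxt = len(seen[host])
            if nxt < len(STAGES) and stage_matches(STAGES[nxt], e):
                seen[host].append(STAGES[nxt]["name"])
    return {h: s + (["trycloudflare_dns"] if h in tunnel else [])
            for h, s in seen.items() if len(s) >= min_stages or (s and h in tunnel)}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed Sysmon-like records, not real telemetry
    {"Computer": "WS-02", "EventID": 22, "QueryName": "placeholder-words.trycloudflare.com"},
    {"Computer": "WS-02", "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS},
    {"Computer": "WS-02", "EventID": 1, "ParentImage": PS, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": rf"wscript.exe {TMP}\stage.js"},
    {"Computer": "WS-02", "EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": rf"cmd.exe /c {TMP}\stage.bat"},
    {"Computer": "WS-02", "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": rf"{TMP}\py\pythonw.exe", "CommandLine": "pythonw.exe loader.py"},
    {"Computer": "WS-01", "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS},  # benign
]
```

Running `detect_chain(SAMPLE_EVENTS)` flags only WS-02 with all four stages plus the tunnel lookup; the single admin PowerShell launch on WS-01 stays quiet.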
This campaign coincides with an increase in sophisticated phishing attacks utilizing:
– Phishing-as-a-Service (PhaaS) toolkits
– Compromised vendor accounts
– Government domain exploitation
– Tax agency impersonation
– Spoofed Microsoft ADFS login pages
– Cloudflare Workers
– Advanced evasion techniques using zero-width joiners
The attackers effectively abuse legitimate services like Dropbox and Cloudflare to appear trustworthy, highlighting the evolving sophistication of modern cyber threats. Recent research also reveals potential exploitation of Zendesk’s infrastructure for similar malicious purposes, demonstrating the expanding scope of phishing attack vectors.