
AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again


AsyncRAT is a remote access trojan (RAT) that uses the async/await pattern for efficient, asynchronous communication. It allows attackers to control infected systems stealthily, exfiltrate data and execute commands while remaining hidden, making it a significant cyberthreat.

The Forcepoint X-Labs research team recently identified another AsyncRAT malware campaign that leverages malicious payloads delivered through suspicious TryCloudflare quick tunnels and Python packages. This campaign bears similarities to the attack we discovered and analysed back in August. This blog serves as a continuation of our earlier findings, offering deeper insights into this evolving threat.

The use of TryCloudflare in this campaign reinforces our X-Labs prediction from the 2025 Future Insights series, which anticipated that legitimate infrastructure would be exploited in malicious campaigns.

This campaign begins with a phishing email containing a Dropbox URL. When the recipient clicks the link, a ZIP file is downloaded. This file contains an internet shortcut (.URL) file. Opening it downloads multiple malware payloads in the background while the user is distracted by a legitimate-looking PDF.

Let’s examine these malicious files to understand them at a deeper level. 

As described above, the URL downloads a ZIP file containing an internet shortcut (.URL) file. That file leads to a .LNK file, which in turn leads to a JavaScript file. The JS file fetches a .BAT file hosting malicious content that ultimately delivers another ZIP file. This second ZIP file contains the Python script used to execute the AsyncRAT malware.

Fig. 1 - AsyncRAT attack chain

Here’s a look at the phishing email:

Fig. 2 - AsyncRAT phishing email

The ‘Rechnung herunterladen’ (Download invoice) button hides the Dropbox URL (hxxps[:]//dl[.]dropboxusercontent[.]com/scl/fi/7j2004fcny2crqxfl4qfj/R000193294-672PDF[.]zip) that downloads the first ZIP file. This ZIP file contains the .URL file, an internet shortcut.

Stage 1: .URL analysis

Analysing the content of the file, we found that it embeds a TryCloudflare URL.

Fig. 3 - Internet shortcut file

The string ‘URL=file[:]//inventory-card-thumbzilla-ip[.]trycloudflare[.]com@SSL/DavWWWRoot/DE’ can be seen in the file. The @SSL and DavWWWRoot components are the Windows WebDAV client's notation for an HTTPS WebDAV share, so opening the shortcut makes Explorer mount the TryCloudflare host as a remote directory. That directory stores an .LNK file.
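As an added defensive check (not code from the original post or from Forcepoint's products), the following Python parses an internet shortcut file and flags the combination seen in this stage: a file:// URL, the @SSL/DavWWWRoot WebDAV notation, and a host under trycloudflare.com. The two sample .URL bodies, the tunnel subdomain inside them and the finding labels are constructed for this example; the regex also accepts the \\host@SSL@port UNC spelling, which this campaign does not use.

```python
import re
from urllib.parse import urlparse

# Quick-tunnel services hand out throwaway subdomains; a mailed shortcut
# pointing at one is rarely legitimate.
TUNNEL_SUFFIXES = (".trycloudflare.com",)

# Windows WebDAV mini-redirector notation: "host@SSL" means connect over HTTPS
# (optionally "@SSL@port") and "DavWWWRoot" names the WebDAV root. Matches the
# file:// spelling used in this campaign as well as the \\UNC spelling.
WEBDAV_RE = re.compile(
    r"^(?:file:/{2,}|\\\\)(?P<host>[A-Za-z0-9.-]+)(?P<ssl>@ssl)?(?:@\d+)?[\\/]+(?P<path>.*)$",
    re.IGNORECASE,
)


def parse_url_file(text):
    """Return the key/value pairs of the [InternetShortcut] section of a .URL file."""
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def assess_url_file(text):
    """Classify a .URL body; 'suspicious' is set when two or more findings coincide."""
    url = parse_url_file(text).get("url", "")
    findings = []
    match = WEBDAV_RE.match(url)
    if match:
        host = match.group("host").lower()
        findings.append("remote-file-scheme")
        if match.group("ssl") or "davwwwroot" in match.group("path").lower():
            findings.append("webdav-share")
    else:
        host = (urlparse(url).hostname or "").lower()
    if host.endswith(TUNNEL_SUFFIXES):
        findings.append("quick-tunnel-host")
    return {"url": url, "host": host, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed samples: the tunnel subdomain below is made up for this example.
SAMPLE_MALICIOUS = (
    "[InternetShortcut]\r\n"
    "URL=file://example-words-abcd.trycloudflare.com@SSL/DavWWWRoot/DE\r\n"
    "IDList=\r\n"
)
SAMPLE_BENIGN = "[InternetShortcut]\r\nURL=https://www.example.com/docs/\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        print(assess_url_file(sample))
```

A mail gateway or EDR rule can apply the same logic to every .URL extracted from an archive attachment: a file:// scheme on its own is unusual but not conclusive, whereas file:// combined with the WebDAV notation or a quick-tunnel host is the pattern this campaign relies on.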

Fig. 4 - .LNK file hosted on TryCloudflare subdomain

Stage 2: .LNK analysis

Fig. 5 - .LNK file with path to JavaScript file

When a user clicks the .LNK file, it triggers PowerShell to download a JavaScript file from the same TryCloudflare tunnel, using another directory on the same site.

Fig. 6 - .BAT and JS file hosted on same TryCloudflare site

Stage 3: .JS analysis

After deobfuscating the JavaScript file, we get the following code. This JS file then downloads the BAT file from the same TryCloudflare tunnel.

Fig. 7 - Deobfuscated JS file with link to .BAT file

Stage 4: BAT analysis

The .BAT file is heavily obfuscated and uses PowerShell to download a ZIP file containing a Python package. The PowerShell "Invoke-WebRequest" cmdlet is used to download a large Python package containing malicious .py scripts.

Additionally, it downloads a legitimate-looking PDF file to mask its activity, displaying the fake invoice PDF to deceive the victim.

This .BAT file also reveals every step of the payload delivery process:

1- Open the PDF file in the default browser

2- Set URLs and destination paths

3- Download the ZIP file

4- Extract the ZIP file

5- Check if python.exe is accessible

6- Navigate to the Python folder and run the Python scripts

7- Process all .bin files in the extracted folder

8- Download a.txt file

 

Fig. 8 - Heavily obfuscated .BAT file

Fig. 9 - Deobfuscated .BAT file

Fig. 10 - Deobfuscated .BAT file (cont.)

Fig. 11 - Fake PDF file used for distraction

Stage 5: .PY analysis

The BAT file downloads a ZIP file (ma.zip) containing a large folder with multiple subfolders and .bin, .py and .exe files. Most of these files, however, belong to a standard Python setup: bundling the interpreter lets the attackers run malicious Python code even if Python is not installed locally.

In fact, only the load.py file and the five .bin files are malicious.

Fig. 12 - All files in ma.zip file

Fig. 13 - Actual malicious files

The load.py file is Base64-encoded; after decoding it we get the full code. The script's main objective is to iterate over each .bin file, which stores shellcode, and each .bin carries a different malware family.

The Python file imports the ctypes library, a foreign function library for Python that provides C-compatible data types and allows calling functions in DLLs or shared libraries.

It also uses the following functions (kk is the alias under which the script imports ctypes) for these respective purposes:

  • kk.windll.kernel32.VirtualAlloc(): Reserves and commits a region of memory in the calling process and sets its protection; allocations are made in chunks of at least one page.
  • kk.windll.kernel32.CreateThread() (after setting its argtypes): Creates a thread that executes within the virtual address space of the calling process.
  • kk.windll.kernel32.RtlMoveMemory(): Copies the contents of a source memory block to a destination memory block; source and destination may overlap.
  • kk.windll.kernel32.WaitForSingleObject(): Checks the current state of the specified object. If the object is non-signalled, the calling thread waits until it is signalled or the time-out interval elapses.
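As an added triage example (not code from the original post or from Forcepoint), the following Python scores a decoded .py file for the loader pattern described above: ctypes resolving VirtualAlloc, RtlMoveMemory, CreateThread and WaitForSingleObject from kernel32, alongside Base64 decoding and reads of .bin files. The weights, thresholds and the two sample sources are constructed for this example; the first sample only references the API names the post lists and does not implement a loader.

```python
import re

# The Win32 APIs load.py resolves through ctypes. Together they form the
# allocate / copy / run-thread / wait sequence of a classic shellcode loader.
INJECTION_APIS = ("VirtualAlloc", "RtlMoveMemory", "CreateThread", "WaitForSingleObject")
API_RE = re.compile(r"\bwindll\.kernel32\.(" + "|".join(INJECTION_APIS) + r")\b")

# Weaker signals that raise confidence when they appear alongside the APIs.
EXTRA_SIGNALS = {
    "base64-decode": re.compile(r"\bb64decode\s*\("),
    "reads-bin-files": re.compile(r"\.bin\b"),
    "dynamic-exec": re.compile(r"\b(?:exec|eval)\s*\("),
}


def scan_python_source(source):
    """Score a Python source text for the loader pattern; higher is more suspicious."""
    apis = sorted(set(API_RE.findall(source)))
    signals = [name for name, rx in EXTRA_SIGNALS.items() if rx.search(source)]
    score = 2 * len(apis) + len(signals)
    if len(apis) == len(INJECTION_APIS):
        score += 2  # the complete quartet is a much stronger signal than any one call
    if score >= 8:
        verdict = "likely shellcode loader"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"apis": apis, "signals": signals, "score": score, "verdict": verdict}


# Constructed sample: mirrors the API references found in load.py without
# allocating, copying or executing anything.
SAMPLE_LOADER = """import ctypes as kk, base64, glob
va = kk.windll.kernel32.VirtualAlloc
rm = kk.windll.kernel32.RtlMoveMemory
ct = kk.windll.kernel32.CreateThread
wf = kk.windll.kernel32.WaitForSingleObject
for name in glob.glob("*.bin"):
    blob = base64.b64decode(open(name, "rb").read())
"""

# Constructed sample: an ordinary helper that should score as clean.
SAMPLE_BENIGN = """import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LOADER, SAMPLE_BENIGN):
        print(scan_python_source(sample))
```

Because load.py ships Base64-encoded, run the scan on the decoded text (or on every .py in the extracted package); a bundled, otherwise standard Python distribution in which a single script hits the full API quartet is exactly the shape of ma.zip described above.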

Fig. 14 - Obfuscated load.py file

Fig. 15 - Deobfuscated load.py file

Process injection is performed by injecting shellcode via the Early Bird APC queue technique. Early Bird injection creates a new process and queues code into it before the main thread starts executing. A key benefit of this method over ordinary APC queue injection is that the malicious behaviour occurs early in the process initialisation phase, increasing the possibility that some AV/EDR hooks will not detect it.

The payload.bin file injects VenomRAT shellcode into a legitimate notepad.exe process and xr.bin injects XWorm shellcode, while all the others inject AsyncRAT shellcode into a legitimate explorer.exe process.

Fig. 16 - Execution of load.py with an.bin

Fig. 17 - Execution of load.py with pay.bin

Fig. 18 - Execution of load.py with payload.bin

Fig. 19 - Execution of load.py with ve.bin

Fig. 20 - Execution of load.py with xr.bin.

The malware communicates with the same C2 server over different port numbers, such as 62.60.190.141:3232 and 62.60.190.141:4056.

Conclusion:

This AsyncRAT campaign has again shown how attackers can turn legitimate infrastructure such as Dropbox URLs and TryCloudflare to their advantage. Payloads are downloaded through Dropbox URLs and temporary TryCloudflare tunnels, tricking recipients into trusting them.

The campaign employs a multi-step process to evade detection: executing an LNK file, then running a JS file, then downloading an obfuscated BAT file that retrieves and extracts the malicious Python scripts. While this runs in the background, the user is distracted by a fake invoice PDF.

Looking ahead, we anticipate a rise in similar attacks leveraging low-cost infrastructure to deliver infostealers and Remote Access Trojans.

Protection statement:

Forcepoint customers are protected against this threat at the following stages of attack:

  • Stage 2 (Lure) – Malicious attachments associated with these attacks are identified and blocked.
  • Stage 3 (Redirect) – URLs that download further payloads are blocked.
  • Stage 5 (Dropper File) – The dropper files are added to the Forcepoint malicious database and blocked.
  • Stage 6 (Call Home) – C2 servers are categorised under a security category and blocked.

NGFW protection statement  

  • NGFW versions: all
  • Key aspects of the AsyncRAT remote access trojan are terminated by the Forcepoint NGFW when inspection and decryption are enabled:
    • LNK files are terminated with File-Binary_Windows-LNK-File-Transfer in the default inspection templates since dynup 1092 (last updated in 2018)
    • PowerShell user agent connections are terminated in the default inspection templates since dynup 1411 (last updated in 2021)
    • PowerShell connections can be terminated if ECA is enabled on the Windows host

IOCs

Malicious URLs:

hxxps[:]//inventory-card-thumbzilla-ip[.]trycloudflare[.]com/DE/

hxxps[:]//mercy-synopsis-notify-motels[.]trycloudflare[.]com/ma[.]zip

hxxp[:]//sufficiently-points-est-minimize[.]trycloudflare[.]com/ma[.]zip

C2s: 

62.60.190.141

62.60.190.196

Hashes:

  • zip: 55724b766dd1fe8bf9dd4cb7094b83b88d57d945
  • url: 4483561a49791a7cd684258e9f1623fe7dfba772
  • lnk: 0aa1b8fba8d7bd19a0064edfdf86c027da253644
  • js: 659ecdeb19b8e49be61fe41e8796d1215272b16e
  • bat: cd61de9e4003ba568ae76f064935addb106a6d6d
  • zip: 0221ec304905a758d9b47d6a631622b7dcf3c1f5
  • py: 4747ee49bdf31351c025049d8c3b7fef831be77c
  • bin: 8ef36a4865f4a73a4e8fe4b90e5eff4a7feb3647
  • bin: ae1dece09c2b627d8d3fe1c1f758db9ca6d5820c
  • bin: 8dc9071a46a019547c8355a155d9c3c3b154e7a2
  • bin: 098c369c904e8c328df40062190aff009e02d369
  • bin: ff6186eef1c17a2668c6013d38fecead4f507556
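As an added detection example (not part of the original post or of Forcepoint's products), the following Python matches log lines against the indicators above: the three listed TryCloudflare subdomains, any other host under trycloudflare.com, the C2 addresses and the ports named in the analysis, and the PowerShell user agent that the NGFW statement refers to. The log format, timestamps, internal client addresses and the second tunnel hostname in the sample lines are constructed for this example.

```python
import re

# Indicators taken from the post (defanged there; re-armed here for matching).
C2_ADDRESSES = {"62.60.190.141", "62.60.190.196"}
C2_PORTS = {3232, 4056}
KNOWN_TUNNELS = {
    "inventory-card-thumbzilla-ip.trycloudflare.com",
    "mercy-synopsis-notify-motels.trycloudflare.com",
    "sufficiently-points-est-minimize.trycloudflare.com",
}

HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.trycloudflare\.com)\b", re.I)
ENDPOINT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
PS_UA_RE = re.compile(r"WindowsPowerShell/[\d.]+", re.I)


def scan_line(line):
    """Return a list of (severity, reason) findings for one log line."""
    findings = []
    for host in HOST_RE.findall(line):
        host = host.lower()
        if host in KNOWN_TUNNELS:
            findings.append(("high", f"known campaign tunnel {host}"))
        else:
            # New tunnels are cheap to create, so any quick-tunnel host is worth a look.
            findings.append(("medium", f"quick-tunnel host {host}"))
    for ip, port in ENDPOINT_RE.findall(line):
        if ip in C2_ADDRESSES:
            severity = "high" if int(port) in C2_PORTS else "medium"
            findings.append((severity, f"C2 address {ip}:{port}"))
    if PS_UA_RE.search(line):
        if findings:
            findings.append(("high", "PowerShell user agent combined with other indicator"))
        else:
            findings.append(("low", "PowerShell user agent"))
    return findings


def scan_log(lines):
    """Return {line_number: findings} for every line that triggered something."""
    hits = {}
    for number, line in enumerate(lines, 1):
        findings = scan_line(line)
        if findings:
            hits[number] = findings
    return hits


# Constructed sample log: proxy lines (ts client method url status "user-agent")
# and one firewall connection line. The second tunnel host is made up.
SAMPLE_LOG = [
    '2025-01-15T09:12:01Z 10.0.0.5 GET https://dl.dropboxusercontent.com/scl/fi/x/invoice.zip 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-01-15T09:12:44Z 10.0.0.5 GET https://inventory-card-thumbzilla-ip.trycloudflare.com/DE/ 200 "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '2025-01-15T09:13:10Z 10.0.0.5 GET https://random-words-abcd.trycloudflare.com/ma.zip 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    '2025-01-15T09:15:30Z fw 10.0.0.5:51234 -> 62.60.190.141:3232 TCP SYN',
    '2025-01-15T09:16:00Z 10.0.0.5 GET https://www.example.com/ 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG).items():
        for severity, reason in findings:
            print(f"line {number}: [{severity}] {reason}")
```

The exact subdomains are the least durable part of the indicator set, since a quick tunnel can be recreated under a new name in seconds; the wildcard match on trycloudflare.com and the pairing of a PowerShell user agent with a download from such a host are the parts of this rule worth keeping after the listed IoCs have aged out.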

Jyotika Singh - X-Labs Researcher

Jyotika serves as a Security Researcher on the X-Labs Threat Research Team. She specializes in web security, malware analysis, and emerging cyber threats, with a focus on identifying and mitigating evolving attack techniques. Her work aims to enhance proactive defense strategies and contribute to advancing cybersecurity knowledge.
