January 15, 2026
By esentry Team

Cloudflare Tunnels Turned Into a Covert Delivery Channel for AsyncRAT

Threat actors are exploiting Cloudflare’s free TryCloudflare tunneling service to quietly deploy AsyncRAT through phishing campaigns. By masking malicious infrastructure within legitimate cloud services, the attackers create a stealthy operation that evades conventional detection mechanisms.

Threat Analysis

The attack utilizes a "living-off-the-land" (LotL) approach, where legitimate tools and services are repurposed for malicious intent. The infection chain is designed to be stealthy, multi-staged, and highly deceptive.

The Infection Chain:

  1. Phishing Delivery: Victims receive a phishing email containing a link (often hosted on Dropbox) to a ZIP archive. These archives are typically named to resemble business documents.
  2. Deceptive Shortcut: The ZIP file contains an Internet Shortcut file (.url) that uses a double-extension trick (e.g., document.pdf.url).
  3. WebDAV Connection: When the shortcut is opened, it connects to a malicious WebDAV server hosted via a TryCloudflare tunnel (typically on a *.trycloudflare.com domain).
  4. Python Payload Execution: The malware downloads a legitimate, signed Python environment directly from python.org to avoid detection by antivirus software and runs a malicious Python script (ne.py) within this trusted environment.
  5. Malware Injection: The script injects the final AsyncRAT payload into the legitimate explorer.exe process.
  6. Persistence: The malware ensures it remains on the system by placing batch files (e.g., ahke.bat, olsm.bat) in the Windows Startup folder, re-triggering the infection upon every login.

Indicators of Compromise (IoCs)

  • TryCloudflare WebDAV subdomains serving unexpected or executable content.
  • Phishing emails with double-extension files (e.g., .pdf.url) that lead to remote shortcut execution.
  • Abnormal Python downloads from official sites followed by unusual script execution.
  • Unexpected startup entries for batch scripts like ahke.bat or olsm.bat.

Why This Is Dangerous

Successful infection by AsyncRAT grants attackers full remote control over the compromised system, allowing them to:

  • Exfiltrate sensitive data and credentials.
  • Log keystrokes and capture screenshots.
  • Deploy additional malware (e.g., ransomware).
  • Use the compromised machine as a pivot point for lateral movement within the network.

Recommendation

  1. Educate users about phishing risks and double-extension disguises.
  2. Block or monitor TryCloudflare and other dynamic cloud tunnelling domains at the network boundary.
  3. Enforce endpoint security with behavioural detection (e.g., monitoring process injection and unauthorized Python execution).
  4. Audit startup scripts and remove any suspicious entries.
  5. Revoke credentials and perform forensic analysis if suspicious WebDAV or RAT activity is observed.

Security Teams

  • Do not rely solely on reputation-based filtering — incorporate behavioural and content inspection for web traffic.
  • Monitor for anomalous outbound connections from endpoints to random subdomains under cloud services.
  • Use endpoint detection and response (EDR) tools to alert on script execution and persistence mechanisms.
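As an added illustration of the IoC list and the monitoring advice above (example code written for this page, not tooling from the esentry team), the script below matches simplified endpoint and network telemetry against the chain's indicators: a document.pdf.url double extension, a *.trycloudflare.com destination, Python running a script after a python.org download, and a .bat dropped into the Startup folder. The event schema, field names and sample events are constructed assumptions; the tunnel subdomain is a placeholder.

```python
import re
# Constructed event schema (assumption): each event is a dict with a "kind" of
# "net", "file" or "proc" plus the fields used below; patterns follow the IoC list.
DOUBLE_EXT_URL = re.compile(r"\.(pdf|doc|docx|xls|xlsx)\.url$", re.I)  # document.pdf.url
TUNNEL_HOST = re.compile(r"(^|\.)trycloudflare\.com$", re.I)            # *.trycloudflare.com
PYTHON_ORG = re.compile(r"(^|\.)python\.org$", re.I)                    # legitimate installer source
STARTUP_BAT = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.bat$", re.I)
PY_SCRIPT = re.compile(r"pythonw?\.exe\b.*\S+\.py\b", re.I)             # python.exe ... ne.py

def classify(event: dict) -> list[str]:
    """Return the IoC labels a single event matches (empty list if none)."""
    hits = []
    kind = event.get("kind")
    if kind == "net" and TUNNEL_HOST.search(event.get("host", "")):
        hits.append("trycloudflare-tunnel")
    if kind == "file":
        path = event.get("path", "")
        if DOUBLE_EXT_URL.search(path):
            hits.append("double-extension-url")
        if STARTUP_BAT.search(path):
            hits.append("startup-batch-persistence")
    if kind == "proc" and PY_SCRIPT.search(event.get("cmdline", "")):
        hits.append("python-script-execution")
    return hits

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each IoC label to matching event ids; events are assumed time-ordered.
    A python.org download followed by a script run also gets a correlated label."""
    out: dict[str, list[str]] = {}
    saw_python_download = False
    for ev in events:
        if ev.get("kind") == "net" and PYTHON_ORG.search(ev.get("host", "")):
            saw_python_download = True
        for label in classify(ev):
            out.setdefault(label, []).append(ev["id"])
            if label == "python-script-execution" and saw_python_download:
                out.setdefault("python-download-then-script", []).append(ev["id"])
    return out
# Constructed sample telemetry (not real logs); the tunnel subdomain is a placeholder.
SAMPLE_EVENTS = [
    {"id": "e1", "kind": "file", "path": r"C:\Users\u\Downloads\invoice.pdf.url"},
    {"id": "e2", "kind": "net", "host": "placeholder-words.trycloudflare.com", "port": 443},
    {"id": "e3", "kind": "net", "host": "www.python.org", "port": 443},
    {"id": "e4", "kind": "proc", "cmdline": r"C:\Users\u\AppData\Local\Temp\py\python.exe ne.py"},
    {"id": "e5", "kind": "file", "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ahke.bat"},
]
if __name__ == "__main__":
    for label, ids in triage(SAMPLE_EVENTS).items():
        print(f"{label}: {', '.join(ids)}")
```

Real deployments would feed this from EDR process, file and DNS/proxy logs rather than the inline list, and the python.org rule is only meaningful when the interpreter then runs from a user-writable location, as in the sample.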