AsyncRAT campaign exploits Cloudflare services to hide attacks

Security researchers have uncovered a sophisticated malware campaign where cybercriminals are exploiting Cloudflare's free-tier services and TryCloudflare tunneling domains to host malicious WebDAV servers, effectively concealing AsyncRAT attacks behind trusted infrastructure, according to Cyber Press.

The attack begins with phishing emails containing Dropbox links that distribute double-extension files (.pdf.url) to download multi-stage scripts from TryCloudflare domains while displaying a legitimate PDF to avoid suspicion. A distinctive tactic involves downloading official Python distributions to establish a full environment on victim systems for advanced code injection into the explorer.exe process. The malware ensures persistence through startup scripts and leverages WebDAV to maintain command-and-control connections, extensively using "living-off-the-land" techniques with native Windows tools like PowerShell to blend with normal operations.

By hiding behind Cloudflare's widely allow-listed domains, the attackers create a significant blind spot for traditional security controls, letting payloads be delivered reliably and without detection. Trend Micro's analysis highlights the urgent need for organizations to monitor WebDAV connections and scrutinize traffic patterns involving TryCloudflare domains in order to identify and mitigate this threat.
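As an added illustration of the monitoring recommendation above (example code written for this page, not from the article, Cyber Press or Trend Micro), the script below scans constructed proxy log lines for the three observables the campaign description gives: double-extension downloads such as `.pdf.url`, requests to `*.trycloudflare.com` hosts, and WebDAV methods such as PROPFIND. The log format (timestamp, client IP, method, URL) and the sample hostnames are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines: "<timestamp> <client> <method> <url>".
# These are invented for the example; the hostnames are not real indicators.
SAMPLE_LOGS = """
2024-05-01T10:00:01Z 10.0.0.5 GET https://www.dropbox.com/s/abc123/invoice.pdf.url
2024-05-01T10:00:07Z 10.0.0.5 PROPFIND https://quiet-river-example.trycloudflare.com/share/
2024-05-01T10:00:09Z 10.0.0.5 GET https://quiet-river-example.trycloudflare.com/share/stage1.bat
2024-05-01T10:02:00Z 10.0.0.9 GET https://www.python.org/downloads/
2024-05-01T10:03:00Z 10.0.0.7 GET https://docs.example.com/report.pdf
""".strip().splitlines()

# WebDAV verbs that a normal browser session almost never issues.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "COPY", "LOCK", "UNLOCK"}
# Any host under the TryCloudflare quick-tunnel domain.
TRYCLOUDFLARE_RE = re.compile(r"^https?://[^/]*\.trycloudflare\.com(?:/|$)", re.I)
# Document-looking name that is really a shortcut file (.url / .lnk).
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|doc|docx|xls|xlsx)\.(?:url|lnk)$", re.I)


def analyze(lines):
    """Return a list of (client, indicator, url) findings for the given log lines."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:  # skip malformed lines instead of crashing the scan
            continue
        _ts, client, method, url = parts
        if TRYCLOUDFLARE_RE.match(url):
            findings.append((client, "trycloudflare_domain", url))
        if method.upper() in WEBDAV_METHODS:
            findings.append((client, "webdav_method", url))
        path = url.split("?", 1)[0]  # ignore query strings when checking the filename
        if DOUBLE_EXT_RE.search(path):
            findings.append((client, "double_extension", url))
    return findings


def clients_matching_chain(findings):
    """Clients showing a double-extension download plus TryCloudflare or WebDAV activity,
    i.e. the sequence the campaign description lays out, rather than a single hit."""
    by_client = defaultdict(set)
    for client, indicator, _url in findings:
        by_client[client].add(indicator)
    return sorted(
        client for client, inds in by_client.items()
        if "double_extension" in inds and inds & {"trycloudflare_domain", "webdav_method"}
    )


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOGS)
    for client, indicator, url in hits:
        print(f"{client}\t{indicator}\t{url}")
    print("chain match:", clients_matching_chain(hits))
```

A single TryCloudflare request is weak evidence on its own, since the service has legitimate users; correlating it with a shortcut-file download or WebDAV verbs from the same client is what raises confidence.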
