AsyncRAT infection chain | Image: Trend Micro
A sophisticated campaign distributing the AsyncRAT Remote Access Trojan is turning a trusted internet service into a malware superhighway. A new report from Trend Micro details how threat actors are abusing Cloudflare’s free-tier services and TryCloudflare tunneling domains to host malicious WebDAV servers, effectively hiding their command-and-control infrastructure behind a veil of legitimacy.
This tactical shift allows attackers to bypass traditional security filters, which often whitelist traffic from trusted providers like Cloudflare, ensuring “reliable payload delivery” while leaving defenders in the dark.
The infection begins with a classic deception. Victims receive phishing emails containing Dropbox links that lead to a malicious archive, typically named to resemble an invoice (e.g., Rechnung zu Auftrag…pdf.zip).
Inside, the attackers use a “double-extension” trick: “The downloaded ZIP file contains the … Internet Shortcut file, which links to a WebDAV resource hosted on various servers within Cloudflare’s free-tier service”.
The file might look like a PDF, but it’s actually a shortcut (.url) that triggers a multi-stage infection process when clicked. To lower suspicion, the malware even “opens a legitimate PDF document to deceive the victim into believing a normal PDF file was accessed”.
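A defender-side triage check for the .url lure described above, added here as an example and not taken from the Trend Micro report: it parses an Internet Shortcut file and flags the double extension, the Windows WebDAV redirector markers, a host under a tunneling domain, and a script target. The sample shortcut contents are constructed, and treating trycloudflare.com as the TryCloudflare tunnel domain is an assumption.

```python
import configparser
import re

# Assumption: trycloudflare.com is the TryCloudflare quick-tunnel domain; extend as needed.
TUNNEL_SUFFIXES = ("trycloudflare.com",)
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png")
SCRIPT_EXTS = (".bat", ".cmd", ".exe", ".py", ".vbs", ".js", ".hta", ".lnk", ".ps1")

# Constructed sample inputs (not real indicators): a lure-shaped shortcut and a benign one.
SAMPLE_LURE = ("Rechnung_zu_Auftrag.pdf.url", r"""[InternetShortcut]
URL=file://\\random-words.trycloudflare.com@SSL\DavWWWRoot\docs\stage1.bat
IconFile=C:\Windows\System32\SHELL32.dll
IconIndex=1
""")
SAMPLE_BENIGN = ("python.url", "[InternetShortcut]\nURL=https://www.python.org/downloads/\n")

def parse_url_shortcut(text):
    """Parse the [InternetShortcut] section of a .url file into a dict with lower-case keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}

def target_host(target):
    """Host of a UNC, file:// or http(s) target, ignoring the @SSL/@port suffixes of WebDAV paths."""
    t = re.sub(r"^file:", "", target.replace("\\", "/").lower())
    m = re.match(r"^(?:https?:)?/{2,}([^/@:]+)", t)
    return m.group(1) if m else ""

def triage_shortcut(filename, text):
    """Return the reasons a .url file matches the WebDAV lure pattern; an empty list means clean."""
    findings = []
    stem = filename.lower()
    stem = stem[:-4] if stem.endswith(".url") else stem
    if stem.endswith(DECOY_EXTS):
        findings.append("double extension: document-looking name that is really a .url shortcut")
    norm = parse_url_shortcut(text).get("url", "").replace("\\", "/").lower()
    if not norm:
        return findings
    # "@SSL" and "DavWWWRoot" are the markers Windows uses to route a UNC path via its WebDAV client
    if "@ssl" in norm or "davwwwroot" in norm:
        findings.append("target is a WebDAV share reached through the Windows WebDAV redirector")
    host = target_host(norm)
    if any(host == s or host.endswith("." + s) for s in TUNNEL_SUFFIXES):
        findings.append("target host %s is under a tunneling service domain" % host)
    if norm.rstrip("/").endswith(SCRIPT_EXTS):
        findings.append("target is a script or executable rather than a document")
    return findings
```

Run it over quarantined .url attachments from mail or archive extraction; any non-empty result is worth a human look before the shortcut reaches a user's desktop.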
Once the initial shortcut is executed, the malware doesn’t just download a binary; it builds an entire environment. The report highlights a unique aspect of this campaign: the use of legitimate Python downloads.
“The attack uses legitimate Python downloads from official sources, establishing a complete Python environment on victim systems”.
By downloading a valid, signed version of Python (version 3.14.0 in observed cases) directly from python.org, the attackers can execute complex scripts without raising alarms associated with unknown binaries. This environment is then used to run the ne.py script, which injects the AsyncRAT payload directly into the trusted explorer.exe process.
The malware ensures it sticks around by planting batch files in the user’s Startup folder. Scripts named ahke.bat and olsm.bat are downloaded and set to run automatically.
“Placing a file in the Startup folder ensures that it will be automatically executed when the user logs into Windows”.
These scripts are designed to re-trigger the infection chain every time the machine reboots, ensuring the attackers maintain their foothold.
The abuse of TryCloudflare tunnels represents a growing challenge for security teams. “This attack highlights the ongoing trend of abusing cloud tunneling and legitimate hosting services to deliver and execute malware,” the report concludes.
Organizations are urged to look beyond simple domain reputation checks and adopt multi-layered defenses that can detect the behavioral signs of this “living-off-the-land” activity.