
Infection chains distributing AsyncRAT | Image: Sekoia
In a detailed report by the Sekoia Threat Detection & Research (TDR) team, researchers have unveiled a sophisticated malware delivery infrastructure abusing Cloudflare tunnel services to deploy Remote Access Trojans (RATs), notably AsyncRAT. This infrastructure has been operational since at least February 2024 and continues to evolve, aided by complex infection chains designed to bypass detection tools and infiltrate corporate environments.
“The related infection chains… are particularly complex, with multiple steps involved and some variations observed from one campaign to another,” the researchers noted.
The attack begins with a phishing email — often disguised as an invoice or purchase order — containing a malicious Windows library file (.ms-library). While not commonly used in modern environments, this format can slip past filters due to its non-executable appearance.

“The attachment contained in the phishing email is an old ‘application/windows-library+xml’ file type… it may be considered as a safe file format compared to binary ones.”
The .ms-library file references a remote WebDAV resource which, when opened, initiates a file download disguised as a PDF shortcut (LNK file).
Once the LNK is clicked, a cascade of scripts and payloads unfolds:
- The LNK file downloads and executes an HTA file.
- The HTA (written in VBScript) launches a BAT script.
- The BAT script installs Python and executes another BAT stage.
- Finally, the malware injects into notepad.exe and establishes persistence.
“The BAT script’s main objective is to proceed with the next step that requires Python… which succeeded in triggering our rule ‘ISO LNK Infection Chain.’”
The attackers use a Python script to inject the next payload into multiple Notepad processes and establish persistence via the Windows Startup folder, dropping two .vbs files and another .bat.

The final payload — AsyncRAT — is base64-encoded and hidden inside a .jpg image downloaded from a public website. PowerShell extracts the payload from the image and reflectively loads it, executing it in memory so that no binary touches disk.
“The next stage uses PowerShell to reflectively load a payload downloaded from a JPEG image… with the [System.Reflection.Assembly]::Load() call.”
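A defender can look for this "payload inside an image" pattern directly in the files a host downloads. The following is an added example written for this article, not Sekoia's code; the report does not say where in the JPEG the base64 blob sits, so the scanner assumes (an assumption of this example) that it is appended after the JPEG end-of-image marker, and it uses a constructed stand-in for the payload rather than any real executable.

```python
"""Scan a JPEG for an appended base64 blob that decodes to a PE ('MZ') header.

Added example, not code from the Sekoia report. Assumption: the base64 payload
follows the JPEG end-of-image (EOI, FF D9) marker. Sample inputs are constructed.
"""
import base64
import binascii
import re
from typing import Optional

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# A run of at least 64 base64 characters (line breaks allowed) is worth decoding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")


def trailing_data(blob: bytes) -> bytes:
    """Return the bytes after the last EOI marker, or b'' if the input is not a JPEG."""
    if not blob.startswith(JPEG_SOI):
        return b""
    idx = blob.rfind(JPEG_EOI)
    return b"" if idx < 0 else blob[idx + 2:]


def find_embedded_pe(blob: bytes) -> Optional[bytes]:
    """Return the decoded payload if a base64 run after EOI decodes to 'MZ...', else None."""
    for m in B64_RUN.finditer(trailing_data(blob)):
        try:
            decoded = base64.b64decode(m.group(0))  # whitespace is discarded by default
        except (binascii.Error, ValueError):
            continue
        if decoded.startswith(b"MZ"):
            return decoded
    return None


def scan_file(path: str) -> bool:
    """True if the file at `path` carries a base64-encoded PE after its EOI marker."""
    with open(path, "rb") as fh:
        return find_embedded_pe(fh.read()) is not None


# --- constructed samples (not real images or real malware) ---------------------
def _fake_jpeg(trailer: bytes = b"") -> bytes:
    # SOI, a minimal APP0 segment, EOI; not a renderable image, just the framing.
    return JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 10 + JPEG_EOI + trailer


# Stand-in for a PE: 'MZ' header plus filler. Constructed; not an executable.
FAKE_PE = b"MZ" + b"\x90" * 60 + b"PE\x00\x00" + b"\x00" * 64
CLEAN_JPEG = _fake_jpeg()
COMMENT_JPEG = _fake_jpeg(b"camera vendor trailer text " * 5)   # benign trailing data
SUSPICIOUS_JPEG = _fake_jpeg(base64.b64encode(FAKE_PE))

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_JPEG), ("comment", COMMENT_JPEG), ("suspicious", SUSPICIOUS_JPEG)):
        hit = find_embedded_pe(sample)
        print(f"{name}: {'PE payload found' if hit else 'no payload'}")
```

Checking for the `MZ` magic after decoding keeps benign trailers (vendor comments, padding) from firing; in a real pipeline the same check would run on proxy-captured images and on anything PowerShell fetches from an image URL.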
C2 communication is established via dynamic DNS domains, often leveraging dyndns.org, and infrastructure hidden behind Cloudflare tunnels using TryCloudflare.
The malware chain is equipped with several evasion techniques:
- Development environment checks to avoid triggering in sandboxes
- Hidden folders via attrib.exe after Python setup
- Detection-aware LNK and HTA abuse
- Dynamic DNS for resilient C2 rotation
Sekoia’s detection stack employs rules such as:
- HTA Infection Chains
- Mshta Suspicious Child Process
- Dynamic DNS Contacted
- ISO LNK Infection Chain
- Hiding Files With Attrib.exe
These rules are part of their open-source Sigma ruleset.
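To show what the rule names above translate to in practice, here is an added example, written for this article and not Sekoia's Sigma rules or engine, that runs simplified versions of four of them over a handful of constructed process-creation and DNS events. The log format (one JSON object per line with `image`, `parent_image`, `command_line`, `dest_domain`) and the dynamic-DNS suffix list are assumptions of the example.

```python
"""Toy detection pass mirroring the rule names in the Sekoia report.

Added example, not Sekoia's rules. Assumed: one JSON event per line with the
keys image, parent_image, command_line and optional dest_domain. Sample events
are constructed.
"""
import json
import ntpath
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Rule = Tuple[str, Callable[[Event], bool]]

# Interpreters that mshta.exe has no business spawning in a normal workflow.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# The report names dyndns.org; a production list is longer (assumption: extend as needed).
DYNDNS_SUFFIXES = (".dyndns.org",)

# Constructed sample telemetry, one JSON object per line.
SAMPLE_LOG = r"""
{"image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\invoice.hta"}
{"image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\System32\\mshta.exe", "command_line": "cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\stage1.bat"}
{"image": "C:\\Windows\\System32\\attrib.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "attrib +h +s C:\\Users\\u\\AppData\\Local\\python"}
{"image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe"}
{"image": "C:\\Users\\u\\AppData\\Local\\python\\python.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "python.exe stage.py", "dest_domain": "update-srv.dyndns.org"}
{"image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "firefox.exe", "dest_domain": "www.example.org"}
"""


def _base(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path or "").lower()


def _is_hta_launch(ev: Event) -> bool:
    return _base(ev.get("image")) == "mshta.exe" and ".hta" in ev.get("command_line", "").lower()


def _is_mshta_child(ev: Event) -> bool:
    return _base(ev.get("parent_image")) == "mshta.exe" and _base(ev.get("image")) in SCRIPT_HOSTS


def _is_attrib_hide(ev: Event) -> bool:
    return _base(ev.get("image")) == "attrib.exe" and "+h" in ev.get("command_line", "").lower().split()


def _is_dyndns(ev: Event) -> bool:
    domain = ev.get("dest_domain", "").lower()
    return any(domain.endswith(suffix) for suffix in DYNDNS_SUFFIXES)


RULES: List[Rule] = [
    ("HTA Infection Chains", _is_hta_launch),
    ("Mshta Suspicious Child Process", _is_mshta_child),
    ("Hiding Files With Attrib.exe", _is_attrib_hide),
    ("Dynamic DNS Contacted", _is_dyndns),
]


def scan(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) for every event that matches a rule."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, predicate in RULES:
            if predicate(ev):
                hits.append((n, name))
    return hits


def summarize(log_text: str) -> Dict[str, int]:
    """Count hits per rule; several distinct rules firing on one host is the strong signal."""
    counts: Dict[str, int] = {}
    for _, name in scan(log_text):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for line_no, rule in scan(SAMPLE_LOG):
        print(f"line {line_no}: {rule}")
    print(summarize(SAMPLE_LOG))
```

Each rule on its own is a weak signal (mshta.exe and attrib.exe are legitimate tools), which is why the example also counts hits per rule: the chain described in the report lights up several of them in sequence on the same host, and that sequence is what an analyst should alert on.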
“Almost all previously mentioned files are hosted in the attacker infrastructure, which is the suspicious URI using the ‘Cloudflare tunnel infrastructure’.”
This campaign demonstrates the increasing sophistication of multi-stage malware attacks. By chaining together phishing, obscure file formats, reflective PowerShell loaders, and legitimate services like Cloudflare and Telegram, attackers manage to evade both user suspicion and endpoint security.
The TDR team concludes that while the end goal is likely data theft, the primary focus should be on early detection — especially in environments where administrative scripting and dynamic DNS are common.
As attackers grow more creative in their use of legitimate infrastructure, defenders must adopt layered detection strategies and monitor for weak signals, such as unexpected .vbs or .jpg downloads triggering PowerShell.