AsyncRAT Campaign Continues to Evade Endpoint Detection


Halcyon has identified new technical information and indicators of compromise for a wide-ranging phishing campaign that enables threat actors to bypass traditional security controls and delay detection. This campaign, tracked by several industry groups since 2024, has enabled remote surveillance, credential theft, lateral movement, data exfiltration, and ransomware across thousands of targeted organizations.
The likely new or rebranded cybercriminal group behind this campaign leverages legitimate services like TryCloudflare to host and deliver highly evasive malware like AsyncRAT and other Remote Access Trojans. This malware has extensive features that allow threat actors to remotely control an infected network across the full attack lifecycle, from initial access to data exfiltration.
Halcyon Data Exfiltration Protection detected this campaign at the initial access stage. This activity evaded all other endpoint protection (EPP) and endpoint detection and response (EDR) tools deployed on the targeted networks, reinforcing the need for layered defenses capable of detecting behavioral anomalies in addition to static indicators or reputation-based blocking.
Key Findings
- Global, Sector-Agnostic Targeting: Since early 2024, unattributed threat actors have targeted thousands of organizations across multiple sectors without industry preference.
- Widely Available Malware: Uses AsyncRAT, XWorm, VenomRAT, Remcos, and other readily available Remote Access Trojans commonly used in financially motivated cybercrime.
- Difficult to Detect: Python scripts, obfuscated batch scripts, trusted cloud services, and dynamic infrastructure allow attackers to bypass traditional security controls and delay detection. Organizations without layered detection and response capabilities—or those relying solely on signature-based tools—are particularly vulnerable.
How to Defend and Mitigate
- Train employees to recognize phishing lures that abuse cloud-hosted files;
- Block and monitor TryCloudflare tunnels for all accounts that do not require them;
- Implement advanced email filtering and sandboxing;
- Monitor for Python execution from unexpected directories;
- Deploy endpoint detection and response tools; and
- Deploy a dedicated anti-ransomware solution like Halcyon to harden endpoint defenses against advanced attacker techniques designed to blind, unhook, or bypass traditional endpoint protection or endpoint detection and response tools.
Campaign Overview
Since at least early 2024, unidentified, likely cybercriminal threat actors have conducted a malware campaign that employs a multi-step process to evade detection, combining phishing, abuse of legitimate cloud infrastructure, and Python scripting to deploy malware like AsyncRAT.
According to Forcepoint’s August 2024 and January 2025 reporting, the campaign begins with a phishing lure that links to a Dropbox-hosted ZIP file. Inside, an internet shortcut .URL file leads victims through a complex, multi-stage execution chain involving: downloading a malicious .LNK file via a TryCloudflare quick tunnel; execution of a heavily obfuscated batch script; and retrieval and execution of Python scripts that are used to deploy AsyncRAT and other Remote Access Trojans.
This tradecraft allows the malware to bypass traditional perimeter defenses, particularly by using Cloudflare’s temporary tunnels to serve payloads from seemingly legitimate infrastructure. These tunnels provide attackers with ephemeral and unregistered subdomains that appear trustworthy to perimeter controls, making them difficult to pre-block or blacklist.
Because the infrastructure is spun up dynamically via legitimate services, defenders face challenges in distinguishing malicious use from authorized DevOps or IT maintenance workflows. This tactic enables threat actors to deliver payloads without relying on compromised servers or bulletproof hosting, increasing both the scale and stealth of the campaign.
Threat Actors
Attribution
The campaign is most likely the work of a cybercriminal malware crew or initial access broker using off-the-shelf tooling for financial gain, data theft, and potentially as a precursor to ransomware deployment. Despite extensive technical analysis, no named threat actor has been attributed to this campaign.
The broad, indiscriminate targeting of organizations across industries and regions, combined with the use of Remote Access Trojans with extensive features and opportunistic phishing lures, indicates a crimeware distribution operation focused on scalability and monetization.
Such groups often serve as upstream access brokers, selling footholds to other actors or deploying additional payloads such as ransomware in subsequent stages. This reinforces the need for organizations to treat seemingly low-tier Remote Access Trojan activity as an early warning sign of potentially more severe follow-on attacks.
Overlap with Other Threat Actors
While the campaign shares some tactics with other actors like TA2541, we assess this is likely a new or rebranded cybercriminal group, potentially operating as an initial access broker. No other industry groups have tied the current activity to known threat actors.
The overlap in infrastructure and delivery techniques between this cluster and other well-documented campaigns suggests that threat actors are learning from or repurposing each other’s methods, but without additional unique identifiers such as code reuse, command and control (C2) behavior, or victimology patterns, attribution remains speculative.
Until more conclusive technical or operational evidence emerges, this campaign should be treated as a distinct threat cluster with the potential to escalate in sophistication or affiliate with other criminal or ransomware groups as its capabilities evolve.
Defense and Mitigation
Blocking and Monitoring
Block access to TryCloudflare tunnels by preventing outbound connections to *.trycloudflare.com at both the DNS and firewall levels. Use domain-based filtering, proxy controls, or firewall rules to deny any attempts to resolve or connect to Cloudflare Tunnel subdomains unless explicitly authorized. In addition to outright blocking, implement network monitoring to detect any attempted or successful use of these tunnels, as such activity is often associated with initial access or malware delivery. Alert on unusual traffic patterns involving dynamic subdomains or temporary HTTPS services, and correlate with user activity to identify potentially compromised endpoints. Consider integrating these detections with your SIEM or SOAR platform to automate investigation and response workflows.
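As an added example (not code from the Halcyon report), the following Python script applies the blocking-and-monitoring guidance above to DNS query logs: it matches the *.trycloudflare.com namespace with an anchored pattern so lookalike domains do not match, skips an explicitly authorized allowlist, escalates on the tunnel hostnames listed in this report's IOC section, and selects clients for investigation. The log line format, client IPs and the allowlist entry are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (hypothetical format: "<timestamp> <client_ip> <qname> <qtype>").
# The two trycloudflare hostnames queried by 10.20.1.15 are tunnel IOCs listed in this report.
SAMPLE_DNS_LOG = """\
2025-06-10T09:14:02Z 10.20.1.15 www.example.com A
2025-06-10T09:14:09Z 10.20.1.15 now-refer-several-tariff.trycloudflare.com A
2025-06-10T09:15:31Z 10.20.1.77 updates.microsoft.com A
2025-06-10T09:16:44Z 10.20.1.15 lender-router-exclusively-fractio.trycloudflare.com A
2025-06-10T09:20:05Z 10.20.2.40 devtest-tunnel.trycloudflare.com A
2025-06-10T09:21:00Z 10.20.3.9 trycloudflare.com.evil-lookalike.net A
2025-06-10T09:22:17Z 10.20.4.12 random-words-here.trycloudflare.com A
"""

# Tunnel hostnames explicitly authorized for a sanctioned workflow (hypothetical allowlist).
AUTHORIZED_TUNNELS = {"devtest-tunnel.trycloudflare.com"}

# Known-bad tunnel hostnames from this report's IOC section; a hit escalates severity.
KNOWN_BAD_TUNNELS = {
    "now-refer-several-tariff.trycloudflare.com",
    "wizard-individual-intervals-franklin.trycloudflare.com",
    "lender-router-exclusively-fractio.trycloudflare.com",
}

# Anchored so the apex and any depth of subdomain match, while lookalikes such as
# "trycloudflare.com.evil-lookalike.net" do not.
TUNNEL_RE = re.compile(r"^(?:[a-z0-9-]+\.)*trycloudflare\.com$", re.IGNORECASE)


def is_tunnel_domain(qname: str) -> bool:
    """True if the queried name is inside the TryCloudflare quick-tunnel namespace."""
    return TUNNEL_RE.match(qname.rstrip(".")) is not None


def triage_dns_log(log_text, authorized=AUTHORIZED_TUNNELS, known_bad=KNOWN_BAD_TUNNELS):
    """Map client IP -> [(qname, severity)] for every tunnel lookup that is not allowlisted."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # tolerate malformed lines instead of aborting the sweep
        _ts, client, qname, _qtype = parts[:4]
        qname = qname.rstrip(".").lower()
        if not is_tunnel_domain(qname) or qname in authorized:
            continue
        severity = "high" if qname in known_bad else "medium"
        findings[client].append((qname, severity))
    return dict(findings)


def hosts_to_investigate(findings, threshold=2):
    """Clients with any known-bad lookup, or at least `threshold` distinct unauthorized tunnels."""
    flagged = []
    for client, hits in findings.items():
        distinct = {qname for qname, _ in hits}
        if any(sev == "high" for _, sev in hits) or len(distinct) >= threshold:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    result = triage_dns_log(SAMPLE_DNS_LOG)
    for client, hits in result.items():
        for qname, sev in hits:
            print(f"{sev:6} {client:12} {qname}")
    print("investigate:", hosts_to_investigate(result))
```

The allowlist is keyed on the full tunnel hostname rather than the *.trycloudflare.com wildcard, which mirrors the "unless explicitly authorized" exception above: a sanctioned DevOps tunnel is approved by name, and every other tunnel lookup still produces an alert that can be correlated with the querying client.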
Filtering and Sandboxing
Implement advanced email filtering and sandboxing to detect phishing emails containing file types commonly abused in initial access, such as .URL, .LNK, .JS, and .BAT payloads. These filters should be configured to scan embedded URLs, decode obfuscated content, and trigger dynamic analysis in secure sandboxes. Additionally, integrate threat intelligence feeds to proactively block known malicious domains or IPs observed delivering these payloads. Where possible, disable the automatic execution of shortcut and script files received via email or downloaded from the internet.
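An added example, not from the Halcyon report, of the attachment inspection this paragraph calls for: the script below walks a ZIP attachment, flags the risky member types named above, and for any .URL member parses the INI-style [InternetShortcut] section and assesses where the URL= target points (a TryCloudflare tunnel host, a non-web or UNC scheme, or a path ending in a shortcut or script type). The sample ZIP, its file names, and the placeholder tunnel hostname are constructed; none of the hostnames are IOCs from this report.

```python
import io
import zipfile
from urllib.parse import urlparse

# Attachment types the report names as commonly abused for initial access (.URL, .LNK, .JS,
# .BAT; .WSF appears in its IOC list) plus a few close relatives of those script types.
RISKY_EXTENSIONS = {".url", ".lnk", ".js", ".jse", ".bat", ".cmd", ".vbs", ".wsf", ".hta"}
TUNNEL_SUFFIX = ".trycloudflare.com"


def parse_internet_shortcut(text: str):
    """Return the URL= target of a .URL file (INI-style, [InternetShortcut] section), or None."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "url":
            return value.strip()
    return None


def assess_url(target: str):
    """List the reasons a shortcut target looks like a staged-payload link rather than a document."""
    reasons = []
    parsed = urlparse(target)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if host.endswith(TUNNEL_SUFFIX) or host == TUNNEL_SUFFIX[1:]:
        reasons.append("target host is a TryCloudflare quick tunnel")
    if target.startswith("\\\\") or parsed.scheme.lower() not in ("http", "https"):
        reasons.append("non-web scheme or UNC/WebDAV path")
    if any(path.endswith(ext) for ext in RISKY_EXTENSIONS):
        reasons.append("target path ends in a shortcut/script type: " + path.rsplit(".", 1)[-1])
    return reasons


def inspect_zip_bytes(data: bytes):
    """Walk a ZIP attachment; flag risky members and, for .URL files, assess where they point."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext not in RISKY_EXTENSIONS:
                continue
            reasons = ["risky attachment type " + ext]
            if ext == ".url":
                # .URL files are small text; decode leniently so odd encodings still get assessed
                target = parse_internet_shortcut(zf.read(info).decode("utf-8", "replace"))
                if target:
                    reasons.extend(assess_url(target))
            findings.append({"member": name, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure: a harmless PDF plus a .URL whose target host is a placeholder tunnel name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2025.pdf", b"%PDF-1.4 placeholder document")
        zf.writestr(
            "Invoice_2025.url",
            "[InternetShortcut]\r\nURL=https://placeholder-tunnel.trycloudflare.com/Invoice_2025.lnk\r\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_bytes(build_sample_zip()):
        print(finding["member"], "->", "; ".join(finding["reasons"]))
```

A mail gateway rule built on this logic would quarantine on the member type alone; the URL assessment is what gives the analyst the next pivot (the tunnel hostname to block and the staged file name to hunt for), which is why the check decodes the shortcut rather than stopping at the extension.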
Python Scripting
Monitor for Python execution from unexpected directories, especially those bundling external modules, as this is a key tactic in many modern malware loaders. Threat actors often deploy self-contained Python environments in non-standard folders (e.g., C:\Users\Public, AppData\Local\Temp, or disguised directories like C:\ProgramData\AdobeUpdate) to evade detection. Security teams should baseline normal Python usage within their environment and set alerts for Python processes launched outside of sanctioned software environments or development tools. Log and inspect invocations of python.exe, py.exe, or portable Python executables, particularly when they are accompanied by network connections, script unpacking, or module import activity. Where feasible, implement application allowlisting or restrict Python execution to trusted paths.
Deploy EDR (Endpoint Detection and Response)
These tools are capable of detecting process injection, code injection, and memory-resident RATs like AsyncRAT. These solutions should provide behavioral detection that identifies suspicious parent-child process relationships, API hooking attempts, and shellcode execution in legitimate processes such as explorer.exe or notepad.exe. Look for EDR solutions that can analyze in-memory activity and flag anomalous use of scripting engines like PowerShell, Python, and Windows Script Host (WSH). Incorporating threat hunting rules based on known AsyncRAT behaviors—such as its use of ctypes for shellcode execution or connections to dynamic DNS C2 infrastructure—can significantly enhance detection. Automated containment and response actions, such as isolating compromised endpoints or terminating rogue processes, are essential to mitigating the rapid spread of RAT-based infections.
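The two preceding sections (Python execution from unexpected directories, and EDR hunting on parent-child relationships and AsyncRAT behaviors such as ctypes use) can be exercised together on process-creation telemetry. The Python script below is an added example, not Halcyon's or any EDR vendor's logic: it triages Sysmon-style process events, flagging interpreters launched outside sanctioned roots, staged in the public, temp or ProgramData locations the report names, spawned by a shell or script host, or passed inline code that references ctypes. The events, the sanctioned interpreter roots, and the scoring thresholds are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 style, flattened). The inline -c
# command in pid 5228 is a truncated placeholder, not a real payload.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Python312\python.exe",
     "cmdline": r'"C:\Program Files\Python312\python.exe" build.py',
     "parent_image": r"C:\Program Files\VSCode\Code.exe", "user": r"CORP\dev1"},
    {"pid": 5228, "image": r"C:\Users\Public\pyenv\python.exe",
     "cmdline": r'C:\Users\Public\pyenv\python.exe -c "import ctypes; <placeholder>"',
     "parent_image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\j.smith"},
    {"pid": 5301, "image": r"C:\ProgramData\AdobeUpdate\pythonw.exe",
     "cmdline": r"C:\ProgramData\AdobeUpdate\pythonw.exe loader.py",
     "parent_image": r"C:\Windows\System32\wscript.exe", "user": r"CORP\j.smith"},
    {"pid": 6002, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt",
     "parent_image": r"C:\Windows\explorer.exe", "user": r"CORP\dev1"},
    {"pid": 7010, "image": r"C:\Tools\python.exe",
     "cmdline": r"C:\Tools\python.exe report.py",
     "parent_image": r"C:\Windows\explorer.exe", "user": r"CORP\analyst2"},
]

# Hypothetical sanctioned interpreter locations; baseline these from your own software inventory.
SANCTIONED_PYTHON_ROOTS = [r"C:\Program Files\Python312", r"C:\Program Files\Python311"]
PYTHON_IMAGES = {"python.exe", "pythonw.exe", "py.exe"}
# Staging locations the report names (C:\Users\Public, AppData\Local\Temp, C:\ProgramData).
STAGING_MARKERS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")
# Shells and script hosts a batch/WSF loader would use to launch the interpreter.
SCRIPT_HOST_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def triage_process_event(event, sanctioned_roots=SANCTIONED_PYTHON_ROOTS):
    """Return the reasons a Python process launch is suspicious (empty list = nothing to flag)."""
    image = PureWindowsPath(event["image"])
    if image.name.lower() not in PYTHON_IMAGES:
        return []  # this example scopes Python interpreters only
    reasons = []
    if not any(image.is_relative_to(PureWindowsPath(root)) for root in sanctioned_roots):
        reasons.append(f"interpreter outside sanctioned roots: {image.parent}")
    image_str = str(image).lower()
    if any(marker in image_str for marker in STAGING_MARKERS):
        reasons.append("interpreter staged in a public/temp/ProgramData directory")
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    if parent in SCRIPT_HOST_PARENTS:
        reasons.append(f"launched by script host or shell: {parent}")
    cmdline = event["cmdline"].lower()
    if " -c " in cmdline:
        reasons.append("inline code passed with -c instead of a script file")
    if "ctypes" in cmdline:
        reasons.append("ctypes referenced on command line (shellcode-execution primitive noted in report)")
    return reasons


def severity(reasons):
    """Crude scoring: three or more independent signals is high, one or two is medium."""
    if not reasons:
        return None
    return "high" if len(reasons) >= 3 else "medium"


def triage_all(events):
    """Return {pid: (severity, reasons)} for every event that produced at least one reason."""
    out = {}
    for ev in events:
        reasons = triage_process_event(ev)
        if reasons:
            out[ev["pid"]] = (severity(reasons), reasons)
    return out


if __name__ == "__main__":
    for pid, (sev, reasons) in triage_all(SAMPLE_EVENTS).items():
        print(f"pid {pid} [{sev}]")
        for reason in reasons:
            print("   -", reason)
```

The pid 7010 event illustrates the baseline problem the Python Scripting section raises: an interpreter in an unusual but not obviously malicious path scores medium on its own, and only the combination with a script-host parent or staging directory lifts an event to high, so the sanctioned roots list has to reflect what is actually deployed or the rule drowns in developer noise.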
Defense-in-Depth
Deploy a dedicated anti-ransomware solution like Halcyon to harden endpoint defenses against advanced attacker techniques designed to blind, unhook, or bypass traditional EPP and EDR tools. Halcyon provides an additional protective layer against data exfiltration and lateral movement, while also delivering early-stage behavioral detection and automated response capabilities. In campaigns such as this one, where EDR tools have been known to miss the initial payload or loader activity, Halcyon’s purpose-built architecture ensures continuity of protection and recovery even when endpoint agents are compromised or disabled.
Awareness
Train employees to recognize phishing lures that abuse cloud-hosted files such as those served via Dropbox, Google Drive, or TryCloudflare tunnels. Awareness programs should include examples of malicious .ZIP, .LNK, and .URL files disguised as business documents, invoices, or project links. Employees should be trained to verify the source of any cloud-hosted content before interacting with it and to report any unexpected file downloads, redirects, or executable prompts. Additionally, simulate real-world phishing scenarios involving cloud services during training exercises to improve real-time recognition and response to these evolving tactics.
Newly Identified Infrastructure and Indicators of Compromise (IOCs)
As of June 2025, Halcyon has identified the following new infrastructure and IOCs from this campaign’s targeting of several organizations’ networks:
TryCloudflare Tunnel Domains:
- now-refer-several-tariff[.]trycloudflare[.]com
- wizard-individual-intervals-franklin[.]trycloudflare[.]com
- lender-router-exclusively-fractio[.]trycloudflare[.]com
File Hashes:
- WSF: b16d2800811e7a72c90bea50640330966cdb931a03f76338478da682ea6fded7
- LNK: 3d3a6d7905ca1387f3ec7a637cb672d6b6efa0f8efdbf819f756a8e5f92bc960
- BAT: 7e4f335241d4ded5ea19bf5c92f8e70ea76de7167cd3691752b9386ff094848f
- PY: 4d2fccad69bb02305948814f1aa6ef76c85423eb780ec5f3751b7ffbf8b74ca3
- AsyncRAT Python Shellcode: 54fa1e565ce615f5a39b9ee502bd8b23f90e6d803e3da108ff150d8434ec5cd9
- PureHVNC Python Shellcode: 4ed08dcad1cf63f4ab46176f60ed17f326046a02dcb72448c3134b25191e8cd0
- XWorm Python Shellcode: a836a92e0618a2d2654a98551db3908f4a4531c7c6ef8f4bd41badcfa9e05096
- XWorm Python Shellcode: 66938c34825d1e32d5f3daf8911311f05dd9bad07278268ae6b783dcdc8130a9
- AsyncRAT Bin Shellcode: 821f0956d3f52819c90035041c0f4c0ec644924af46222c5913e05de1c385b04
Conclusion
The abuse of tunneling services like TryCloudflare represents a growing trend in malware delivery, especially among financially motivated threat actors.
The AsyncRAT+Python+Cloudflare combination reflects a low-cost, high-obfuscation technique that provides attackers with the ability to bypass traditional security controls, delay detection, and reduce the effectiveness of takedown operations by rotating temporary subdomains.
These techniques are attractive not only because of their accessibility and effectiveness, but also because they blend in with legitimate DevOps and remote access workflows.
This convergence of cloud infrastructure misuse and commodity malware delivery is lowering the barrier to entry for cybercriminals while also providing stealthy infrastructure options to more sophisticated actors.
As the tactic gains popularity, defenders should anticipate increased adoption across diverse threat segments, including ransomware operators, initial access brokers, and nation-state groups. This reinforces the need for layered defenses capable of detecting behavioral anomalies rather than relying solely on static indicators or reputation-based blocking.
Security teams should also recognize that public tunneling platforms like TryCloudflare are only one piece of a broader shift toward the abuse of legitimate infrastructure, a trend that includes VPNs, cloud file-sharing services, and CI/CD pipelines. Continuous threat modeling and adversary emulation exercises are key to preparing for these increasingly modular, evasive delivery mechanisms.
Organizations are encouraged to stay engaged with Halcyon RISE threat intelligence channels for timely alerts and deeper technical analysis as this threat activity continues to unfold.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.