IOC ANALYSIS REPORT

AsyncRAT Multi-Stage Infection Campaign

Threat Intelligence, IOC Validation, MITRE ATT&CK Mapping and Detection Opportunities

Analyst
Rajkumar G
Date
June 2026
Severity
High
Malware
AsyncRAT

Executive Summary

Trend Micro researchers identified a multi-stage phishing campaign delivering AsyncRAT through Cloudflare TryCloudflare infrastructure. The threat leveraged phishing emails, malicious Internet Shortcut files, WebDAV-hosted scripts, Python-based loaders, startup folder persistence, and code injection into explorer.exe.

Threat Overview

Attack Chain

Initial Access

Victim receives phishing email containing Dropbox-hosted ZIP archive.

User Execution

User opens Rechnung PDF shortcut file.

WebDAV Connection

Connection established to TryCloudflare infrastructure.

Payload Download

WSH and BAT scripts download Python environment and malware components.

Persistence

ahke.bat and olsm.bat added to Startup folder.

Execution

new.bin decrypted and injected into explorer.exe using ne.py.

IOC Table

IOC Type Indicator Confidence
IP Address 87.106.191.217 High
Domain strength-blind-bristol-ten.trycloudflare.com High
Domain syracuse-seeks-wilson-row.trycloudflare.com High
Domain citysearch-packed-bacterial-receptors.trycloudflare.com High
Malware AsyncRAT High
File new.bin High
File ne.py High
File xeno.bat High
File vio.bat High

VirusTotal Verification

Indicator Detection Ratio
87.106.191.217 3/94 Vendors
strength-blind-bristol-ten.trycloudflare.com 11/91 Vendors
syracuse-seeks-wilson-row.trycloudflare.com 11/91 Vendors
citysearch-packed-bacterial-receptors.trycloudflare.com 10/91 Vendors

MITRE ATT&CK Mapping

Tactic Technique
Initial Access T1566.001 Spearphishing Attachment
Execution T1059.001 PowerShell
Persistence T1547.001 Startup Folder
Defense Evasion T1218 Rundll32
Process Injection T1055
Command and Control T1105 Ingress Tool Transfer

Detection Opportunities

Analyst Assessment

This campaign demonstrates the abuse of trusted cloud infrastructure and legitimate Python environments to deploy AsyncRAT while evading traditional security controls. The use of WebDAV, Cloudflare tunnels, startup persistence, and explorer.exe injection provides multiple opportunities for SOC detection and threat hunting.