Threat Intelligence, IOC Validation, MITRE ATT&CK Mapping and Detection Opportunities
Trend Micro researchers identified a multi-stage phishing campaign delivering AsyncRAT through Cloudflare TryCloudflare infrastructure. The threat leveraged phishing emails, malicious Internet Shortcut files, WebDAV-hosted scripts, Python-based loaders, startup folder persistence, and code injection into explorer.exe.
Victim receives phishing email containing Dropbox-hosted ZIP archive.
User opens Rechnung PDF shortcut file.
Connection established to TryCloudflare infrastructure.
WSH and BAT scripts download Python environment and malware components.
ahke.bat and olsm.bat added to Startup folder.
new.bin decrypted and injected into explorer.exe using ne.py.
| IOC Type | Indicator | Confidence |
|---|---|---|
| IP Address | 87.106.191.217 | High |
| Domain | strength-blind-bristol-ten.trycloudflare.com | High |
| Domain | syracuse-seeks-wilson-row.trycloudflare.com | High |
| Domain | citysearch-packed-bacterial-receptors.trycloudflare.com | High |
| Malware | AsyncRAT | High |
| File | new.bin | High |
| File | ne.py | High |
| File | xeno.bat | High |
| File | vio.bat | High |
| Indicator | Detection Ratio |
|---|---|
| 87.106.191.217 | 3/94 Vendors |
| strength-blind-bristol-ten.trycloudflare.com | 11/91 Vendors |
| syracuse-seeks-wilson-row.trycloudflare.com | 11/91 Vendors |
| citysearch-packed-bacterial-receptors.trycloudflare.com | 10/91 Vendors |
| Tactic | Technique |
|---|---|
| Initial Access | T1566.001 Spearphishing Attachment |
| Execution | T1059.001 PowerShell |
| Persistence | T1547.001 Startup Folder |
| Defense Evasion | T1218 Rundll32 |
| Process Injection | T1055 |
| Command and Control | T1105 Ingress Tool Transfer |
This campaign demonstrates the abuse of trusted cloud infrastructure and legitimate Python environments to deploy AsyncRAT while evading traditional security controls. The use of WebDAV, Cloudflare tunnels, startup persistence, and explorer.exe injection provides multiple opportunities for SOC detection and threat hunting.