AsyncRAT Malware Delivered via Cloudflare and Python Exploits


These articles are AI-generated summaries. Please check the original sources for full details.

AsyncRAT Malware Infests Orgs via Python & Cloudflare

A new phishing campaign is utilizing Cloudflare’s free services and Python tools to deliver AsyncRAT, a commodity remote access trojan. The attack demonstrates how threat actors are increasingly weaponizing legitimate infrastructure to evade detection and gain access to victim systems.

The campaign highlights the challenge of distinguishing malicious activity from legitimate use of cloud services and open-source tools, increasing the potential scale of successful attacks and associated costs for remediation and recovery.

Key Insights

  • Phishing emails using Dropbox links are the initial attack vector, as reported by Trend Micro, January 2026.
  • Attackers use double file extensions (.pdf.url) to disguise malicious files as legitimate PDFs, exploiting user trust.
  • AsyncRAT’s modularity allows for customization, making it a popular choice for attackers seeking flexible remote access capabilities.
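
The double-extension lure described above can be caught at the mail gateway or in download triage. The following is an added example, not code from the campaign report or from any vendor: it flags names that end in a document extension followed by a launchable one and, for Internet Shortcut (.url) files, reports where the shortcut points. The extension lists, file name and host are assumptions chosen for illustration.

```python
import configparser
from urllib.parse import urlparse

# Assumed extension lists for illustration; tune them to your environment.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
LAUNCH_EXTS = {"url", "lnk", "js", "vbs", "wsf", "hta", "bat", "cmd", "exe", "scr"}


def double_extension(filename):
    """Return (decoy, real) when a name ends in <document ext>.<launchable ext>."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces, so compare the effective name.
    parts = [p.strip() for p in name.rstrip(". ").lower().split(".")]
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS and parts[-1] in LAUNCH_EXTS:
        return parts[-2], parts[-1]
    return None


def shortcut_target(content):
    """Return the URL= value of an Internet Shortcut (.url) file, or None."""
    parser = configparser.RawConfigParser(strict=False)
    try:
        parser.read_string(content.lstrip("\ufeff"))
    except configparser.Error:
        return None
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return parser.get(section, "url", fallback=None)
    return None


def triage(filename, content=""):
    """Summarise why an attachment or download deserves a closer look."""
    reasons = []
    pair = double_extension(filename)
    if pair:
        reasons.append(f"name reads as .{pair[0]} but the file type is .{pair[1]}")
    target = shortcut_target(content) if content else None
    if target:
        url = urlparse(target)
        reasons.append(f"shortcut opens {url.scheme}://{url.hostname}")
        if url.scheme not in ("http", "https"):
            reasons.append("shortcut target is not a web page")
    return reasons


if __name__ == "__main__":
    # Constructed sample; the file name and host are placeholders.
    sample = "[InternetShortcut]\nURL=https://files.example.net/invoice\n"
    print(triage("Invoice_2026.pdf.url", sample))
```

Because Windows hides known extensions by default, the user sees only the decoy part of such a name, so the check is most useful before the file reaches the desktop.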

Practical Applications

  • Use Case: Organizations in Europe, particularly those receiving invoice-related emails, are potential targets for this campaign.
  • Pitfall: Relying solely on signature-based detection can be ineffective against malware delivered through legitimate services and tools such as Cloudflare and Python.
