Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response

    Date: 01/12/2026

    Severity: High

    Summary

    A multi-stage campaign linked to AsyncRAT abuses trusted infrastructure to evade detection and ensure reliable payload delivery. Threat actors leverage Cloudflare free-tier services and TryCloudflare tunnels to host WebDAV servers, while phishing emails link to Dropbox-hosted archives whose double-extension file names (for example .pdf.zip) trick victims into opening them. The attack installs a legitimate Python environment and uses it to inject code into explorer.exe, establishes persistence through startup scripts and WebDAV mounting, and relies heavily on living-off-the-land tools such as PowerShell and Windows Script Host to remain stealthy.
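    The IOC-based queries further down match only the specific domains, addresses and hashes seen in this campaign. The behaviours the summary describes (double-extension lure names, a WebDAV mount to a trycloudflare.com host, python.exe launched by a script host or PowerShell, writes to the Startup folder) can be matched independently of those values. The following is an added example, not code from the advisory or from Gurucul; the telemetry records, host names and file paths are constructed, and the extra file extensions and the two-behaviour escalation threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation telemetry (not from the advisory). Host
# names and local paths are hypothetical; the lure file name and the tunnel
# domain are the ones the advisory lists.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "outlook.exe", "image": "explorer.exe",
     "cmdline": r'"C:\Users\u\Downloads\Rechnung-zu-Auftrag-W19248960825.pdf.zip"'},
    {"host": "ws01", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe net use Z: \\plus-condos-thy-redeem.trycloudflare.com@SSL\DavWWWRoot"},
    {"host": "ws01", "parent": "wscript.exe", "image": "python.exe",
     "cmdline": r"C:\Users\u\AppData\Local\Temp\py\python.exe run.py"},
    {"host": "ws02", "parent": "explorer.exe", "image": "python.exe",
     "cmdline": r"C:\Python311\python.exe C:\dev\build.py"},   # benign developer use
]

# Document-looking first extension followed by an archive or script extension.
# The advisory's lures are .pdf.zip; the remaining extensions are an assumption.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(zip|rar|7z|exe|js|vbs)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
STARTUP_PATH = re.compile(r"\\start menu\\programs\\startup\\", re.I)

def evaluate(event):
    """Return the names of the campaign behaviours a single event matches."""
    cmd = event["cmdline"]
    low = cmd.lower()
    hits = []
    if DOUBLE_EXT.search(cmd):
        hits.append("double_extension_lure")
    # WebDAV mount syntax (net use / @SSL / DavWWWRoot) pointed at a TryCloudflare tunnel.
    if "trycloudflare.com" in low and any(k in low for k in ("net use", "@ssl", "davwwwroot")):
        hits.append("webdav_mount_trycloudflare")
    if event["image"].lower() == "python.exe" and event["parent"].lower() in SCRIPT_HOSTS:
        hits.append("python_spawned_by_script_host")
    if STARTUP_PATH.search(cmd):
        hits.append("startup_folder_persistence")
    return hits

def scan(events):
    """Collect the distinct behaviours observed per host (hosts with no hits are omitted)."""
    by_host = defaultdict(set)
    for ev in events:
        for rule in evaluate(ev):
            by_host[ev["host"]].add(rule)
    return {h: sorted(r) for h, r in by_host.items()}

def escalate(events, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours warrant investigation."""
    return sorted(h for h, rules in scan(events).items() if len(rules) >= threshold)

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
    print("escalate:", escalate(SAMPLE_EVENTS))
```

    A lone python.exe launch is common on developer machines (ws02 above), which is why the example escalates only when several of the campaign's behaviours cluster on one host.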

    Indicators of Compromise (IOC) List

    URLs/Domains


    IP Address

    43.157.118.169

    158.94.209.23

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://dl.dropboxusercontent.com/scl/fi/5uvu1977pm1v8e5w9dujx/LEXWARE0019.pdf.zip?rlkey=n9y56p52jbsgujjk84pnvdrrf&st=fqekaosq&dl=0"
    or siteurl like "https://dl.dropboxusercontent.com/scl/fi/5uvu1977pm1v8e5w9dujx/LEXWARE0019.pdf.zip?rlkey=n9y56p52jbsgujjk84pnvdrrf&st=fqekaosq&dl=0"
    or url like "https://dl.dropboxusercontent.com/scl/fi/5uvu1977pm1v8e5w9dujx/LEXWARE0019.pdf.zip?rlkey=n9y56p52jbsgujjk84pnvdrrf&st=fqekaosq&dl=0"
    or domainname like "http://dl.dropboxusercontent.com/scl/fi/50mvsqpvyxid7m39g773l/Rechnung-zu-Auftrag-W19248960825.pdf.zip?rlkey=rtgatrazvz9rbqtxbj9rtf7os&st=t318uel6&dl=0"
    or siteurl like "http://dl.dropboxusercontent.com/scl/fi/50mvsqpvyxid7m39g773l/Rechnung-zu-Auftrag-W19248960825.pdf.zip?rlkey=rtgatrazvz9rbqtxbj9rtf7os&st=t318uel6&dl=0"
    or url like "http://dl.dropboxusercontent.com/scl/fi/50mvsqpvyxid7m39g773l/Rechnung-zu-Auftrag-W19248960825.pdf.zip?rlkey=rtgatrazvz9rbqtxbj9rtf7os&st=t318uel6&dl=0"
    or domainname like "owners-insertion-rentals-pursuit.trycloudflare.com"
    or siteurl like "owners-insertion-rentals-pursuit.trycloudflare.com"
    or url like "owners-insertion-rentals-pursuit.trycloudflare.com"
    or domainname like "plus-condos-thy-redeem.trycloudflare.com"
    or siteurl like "plus-condos-thy-redeem.trycloudflare.com"
    or url like "plus-condos-thy-redeem.trycloudflare.com"
    or domainname like "citysearch-packed-bacterial-receptors.trycloudflare.com"
    or siteurl like "citysearch-packed-bacterial-receptors.trycloudflare.com"
    or url like "citysearch-packed-bacterial-receptors.trycloudflare.com"
    or domainname like "strength-blind-bristol-ten.trycloudflare.com"
    or siteurl like "strength-blind-bristol-ten.trycloudflare.com"
    or url like "strength-blind-bristol-ten.trycloudflare.com"
    or domainname like "syracuse-seeks-wilson-row.trycloudflare.com"
    or siteurl like "syracuse-seeks-wilson-row.trycloudflare.com"
    or url like "syracuse-seeks-wilson-row.trycloudflare.com"
    or domainname like "license-appointed-asset-pulled.trycloudflare.com"
    or siteurl like "license-appointed-asset-pulled.trycloudflare.com"
    or url like "license-appointed-asset-pulled.trycloudflare.com"
    or domainname like "pie-references-chart-ozone.trycloudflare.com"
    or siteurl like "pie-references-chart-ozone.trycloudflare.com"
    or url like "pie-references-chart-ozone.trycloudflare.com"

    Detection Query 2:

    dstipaddress IN ("43.157.118.169","158.94.209.23") or srcipaddress IN ("43.157.118.169","158.94.209.23")

    Detection Query 3:

    sha256hash IN ("33696190e43ede407b1b4903b10cafda0e49376d8ce0c85f01197f7c5073bc04","47fe42924e00e92e3b297426a8ce3aa39864fbf6e7ae65893b4f5dbe0ea8176c","667d8cbd146c7e4c6dc674ff4219d3a7e682d6464e777a107e6207a7070bf626","403784357e6402433153d47c2362f26cc26e135a1305393cea074574d3027af5","3475330b22f8652e713311689085a5ec24d03ce68d229e43afe89ed2f05a4a01","e8abdc2f58bb7391eb541e4c06467f422549a79740a3a1ad2979d48595555400","af22cd07ebfcba8d457a1bfacee7b66c60846de1b1d7ab356398dac696984ced","41a01b6f2c4dc340cf35fab38c732e5d2660bedb15e3912d9970d724e20b4f71","0948683788167caec8ec5552b88cf66e3c0a5c6d99b3843317f5c794400b401f","201c4c502678c41ba2dbb196cfe0f9f61371c10fdf947f1682eff8202f4ce580","0aa3250cfb6d7defc68d6d7ddfbdee05a2329a20d944e8d4bb0e6b7f5a85caee","f3564370f1b243ca0bb6b31afe8f4bb11c35218e340dba94d4481218385be277","7600f3d353aa29512dfc0cbc4aa0481453c078692174384a8da668ff1c6bd65a","b1032815b078aad59eb3bd32c29dee4621b37e516e679e84cb7d1c11c3eaff15","4a75881d1ea48ae165ab7069dbfe398882d982e6a860c29ed1d940c4f285c871","e6cdcf2cdd49ac3ca256f30a7b5d11a9953748b5820b73845afcd7f9439d6290","9e3a9db6942f7c42da4c53b5294604b232354002cee16f554a82edb1cf69c82f","d035d396ae5cda562d4e674b66eeda52a55510fe5c1d379930bff5bfcce10f13")

    Reference:

    https://www.trendmicro.com/en_us/research/26/a/analyzing-a-a-multi-stage-asyncrat-campaign-via-mdr.html

