Hackers have been using Cloudflare tunnels since February 2024 to host malware and spread remote access trojans like AsyncRAT, according to Sekoia TDR.
The attack chain starts with phishing emails disguised as invoices or orders. These emails carry an uncommon attachment type, application/windows-library+xml, which can slip past some email filters.
When opened, the file connects to a WebDAV resource hosted on Cloudflare, triggering a multi-step infection process.
The user is led to open a shortcut (LNK) file that launches an HTML Application (HTA) instead of a PDF. This HTA file runs a script that installs Python using PowerShell, helping the malware remain hidden and continue its execution.
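A small triage helper for the first stage of the chain above, the Windows Library (.library-ms) attachment that points Explorer at a remote WebDAV share. This is an added example written for this write-up, not tooling from Sekoia or from the report; it parses the library XML, extracts every location it references, and flags the file as suspicious when any location is remote rather than a local folder. The host names in the samples and the WebDAV UNC form in the test are constructed placeholders, not indicators from the report.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# XML namespace used by Windows Library (.library-ms) files, the format behind
# the application/windows-library+xml attachment described in the report.
LIB_NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Constructed benign sample: a library that only indexes the user's Documents folder.
BENIGN_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed suspicious sample: the only location is a remote share on a
# *.trycloudflare.com host. The host name is a placeholder, not an IoC from the report.
REMOTE_LIBRARY_MS = BENIGN_LIBRARY_MS.replace(
    "knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}",
    "https://placeholder-tunnel-name.trycloudflare.com/share",
)


def extract_locations(library_xml: str) -> list[str]:
    """Return every <simpleLocation><url> value in a .library-ms document."""
    root = ET.fromstring(library_xml)
    return [u.text.strip() for u in root.iterfind(".//lib:simpleLocation/lib:url", LIB_NS) if u.text]


def classify_location(url: str) -> dict:
    """Decide whether a library location is local or remote, and pull out the remote host."""
    lowered = url.lower()
    if lowered.startswith("\\\\"):
        # UNC form used for WebDAV, e.g. \\host@SSL\DavWWWRoot\share: the host is the
        # first path component, with any @SSL or @port suffix removed.
        host = lowered.lstrip("\\").split("\\", 1)[0].split("@", 1)[0]
    else:
        # knownfolder:, shell: and drive-letter paths have no host and are local;
        # http(s):// and similar URLs with a host are remote.
        host = urlparse(lowered).hostname
    if not host:
        return {"url": url, "remote": False, "host": None, "trycloudflare": False}
    return {
        "url": url,
        "remote": True,
        "host": host,
        "trycloudflare": host.endswith(".trycloudflare.com"),
    }


def triage_library(library_xml: str) -> dict:
    """Classify every location; the attachment is suspicious if any location is remote."""
    findings = [classify_location(u) for u in extract_locations(library_xml)]
    return {"locations": findings, "suspicious": any(f["remote"] for f in findings)}


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LIBRARY_MS), ("remote", REMOTE_LIBRARY_MS)):
        print(label, triage_library(sample))
```

A library file that references any remote location is unusual for a mail attachment, so the `suspicious` flag is a reasonable mail-gateway or sandbox verdict on its own; the `trycloudflare` flag only adds context, since legitimate quick tunnels use the same domain.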

To avoid detection, attackers hide installation folders and use cleanup scripts. They ensure persistence by placing malicious scripts in the Windows Startup folder, allowing the malware to run after every reboot.
Detection and Monitoring Efforts
Sekoia detects the different stages of the attack, from suspicious email attachments to PowerShell commands, with a mix of Sigma rules and custom queries written in its SOL language.
Rules such as “Suspicious Email Attachment Received” and “Mshta Suspicious Child Process” help identify the malicious activity and the command-and-control behavior.
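To make the detection side concrete, here is an added example (not Sekoia's rules or their SOL queries) that implements three checks matching the stages described above and runs them over constructed, Sysmon-style JSON-lines telemetry: mshta.exe spawning a script interpreter, a script dropped into a Start Menu Startup folder, and a DNS query for a report IoC or any *.trycloudflare.com host. The field names follow Sysmon event IDs 1, 11 and 22; the child-process set and script-extension list are my own choices, and the sample events are constructed for the demonstration.

```python
import json
from pathlib import PureWindowsPath

# IoC domains from the report's table, with the defanging brackets removed so they match DNS logs.
IOC_DOMAINS = {
    "malawi-light-pill-bolt.trycloudflare.com",
    "players-time-corresponding-th.trycloudflare.com",
    "spaces-corner-notices-battery.trycloudflare.com",
    "xi-if-grows-valued.trycloudflare.com",
    "phvnmarch8787.duckdns.org",
}

# Assumed child-process set for the "mshta spawns an interpreter" rule (my choice, not Sekoia's rule body).
SUSPICIOUS_MSHTA_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "python.exe"}

# Script-like extensions worth flagging when written into a Startup folder (assumed list).
STARTUP_SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk", ".hta", ".py"}
STARTUP_DIR_MARKER = "\\start menu\\programs\\startup\\"


def _basename(path) -> str:
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return PureWindowsPath(path or "").name.lower()


def rule_mshta_suspicious_child(ev: dict) -> bool:
    """Process-creation event (ID 1) where mshta.exe is the parent of a script interpreter."""
    return (ev.get("EventID") == 1
            and _basename(ev.get("ParentImage")) == "mshta.exe"
            and _basename(ev.get("Image")) in SUSPICIOUS_MSHTA_CHILDREN)


def rule_startup_folder_script(ev: dict) -> bool:
    """File-creation event (ID 11) that writes a script into a Start Menu\\Programs\\Startup folder."""
    if ev.get("EventID") != 11:
        return False
    target = (ev.get("TargetFilename") or "").lower()
    return STARTUP_DIR_MARKER in target and PureWindowsPath(target).suffix in STARTUP_SCRIPT_EXTENSIONS


def rule_tunnel_or_ioc_dns(ev: dict) -> bool:
    """DNS-query event (ID 22) for a known IoC domain or any *.trycloudflare.com host."""
    if ev.get("EventID") != 22:
        return False
    name = (ev.get("QueryName") or "").lower().rstrip(".")
    return name in IOC_DOMAINS or name.endswith(".trycloudflare.com")


RULES = {
    "Mshta Suspicious Child Process": rule_mshta_suspicious_child,
    "Script Written To Startup Folder": rule_startup_folder_script,
    "Cloudflare Tunnel Or IoC DNS Query": rule_tunnel_or_ioc_dns,
}

# Constructed sample telemetry (JSON lines). Lines 2, 4 and 6 should alert; 3, 5 and 7 are benign noise.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\mshta.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe"}
{"EventID": 11, "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ben.bat"}
{"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Documents\\invoice.docx"}
{"EventID": 22, "QueryName": "malawi-light-pill-bolt.trycloudflare.com"}
{"EventID": 22, "QueryName": "updates.example.com"}
"""


def run_rules(jsonl: str) -> list[dict]:
    """Apply every rule to each JSON-lines event; return one alert per (rule, event) match."""
    alerts = []
    for lineno, line in enumerate(jsonl.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped rather than aborting the whole batch
        for rule_name, rule in RULES.items():
            if rule(ev):
                alerts.append({"rule": rule_name, "line": lineno, "event": ev})
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"line {alert['line']}: {alert['rule']}")
```

The exact-match IoC list is high confidence but stale the moment the operators rotate tunnel names, which is why the rule also matches the whole *.trycloudflare.com suffix; treat that broader match as a lower-severity signal to correlate with the mshta and Startup-folder rules rather than an alert on its own, since legitimate quick tunnels share the domain.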
The report highlights how hard it is to detect these advanced threats, especially with attackers using trusted infrastructure and clever evasion tactics.
Sekoia TDR continues to track these threats and to improve its detection tools. Its research shows the need for real-time threat intelligence and strong monitoring to stay ahead of cybercriminals.
IOCs
Type | Indicator
---|---
Command and Control | malawi-light-pill-bolt[.]trycloudflare[.]com
Command and Control | players-time-corresponding-th[.]trycloudflare[.]com
Command and Control | spaces-corner-notices-battery[.]trycloudflare[.]com
Command and Control | xi-if-grows-valued[.]trycloudflare[.]com
Command and Control | phvnmarch8787[.]duckdns[.]org
Files | 0d8d46ec44e737e6ef6cd7df8edf95d83807e84be825ef76089307b399a6bcbb (mslibrary attachment)
Files | c935cc41342794c23d640333a1ddd511f9c51e5b790261dc848ec5f7ac28650a (ben.bat)