AsyncRAT distribution via TryCloudflare, Dropbox, and WSH infection chain

Malware Activity
H score 36
1 unique source, 1 article

Summary

A multi-stage phishing chain is distributing AsyncRAT through TryCloudflare tunnels and Dropbox ZIP links, creating a persistent Windows infection path that ends with shellcode injection into explorer.exe. The initial Windows Script Host (WSH) payload downloads additional scripts from a WebDAV server, then stages batch files and a Python environment to extend execution. The activity matters because it uses trusted infrastructure and living-off-the-land tools to hide delivery, maintain persistence, and support remote access.

Related Happenings

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

ClickFix attacks with PySoxy scheduled-task persistence

Malware Activity
First: 12.05.2026 15:00 Last: 12.05.2026 15:00 Sources 1

About this happening: Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...

StoatWaffle malware distributed through malicious VS Code projects

Malware Activity
First: 23.03.2026 20:09 Last: 23.03.2026 20:09 Sources 1

About this happening: The **StoatWaffle** malware is being delivered through malicious **VS Code projects**, creating a live risk of **credential theft** and **remote command execution** on developer s...

SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM multi-stage malware deployment

Malware Activity
First: 05.03.2026 14:01 Last: 05.03.2026 14:01 Sources 1

About this happening: A **Windows malware** set composed of **SPLITDROP**, **TWINTASK**, **TWINTALK**, and **GHOSTFORM** was deployed across **two infection chains**, expanding the operation’s command,...

OAuth-phished ZIP/LNK/PowerShell malware delivery chain

Malware Activity
First: 03.03.2026 11:20 Last: 03.03.2026 11:20 Sources 1

About this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...

Timeline

  1. 14.01.2026 16:18 2 articles · 4mo ago

    AsyncRAT delivery chain uses TryCloudflare and Dropbox

    Technical Analysis Update

    A multi-stage phishing campaign distributes AsyncRAT through Dropbox ZIP links and TryCloudflare tunnels, using an internet shortcut file, a Windows Script Host initial payload, and follow-on scripts hosted on a WebDAV server. The infection chain stages a Python environment, establishes persistence through Windows startup folder scripts, and injects AsyncRAT shellcode into explorer.exe, while abusing Cloudflare free-tier infrastructure and other trusted services to evade detection.
