Find notable cyber news and cases, enriched with sources, timelines, and signals.

AsyncRAT distribution via TryCloudflare, Dropbox, and WSH infection chain

Malware Activity
First reported
Last updated
Happening score
H score 27
1 unique sources, 1 articles

Summary

Hide ▲

A multi-stage phishing chain is distributing AsyncRAT through TryCloudflare tunnels and Dropbox ZIP links, creating a persistent Windows infection path that ends with shellcode injection into explorer.exe. The initial Windows Script Host (WSH) payload downloads additional scripts from a WebDAV server, then stages batch files and a Python environment to extend execution. The activity matters because it uses trusted infrastructure and living-off-the-land tools to hide delivery, maintain persistence, and support remote access.

Related Happenings

AI-generated PowerShell Active Directory reconnaissance script

Malware Activity
H score23 First: 09.07.2026 17:00 Last: 09.07.2026 17:00 Sources 1

About this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
H score16 First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

ClickFix attacks with PySoxy scheduled-task persistence

Malware Activity
H score22 First: 12.05.2026 15:00 Last: 12.05.2026 15:00 Sources 1

About this happening: Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...

StoatWaffle malware distributed through malicious VS Code projects

Malware Activity
H score29 First: 23.03.2026 20:09 Last: 23.03.2026 20:09 Sources 1

About this happening: The **StoatWaffle** malware is being delivered through malicious **VS Code projects**, creating a live risk of **credential theft** and **remote command execution** on developer s...

SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM multi-stage malware deployment

Malware Activity
H score18 First: 05.03.2026 14:01 Last: 05.03.2026 14:01 Sources 1

About this happening: A **Windows malware** set composed of **SPLITDROP**, **TWINTASK**, **TWINTALK**, and **GHOSTFORM** was deployed across **two infection chains**, expanding the operation’s command,...

Timeline

  1. 14.01.2026 16:18 2 articles · 5mo ago

    AsyncRAT delivery chain uses TryCloudflare and Dropbox

    Technical Analysis Update

    A multi-stage phishing campaign distributes AsyncRAT through Dropbox ZIP links and TryCloudflare tunnels, using an internet shortcut file, a Windows Script Host initial payload, and follow-on scripts hosted on a WebDAV server. The infection chain stages a Python environment, establishes persistence through Windows startup folder scripts, and injects AsyncRAT shellcode into explorer.exe, while abusing Cloudflare free-tier infrastructure and other trusted services to evade detection.

    Show sources