TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Trend Micro Research

Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response

Franklynn Uy · 2026-01-12

ATT&CK techniques detected

26 predictions
T1059.006 Python · 98%
"table summarizes the activities of the vio.bat and xeno.bat files. Table 2. Summary of the vio.bat and xeno.bat files based on AMSI telemetry. We observed python.exe being used to perform code injection into explorer.exe via the command python ne.py new.bin -k a.txt. Ana…"

T1218.011 Rundll32 · 95%
"exe processCmd: c:\windows\system32\svchost.exe -k LocalService -p -s WebClient eventSubId: 2 - TELEMETRY_PROCESS_CREATE objectFilePath: c:\windows\system32\rundll32.exe objectCmd: rundll32.exe c:\windows\system32\davclnt.dll,DavSetCookie plus…"

T1055.004 Asynchronous Procedure Call · 94%
"time it downloads the file ahke.bat. Finally, it executes the same Python script ne.py with new.bin and a.txt as parameters. - These batch files are installed as persistence mechanisms to ensure that the ne.py script is executed on startup with new.bin and a.txt. Interesti…"

T1204.002 Malicious File · 93%
"affected system. The other files hosted on the trycloudflare sites do not appear to be used for this specific case, though they may be employed in separate attack chains. Although the specific context of these files is unclear, their presence suggests that attackers may reuse a s…"

T1547.001 Registry Run Keys / Startup Folder · 87%
"The archive p.zip was then extracted using the PowerShell command Expand-Archive to c:\users\<username>\appdata\local\z1man. It then establishes persistence by dropping a batch file in the Startup folder; however, this time it downloads the files ahke.bat an…"

T1204.002 Malicious File · 87%
"on trycloudflare domains. These scripts then install a Python environment, establish persistence via Startup folder scripts, and inject code into explorer.exe. The final payload (new.bin) was identified to be AsyncRAT. Managed Detection and Response (MDR) investigation and …"

T1059.006 Python · 82%
"thy-redeem.trycloudflare[.]com. Both servers host the same set of files. While minor variations result in differing file hashes, the overall file structure remains highly similar. Both URLs also retrieve a legitimate PDF file from the website ihk[.]de and host the final …"

T1204.002 Malicious File · 81%
"Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response Malware Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response Threat actors exploited Cloudflare's free-tier infrastructure and legitimate Python environments to deploy the…"

T1105 Ingress Tool Transfer · 77%
". - owners-insertion-rentals-pursuit.trycloudflare[.]com - initially accesses 87[.]106[.]191[.]217 via port 5380, then redirects to this site. - strength-blind-bristol-ten.trycloudflare[.]com - syracuse-seeks-wilson-row.trycloudflare[.]com -…"

T1566.001 Spearphishing Attachment · 76%
"on trycloudflare domains. These scripts then install a Python environment, establish persistence via Startup folder scripts, and inject code into explorer.exe. The final payload (new.bin) was identified to be AsyncRAT. Managed Detection and Response (MDR) investigation and …"

T1204.002 Malicious File · 73%
"CAPTCHA that leads to the download of a JavaScript file masquerading as a PDF via a double file extension. - This JavaScript file will run the trycloudflare routine. - Finally, it redirects to a Dropbox URL showing a 404 error even if the JS file was downloaded: hxxps://www.…"

T1059.001 PowerShell · 68%
"trycloudflare[.]com http://plus-condos-thy-redeem.trycloudflare[.]com/anc.wsf Table 1. Trend Micro Antimalware Scan Interface (AMSI) telemetry generated by the file “anc.wsf”. In summary, anc.wsf performs the following: - Downloads vio.bat and xeno.bat…"

T1055.001 Dynamic-link Library Injection · 64%
"s temporary folder. The downloaded file, in this specific case, is an embedded version of Python 3.14.0 for 64-bit Windows systems, which is saved as p.zip. processFilePath: c:\windows\system32\cmd.exe processCmd: c:\windows\system32\cmd.exe /c ""c:\u…"

T1204.002 Malicious File · 64%
"living-off-the-land techniques, including the use of Windows Script Host and PowerShell, further complicates detection and response efforts. The campaign also employed social engineering tactics, including the display of legitimate PDF documents, to deceive victims and redu…"

T1055.001 Dynamic-link Library Injection · 58%
"32\cmd.exe processCmd: c:\windows\system32\cmd.exe /c ""c:\users\<username>\appdata\local\temp\xeno.bat"" eventSubId: 2 - TELEMETRY_PROCESS_CREATE objectFilePath: c:\program files (x86)\microsoft\edge\application\msedge.exe o…"

T1059.001 PowerShell · 54%
"\windows\system32\cmd.exe /c ""c:\users\<username>\appdata\local\temp\vio.bat" h" eventSubId: 2 - TELEMETRY_PROCESS_CREATE objectFilePath: c:\windows\system32\windowspowershell\v1.0\powershell.exe objectCmd: powershell -command "iw…"

T1566.001 Spearphishing Attachment · 49%
"Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response Malware Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response Threat actors exploited Cloudflare's free-tier infrastructure and legitimate Python environments to deploy the…"

T1566.002 Spearphishing Link · 45%
"living-off-the-land techniques, including the use of Windows Script Host and PowerShell, further complicates detection and response efforts. The campaign also employed social engineering tactics, including the display of legitimate PDF documents, to deceive victims and redu…"

T1566.001 Spearphishing Attachment · 40%
"living-off-the-land techniques, including the use of Windows Script Host and PowerShell, further complicates detection and response efforts. The campaign also employed social engineering tactics, including the display of legitimate PDF documents, to deceive victims and redu…"

T1218.011 Rundll32 · 37%
". processFilePath: c:\windows\explorer.exe processCmd: c:\windows\explorer.exe eventSubId: 2 - TELEMETRY_PROCESS_CREATE objectFilePath: c:\windows\system32\wscript.exe objectCmd: "c:\windows\system32\wscript.exe" "\\plus-condos-thy-…"

T1059 Command and Scripting Interpreter · 37%
", olsm.bat), WebDAV mounting, and legitimate "living-off-the-land" techniques using Windows Script Host, PowerShell, and built-in system utilities to evade detection. - TrendAI Vision One™ detects and blocks the indicators of compromise (IoCs) outlined in this blog,…"

T1055.001 Dynamic-link Library Injection · 36%
"\windows\system32\cmd.exe /c ""c:\users\<username>\appdata\local\temp\vio.bat" h" eventSubId: 2 - TELEMETRY_PROCESS_CREATE objectFilePath: c:\windows\system32\windowspowershell\v1.0\powershell.exe objectCmd: powershell -command "iw…"

T1204.002 Malicious File · 34%
"\windows\system32\cmd.exe /c ""c:\users\<username>\appdata\local\temp\vio.bat" h" eventSubId: 2 - TELEMETRY_PROCESS_CREATE objectFilePath: c:\windows\system32\windowspowershell\v1.0\powershell.exe objectCmd: powershell -command "iw…"

T1204.002 Malicious File · 33%
": c:\users\<username>\appdata\local\temp\microsoftedgedownloads\6afacba0-f0d1-4b8b-85c7-5bfc8784b9c5\rechnung zu auftrag w19248960825.pdf.zip parentFilePath: c:\program files (x86)\microsoft\edge\application\msedge.exe request: hxxps[…"

T1204.002 Malicious File · 33%
"directory contains the complete Python library as well as the malicious shell, keys, and Python scripts. xcopy "q:\extracted\*" "." /y /i /s c:\users\<username>\appdata\local\microsoft\systemcache25\_zstd.pyd File analysis. We successfully extracted a…"

T1059.003 Windows Command Shell · 32%
"exe processCmd: c:\windows\system32\svchost.exe -k LocalService -p -s WebClient eventSubId: 2 - TELEMETRY_PROCESS_CREATE objectFilePath: c:\windows\system32\rundll32.exe objectCmd: rundll32.exe c:\windows\system32\davclnt.dll,DavSetCookie plus…"

Summary

Threat actors exploited Cloudflare's free-tier infrastructure and legitimate Python environments to deploy the AsyncRAT remote access trojan, demonstrating advanced evasion techniques that abuse trusted cloud services for malicious operations.