A sophisticated phishing campaign uses a fake invoice PDF to mask the delivery of multiple remote access trojans, primarily AsyncRAT but also VenomRAT and XWorm, via layered shortcuts, TryCloudflare quick tunnels, and disguised Python packages.
The campaign echoes an August attack previously analysed by X‑Labs and reinforces the group’s 2025 Future Insights prediction that adversaries will increasingly abuse legitimate infrastructure to increase delivery success and evade detection.
The attack initiates with a phishing email containing a Dropbox URL that points to a ZIP archive. When the victim downloads and opens the archive, they find an internet shortcut (.URL) that references a TryCloudflare tunnel.
That tunnel hosts an .LNK file which, when launched, triggers PowerShell to fetch an obfuscated JavaScript file from the same temporary Cloudflare address.
The deobfuscated JavaScript in turn retrieves a heavily obfuscated .BAT file. The BAT script performs the heavy lifting: it uses Invoke‑WebRequest to download a large ZIP (ma.zip) containing what appears to be a legitimate Python package, extracts it, and opens a decoy invoice PDF in the default browser.
Inside the ma.zip package, the majority of files mimic a normal Python environment, but analysis shows that load.py and five .bin files are the real malicious components. load.py is base64‑obfuscated; once decoded it uses the ctypes library to call low‑level Windows APIs (VirtualAlloc, RtlMoveMemory, CreateThread and WaitForSingleObject) to allocate executable memory, copy shellcode and create threads for execution.

Forcepoint X-Labs, in a report shared with GBhackers, said it identified another AsyncRAT malware campaign that delivers malicious payloads through suspicious TryCloudflare tunnels.
Phishing Campaign Uses Fake Invoice PDF
The campaign uses Early Bird APC Queue process injection: creating a new legitimate process and injecting shellcode before its main thread runs, a technique that can bypass some AV/EDR hooks by executing malicious code very early in process initialization.
Each .bin houses shellcode for a different RAT: most inject AsyncRAT into explorer.exe, payload.bin deploys VenomRAT into notepad.exe, and xr.bin injects XWorm.
After injection the implants reach back to the same command‑and‑control infrastructure over different ports (examples include 62.60.190.141:3232 and :4056), enabling remote control, data exfiltration and further lateral movement.
This multi‑stage chain (ZIP > .URL > .LNK > .JS > .BAT > ma.zip > load.py + .bin) combines legitimate cloud services, layered obfuscation and process‑level stealth to reduce suspicion and detection.
The use of a decoy PDF is central to social engineering: while the malicious payloads deploy silently in the background, the victim sees an innocuous invoice and assumes normalcy.
Defenders should note several actionable indicators and mitigations. Monitor and block anomalous use of TryCloudflare and other quick‑tunnel domains in inbound links, flag downloads that contain .URL/.LNK files or scripts inside ZIPs, and inspect PowerShell commands for Invoke‑WebRequest calls that extract and execute archives.
Endpoint controls should detect Early Bird injection patterns and memory injection via the listed Windows APIs; application control and improved script‑blocking can prevent the chain’s script and BAT stages from executing.
Finally, user training should reinforce skepticism of unexpected invoice emails and discourage opening archive contents without verification.
Forcepoint’s findings expand on their earlier analysis (see the original Forcepoint X‑Labs writeup) and underline a persistent trend: adversaries will continue exploiting low‑cost, legitimate hosting and tunnelling services to increase campaign resilience.

