A wide-ranging phishing campaign has been identified that enables threat actors to bypass traditional security controls and delay detection. The campaign, tracked since 2024, has facilitated remote surveillance, credential theft, lateral movement, data exfiltration, and ransomware across numerous organizations. The likely new or rebranded cybercriminal group behind this campaign uses legitimate services like TryCloudflare to host and deliver highly evasive malware such as AsyncRAT and other Remote Access Trojans. This malware allows threat actors to remotely control infected networks throughout the full attack lifecycle. The campaign targets organizations globally across multiple sectors without industry preference, using widely available malware and difficult-to-detect techniques involving Python scripts, obfuscated batch scripts, trusted cloud services, and dynamic infrastructure.
Author: AlienVault
Related Tags:
cybercriminal
endpoint evasion
python scripts
trycloudflare
PureHVNC
T1120
T1059.006
Obfuscation
remote access trojan
Associated Indicators: