Detecting Multi-Stage Infection Chains Madness
ID: 72b4f764-4c24-5696-b6cd-70c7b68a7943
STIX ID: report--72b4f764-4c24-5696-b6cd-70c7b68a7943
Feed Name: Sekoia.io Blog
Date Published: 2025-04-22
Date Updated: 2026-04-29
Author: Sekoia TDR and Erwan Chevalier
Sekoia TDR reports on a resilient, multi-stage phishing campaign, active since at least February 2024, that uses Cloudflare Tunnel (TryCloudflare) infrastructure and WebDAV shares to host and deliver AsyncRAT. The chain starts with an email carrying a Windows Library (.library-ms) attachment and proceeds through LNK -> HTA -> BAT -> Python stages; the Python stage reflectively loads a DLL embedded in a JPEG, persistence is established with a VBS/BAT script in the Startup folder, and C2 relies on TryCloudflare hostnames and dynamic DNS. The report provides IoCs (domains, hashes) and Sigma detection rules to aid detection and hunting.
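As an added illustration (not Sekoia's Sigma rules, IoCs, or code), the sweep below encodes the detectable touchpoints of the chain summarized above as rules over constructed Sysmon-style events: mshta.exe launched from a WebDAV UNC path on a trycloudflare.com host, cmd.exe spawned by mshta.exe, python.exe running from a user-writable directory under that ancestry, and a VBS/BAT file dropped into the Startup folder. The tunnel hostname, file paths and PIDs are placeholders chosen for the example, not indicators from the report.

```python
"""Hunting sweep for an LNK -> HTA -> BAT -> Python chain (added example).

The events are constructed Sysmon-style records (EID 1 process creation,
EID 11 file creation); nothing here is taken from the report's IoCs.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" (EID 1) or "file" (EID 11)
    pid: int           # process id; for "file", the writing process
    ppid: int          # parent pid for "process"; unused for "file"
    image: str         # full path of the (writing) process
    cmdline: str = ""  # command line for "process" events
    target: str = ""   # created file path for "file" events


# Placeholder tunnel host (assumption, not an indicator from the report).
TUNNEL_HOST = "example-tunnel.trycloudflare.com"

# Constructed telemetry: one benign local HTA launch, then a chain that
# mirrors the stages described on the page.
EVENTS = [
    Event("process", 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event("process", 110, 100, r"C:\Windows\System32\mshta.exe",
          r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),  # benign
    Event("process", 200, 100, r"C:\Windows\System32\mshta.exe",
          rf'mshta.exe "\\{TUNNEL_HOST}@SSL@443\DavWWWRoot\stage\loader.hta"'),
    Event("process", 210, 200, r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"'),
    Event("process", 220, 210, r"C:\Users\u\AppData\Local\Temp\py\python.exe",
          r"python.exe C:\Users\u\AppData\Local\Temp\py\main.py"),
    Event("file", 220, 0, r"C:\Users\u\AppData\Local\Temp\py\python.exe",
          target=r"C:\Users\u\AppData\Roaming\Microsoft\Windows"
                 r"\Start Menu\Programs\Startup\update.vbs"),
]

# WebDAV UNC to a TryCloudflare host: \\<name>.trycloudflare.com@SSL@443\DavWWWRoot\...
WEBDAV_TUNNEL = re.compile(
    r"\\\\[\w.-]+\.trycloudflare\.com(@ssl)?(@\d+)?\\davwwwroot", re.I)
# Script interpreters written into the per-user Startup folder.
STARTUP_SCRIPT = re.compile(
    r"\\start menu\\programs\\startup\\[^\\]+\.(vbs|bat|cmd)$", re.I)
# Directories a standard user can write to (heuristic for a dropped Python).
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(events: list[Event], pid: int) -> list[str]:
    """Image basenames of the process ancestry, nearest parent first."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    chain, seen, cur = [], set(), by_pid.get(pid)
    while cur and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(basename(cur.image))
    return chain


def detect(events: list[Event]) -> list[tuple[str, int]]:
    """Return (rule_name, pid) for every event matching one of the stage rules."""
    hits = []
    for e in events:
        if e.kind == "process":
            name, anc = basename(e.image), ancestors(events, e.pid)
            if name == "mshta.exe" and WEBDAV_TUNNEL.search(e.cmdline):
                hits.append(("hta_from_webdav_tunnel", e.pid))
            if name == "cmd.exe" and anc[:1] == ["mshta.exe"]:
                hits.append(("bat_spawned_by_hta", e.pid))
            if (name == "python.exe" and "mshta.exe" in anc
                    and USER_WRITABLE.search(e.image)):
                hits.append(("python_under_hta_chain", e.pid))
        elif e.kind == "file" and STARTUP_SCRIPT.search(e.target):
            hits.append(("startup_script_dropped_by_" + basename(e.image), e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The rules are deliberately independent so a hunter can see which stage left telemetry on a given host; the benign local mshta launch (pid 110) matches nothing because it has neither a WebDAV tunnel path nor a suspicious child. In real Sigma these map to Event ID 1 fields (Image, ParentImage, CommandLine) and the Event ID 11 TargetFilename. The WebDAV pattern only covers the `\\host@SSL@port\DavWWWRoot` UNC form; if the HTA is fetched as a plain https URL instead, widen the pattern accordingly.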
