AsyncRAT Campaign Continues to Evade Endpoint Detection
ID: 5f82f9b7-36c5-54e1-9ebe-023bfe4595ac
STIX ID: report--5f82f9b7-36c5-54e1-9ebe-023bfe4595ac
Feed Name: Halcyon Blog
Halcyon reports a global, sector-agnostic phishing campaign, active since early 2024, that abuses legitimate cloud services (notably TryCloudflare tunnels and Dropbox-hosted ZIP archives) and obfuscated scripts to deploy Python-based loaders and Remote Access Trojans (AsyncRAT, XWorm, VenomRAT, Remcos), evading traditional EPP/EDR. The report provides specific IOCs (TryCloudflare subdomains and multiple file hashes) and detailed mitigation guidance, including blocking tunnel services, advanced email filtering, monitoring Python execution, and deploying behavioral EDR and anti-ransomware controls.
