Cybersecurity experts have identified a sophisticated attack campaign exploiting Cloudflare’s tunnel infrastructure to distribute various remote access trojans (RATs). The infrastructure, which has demonstrated remarkable resilience since February 2024, serves as a distribution platform for malicious files and trojans that enable attackers to gain unauthorized access to victims’ systems. The complexity of this attack demonstrates how threat actors continue to develop innovative methods to bypass modern security controls, even in 2025.

Security vendors including Forcepoint, Fortinet, Orange, and Proofpoint have documented this persistent threat, highlighting its evolving nature and growing impact on organizations worldwide. Their analysis reveals an intricate multi-stage infection chain that employs various obfuscation techniques to evade detection systems. The attackers leverage domains with the “trycloudflare.com” suffix, including “malawi-light-pill-bolt.trycloudflare.com,” “players-time-corresponding-th.trycloudflare.com,” and others, to host their malicious content.

The attachment typically uses the “application/windows-library+xml” file format, which frequently bypasses email security gateways because it looks innocuous compared to binary files. When opened, this file establishes a connection to a remote WebDAV resource hosted on the Cloudflare tunnel infrastructure. A script in the chain then triggers a BAT file that installs Python and executes obfuscated Python code, which injects the next payload stage into “notepad.exe” processes. This establishes the RAT’s connection to its command and control server, often using dynamic DNS services like “duckdns.org” for communication.

This infrastructure delivers payloads that ultimately establish persistent remote access to compromised systems, potentially enabling data theft and further network compromise. The evolution of this attack campaign demonstrates how threat actors continuously adapt their techniques to bypass security controls, emphasizing the importance of multi-layered detection approaches and continuous monitoring for similar attack patterns.
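As an added detection example that is not part of the original article: “application/windows-library+xml” is the MIME type of Windows .library-ms files, which are XML documents whose `<url>` elements name the location the library points at. The script below parses a constructed sample library file and flags any location whose host falls under the tunnel or dynamic-DNS suffixes the article names; the placeholder tunnel hostname and the corporate file server in the sample are assumptions, not indicators from the article.

```python
import re
import xml.etree.ElementTree as ET

# Tunnel and dynamic-DNS suffixes named in the article. A Windows library
# file has no legitimate reason to point at a throwaway tunnel host.
SUSPICIOUS_SUFFIXES = ("trycloudflare.com", "duckdns.org")

def host_from_location(url: str) -> str:
    """Return the remote host of a library <url>: UNC (\\\\host\\share), WebDAV
    UNC (\\\\host@SSL@443\\DavWWWRoot\\x) or http(s)://host/. "" if local."""
    u = url.strip()
    if u.startswith("\\\\"):
        host = u[2:].split("\\", 1)[0]
    else:
        m = re.match(r"^[a-z][a-z0-9+.-]*://([^/]+)", u, re.I)
        if not m:
            return ""
        host = m.group(1)
    host = host.split("@", 1)[0]          # strip WebDAV @SSL / @port decorations
    return host.split(":", 1)[0].lower()  # strip an http port

def is_suspicious_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in SUSPICIOUS_SUFFIXES)

def scan_library_ms(xml_text: str) -> list:
    """Return one finding per remote location so a gateway rule can alert."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # tags carry the library namespace; compare the local name only
        if el.tag.rsplit("}", 1)[-1] != "url" or not el.text:
            continue
        host = host_from_location(el.text)
        if host:
            findings.append({"host": host, "suspicious": is_suspicious_host(host)})
    return findings

# Constructed sample modelled on the Windows library XML schema; the tunnel
# hostname is a placeholder, not an indicator from the article.
SAMPLE_LIBRARY_MS = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription><simpleLocation>
      <url>\\placeholder-words.trycloudflare.com@SSL@443\DavWWWRoot\docs</url>
    </simpleLocation></searchConnectorDescription>
    <searchConnectorDescription><simpleLocation>
      <url>\\fileserver.corp.example\share</url>
    </simpleLocation></searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

if __name__ == "__main__":
    print(scan_library_ms(SAMPLE_LIBRARY_MS))
```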
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 22 Apr 2025 21:05:08 +0000