Threat actors are abusing Cloudflare’s free hosting and tunneling services to make malicious infrastructure appear legitimate and evade filtering. Trend Micro reported an AsyncRAT campaign that uses TryCloudflare tunnel domains to stand up attacker-controlled WebDAV servers, effectively masking command-and-control and payload staging behind Cloudflare-trusted traffic. The infection chain starts with phishing emails containing Dropbox links to invoice-themed ZIP archives; the ZIPs include a deceptive double-extension Internet Shortcut (.url) that points to the WebDAV resource and triggers a multi-stage execution flow while opening a legitimate PDF as a decoy. The campaign also downloads legitimate Python components from official sources to establish a local Python environment used in later stages.
Separately, a long-lived fake “Fast Ray VPN” review site hosted on Cloudflare Pages (fast-ray-vpn.pages.dev) was observed redirecting users via tracking-heavy URLs to third-party domains associated with affiliate/traffic-broker style distribution. The “Download” links did not deliver a VPN client; instead, users were funneled to generic “Your File Download Is Ready!” pages and, in at least one observed path, were ultimately served OperaSetup.exe—legitimate software delivered through deceptive pretext, consistent with PUA/misleading distribution tactics rather than a conventional short-lived phishing page.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
7 events from the most recent confirmed update back to the earliest known activity.
Forcepoint reported that the phishing campaign abusing Dropbox and TryCloudflare did not only deploy AsyncRAT, but also injected VenomRAT into notepad.exe and XWorm into another legitimate process. The analysis also described the Python loader's use of ctypes and Early Bird APC Queue injection alongside a fake PDF invoice decoy.
Trend Micro reported that attackers were abusing Cloudflare's free-tier TryCloudflare service to hide malicious WebDAV servers and command-and-control activity behind trusted Cloudflare traffic. The report highlighted the broader security risk of threat actors using legitimate cloud tunneling and hosting services to evade reputation-based defenses.
In the AsyncRAT campaign, victims were directed to download a legitimate signed Python installer from python.org, after which a script named ne.py injected AsyncRAT into explorer.exe. The attackers also established persistence by placing batch files such as ahke.bat and olsm.bat in the Startup folder.
Threat actors launched a campaign delivering AsyncRAT through phishing emails with Dropbox-hosted ZIP files disguised as invoices. The infection chain used a double-extension .url file to access a malicious WebDAV resource exposed through TryCloudflare tunnels and Cloudflare-backed infrastructure.
The fake Fast Ray VPN infrastructure was found to block further redirection when accessed from VPNs or sandbox-like environments, displaying an "Anonymous Proxy detected" message instead. This indicated anti-analysis controls designed to hinder investigation and automated inspection.
Researchers documented that the fake Fast Ray VPN site redirected users through tracking-laden third-party domains consistent with traffic-broker or affiliate infrastructure. Depending on conditions, visitors received unrelated software such as OperaSetup.exe, a potentially unwanted application identified as Pixelsee, or were sent to advertising, adult, or financial landing pages.
A deceptive site hosted at fast-ray-vpn.pages.dev was publicly accessible for at least eight months before reporting, posing as a legitimate Fast Ray VPN review page. It appeared in top Google results for "fast ray vpn," increasing the chance of organic user visits.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcesecurityonline.info
Open sourcemalwr-analysis.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.