The phishing campaign shows how attackers continue to weaponize legitimate cloud services and open source tools to evade detection and gain trust.
January 13, 2026 By Elizabeth Montalbano
An emerging phishing campaign is exploiting a dangerous combination of legitimate Cloudflare services and open source Python tools to deliver the commodity remote access Trojan AsyncRAT. The attack demonstrates threat actors' increasing abuse of legitimate services and open source tools to evade detection and establish persistent remote access to victim environments.
Discovered by researchers at Trend Micro, the campaign leverages Cloudflare's free-tier services and TryCloudflare tunneling domains to host attacker servers, disguising malicious activities under trusted infrastructure. This makes detection challenging for traditional security solutions while ensuring reliable payload delivery, according to a blog post published Monday.
Moreover, Trend Micro researchers said the attack also exploits the popular Python programming language by using legitimate Python downloads from official sources. In fact, it establishes a complete Python environment on victim systems to execute "sophisticated code-injection techniques," giving malicious activity a veil of legitimacy.