Dissecting Multi-Stage Infection Chains with AsyncRAT at the Cor

Summary

CRIL came across a blog published by the Sekoia TDR team detailing a sophisticated phishing campaign that begins with malicious emails disguised as urgent invoices or orders. These emails contain .ms-library attachments that connect to remote WebDAV resources upon user interaction. The attack progresses through a chain of file executions—LNK to HTA to BAT to Python—each stage designed to bypass detection using social engineering and scripting obfuscation, triggering multiple Sigma detection rules.

The infection culminates in the use of obfuscated Python scripts to deploy and inject a remote access trojan (AsyncRAT) via reflective DLL loading from disguised image files. Persistence is maintained through startup folder scripts, while defense evasion tactics like file hiding and cleanup are used to remain undetected. The campaign leverages public infrastructure such as TryCloudflare and dynamic DNS for command and control, with Sekoia’s CTI and Sigma rules enabling efficient detection and correlation of this malicious behavior.

Technical Details

The technical analysis of this attack reveals a sophisticated multi-stage infection chain designed to evade detection and gain persistent access to target systems. It leverages a combination of phishing, script-based execution, and stealthy payload delivery methods.

Initial Access (Email → .ms-library)

The attack starts with a phishing email posing as an urgent invoice or order, sometimes using fake conversation threads to appear more convincing. It includes a .ms-library attachment—an outdated but still-supported file type that can bypass some email filters. When opened, the file displays a WebDAV URL, and if the user approves the security warning, it connects to a remote server to fetch additional malicious content.

Execution Chain (LNK → HTA → BAT → Python)

The LNK file, disguised as a PDF shortcut, is downloaded from the WebDAV server. Although browsers often add a .download extension to prevent accidental execution, users can still manually rename and run it. When executed, the LNK file launches an HTA file written in VBScript, which then uses mshta.exe to trigger a command prompt and run a heavily obfuscated BAT script. This script leverages PowerShell to retrieve a Python environment and associated scripts from a remote server, helping it avoid basic detection methods.

This chain triggers multiple Sigma detection rules, such as:

  • Mshta Suspicious Child Process

  • HTA Infection Chains

  • ISO LNK Infection Chain, due to archive (XZ) creation and PowerShell activity

Python Execution and Injection (Python → BAT → DLL)

The BAT file runs the Python environment, which injects a DLL into multiple notepad.exe processes to evade detection. Persistence is set up using obfuscated VBS and BAT scripts in the Startup folder, some of which include sandbox evasion tricks. These can be detected using Sekoia queries to spot unusual script activity.

Payload Delivery & Command and Control (C2)

The reflective DLL is concealed within a JPEG image hosted on a public site, and is decoded and executed via PowerShell using the [System.Reflection.Assembly]::Load() method, which signals in-memory payload execution. This behavior is flagged by the “Suspicious PowerShell Keywords” Sigma rule. The attack uses AsyncRAT, a remote access trojan that establishes connections to C2 servers via dynamic DNS services (dyndns.org) and tunnels through TryCloudflare infrastructure, making detection and blocking more challenging. The C2 infrastructure relies on compromised websites, publicly resolvable IPs, and dynamic domain names for communication.

Defense Evasion

Post-execution, the attack performs cleanup:

  • Marks installed Python folders (e.g., Extracted, Print) as hidden using attrib.exe, flagged by the “Hiding Files With Attrib.exe” rule.

  • These folders are suspicious in naming and location, useful indicators during forensic analysis.

Although some techniques (e.g., hiding files or script-based automation) are also used by IT admins, temporal filtering and behavioral correlation can reduce false positives.
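To make the detection side of the chain concrete, here is an added example (not code from the original post, Sekoia, or FMI) that runs simplified approximations of the three named Sigma rules over constructed process-creation events and then applies the behavioral correlation the text recommends: an alert is raised only when two or more distinct rules fire, so a lone admin `attrib` call does not page anyone. The event fields, rule logic and sample command lines are assumptions modelled on the chain described above.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent process image name
    image: str    # process image name
    cmdline: str  # full command line


# Constructed sample telemetry mirroring the LNK -> HTA -> BAT -> PowerShell chain.
# These are not real logs from the campaign.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "mshta.exe", r"mshta.exe C:\Users\u\Downloads\invoice.hta"),
    ProcEvent("mshta.exe", "cmd.exe", r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat"),
    ProcEvent("cmd.exe", "powershell.exe",
              'powershell -w hidden -c "[System.Reflection.Assembly]::Load($bytes)"'),
    ProcEvent("cmd.exe", "attrib.exe", r"attrib +h +s C:\Users\u\Print"),
    ProcEvent("explorer.exe", "attrib.exe", r"attrib -r C:\docs\report.docx"),  # benign admin use
    ProcEvent("explorer.exe", "powershell.exe", "powershell Get-ChildItem"),      # benign
]


def mshta_suspicious_child(e: ProcEvent) -> bool:
    """mshta.exe spawning a shell or script host, as in the HTA stage."""
    return e.parent == "mshta.exe" and e.image in {"cmd.exe", "powershell.exe", "wscript.exe"}


def suspicious_ps_keywords(e: ProcEvent) -> bool:
    """PowerShell command line containing the reflective in-memory load keyword."""
    return e.image == "powershell.exe" and re.search(r"Reflection\.Assembly\]::Load", e.cmdline, re.I) is not None


def hiding_files_with_attrib(e: ProcEvent) -> bool:
    """attrib.exe setting the hidden attribute (+h) on a path."""
    return e.image == "attrib.exe" and re.search(r"\s\+h\b", e.cmdline, re.I) is not None


RULES = {
    "Mshta Suspicious Child Process": mshta_suspicious_child,
    "Suspicious PowerShell Keywords": suspicious_ps_keywords,
    "Hiding Files With Attrib.exe": hiding_files_with_attrib,
}


def evaluate(events):
    """Return (event_index, rule_name) for every rule match, in event order."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


def correlated_alert(events, min_rules: int = 2) -> bool:
    """Behavioral correlation: alert only when several distinct rules fire on the same host."""
    return len({name for _, name in evaluate(events)}) >= min_rules
```

Run against `SAMPLE_EVENTS`, the three malicious events each trip one rule and the correlated alert fires, while the single benign `attrib -r` event on its own does not.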

Recommendations

  • Implement robust email filtering to block suspicious attachments and links, especially uncommon file types like .ms-library or .lnk. Regularly train employees to recognize phishing attempts and avoid opening unexpected files.

  • Limit the use of scripting languages like PowerShell, VBScript, and BAT files through execution policies or application control tools. Enable logging to detect unusual script behaviors, such as reflective DLL loading.

  • Restrict outbound connections to untrusted domains and monitor for connections using dynamic DNS services or tunneling platforms like TryCloudflare. Use threat intelligence to identify and block known C2 infrastructure.

Conclusion

This attack highlights the persistent use of multi-stage infection chains and legitimate tools to bypass modern security defenses. Despite being executed in 2025, it demonstrates that attackers continue to rely on tried-and-tested methods, adapted to evade detection. The use of obfuscated scripts, reflective loading, and dynamic infrastructure underscores the importance of layered defense and continuous threat monitoring.


Written by

FPT Metrodata Indonesia