Phishing Campaign Distributes AsyncRAT, VenomRAT, and XWorm via Fake Invoice PDF


First seen 2 Jul 2026, 19:45 UTC Gbhackers 86% similarity 69.0

Article Content


A phishing campaign has been identified that uses a fake invoice PDF as the lure to deliver several remote access trojans (RATs), primarily AsyncRAT, alongside VenomRAT and XWorm. The attack begins with a phishing email containing a Dropbox URL that leads to a ZIP archive. The extracted archive contains a shortcut that connects to a TryCloudflare tunnel hosting a series of obfuscated scripts and files. These scripts execute a BAT file that downloads a further ZIP file containing malicious Python packages disguised as legitimate files. The campaign relies on layered obfuscation and process injection to evade detection, and on legitimate cloud services to improve delivery success. It resembles an August attack previously analyzed by X-Labs, pointing to a continuing trend of abusing legitimate infrastructure for malicious purposes. Security teams are advised to monitor and block suspicious TryCloudflare domains and to flag anomalous downloads.

Key Points:

• Phishing emails deliver RATs using fake invoice PDFs as bait.
• The attack uses layered obfuscation and legitimate cloud services for stealth.
• Defenders should monitor TryCloudflare domains and flag suspicious downloads.
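As an added illustration of the monitoring advice above (example code written for this page, not from Gbhackers, X-Labs or ThreatCluster), the Python below sweeps constructed proxy log lines for the two delivery stages the article describes: an archive fetched from a file-sharing service, followed by requests to a *.trycloudflare.com host. The log format, field order and hostnames are assumptions; the tunnel hostname is a placeholder, not a real indicator.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines ("<ts> <src_ip> <method> <url> <status> <bytes>");
# the tunnel hostname is a placeholder, not an indicator taken from the article.
SAMPLE_LOGS = """\
2026-07-02T19:40:01Z 10.0.0.12 GET https://www.dropbox.com/scl/fi/EXAMPLE/invoice_8821.zip?dl=1 200 48213
2026-07-02T19:41:15Z 10.0.0.12 GET https://placeholder-words-here.trycloudflare.com/inv/run.bat 200 2048
2026-07-02T19:41:16Z 10.0.0.12 GET https://placeholder-words-here.trycloudflare.com/inv/pkg.zip 200 918331
2026-07-02T19:42:00Z 10.0.0.33 GET https://www.example.com/index.html 200 5120
2026-07-02T19:43:10Z 10.0.0.33 GET https://www.dropbox.com/s/EXAMPLE/report.pdf 200 77000
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk")
FILE_SHARE_SUFFIXES = (".dropbox.com",)    # extend with other sharing services used at your site
TUNNEL_SUFFIXES = (".trycloudflare.com",)  # TryCloudflare quick tunnels live under *.trycloudflare.com


def classify(url):
    """Return the reasons a request matches the delivery chain, or [] if it looks benign."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path.lower()  # query string is ignored
    reasons = []
    if host.endswith(TUNNEL_SUFFIXES):
        reasons.append("trycloudflare tunnel host")
        if path.endswith(SCRIPT_EXT + ARCHIVE_EXT):
            reasons.append("script, shortcut or archive fetched over tunnel")
    elif host.endswith(FILE_SHARE_SUFFIXES) and path.endswith(ARCHIVE_EXT):
        reasons.append("archive downloaded from file-sharing service")
    return reasons


def scan(log_text):
    """Return one alert per suspicious request, plus the sources that hit both stages."""
    alerts, stages = [], {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ts, src, _method, url, _status, _size = m.groups()
        reasons = classify(url)
        if reasons:
            alerts.append({"ts": ts, "src": src, "url": url, "reasons": reasons})
            stages.setdefault(src, set()).add(reasons[0])
    chained = sorted(s for s, r in stages.items() if len(r) == 2)  # file-share archive AND tunnel
    return alerts, chained
```

Running `scan(SAMPLE_LOGS)` on the constructed lines yields three alerts and reports 10.0.0.12 as the one source that completed both stages; a benign PDF from the same sharing service is not flagged because only archive extensions count.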

ThreatCluster AI

Timeline

• 2025-08-01: Similar attack analyzed by X-Labs. X-Labs reported on a phishing campaign using similar techniques to deliver malware via legitimate infrastructure. (Source: Gbhackers)
• 2026-07-02: Current phishing campaign reported. A new sophisticated phishing campaign was reported, utilizing a fake invoice PDF to deliver AsyncRAT, VenomRAT, and XWorm. (Source: Gbhackers)
