A new Astaroth Trojan variant uses Cloudflare Workers serverless computing platform to avoid detection and block automated analysis attempts. The Trojan is part of a three-stage infection process, starting with a phishing e-mail that comes with an HTML attachment containing obfuscated JavaScript code and linking to a domain that sits behind cloudflare’s infrastructure. The payload is downloaded using one of “ten randomized and unique URLs”” each with 900 million possible URL variations. The third stage uses DLL side-loading to hollow legitimate processes and loads a malicious DLL to get the final command and control.”
Source: https://www.bleepingcomputer.com/news/security/astaroth-trojan-uses-cloudflare-workers-to-bypass-av-software/