Hackers Abuse Windows File Explorer and WebDAV for Stealthy Malware Delivery

Cybercriminals are increasingly abusing a legacy feature within Windows File Explorer to distribute malware, bypassing traditional web browser security and endpoint detection controls.

According to a threat report by Kahng An of the Cofense Intelligence Team, threat actors are leveraging Web-based Distributed Authoring and Versioning (WebDAV) to trick victims into executing malicious payloads.

The WebDAV Loophole

WebDAV (Web Distributed Authoring and Versioning) is an extension of HTTP, standardised in the late 1990s, that lets clients list, create, move and edit files on a remote web server. Windows exposes it through the WebClient service (the WebDAV redirector), which lets File Explorer map and browse such servers as if they were ordinary network shares.

Although Microsoft listed native WebDAV support in Windows File Explorer as deprecated in November 2023, deprecation is not removal: the WebClient service that provides it is still present and can still be started on most Windows systems.

Attackers abuse this legacy support by sending links that make File Explorer, rather than the browser, open a folder on a remote WebDAV server.

Because this connection bypasses web browsers entirely, victims do not receive standard browser-based security warnings or download prompts.

Windows File Explorer connected to a WebDAV server hosted on module-brush-sort-factory[.]trycloudflare[.]com. (Source: Cofense)

The remote server simply appears as a local folder, making downloaded files seem safe and locally stored.

Windows does show its default "Open File - Security Warning" prompt when a file is run from a remote location, but users accustomed to legitimate enterprise file shares frequently click through it.

Attackers use three primary delivery methods, often relying on the reserved DavWWWRoot keyword, which tells the WebClient service that the path refers to the root directory of the remote web server:

  • Direct Linking: Threat actors use the file:// URI scheme to open remote folders directly within the system's file browser.
  • URL Shortcut Files (.url): These INI-style files carry a Windows UNC path (e.g., \\exampledomain[.]com@SSL\DavWWWRoot\) that the WebClient service resolves over HTTP, or over HTTPS when the @SSL modifier is present (an additional @port modifier selects a non-default port), so the remote server is reached without any browser involvement.
  • LNK Shortcut Files (.lnk): These shortcuts typically contain hidden commands that invoke Command Prompt or PowerShell to silently download and run malicious scripts hosted remotely.
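The following is an added example, not code from the Cofense report: a small Python triage tool that parses a .url file, rewrites its UNC or file:// target into the HTTP(S) request the WebClient service would actually make (handling the @SSL, @port and DavWWWRoot modifiers described above), and rates the file against the report's trycloudflare[.]com indicators. The three shortcut files at the bottom are constructed samples; the hostnames are refanged from the article, and the executable-extension list and verdict thresholds are the example's own choices.

```python
"""Triage Windows .url (Internet Shortcut) files that point at WebDAV servers.

Added example, not code from the Cofense report.  The sample shortcut
contents below are constructed; hostnames are refanged from the article.
"""
import configparser
import re
from dataclasses import dataclass
from typing import Optional

# Refanged from the article's IOC table (Cloudflare Quick Tunnel hosts).
IOC_HOSTS = {
    "tiny-fixtures-glossary-advantage.trycloudflare.com",
    "nasdaq-aged-sf-cheers.trycloudflare.com",
    "lose-croatia-acdbentity-lt.trycloudflare.com",
    "discounted-pressed-lc-vcr.trycloudflare.com",
    "skills-statute-alberta-demand.trycloudflare.com",
    "whats-menu-familiar-zshops.trycloudflare.com",
    "publicity-jenny-paintball-gilbert.trycloudflare.com",
}
TUNNEL_SUFFIX = ".trycloudflare.com"
# Assumption of this example: extensions worth calling out when served remotely.
EXEC_EXTS = {".exe", ".scr", ".lnk", ".js", ".vbs", ".bat", ".cmd", ".hta", ".msi"}

# \\host[@SSL][@port]\[DavWWWRoot\]path  -- the UNC form the WebClient service consumes
UNC_RE = re.compile(r"^\\\\(?P<hostspec>[^\\]+)(?:\\(?P<path>.*))?$")


@dataclass
class WebDavTarget:
    host: str
    port: int
    https: bool
    dav_root: bool   # True when the DavWWWRoot keyword names the server's HTTP root
    http_url: str    # the request the WebClient service will actually issue


def normalize(value: str) -> str:
    """Refang '[.]' and turn a file:// URI into the equivalent UNC path."""
    u = value.strip().replace("[.]", ".")
    if u.lower().startswith("file:"):
        u = "\\\\" + u[5:].lstrip("/\\").replace("/", "\\")
    return u


def parse_webdav_unc(value: str) -> Optional[WebDavTarget]:
    """Translate a UNC/file:// path into the HTTP(S) URL it resolves to, or None."""
    m = UNC_RE.match(normalize(value))
    if not m:
        return None
    host, *mods = m.group("hostspec").split("@")
    if not host:
        return None
    https, port = False, None
    for mod in mods:
        if mod.upper() == "SSL":
            https = True            # @SSL switches the redirector to HTTPS
        elif mod.isdigit():
            port = int(mod)         # @<port> selects a non-default port
        else:
            return None             # not a modifier Windows accepts
    segments = [s for s in (m.group("path") or "").split("\\") if s]
    dav_root = bool(segments) and segments[0].lower() == "davwwwroot"
    if dav_root:
        segments = segments[1:]     # DavWWWRoot maps to "/" on the server
    default_port = 443 if https else 80
    port = port or default_port
    authority = host if port == default_port else f"{host}:{port}"
    url = f"{'https' if https else 'http'}://{authority}/" + "/".join(segments)
    return WebDavTarget(host.lower(), port, https, dav_root, url)


def triage_url_file(text: str) -> dict:
    """Return a verdict, the first WebDAV target found, and the reasons."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {"verdict": "unparsed", "target": None, "reasons": ["not INI-shaped"]}
    if not cp.has_section("InternetShortcut"):
        return {"verdict": "unparsed", "target": None, "reasons": ["no [InternetShortcut]"]}
    sec = cp["InternetShortcut"]
    reasons, target, hostile = [], None, False
    # Both URL and IconFile are resolved when Explorer merely renders the folder.
    for field in ("URL", "IconFile"):
        t = parse_webdav_unc(sec.get(field, "") or "")
        if t is None:
            continue
        target = target or t
        reasons.append(f"{field} is a UNC/WebDAV path resolving to {t.http_url}")
        if t.dav_root:
            reasons.append("DavWWWRoot keyword explicitly targets the WebDAV redirector")
        if t.host in IOC_HOSTS:
            hostile = True
            reasons.append("host matches a published ATR indicator")
        elif t.host.endswith(TUNNEL_SUFFIX):
            hostile = True
            reasons.append("host is a throwaway Cloudflare Quick Tunnel")
        if any(t.http_url.lower().endswith(ext) for ext in EXEC_EXTS):
            reasons.append("remote target has an executable extension")
    if target is None:
        return {"verdict": "benign", "target": None, "reasons": []}
    return {"verdict": "malicious" if hostile else "suspicious",
            "target": target, "reasons": reasons}


# Constructed sample .url contents (CRLF, as Windows writes them).
SAMPLE_FILES = {
    # Lure like the one in the report: HTTPS WebDAV root on a Quick Tunnel host.
    "Rechnung.url": "\r\n".join([
        "[InternetShortcut]",
        r"URL=\\module-brush-sort-factory[.]trycloudflare[.]com@SSL\DavWWWRoot\Rechnung.exe",
        "IconIndex=3",
    ]),
    # file:// spelling of the same technique, non-default port, hypothetical host.
    "report.url": "\r\n".join([
        "[InternetShortcut]",
        "URL=file://files.example.test@SSL@8443/DavWWWRoot/docs/report.pdf.lnk",
    ]),
    # Ordinary web shortcut: Explorer hands this to the browser, no WebClient involved.
    "intranet.url": "\r\n".join(["[InternetShortcut]", "URL=https://intranet.example.test/"]),
}

if __name__ == "__main__":
    for name, contents in SAMPLE_FILES.items():
        result = triage_url_file(contents)
        print(f"{name}: {result['verdict']}")
        for reason in result["reasons"]:
            print("   -", reason)
```

Run it over a directory of quarantined attachments and the http_url field gives you the exact server path to block or to pull for analysis; a plain `\\host\share\file` without DavWWWRoot is still reported, because Windows falls back to the WebDAV redirector when the SMB attempt to such a host fails.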

A notable technical quirk makes this tactic highly evasive: when a user merely opens a local directory containing a malicious .url file whose URL is a UNC path, Explorer resolves the remote host while rendering the folder, and Windows automatically issues a DNS lookup for it.

Network traffic to the malicious domain. (Source: Cofense)

Windows then attempts a TCP connection, sending a SYN packet to the attacker's infrastructure and effectively notifying them that the lure has reached a live victim, even if the user never clicked the file.

Malware Payloads and Targeting

Since campaign volume surged in late 2024, the primary goal has been deploying Remote Access Trojans (RATs) to gain unauthorized system control.

Cofense observed that 87% of Active Threat Reports (ATRs) associated with this tactic deliver multiple RATs, heavily featuring XWorm RAT, Async RAT, and DcRAT.

These campaigns predominantly target European corporate networks. Approximately 50% of the phishing emails are written in German, often disguised as finance or invoice documents, while 30% are in English.

To mask their infrastructure, threat actors stand up short-lived WebDAV servers behind free Cloudflare Quick Tunnels on trycloudflare[.]com, which require no Cloudflare account and hand out random, disposable subdomains.

Windows File Explorer is by default configured to provide a message to confirm whether the file is intended to be run. (Source: Cofense)

This routes the malicious traffic through legitimate Cloudflare infrastructure over TLS, so reputation- and IP-based controls see only Cloudflare, and the tunnels are typically taken offline before defenders finish investigating.

Indicators of Compromise

The following table details known malicious Cloudflare Tunnel domains associated with these campaigns:

Cloudflare Tunnel Domain                                Associated ATR
tiny-fixtures-glossary-advantage[.]trycloudflare[.]com  374884
nasdaq-aged-sf-cheers[.]trycloudflare[.]com             377161
lose-croatia-acdbentity-lt[.]trycloudflare[.]com        377161
discounted-pressed-lc-vcr[.]trycloudflare[.]com         376309
skills-statute-alberta-demand[.]trycloudflare[.]com     376309
whats-menu-familiar-zshops[.]trycloudflare[.]com        386717
publicity-jenny-paintball-gilbert[.]trycloudflare[.]com 386717

Security analysts should monitor for unusual network activity originating from Windows Explorer and from the WebClient service, consider disabling that service where WebDAV is not needed, and educate users to check the File Explorer address bar for unfamiliar hostnames (such as trycloudflare[.]com subdomains) or IP addresses.
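As an added example of the monitoring recommended above (not from the Cofense report), here is a Python hunt over Sysmon-shaped JSON events. It flags DNS queries (Sysmon event 22) and outbound web connections (event 3) from explorer.exe or svchost.exe, which hosts the WebClient service and issues the redirector's actual HTTP traffic, that reach trycloudflare[.]com hosts or the report's indicators, and separately flags explorer.exe talking HTTP(S) to any host not on an allowlist. The log lines, the allowlist, the timestamps and the IP addresses are all constructed for this example.

```python
"""Hunt Sysmon-shaped telemetry for File Explorer / WebClient WebDAV beacons.

Added example, not from the report.  Events below are constructed JSON lines
using Sysmon field names (EventID 22 = DNS query, EventID 3 = network connection).
"""
import json

TUNNEL_SUFFIX = ".trycloudflare.com"
# Two of the ATR-linked hosts from the report's IOC table, refanged; extend as needed.
IOC_HOSTS = {
    "tiny-fixtures-glossary-advantage.trycloudflare.com",
    "whats-menu-familiar-zshops.trycloudflare.com",
}
# Hypothetical allowlist: servers this organisation legitimately reaches over WebDAV.
ALLOWED_WEBDAV_HOSTS = {"fileserver.corp.example"}
WEB_PORTS = {80, 443}
# explorer.exe performs the initial resolution/probe; the redirector's HTTP traffic
# comes from the svchost.exe instance that hosts the WebClient service.
WEBDAV_CLIENTS = {"explorer.exe", "svchost.exe"}

# Constructed sample log (one JSON object per line).
SAMPLE_LOG = r'''
{"EventID":22,"UtcTime":"2025-01-14 09:02:11","Image":"C:\\Windows\\explorer.exe","QueryName":"module-brush-sort-factory.trycloudflare.com"}
{"EventID":3,"UtcTime":"2025-01-14 09:02:11","Image":"C:\\Windows\\explorer.exe","Initiated":"true","DestinationHostname":"module-brush-sort-factory.trycloudflare.com","DestinationIp":"198.51.100.23","DestinationPort":443}
{"EventID":3,"UtcTime":"2025-01-14 09:02:12","Image":"C:\\Windows\\System32\\svchost.exe","Initiated":"true","DestinationHostname":"module-brush-sort-factory.trycloudflare.com","DestinationIp":"198.51.100.23","DestinationPort":443}
{"EventID":3,"UtcTime":"2025-01-14 09:05:40","Image":"C:\\Windows\\explorer.exe","Initiated":"true","DestinationHostname":"fileserver.corp.example","DestinationIp":"10.0.0.5","DestinationPort":445}
{"EventID":3,"UtcTime":"2025-01-14 09:06:02","Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","Initiated":"true","DestinationHostname":"www.example.org","DestinationIp":"203.0.113.9","DestinationPort":443}
{"EventID":3,"UtcTime":"2025-01-14 09:07:15","Image":"C:\\Windows\\explorer.exe","Initiated":"true","DestinationHostname":"","DestinationIp":"203.0.113.77","DestinationPort":80}
{"EventID":3,"UtcTime":"2025-01-14 09:08:00","Image":"C:\\Windows\\explorer.exe","Initiated":"true","DestinationHostname":"fileserver.corp.example","DestinationIp":"10.0.0.5","DestinationPort":443}
{"EventID":3,"UtcTime":"2025-01-14 09:08:30","Image":"C:\\Windows\\System32\\svchost.exe","Initiated":"true","DestinationHostname":"update.example.test","DestinationIp":"203.0.113.50","DestinationPort":443}
'''


def _proc(image: str) -> str:
    """Bare, lower-cased executable name from a Sysmon Image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _hostile(host: str) -> bool:
    h = host.lower().rstrip(".")
    return h in IOC_HOSTS or h.endswith(TUNNEL_SUFFIX)


def _alert(rule: str, severity: str, ev: dict, proc: str, host: str) -> dict:
    return {"rule": rule, "severity": severity, "process": proc,
            "host": host, "time": ev.get("UtcTime")}


def evaluate(ev: dict):
    """Return an alert dict for one event, or None when it is uninteresting."""
    proc = _proc(ev.get("Image", ""))
    if proc not in WEBDAV_CLIENTS:
        return None
    eid = ev.get("EventID")
    if eid == 22:
        host = ev.get("QueryName", "")
        # Explorer resolves the host as soon as the folder holding the .url file
        # is rendered, so this fires before any click.
        return _alert("explorer_dns_tunnel_host", "high", ev, proc, host) if _hostile(host) else None
    if eid == 3:
        if str(ev.get("Initiated", "")).lower() != "true":
            return None                                  # outbound connections only
        if int(ev.get("DestinationPort", 0)) not in WEB_PORTS:
            return None                                  # SMB (445) etc. handled elsewhere
        host = ev.get("DestinationHostname") or ev.get("DestinationIp", "")
        if _hostile(host):
            return _alert("webdav_client_to_ioc_host", "high", ev, proc, host)
        if proc == "explorer.exe" and host.lower() not in ALLOWED_WEBDAV_HOSTS:
            # Explorer itself speaking HTTP(S) to an unapproved host is rare enough to triage.
            return _alert("explorer_http_unapproved_host", "medium", ev, proc, host)
        # svchost.exe reaches many web hosts (updates, telemetry): only IOC matches alert.
    return None


def hunt(log_text: str) -> list:
    """Evaluate every JSON line in log_text and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            hit = evaluate(json.loads(line))
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(f"{a['time']} {a['severity']:6} {a['rule']:30} {a['process']} -> {a['host']}")
```

The constructed log exercises the cases that matter: the pre-click DNS lookup and SYN from explorer.exe, the follow-on WebClient traffic from svchost.exe, benign SMB and browser traffic that must stay quiet, and an Explorer connection to an unapproved bare IP that lands at medium severity for a human to look at.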

This tactic highlights a broader risk, as similar abuses could potentially involve other enterprise protocols like FTP and SMB.


The post Hackers Abuse Windows File Explorer and WebDAV for Stealthy Malware Delivery appeared first on Cyber Security News.
