    RAT Malware via Windows Explorer Puts Crypto at Risk

    By Crypto Editor, March 1, 2026


    Cofense Intelligence exposes how threat actors abuse Windows File Explorer and WebDAV servers to bypass browser security and push RATs to corporate targets.

    Threat actors have found a way to push malware directly onto corporate machines without going through a web browser at all. Cofense Intelligence published findings on February 25, 2026, revealing an active campaign that weaponizes Windows File Explorer's built-in ability to connect to remote WebDAV servers. The tactic sidesteps standard browser download warnings entirely. Most users do not know that File Explorer can reach out to internet servers.

    WebDAV is an old HTTP-based file management protocol. Few people use it today. But Windows still supports it natively within File Explorer, even though Microsoft deprecated the feature in November 2023. That gap between deprecation and full removal is exactly what attackers are walking through.

    When a Folder Is Not Really a Folder

    According to Cofense Intelligence in their published report, campaign volume first appeared in February 2024, then spiked sharply in September 2024. It has remained active ever since. The attacks have not slowed. 87 percent of all Active Threat Reports tied to this tactic deliver multiple remote access trojans as final payloads. XWorm RAT, Async RAT, and DcRAT show up most often.


    How the Attack Actually Works

    Victims receive phishing emails, often disguised as invoices in German. The emails carry either URL shortcut files (.url) or LNK shortcut files (.lnk). Both can silently open a WebDAV connection inside File Explorer. The user sees what looks like a local folder. It isn't.

    What makes this particularly damaging is the chain that follows. Scripts pull down more scripts from separate WebDAV servers. Legitimate files mix in with malicious ones to blur detection. By the time a RAT lands, the delivery path has passed through multiple layers of obfuscation. Security tools that scan browser downloads miss the whole sequence.

    The Cofense report notes that 50% of all affected campaigns are in German. English-language campaigns account for 30%. Italian and Spanish make up the rest. That split points directly at European corporate email accounts as the primary target pool.


    Cloudflare Tunnel is doing heavy lifting for the attackers here. All ATRs tied to this tactic use free demo accounts on trycloudflare[.]com to host the malicious WebDAV servers. Cloudflare's own infrastructure routes the victim's connection. That makes the traffic look legitimate on first inspection. The demo accounts are short-lived by design, so threat actors pull them down fast after campaigns go active, cutting off forensic analysis.

    Why Crypto Holders Face Serious Exposure

    This is where it gets dangerous for anyone holding digital assets. RATs like XWorm and Async RAT give attackers persistent, remote access to an infected machine. That means clipboard contents, browser sessions, saved passwords, and crypto wallet files all sit within reach. Clipboard hijacking, a method already linked to hundreds of millions in crypto theft, becomes trivial once a RAT is running.

    Phishing losses alone exceeded $300 million in January 2026, according to security monitoring data. That figure dwarfs protocol hack losses in the same period. The attack methods documented by Cofense feed directly into that pipeline. A RAT dropped via WebDAV on a finance team employee's machine is not just a corporate IT problem. It is a direct path to drained wallets and stolen keys.


    What Organizations Need to Do Now

    The Cofense report recommends hunting for network traffic to Cloudflare Tunnel demo instances specifically. EDR tools with behavioral analysis should flag .URL and .LNK files that reach out to remote servers. The harder fix is user education. Most people simply do not know that File Explorer's address bar works like a browser.

    Checking it the same way they would check a suspicious URL is the first line of defense. Similar abuse is possible through FTP and SMB. Both protocols see regular enterprise use, and both can reach external servers. The attack surface Cofense is documenting is wider than just WebDAV.
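
    One way to triage .url attachments for the behaviour described above, as an added example that is not code from Cofense or from this article: it reads the shortcut's [InternetShortcut] fields and reports any that resolve to a remote host, marking WebDAV-style targets and trycloudflare.com hosts. The sample file, the list of fields checked and the function name are assumptions made for illustration; binary .lnk files are not covered.

```python
import re

# Matches a UNC path (\\host\...) or a file:// URL with a host part, capturing
# the host and any WebDAV redirector suffix such as @SSL or @8080.
REMOTE_RE = re.compile(
    r"^(?:\\\\|file:(?://|/{4,5}))([^\\/@]+)((?:@[^\\/@]+)*)[\\/]", re.I)
PATH_KEYS = {"url", "iconfile", "workingdirectory"}  # assumed fields to check
LOCAL_HOSTS = {"localhost", "127.0.0.1", ".", "?"}
TUNNEL_DOMAIN = "trycloudflare.com"  # demo-tunnel domain named in the article

# Constructed sample: the hostname and path are invented for illustration.
SAMPLE_URL_FILE = r"""[InternetShortcut]
URL=file://constructed-sample.trycloudflare.com@SSL/DavWWWRoot/invoice
IconFile=C:\Windows\System32\shell32.dll
IconIndex=3
"""


def remote_targets(url_file_text):
    """Return one finding per shortcut field that points at a remote host."""
    findings, in_section = [], False
    for raw in url_file_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
            continue
        key, sep, value = line.partition("=")
        if not (in_section and sep and key.strip().lower() in PATH_KEYS):
            continue
        match = REMOTE_RE.match(value.strip().strip('"'))
        if not match or match.group(1).lower() in LOCAL_HOSTS:
            continue  # local path, web URL, or device prefix
        host = match.group(1).lower()
        findings.append({
            "field": key.strip().lower(),
            "host": host,
            "webdav": bool(match.group(2)) or "davwwwroot" in value.lower(),
            "demo_tunnel": host == TUNNEL_DOMAIN
                           or host.endswith("." + TUNNEL_DOMAIN),
        })
    return findings


if __name__ == "__main__":
    for finding in remote_targets(SAMPLE_URL_FILE):
        print(finding)
```

    A finding with demo_tunnel set corresponds to the hunting recommendation above; a finding with a remote host but no WebDAV marker covers the SMB case the article mentions.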


    The full technical breakdown, including IOC tables and Cloudflare Tunnel domain examples tied to specific Active Threat Reports, is available in the Cofense Intelligence report published at cofense.com.


