Cybercriminals are increasingly abusing a legacy feature within Windows File Explorer<\/a> to distribute malware, bypassing traditional web browser security and endpoint detection controls. <\/p>\n According to a threat report by Kahng An of the Cofense Intelligence Team, threat actors are leveraging Web-based Distributed Authoring and Versioning (WebDAV) to trick victims into executing malicious payloads.<\/a>\u200b<\/p>\n WebDAV is an older HTTP-based network protocol<\/a> originally designed for remote file management. <\/p>\n Although Microsoft formally deprecated native WebDAV support in Windows File Explorer in November 2023, the functionality remains accessible on most systems. <\/p>\n Attackers exploit this legacy support by sending malicious links that force File Explorer to connect directly to remote WebDAV servers.<\/a>\u200b<\/p>\n Because this connection bypasses web browsers entirely, victims do not receive standard browser-based security warnings or download prompts. <\/p>\n The remote server simply appears as a local folder, making downloaded files seem safe and locally stored. <\/p>\n While Windows provides a default pop-up warning when executing files over a remote network, users accustomed to interacting with legitimate enterprise file shares frequently ignore it.<\/a>\u200b<\/p>\n Attackers use three primary methods to deliver this exploit, often relying on the specific\u00a0 A notable technical quirk makes this tactic highly evasive: when a user simply opens a local directory containing a malicious\u00a0 This inadvertently sends a TCP SYN packet to the attacker\u2019s infrastructure, notifying them that the payload is active even if the user never clicked the file.<\/a>\u200b<\/p>\n Since campaign volume surged in late 2024, the primary goal has been deploying Remote Access Trojans (RATs) to gain unauthorized system control. <\/p>\n Cofense observed that <\/a>87% of Active Threat Reports (ATRs) associated with this tactic deliver multiple RATs, heavily featuring XWorm RAT, Async RAT, and DcRAT.<\/a>\u200b<\/p>\n These campaigns predominantly target European corporate networks. Approximately 50% of the phishing emails are written in German, often disguised as finance or invoice documents, while 30% are in English.<\/a>\u200b<\/p>\n To successfully mask their infrastructure, threat actors are creating short-lived WebDAV servers using free Cloudflare Tunnel demo accounts hosted on\u00a0 This routes malicious traffic through legitimate Cloudflare infrastructure, severely complicating detection efforts for security teams before the attackers take the temporary servers offline.<\/a>\u200b<\/p>\n The following table details known malicious Cloudflare Tunnel domains associated with these campaigns:<\/p>\nThe WebDAV Loophole<\/strong><\/h2>\n
![\"Windows](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2026\/02\/image-94.png?ssl=1\")
DavWWWRoot<\/code>\u00a0keyword to target the root directory of a remote server:<\/a>\u200b<\/p>\n\n
file:\/\/<\/code>\u00a0URI scheme to open remote folders directly within the system\u2019s file browser.<\/a>\u200b<\/li>\n\\exampledomain[.]com@SSLDavWWWRoot<\/code>) to invisibly access remote servers over HTTP or HTTPS.<\/a>\u200b<\/li>\n.url<\/code>\u00a0file with a UNC path, Windows automatically triggers a DNS lookup. <\/p>\n![\"network](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2026\/02\/image-93.png?ssl=1\")
Malware Payloads and Targeting<\/strong><\/h2>\n
trycloudflare[.]com<\/code>. <\/p>\n![\"Windows](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2026\/02\/image-92.png?ssl=1\")
Indicators of Compromise<\/strong><\/h2>\n