Abusing Windows File Explorer and WebDAV for Malware Delivery
Essential information
- Published: 01/03/2026 05:26
- Modified: 02/03/2026 12:12
- Tags: 2026-03-01 abuse async rat cloudflare tunnel dcrat lnk file malware delivery phishing remote access trojan url shortcut webdav xworm rat
- Related entities: 4 observables, 8 techniques (mitre), 3 malware, 14 others
Description
This analysis details how threat actors are exploiting Windows File Explorer's WebDAV functionality to deliver malware. WebDAV, a legacy protocol, is being used to trick users into downloading malicious files without going through web browsers, potentially bypassing security controls. Campaigns often use complex chains of scripts and legitimate files to deliver Remote Access Trojans (RATs). The tactic has been observed since February 2024, with increased activity from September 2024. Threat actors frequently abuse Cloudflare Tunnel demo accounts to host WebDAV servers. The report explains WebDAV links, how File Explorer can be manipulated, and various methods used by attackers, including URL shortcut files and LNK files. It also highlights the prevalence of German and English language campaigns targeting European corporate email accounts.