
Abusing Windows File Explorer and WebDAV for Malware Delivery

Medium
Published: Sun Mar 01 2026 (03/01/2026, 05:26:45 UTC)
Source: AlienVault OTX General

Description

This analysis details how threat actors are exploiting Windows File Explorer's WebDAV functionality to deliver malware. WebDAV, a legacy protocol, is being used to trick users into downloading malicious files without going through web browsers, potentially bypassing security controls. Campaigns often use complex chains of scripts and legitimate files to deliver Remote Access Trojans (RATs). The tactic has been observed since February 2024, with increased activity from September 2024. Threat actors frequently abuse Cloudflare Tunnel demo accounts to host WebDAV servers. The report explains WebDAV links, how File Explorer can be manipulated, and various methods used by attackers, including URL shortcut files and LNK files. It also highlights the prevalence of German and English language campaigns targeting European corporate email accounts.

AI-Powered Analysis

AI analysis last updated: 03/02/2026, 12:11:05 UTC

Technical Analysis

This threat involves the abuse of Windows File Explorer's support for the Web Distributed Authoring and Versioning (WebDAV) protocol, a legacy protocol that lets users access files on remote servers as if they were local. Threat actors craft WebDAV URLs that, when opened in File Explorer, initiate downloads of malicious payloads without a web browser, potentially bypassing browser-based security controls and filters. The attackers use complex chains of scripts and legitimate files to deliver Remote Access Trojans (RATs) such as XWorm, DCRat, and AsyncRAT.

The delivery mechanism often relies on URL shortcut (.url) and Windows shortcut (.lnk) files that direct File Explorer to malicious WebDAV servers hosted on Cloudflare Tunnel demo accounts, which are abused to hinder takedown and detection. The campaigns have been observed since February 2024, with a notable increase in activity from September 2024 onwards, and they target European corporate email accounts, particularly German- and English-language ones, indicating a regional focus. The attack chain starts with phishing emails carrying malicious shortcuts; when a shortcut is clicked, File Explorer connects to the attacker-controlled WebDAV server and downloads the malware payloads. This circumvents endpoint protections that focus on browser-based downloads and exploits the trust placed in File Explorer's handling of WebDAV links.

The campaign uses multiple MITRE ATT&CK techniques, including T1202 (Indirect Command Execution), T1218 (Signed Binary Proxy Execution), T1059 (Command and Scripting Interpreter), T1204 (User Execution), T1547.001 (Registry Run Keys/Startup Folder), T1566 (Phishing), T1573.002 (Encrypted Channel), T1071.001 (Web Protocols), and T1105 (Ingress Tool Transfer). Indicators of compromise include numerous Cloudflare Tunnel domains and URLs used as WebDAV servers.

Potential Impact

The exploitation of Windows File Explorer's WebDAV functionality for malware delivery poses a significant risk to organizations worldwide, especially those with large Windows user bases. Successful exploitation can lead to the installation of Remote Access Trojans (RATs), enabling attackers to gain persistent remote access, steal sensitive data, conduct espionage, or move laterally within networks. Because the attack bypasses browser-based security controls, traditional web filtering and browser sandboxing solutions may be ineffective, increasing the likelihood of successful infection. The use of legitimate Windows features and signed binaries for execution complicates detection by endpoint security solutions. Organizations may face data breaches, operational disruption, and reputational damage. The focus on European corporate email accounts suggests targeted espionage or financially motivated attacks against businesses in this region. The abuse of Cloudflare Tunnel demo accounts also indicates attackers' attempts to evade takedown and attribution, prolonging campaign lifespan and increasing exposure.

Mitigation Recommendations

Organizations should implement multi-layered defenses specifically addressing this attack vector. First, educate users about the risks of opening unsolicited URL shortcut (.url) and LNK files received via email, emphasizing caution with unexpected attachments or links. Deploy endpoint detection and response (EDR) solutions capable of monitoring and alerting on suspicious use of WebDAV protocols and unusual File Explorer behaviors, including connections to uncommon WebDAV servers. Restrict or monitor outbound WebDAV traffic at the network perimeter and consider blocking or scrutinizing connections to known malicious Cloudflare Tunnel domains. Implement application control policies to restrict execution of scripts and binaries commonly abused in these attacks, such as Windows Script Host files (.wsh) and suspicious LNK files. Enhance email security by using advanced phishing detection and sandboxing to identify and block malicious attachments and links. Regularly audit and harden Windows registry run keys and startup folders to detect unauthorized persistence mechanisms. Finally, maintain up-to-date threat intelligence feeds to quickly identify and block indicators of compromise related to this campaign.
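As an added illustration of the EDR and perimeter monitoring recommended above (this is example code written here, not code from Cofense or AlienVault), the following Python scores constructed web-proxy log lines against the behaviours the analysis describes: WebDAV request methods or the Windows WebDAV client user agent reaching a host outside an allow-list, trycloudflare.com quick-tunnel hosts, and script or shortcut files fetched over WebDAV. The log line format, the allow-list and the sample lines are assumptions; the two trycloudflare.com URLs are taken from the indicators on this page.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (assumed format): client, method, URL, user agent.
SAMPLE_LOGS = [
    '10.0.0.12 PROPFIND http://frontier-shops-timothy-cal.trycloudflare.com/documents/ "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '10.0.0.12 GET http://frontier-shops-timothy-cal.trycloudflare.com/rec.wsh "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '10.0.0.33 GET https://www.example.com/index.html "Mozilla/5.0"',
    '10.0.0.41 OPTIONS https://sharepoint.example.com/sites/hr "Microsoft-WebDAV-MiniRedir/10.0.19045"',
]

LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
# Methods that only a WebDAV client issues; plain GET/OPTIONS need the user agent to decide.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "MOVE", "COPY"}
# Windows Script Host and shortcut files are the delivery artifacts named in the report.
SCRIPT_EXT = (".wsh", ".lnk", ".url", ".js", ".vbs", ".hta")
# Assumed allow-list of sanctioned WebDAV/SharePoint hosts; tune per environment.
ALLOWED_WEBDAV_HOSTS = {"sharepoint.example.com"}


def analyze_line(line):
    """Return {'src', 'host', 'reasons'} for a parsable line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m["url"])
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reasons = []
    # The Windows WebClient service (the WebDAV Mini-Redirector) identifies itself in the UA.
    is_webdav = m["method"] in WEBDAV_METHODS or "WebDAV-MiniRedir" in m["ua"]
    if is_webdav and host not in ALLOWED_WEBDAV_HOSTS:
        reasons.append("webdav client to non-sanctioned host")
    if host.endswith(".trycloudflare.com"):
        reasons.append("cloudflare tunnel quick-tunnel host")
    if is_webdav and path.endswith(SCRIPT_EXT):
        reasons.append("script or shortcut fetched over webdav")
    return {"src": m["src"], "host": host, "reasons": reasons}


def find_suspicious(lines):
    """Return the analysis records for every line that triggered at least one reason."""
    hits = []
    for line in lines:
        rec = analyze_line(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(hit["src"], hit["host"], "; ".join(hit["reasons"]))
```

A GET from the WebDAV client to a sanctioned host produces no alert, so the allow-list is what keeps legitimate SharePoint or file-share traffic quiet.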


Technical Details

Author: AlienVault
TLP: white
References: https://cofense.com/blog/abusing-windows-file-explorer-and-webdav-for-malware-delivery
Adversary: not specified
Pulse Id: 69a3ce1589019e16f3785b72
Threat Score: not specified

Indicators of Compromise

URLs

- http://everything-teach-pearl-eat.trycloudflare.com/DE
- http://frontier-shops-timothy-cal.trycloudflare.com/DE
- http://frontier-shops-timothy-cal.trycloudflare.com/documents/
- http://frontier-shops-timothy-cal.trycloudflare.com/rec.wsh

Threat ID: 69a57ab332ffcdb8a20f870b

Added to database: 3/2/2026, 11:55:31 AM

Last enriched: 3/2/2026, 12:11:05 PM

Last updated: 3/2/2026, 10:19:04 PM
