Threats Tagged 'webdav'
Threat reports tagged 'webdav', with summaries, source and publication dates.
REFUNDEE: Inside a Shadow Panel Phishing-as-a-Service Operation

An open directory discovery at refundonex[.]com exposed a complete Phishing-as-a-Service and RAT-as-a-Service platform targeting Spanish- and Portuguese-speaking victims. The investigation uncovered 3,788 files, including weaponized LNK, VBS, and AES-encrypted PowerShell payloads delivering a remote access trojan. The platform, called Shadow Panel, operates from Bulgarian infrastructure and offers capabilities including remote shell execution, screenshot capture, file management, browser credential theft, clipboard hijacking for cryptocurrency wallets, and multi-operator support. The C2 panel's frontend JavaScript was publicly accessible, revealing 29 API endpoints and the complete architecture. Infrastructure analysis linked the operation to nikola4010@proton[.]me through WHOIS data and historical malicious domain associations dating back to 2021, indicating a long-running cybercriminal operation with minimal detection coverage.

Source: AlienVault OTX General | Published: 04/13/2026, 15:06:23 UTC | Added: 04/13/2026, 15:46:50 UTC

Abusing Windows File Explorer and WebDAV for Malware Delivery

This analysis details how threat actors are exploiting Windows File Explorer's WebDAV functionality to deliver malware. WebDAV, a legacy protocol, is being used to trick users into downloading malicious files without going through a web browser, potentially bypassing browser-based security controls. Campaigns often use complex chains of scripts and legitimate files to deliver Remote Access Trojans (RATs). The tactic has been observed since February 2024, with increased activity from September 2024. Threat actors frequently abuse Cloudflare Tunnel demo accounts to host WebDAV servers. The report explains WebDAV links, how File Explorer can be manipulated, and various methods used by attackers, including URL shortcut files and LNK files. It also highlights the prevalence of German- and English-language campaigns targeting European corporate email accounts.

Source: AlienVault OTX General | Published: 03/01/2026, 05:26:45 UTC | Added: 03/02/2026, 11:55:31 UTC

Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response

Threat actors exploited Cloudflare's free-tier infrastructure and Python environments to deploy AsyncRAT, demonstrating advanced evasion techniques. The attack begins with phishing emails containing Dropbox links to malicious files. It uses legitimate Python downloads and sophisticated code injection targeting explorer.exe. The campaign ensures persistence through multiple vectors, including startup folder scripts and WebDAV mounting. It abuses trusted infrastructure such as Cloudflare to mask activity and evade detection. The attackers employ social engineering tactics, such as displaying legitimate PDF documents, to reduce suspicion. This campaign highlights the trend of abusing cloud services for malware delivery and execution, emphasizing the need for multi-layered security approaches.

Source: AlienVault OTX General | Published: 01/12/2026, 20:30:28 UTC | Added: 01/13/2026, 16:11:30 UTC

GOLD BLADE remote DLL sideloading attack deploys RedLoader

A new infection chain for GOLD BLADE's RedLoader malware has been identified, combining previously separate techniques. The attack begins with a malicious PDF link leading to a ZIP archive that contains a LNK file masquerading as a PDF. This file executes conhost.exe, which uses WebDAV to contact a Cloudflare domain and remotely sideload a malicious DLL. The infection progresses through two stages of RedLoader, ultimately establishing command and control communication. This updated method, observed in July 2025, demonstrates the threat actors' ability to adapt and bypass defenses by combining known techniques in novel ways.

Source: AlienVault OTX General | Published: 07/31/2025, 15:01:10 UTC | Added: 07/31/2025, 15:17:46 UTC

Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware

The SERPENTINE#CLOUD campaign leverages Cloudflare Tunnels and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as documents, which fetch remote code from Cloudflare subdomains. The infection chain involves batch, VBScript, and Python stages, ultimately deploying shellcode that loads a Donut-packed PE payload. The campaign focuses on Western targets, using Cloudflare for payload hosting and anonymity. It demonstrates evolving tactics, shifting from simple .url files to more sophisticated .lnk payloads. The final stage is a RAT payload, giving attackers full control over infected hosts.

Source: AlienVault OTX General | Published: 06/20/2025, 06:08:42 UTC | Added: 06/20/2025, 08:31:51 UTC