Cofense Intelligence exposes how threat actors abuse Windows File Explorer and WebDAV servers to bypass browser security and push RATs to corporate targets.
Threat actors have found a way to push malware directly onto corporate machines without going through a web browser at all. Cofense Intelligence published findings on February 25, 2026, revealing an active campaign that weaponizes Windows File Explorer’s built-in ability to connect to remote WebDAV servers. The tactic sidesteps standard browser download warnings entirely. Most users have no idea that File Explorer can reach out to internet servers.
WebDAV is an old HTTP-based file management protocol. Few people use it today. But Windows still supports it natively inside File Explorer, even though Microsoft deprecated the feature in November 2023. That gap between deprecation and full removal is exactly what attackers are walking through.
When a Folder Is Not Really a Folder
According to Cofense Intelligence in their published report, campaign volume first appeared in February 2024, then spiked sharply in September 2024. It has remained active ever since. The attacks have not slowed. 87 percent of all Active Threat Reports tied to this tactic deliver multiple remote access trojans as final payloads. XWorm RAT, Async RAT, and DcRAT show up most often.
Must Read: Crypto Security Breach: January Hacks Total $86M, Phishing Skyrockets
How the Attack Actually Works
Victims receive phishing emails, often disguised as invoices in German. The emails carry either URL shortcut files (.url) or LNK shortcut files (.lnk). Both can silently open a WebDAV connection inside File Explorer. The user sees what looks like a local folder. It is not.
What makes this particularly damaging is the chain that follows. Scripts pull down additional scripts from separate WebDAV servers. Legitimate files mix in with malicious ones to blur detection. By the time a RAT lands, the delivery path has passed through several layers of obfuscation. Security tools that scan browser downloads miss the whole sequence.
The Cofense report notes that 50% of all affected campaigns are in German. English-language campaigns account for 30%. Italian and Spanish make up the rest. That split points directly at European corporate email accounts as the primary target pool.
You Might Also Like: npm Worm Steals Crypto Keys, Targets 19 Packages
Cloudflare Tunnel is doing heavy lifting for the attackers here. All ATRs tied to this tactic use free demo accounts on trycloudflare[.]com to host the malicious WebDAV servers. Cloudflare’s own infrastructure routes the victim’s connection. That makes the traffic look legitimate on first inspection. The demo accounts are short-lived by design, so threat actors pull them down fast after campaigns go active, cutting off forensic analysis.
Why Crypto Holders Face Serious Exposure
This is where it gets dangerous for anyone holding digital assets. RATs like XWorm and Async RAT give attackers persistent, remote access to an infected machine. That means clipboard contents, browser sessions, saved passwords, and crypto wallet files all sit within reach. Clipboard hijacking, a method already linked to hundreds of millions in crypto theft, becomes trivial once a RAT is running.
Phishing losses alone exceeded $300 million in January 2026, according to security tracking data. That figure dwarfs protocol hack losses in the same period. The attack methods documented by Cofense feed directly into that pipeline. A RAT dropped via WebDAV on a finance team employee’s machine is not just a corporate IT problem. It is a direct path to drained wallets and stolen keys.
Also Worth Your Attention: As Threats Increase, Crypto Wallet Security Will Be A Top Priority In 2026
What Organizations Need to Do Now
The Cofense report recommends hunting for network traffic to Cloudflare Tunnel demo instances specifically. EDR tools with behavioral analysis should flag.URL and .LNK files that reach out to remote servers. The harder fix is user education. Most people simply do not know that File Explorer’s address bar works like a browser.
Checking it the same way they would check a suspicious URL is the first line of defense. Similar abuse is possible through FTP and SMB. Both protocols see regular enterprise use, and both can reach external servers. The attack surface Cofense is documenting is wider than just WebDAV.
Related: Hacks and Security Incidents in 2025: A Year That Exposed Crypto’s Weakest Links
The full technical breakdown, including IOC tables and Cloudflare Tunnel domain examples tied to specific Active Threat Reports, is available in the Cofense Intelligence report published at cofense.com.
