Hackers Weaponize Windows File Explorer WebDAV for RAT Delivery


Cybercriminals bypass browser defenses by abusing Windows File Explorer’s legacy WebDAV support. Attackers deliver RATs through file:// links, .url shortcuts, and LNK files that connect directly to remote servers. Cofense Intelligence reports 87% of campaigns deploy XWorm, AsyncRAT, and DcRAT against European corporate networks. No browser warnings appear during connections.

WebDAV protocol support lingers in Explorer despite Microsoft’s 2023 deprecation announcement. Remote servers appear as local folders. Users accustomed to legitimate network shares ignore the standard “Open file from network?” prompt. DNS beaconing occurs as soon as a directory containing malicious .url files is opened.

German-language phishing disguised as invoices dominates, at 50% of campaigns. Cloudflare Tunnel (trycloudflare[.]com) hosts the ephemeral WebDAV servers. Legitimate CDN traffic masks the malicious activity until the servers vanish.

Windows File Explorer connected to a WebDAV server hosted on module-brush-sort-factory[.]trycloudflare[.]com. (Source: Cofense)

Attack Delivery Methods

Three vectors exploit File Explorer directly.

Method           Technique                         Evasion Benefit
file:// URI      Direct WebDAV folder access       No browser security prompts
.url Shortcuts   UNC paths over HTTP/HTTPS         DNS beacon on directory open
LNK Shortcuts    Hidden CMD/PowerShell download    Silent payload execution

The DavWWWRoot keyword in the path consistently targets the WebDAV root directory of the remote server.
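The three vectors above all hinge on a shortcut field that File Explorer, not the browser, resolves: a file:// URI with a remote host, or a UNC path such as \\host@SSL@443\DavWWWRoot\... . The following Python triage script is an added example, not code from the article or from Cofense. It parses the INI-style body of a .url file, reports which fields point at a remote host, and flags the two indicators the article names (the DavWWWRoot keyword and a trycloudflare.com subdomain). It checks IconFile= as well as URL= because Explorer resolves the icon path while rendering the folder, which is what produces the DNS beacon before anything is clicked. The sample shortcut bodies and the host name example-tunnel-host.trycloudflare.com are constructed placeholders.

```python
import configparser
import re
from typing import Dict, List, Optional

# Indicators taken from the article: the path keyword that targets the
# WebDAV root in every campaign, and the Cloudflare Tunnel domain that
# hosts the short-lived servers.
WEBDAV_ROOT_KEYWORD = "davwwwroot"
TUNNEL_SUFFIX = ".trycloudflare.com"

# A field opens in File Explorer (not the browser) when it is a file:// URI
# with a host, or a UNC path. WebDAV UNC hosts may carry @SSL / @port
# suffixes, e.g. host@SSL@443. Exactly two slashes after "file:" means a
# remote host; file:///C:/... (three slashes) is local and does not match.
_REMOTE_RE = re.compile(r"^(?:file:)?[\\/]{2}([^\\/]+)", re.IGNORECASE)


def remote_host(value: str) -> Optional[str]:
    """Return the lowercase hostname a shortcut field points at, or None if local."""
    m = _REMOTE_RE.match(value.strip())
    if not m:
        return None
    # Drop WebDAV decorations: host@SSL@443 -> host
    return m.group(1).split("@", 1)[0].lower() or None


def parse_url_shortcut(text: str) -> Dict[str, str]:
    """Parse the INI-style body of a .url file into its [InternetShortcut] fields."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep field names as written (URL, IconFile, ...)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def analyze_url_shortcut(text: str) -> List[str]:
    """Return findings for one .url body; an empty list means nothing suspicious.

    URL= is what runs on double-click. IconFile= is resolved when Explorer
    renders the folder, so a remote icon path produces a DNS lookup and a
    connection before the user clicks anything.
    """
    fields = {k.lower(): v for k, v in parse_url_shortcut(text).items()}
    findings: List[str] = []
    for key in ("url", "iconfile", "workingdirectory"):
        value = fields.get(key, "")
        host = remote_host(value)
        if host is None:
            continue
        findings.append(f"{key} points to remote host {host}")
        if WEBDAV_ROOT_KEYWORD in value.lower():
            findings.append(f"{key} path uses the WebDAV root keyword DavWWWRoot")
        if host.endswith(TUNNEL_SUFFIX):
            findings.append(f"{key} host is a Cloudflare Tunnel subdomain")
    return findings


# Constructed sample shortcuts (not real campaign artifacts). The host name is
# a placeholder in the trycloudflare.com pattern the article describes.
SUSPICIOUS_URL = """[InternetShortcut]
URL=file://example-tunnel-host.trycloudflare.com@SSL@443/DavWWWRoot/Rechnung_2024.lnk
IconFile=\\\\example-tunnel-host.trycloudflare.com@SSL@443\\DavWWWRoot\\invoice.ico
IconIndex=0
"""

BENIGN_URL = """[InternetShortcut]
URL=https://intranet.example.com/portal
IconFile=C:\\Windows\\System32\\SHELL32.dll
IconIndex=13
"""

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_URL), ("benign", BENIGN_URL)):
        print(name, analyze_url_shortcut(body) or "no findings")
```

An https:// URL= deliberately produces no finding: that shortcut opens in the browser, where the usual download defenses apply; only file:// and UNC references route through Explorer's WebDAV client. Run it against the .url files attached to reported invoice phishing, or over a mail gateway's quarantined attachments.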

Malware Distribution

RATs dominate payload selection.

  • XWorm RAT: 42% of analyzed campaigns
  • AsyncRAT: 31% deployment rate
  • DcRAT: 14% observed instances
  • Multiple RATs: 87% of Active Threat Reports

European targets receive German (50%) and English (30%) phishing lures.

network traffic to the malicious domain. (Source: Cofense)

Infrastructure Characteristics

Cloudflare Tunnel domains rotate rapidly:

Malicious Domain                                      ATR ID
tiny-fixtures-glossary-advantage.trycloudflare.com    374884
nasdaq-aged-sf-cheers.trycloudflare.com               377161
lose-croatia-acdbentity-lt.trycloudflare.com          377161
discounted-pressed-lc-vcr.trycloudflare.com           376309

Servers live only hours before being decommissioned. Legitimate Cloudflare IPs evade reputation-based blocks.

By default, Windows File Explorer prompts the user to confirm whether the file should be run. (Source: Cofense)

Detection Challenges

Traditional controls fail:

  • Browser download scanners bypassed
  • No HTTP referer headers sent
  • File Explorer lacks URL reputation
  • Users dismiss network file warnings
  • Ephemeral domains evade blocklists

DNS queries fire as soon as a directory containing a .url file is opened, even if nothing is clicked.

Security Recommendations

Immediate Actions:

  • Block trycloudflare[.]com subdomains
  • Monitor File Explorer network connections
  • Disable WebDAV client via registry
  • Train users to check Explorer address bar
  • Deploy network beacons to listed ATR domains

Registry Hardening:

HKLM\SYSTEM\CurrentControlSet\Services\WebClient\Start = 4

(A Start value of 4 sets the WebClient service to Disabled, so the WebDAV Mini-Redirector never starts.)

EDR Hunting:

process_name:explorer.exe AND destination_port:(80 OR 443)
file_extension:.url AND path:DavWWWRoot

(The port clause is parenthesized so the OR does not bind looser than the AND; written as A AND B OR C it would also match every connection to port 443 regardless of process.)

User Awareness

Educate employees:

  • Verify File Explorer address bar shows legitimate domains
  • Treat network file warnings as high-risk
  • Report invoice phishing immediately
  • Never open unexpected .url or .lnk files

FAQ

How does WebDAV bypass browser security?

File Explorer connects directly, skipping browser warnings.

What malware dominates these campaigns?

XWorm RAT (42%), AsyncRAT (31%), DcRAT (14%).

Which protocol keyword appears consistently?

DavWWWRoot targets WebDAV server root.

Do users see download warnings?

Standard network file prompt appears but gets ignored.

How do attackers hide WebDAV servers?

Cloudflare Tunnel trycloudflare[.]com with rotating subdomains.
