Cofense Intelligence has unveiled a concerning trend in cybersecurity, revealing how threat actors exploit Windows File Explorer and WebDAV servers to circumvent browser security measures and deliver Remote Access Trojans (RATs) to corporate systems.
In a significant development, threat actors have devised a method to infiltrate corporate machines without the need for a web browser. Findings published by Cofense Intelligence on February 25, 2026, highlight an ongoing campaign that leverages Windows File Explorer’s inherent capability to connect to remote WebDAV servers. This tactic effectively bypasses the standard download warnings typically associated with browsers, leaving many users unaware of File Explorer’s ability to access internet servers.
WebDAV, a legacy HTTP-based file management protocol, is rarely used today. Although Microsoft deprecated it in November 2023, Windows still supports it natively within File Explorer. This gap between deprecation and actual removal has become a pathway for attackers.
When a Folder Is Not Really a Folder
Cofense Intelligence reports that these campaigns first appeared in February 2024, rose sharply in September of the same year, and have remained active since. Alarmingly, 87 percent of all Active Threat Reports associated with this method deliver multiple RATs as their final payloads, with XWorm RAT, Async RAT, and DcRAT being the most frequently encountered.
How the Attack Actually Works
The attack begins with phishing emails, often posing as invoices written in German. These emails carry either URL shortcut files (.url) or LNK shortcut files (.lnk), both of which can silently open a WebDAV connection inside File Explorer. To the unsuspecting user it looks like an ordinary local folder, when in fact File Explorer has connected to a remote server.
The real danger lies in the subsequent chain of events. Scripts are employed to download additional scripts from various WebDAV servers, blending legitimate files with malicious ones to obscure detection. By the time a RAT is deployed, the delivery process has traversed multiple layers of obfuscation, eluding security tools that typically monitor browser downloads.
Notably, the Cofense report indicates that 50% of the observed campaigns are conducted in German, while English-language campaigns account for 30%. The remaining campaigns are in Italian and Spanish, pointing to European corporate email accounts as the primary target demographic.
Cloudflare Tunnel plays a crucial role in facilitating these attacks. All Active Threat Reports associated with this tactic utilize free demo accounts on trycloudflare[.]com to host the malicious WebDAV servers. The infrastructure provided by Cloudflare routes the victim’s connection, making the traffic appear legitimate at first glance. These demo accounts are designed to be short-lived, allowing threat actors to dismantle them quickly after launching their campaigns, thereby hindering forensic analysis.
Why Crypto Holders Face Serious Exposure
This situation poses significant risks for individuals holding digital assets. RATs such as XWorm and Async RAT grant attackers persistent, remote access to infected machines, allowing them to access clipboard contents, browser sessions, saved passwords, and crypto wallet files. Clipboard hijacking, a method already linked to substantial crypto theft, becomes alarmingly straightforward once a RAT is operational.
According to security tracking data, phishing losses alone exceeded 0 million in January 2026, a figure that far surpasses losses from protocol hacks during the same period. The attack methods outlined by Cofense feed directly into this trend. A RAT deployed via WebDAV on a finance team employee's machine is not just a corporate IT problem; it opens a direct path to drained wallets and stolen keys.
What Organizations Need to Do Now
The Cofense report advises organizations to actively monitor network traffic for Cloudflare Tunnel demo instances. Endpoint Detection and Response (EDR) tools equipped with behavioral analysis should flag .URL and .LNK files that connect to remote servers. However, the more challenging aspect lies in user education. Many individuals remain unaware that File Explorer’s address bar functions similarly to a web browser.
Encouraging users to scrutinize that address bar as they would a suspicious URL is the first line of defense. It is also worth noting that similar abuse is feasible through FTP and SMB, both of which are commonly used in enterprise environments and can connect to external servers. The attack surface identified by Cofense extends beyond WebDAV alone.
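As an added example (not Cofense code), the following triage routine inspects the contents of .url attachments and flags shortcuts whose target is a remote WebDAV share or a host under trycloudflare.com, tying together the .url-based delivery described under "How the Attack Actually Works" and the monitoring advice above. It assumes the Windows WebDAV redirector's host@SSL@port / DavWWWRoot path syntax; the sample shortcut contents and the tunnel hostname are constructed placeholders.

```python
"""Triage .url (InternetShortcut) files for remote WebDAV targets. Added example, not Cofense code."""
import configparser
import re
from urllib.parse import unquote

TUNNEL_DOMAIN = "trycloudflare.com"  # Cloudflare Tunnel free demo hosts (named in the report)

SAMPLES = {  # constructed .url contents; the tunnel hostname is a placeholder
    "tunnel": "[InternetShortcut]\nURL=file://placeholder-words.trycloudflare.com@SSL@443/DavWWWRoot/invoice.pdf\n",
    "internal": "[InternetShortcut]\nURL=file://fileserver/share/handbook.pdf\n",
    "local": "[InternetShortcut]\nURL=file:///C:/Users/jdoe/notes.txt\n",
}

def shortcut_target(text):
    """Return the URL= value of a .url file, or None if absent or unparseable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp[section].get("url")
    return None

def parse_target(url):
    """Split http(s), file:// or UNC targets into (scheme, host, webdav_hint);
    '@SSL'/'@port' after the host or a DavWWWRoot segment is WebDAV redirector syntax."""
    raw = unquote(url.strip()).replace("\\", "/")
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", raw)
    scheme = m.group(1).lower() if m else "unc"
    rest = (raw[m.end():] if m else raw).lstrip("/")
    if scheme not in ("http", "https", "file", "unc"):
        return scheme, "", False  # e.g. a bare 'C:\...' path or a mailto: link
    first = rest.split("/", 1)[0]  # host[@SSL][@port]
    host = first.split("@", 1)[0].lower()
    return scheme, host, "@" in first or "davwwwroot" in rest.lower()

def triage(text):
    """Return (verdict, reason) for the content of one .url file."""
    url = shortcut_target(text)
    if url is None:
        return "clean", "no InternetShortcut URL"
    scheme, host, webdav = parse_target(url)
    if host in ("", "localhost") or re.fullmatch(r"[a-z]:", host):
        return "clean", "local target"
    if host == TUNNEL_DOMAIN or host.endswith("." + TUNNEL_DOMAIN):
        return "block", f"Cloudflare Tunnel demo host: {host}"
    if scheme in ("file", "unc") and (webdav or "." in host):
        return "suspicious", f"shortcut opens a remote share: {host}"
    kind = "internal share" if scheme in ("file", "unc") else "web target"
    return "review", f"{kind}: {host}"
```

The same parse_target logic applies to the LinkTargetIDList or relative path recovered from an .lnk file; only the shortcut_target extraction step differs.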
For a comprehensive technical breakdown, including IOC tables and Cloudflare Tunnel domain examples linked to specific Active Threat Reports, refer to the Cofense Intelligence report available at cofense.com.