{
  "Event": {
    "analysis": "1",
    "date": "2026-02-25",
    "extends_uuid": "",
    "info": "[Threat Intel] Abusing Windows File Explorer and WebDAV for Malware Delivery",
    "protected": false,
    "publish_timestamp": "1772807235",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1772807235",
    "uuid": "d5c099cd-ed6f-4cd8-bb78-3eb0ddd065d2",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#e0933f",
        "local": false,
        "name": "misp-galaxy:producer=\"Cofense\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Indirect Command Execution - T1202\"",
        "relationship_type": ""
      },
      {
        "colour": "#c8f8ef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Binary Proxy Execution - T1218\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#08b028",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#5ed128",
        "local": false,
        "name": "misp-galaxy:target-information=\"Germany\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003f",
        "local": false,
        "name": "rectifyq:sub-category=\"tool-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"8206e5d7-9189-4d8b-855d-339fa45e9c47\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772506812",
        "to_ids": false,
        "type": "link",
        "uuid": "d6506405-9747-422b-aa66-dfb2979e4ef1",
        "value": "https://cofense.com/blog/abusing-windows-file-explorer-and-webdav-for-malware-delivery"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772506812",
        "to_ids": false,
        "type": "text",
        "uuid": "7f6388f3-ee85-4d81-a85d-6339306620b9",
        "value": "This analysis details how threat actors are exploiting Windows File Explorer's WebDAV functionality to deliver malware. WebDAV, a legacy protocol, is being used to trick users into downloading malicious files without going through web browsers, potentially bypassing security controls. Campaigns often use complex chains of scripts and legitimate files to deliver Remote Access Trojans (RATs). The tactic has been observed since February 2024, with increased activity from September 2024. Threat actors frequently abuse Cloudflare Tunnel demo accounts to host WebDAV servers. The report explains WebDAV links, how File Explorer can be manipulated, and various methods used by attackers, including URL shortcut files and LNK files. It also highlights the prevalence of German and English language campaigns targeting European corporate email accounts."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772506812",
        "to_ids": false,
        "type": "text",
        "uuid": "e2d239ef-c26b-4873-b332-80b67866b457",
        "value": "Name: Abusing Windows File Explorer and WebDAV for Malware Delivery\nAuthor: AlienVault\nAdversary: \nTags: [\"malware delivery\", \"remote access trojan\", \"xworm rat\", \"dcrat\", \"async rat\", \"webdav\", \"url shortcut\", \"cloudflare tunnel\", \"lnk file\", \"phishing\", \"abuse\"]\nTargeted countries: [\"Germany\"]\nMalware families: [\"XWorm RAT\", \"Async RAT\", \"DcRAT\"]\nAttack_ids: [\"T1202\", \"T1218\", \"T1059\", \"T1204\", \"T1547.001\", \"T1566\", \"T1573.002\", \"T1071.001\", \"T1105\"]\nIndustries: [\"Finance\"]"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575224",
        "to_ids": true,
        "type": "url",
        "uuid": "f344242c-3f70-4d1b-b919-4941fb76c8d0",
        "value": "http://everything-teach-pearl-eat.trycloudflare.com/DE",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575246",
        "to_ids": true,
        "type": "url",
        "uuid": "2f1b89ee-7859-40f5-a3cf-be169f8b58bd",
        "value": "http://frontier-shops-timothy-cal.trycloudflare.com/DE",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575267",
        "to_ids": true,
        "type": "url",
        "uuid": "b8dc18d5-69b2-4f9e-b08b-38887199132f",
        "value": "http://frontier-shops-timothy-cal.trycloudflare.com/documents/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575288",
        "to_ids": true,
        "type": "url",
        "uuid": "2cee0e1b-4944-4206-944f-5b0899a848ce",
        "value": "http://frontier-shops-timothy-cal.trycloudflare.com/rec.wsh",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575309",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2543c38d-c08e-4d59-a1c1-16ba53586e71",
        "value": "discounted-pressed-lc-vcr.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575332",
        "to_ids": true,
        "type": "hostname",
        "uuid": "1d0f3f15-acc0-4a2b-bc69-f49bbc98ec78",
        "value": "earl-dont-princess-bit.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575353",
        "to_ids": true,
        "type": "hostname",
        "uuid": "9e39249c-2ee6-4acf-ba36-8525a0ef09de",
        "value": "everything-teach-pearl-eat.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575374",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3d4a4ab5-301a-42cf-ad54-cdc799e5fc66",
        "value": "frontier-shops-timothy-cal.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575397",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d06db1dd-43df-46ac-9677-af2b0b711a1e",
        "value": "harbor-microwave-called-teams.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575418",
        "to_ids": true,
        "type": "hostname",
        "uuid": "db884c0b-ed7f-4cba-a891-d0efb2eea0bc",
        "value": "lose-croatia-acdbentity-lt.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575439",
        "to_ids": true,
        "type": "hostname",
        "uuid": "e946a444-ab5a-4b62-81e2-c958d6455f0d",
        "value": "module-brush-sort-factory.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575460",
        "to_ids": true,
        "type": "hostname",
        "uuid": "f9d94803-1f45-48f6-ba19-0d154c80d03d",
        "value": "nasdaq-aged-sf-cheers.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575481",
        "to_ids": true,
        "type": "hostname",
        "uuid": "ccbf2e98-1fbb-40e9-a13a-6579e58b236f",
        "value": "publicity-jenny-paintball-gilbert.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575503",
        "to_ids": true,
        "type": "hostname",
        "uuid": "e3f92743-69ba-4f39-83d6-2a3d233e06d4",
        "value": "skills-statute-alberta-demand.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575524",
        "to_ids": true,
        "type": "hostname",
        "uuid": "edc4149e-fa05-4c1f-9e4c-96556afd09ed",
        "value": "tiny-fixtures-glossary-advantage.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575545",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a44f6192-872f-47c0-96be-97aeeb2d7814",
        "value": "whats-menu-familiar-zshops.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575566",
        "to_ids": true,
        "type": "url",
        "uuid": "e877b2a5-2dd7-4ef5-bd60-9890d1293e6a",
        "value": "https://frontier-shops-timothy-cal.trycloudflare.com/rec.wsh",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}