Cofense Intelligence has uncovered a malware campaign that abuses Windows File Explorer's WebDAV client to deliver remote access trojans (RATs) onto corporate systems while sidestepping the download warnings a browser would normally show. The findings, published on 2026-02-25, describe a notable threat to organizations, particularly those handling cryptocurrency.
Exploiting Windows Explorer and WebDAV
Threat actors have used the WebDAV support built into Windows File Explorer (provided by the WebClient service, which the report notes is deprecated but still functional) to avoid the warnings a browser shows when a file is downloaded. The campaign has been active since February 2024 and peaked in September 2024; it relies on phishing emails disguised as invoices, primarily targeting European corporations. The emails carry .URL or .LNK shortcut files which, when opened, silently connect File Explorer to an attacker-controlled WebDAV server. The share presents malicious files alongside legitimate-looking decoys, and because the files are fetched by Explorer rather than by the browser, the browser's download warnings never fire.
Impact on Cryptocurrency Security
The deployed RATs, including XWorm and AsyncRAT, give attackers persistent access to infected machines, enabling them to steal clipboard contents, browser sessions, saved passwords and cryptocurrency wallet files. The report links this to significant financial losses, citing phishing-related thefts exceeding $300 million in January 2026 alone. The attackers' use of Cloudflare Tunnel hides the true address of their servers behind Cloudflare's edge, which further complicates forensic investigation.
Mitigation Strategies for Organizations
Cofense advises organizations to monitor network traffic for connections to Cloudflare Tunnel demo instances (TryCloudflare quick tunnels, which use *.trycloudflare.com hostnames) and to use EDR behavioral analysis to flag suspicious .URL and .LNK files, for example shortcuts whose target is a remote WebDAV, SMB or FTP share rather than a local path or web page. User education matters too: employees should treat links that open in File Explorer with the same caution as suspicious URLs. The attack surface is not limited to WebDAV; the same shortcut-file technique can point File Explorer at FTP or SMB servers.
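The following script is an added example, not code from the Cofense report or this article. It shows the detection check described above: parse the `URL=` target of an InternetShortcut (.URL) file and classify it as a WebDAV, SMB, FTP, web or local target, flagging anything that would make File Explorer open a remote share, plus any host under *.trycloudflare.com. The WebDAV UNC forms it recognizes (`\\host@80\...`, `\\host@SSL\...`, `\\host@SSL@443\...`, and `DavWWWRoot` paths) are the Windows WebClient syntaxes; the sample files, hostnames and addresses are constructed placeholders (RFC 5737 ranges), not indicators from the report.

```python
import re
from configparser import ConfigParser
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample .URL (InternetShortcut) files modelled on the technique
# described in the article. Hosts are placeholders, not real indicators.
SAMPLE_URL_FILES = {
    "Invoice_2024-09.url": (
        "[InternetShortcut]\n"
        "URL=file://203.0.113.10@80/DavWWWRoot/invoices/Invoice.pdf.lnk\n"
        "IconIndex=13\n"
    ),
    "Rechnung.url": (
        "[InternetShortcut]\n"
        "URL=\\\\words-words-words.trycloudflare.com@SSL@443\\share\\Rechnung.exe\n"
    ),
    "ftp_drop.url": "[InternetShortcut]\nURL=ftp://198.51.100.7/pub/Invoice.exe\n",
    "smb_share.url": "[InternetShortcut]\nURL=\\\\198.51.100.8\\public\\Invoice.exe\n",
    "portal.url": "[InternetShortcut]\nURL=https://www.example.com/invoices\n",
    "readme.url": "[InternetShortcut]\nURL=file:///C:/Users/Public/readme.txt\n",
}

# \\host@80\..., \\host@SSL\... and \\host@SSL@443\... are WebClient (WebDAV
# redirector) UNC syntaxes; a plain \\host\share is an SMB share.
UNC_RE = re.compile(
    r"^\\\\(?P<host>[^\\@]+)(?P<ports>(?:@(?:SSL|\d+))*)(?P<path>(?:\\.*)?)$",
    re.IGNORECASE,
)
TUNNEL_SUFFIX = ".trycloudflare.com"  # TryCloudflare quick-tunnel hostnames


@dataclass(frozen=True)
class Verdict:
    kind: str          # webdav | smb | ftp | web | local | unknown
    host: str
    remote: bool       # True if Explorer would open a remote share
    reasons: tuple


def parse_url_file(text: str) -> str:
    """Return the URL= target of an InternetShortcut file ('' if absent)."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback="").strip()


def classify_target(target: str) -> Verdict:
    """Classify a shortcut target string (from a .URL, or a .LNK's target)."""
    reasons, host = [], ""
    m = UNC_RE.match(target)
    if m:
        host = m.group("host")
        if m.group("ports") or "davwwwroot" in m.group("path").lower():
            kind = "webdav"
            reasons.append("UNC path uses WebDAV redirector syntax")
        else:
            kind = "smb"
            reasons.append("UNC path to a remote SMB share")
    else:
        parts = urlsplit(target)
        scheme = parts.scheme.lower()
        if scheme == "file":
            if not parts.netloc:
                kind = "local"
            elif "@" in parts.netloc or "davwwwroot" in parts.path.lower():
                kind, host = "webdav", parts.netloc.split("@", 1)[0]
                reasons.append("file:// URL with WebDAV host@port or DavWWWRoot")
            else:
                kind, host = "smb", parts.netloc
                reasons.append("file:// URL to a remote host")
        elif scheme == "ftp":
            kind, host = "ftp", parts.hostname or ""
            reasons.append("ftp:// target opens in File Explorer, not the browser")
        elif scheme in ("http", "https"):
            kind, host = "web", parts.hostname or ""
        else:
            kind = "unknown"
    if host.lower().endswith(TUNNEL_SUFFIX):
        reasons.append("host is a TryCloudflare quick-tunnel instance")
    return Verdict(kind, host, kind in ("webdav", "smb", "ftp"), tuple(reasons))


def scan(files: dict) -> dict:
    """Map each .URL file name to its Verdict."""
    return {name: classify_target(parse_url_file(text)) for name, text in files.items()}


def suspicious(files: dict) -> list:
    """Sorted names of shortcuts that would open a remote share in Explorer."""
    return sorted(name for name, v in scan(files).items() if v.remote)


if __name__ == "__main__":
    for name, v in scan(SAMPLE_URL_FILES).items():
        flag = "ALERT" if v.remote else "ok   "
        print(f"{flag} {name:22} {v.kind:7} {v.host:40} {'; '.join(v.reasons)}")
```

`classify_target` takes a plain string, so the same check applies to the target path recovered from a .LNK file by whatever Shell Link parser an EDR pipeline already uses; only the .URL parsing is specific to InternetShortcut files. Treat a `remote` verdict on a shortcut that arrived by email as a high-confidence alert, and treat the trycloudflare.com reason as a separate network-monitoring signal even when the shortcut itself is not recovered.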
For a detailed technical breakdown, including indicators of compromise and specific domain examples, refer to the full Cofense Intelligence report available at cofense.com.