Windows Explorer: The Secret Spy in Your Crypto Wallet

Cofense Intelligence exposes how hackers weaponize Windows File Explorer and WebDAV servers to bypass browser security and push RATs into corporate targets. Classic move, right?

Threat actors have found a neat way to infect your computer: skip the browser entirely. Cofense Intelligence dropped a report on Feb 25, 2026, describing a campaign that abuses Windows File Explorer’s ability to connect to WebDAV servers. Why use a browser when you can trick the victim’s computer into thinking it’s just opening a folder? Microsoft probably thought, “Let’s keep this old WebDAV thing in case someone needs it,” and now it’s a hacker’s playground. Most users have no idea File Explorer can reach out to internet servers at all.

WebDAV is an HTTP-based protocol from the late 90s (RFC 2518 dates to 1999). Few end users knowingly touch it anymore, but Windows still ships a client for it: the WebClient service, a.k.a. the WebDAV Mini-Redirector, which is what lets File Explorer treat a remote HTTP server as if it were a network share. Microsoft declared it deprecated in 2023, but deprecated isn’t removed. “Oh, we’ll get around to it eventually,” they said. Well, guess who’s using it now? Hackers, that’s who. “Thanks, Microsoft, for the open door.”

When Your Folder Isn’t a Folder (Spoiler: It’s a Hacker’s Playground)

Cofense Intelligence says this campaign first popped up in Feb 2024, spiked in Sept 2024, and hasn’t stopped. 87% of the campaigns delivered RATs such as XWorm, AsyncRAT, and DcRAT. It’s like a malware buffet. And 50% of the lures are in German, because nothing screams “trust me” like a suspicious invoice from Germany. The rest? English (30%), with Italian and Spanish making up the remainder. Classic European corporate targets. Who knew?

How the Attack Actually Works (Spoiler: It’s Tricky)

Victims get phishing emails disguised as invoices. Attached (or linked) is a .url or .lnk shortcut whose target isn’t a web address but a UNC-style WebDAV path, something of the form \\host@SSL@443\DavWWWRoot\..., which Windows hands to File Explorer rather than to a browser. The user sees a folder. It’s not a folder. It’s a remote HTTP server rendered as one. What makes it worse? The shortcut inside that “folder” launches a script that pulls further stages from the same WebDAV share, and the share is padded with benign-looking files so the malicious ones don’t stand out. It’s like a Trojan horse, but instead of Greeks, it’s malware. Security tooling tuned to browser downloads never sees a download: the WebClient service fetches the file over ordinary HTTP(S), and the user opens it from what looks like a local folder. Silly tools.
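Here’s what that shortcut looks like on disk and how you’d triage one. This is an added example, not code from Cofense or from the report: a small Python parser for .url attachments that pulls out the URL= target and flags the WebDAV-over-UNC markers (the @SSL / @port host suffix and the DavWWWRoot path keyword) plus a trycloudflare.com hostname and a shortcut-or-script file extension at the end of the path. The sample shortcut, its hostname and the TEST-NET address used in the usage note are constructed placeholders, not indicators from the report. Binary .lnk files are a different format and are not handled here.

```python
import configparser
import re

# Constructed .url attachment in the shape the article describes. The target uses
# the UNC-over-WebDAV syntax Windows' WebClient service understands
# (host@SSL@443 = HTTPS on port 443, DavWWWRoot = "treat this as WebDAV").
# The hostname is a placeholder, not an indicator from the Cofense report.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://invoice-portal-example.trycloudflare.com@SSL@443/DavWWWRoot/Rechnung_2026.lnk\r\n"
    "IconIndex=3\r\n"
    "IconFile=C:\\Windows\\System32\\SHELL32.dll\r\n"
)

# Host syntaxes the WebDAV mini-redirector accepts: host, host@SSL, host@8080, host@SSL@443
_UNC_HOST_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9.\-]+)(?P<ssl>@SSL)?(?:@(?P<port>\d{1,5}))?$", re.IGNORECASE
)

# Extensions that a "folder full of invoices" should never be handing you
PAYLOAD_EXTENSIONS = {"lnk", "exe", "js", "vbs", "bat", "cmd", "hta", "ps1", "msi", "scr"}


def parse_url_file(text):
    """Return the URL= target of an [InternetShortcut] file, or None if absent."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case as written; compared case-insensitively below
    cp.read_string(text.lstrip("\ufeff").replace("\r\n", "\n"))
    for section in cp.sections():
        if section.lower() != "internetshortcut":
            continue
        for key, value in cp.items(section):
            if key.lower() == "url":
                return value.strip()
    return None


def classify_target(target):
    """Describe where a shortcut target points and which WebDAV/tunnel markers it carries."""
    result = {
        "target": target, "host": None, "port": None, "ssl": False,
        "webdav_unc": False, "trycloudflare": False, "payload_ext": None,
        "verdict": "not-an-explorer-path",
    }
    t = target.strip()
    # Explorer opens file: URLs and \\UNC paths itself; http(s): targets go to a browser.
    if t.lower().startswith("file:"):
        t = t[5:]
    elif not (t.startswith("\\\\") or t.startswith("//")):
        return result
    t = t.replace("\\", "/").lstrip("/")
    host_part, _, path = t.partition("/")
    m = _UNC_HOST_RE.match(host_part)
    result["host"] = (m.group("host") if m else host_part).lower()
    result["ssl"] = bool(m and m.group("ssl"))
    result["port"] = int(m.group("port")) if m and m.group("port") else None
    last = path.rsplit("/", 1)[-1]
    result["payload_ext"] = last.rsplit(".", 1)[-1].lower() if "." in last else None
    # A plain \\server\share is ordinary SMB; @SSL, @port or DavWWWRoot mean HTTP WebDAV.
    result["webdav_unc"] = result["ssl"] or result["port"] is not None or "davwwwroot" in path.lower()
    result["trycloudflare"] = result["host"].endswith(".trycloudflare.com")
    if result["webdav_unc"] or result["trycloudflare"] or result["payload_ext"] in PAYLOAD_EXTENSIONS:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "plain-unc"
    return result


def triage(url_file_text):
    """Parse a .url attachment and classify its target in one step."""
    target = parse_url_file(url_file_text)
    if target is None:
        return {"target": None, "verdict": "no-url-key"}
    return classify_target(target)


if __name__ == "__main__":
    for key, value in triage(SAMPLE_URL_FILE).items():
        print(f"{key:13} {value}")
```

Running it on the constructed sample gives host invoice-portal-example.trycloudflare.com, port 443 over SSL, a DavWWWRoot path ending in .lnk, and the verdict suspicious. A target like \\203.0.113.10@80\DavWWWRoot\Invoice.pdf.lnk (TEST-NET address, constructed) is caught by the @80 port marker alone, while a plain \\fileserver\share\report.docx comes back as plain-unc, which is the distinction you want before paging anyone.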

Cloudflare Tunnel is the hacker’s new best friend. TryCloudflare quick tunnels (the free demo tier, no account required) hand out a random, throwaway *.trycloudflare.com hostname that forwards to whatever the attacker is running behind it, including a WebDAV server on a box that never exposes its own IP. The victim’s traffic goes to Cloudflare’s IP space under a valid Cloudflare-issued certificate, so it looks legit until it doesn’t. And when they’re done, the tunnel is torn down and the hostname is gone. It’s like leaving a fake party and then disappearing before anyone can ask questions.

Why Crypto Holders Should Panic (Or at Least Check Their Wallets)

This is where it gets messy. RATs like XWorm and AsyncRAT give the operator full remote control of the machine. Clipboard contents? Read. Browser sessions? Stolen. Crypto wallet files? Out the door. Clipboard hijacking, where the malware quietly swaps the wallet address you copied for the attacker’s before you paste it, is like a thief in your pocket swapping your cash for Monopoly money while you’re distracted. And with phishing losses over $300 million in January 2026, it’s not just a problem, it’s a full-blown crisis.

What Organizations Should Do Now (But Probably Won’t)

Cofense recommends hunting for traffic to Cloudflare Tunnel demo hostnames (*.trycloudflare.com). EDR should flag .url and .lnk files whose targets point at external servers, and the Windows WebDAV client (the WebClient service) talking to hosts outside the organisation is worth an alert on its own. If nobody in the org actually needs WebDAV, disable the WebClient service and be done with it. The real fix? User education. Most people don’t know File Explorer’s address bar accepts URLs and UNC paths to internet hosts, just like a browser. Read it like you would a suspicious URL. And maybe block outbound FTP and SMB while you’re at it, but who’s keeping track?
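The hunt described here, and the Cloudflare Tunnel angle from earlier, as an added example that is not from the report: a Python pass over proxy log lines that flags any connection to a *.trycloudflare.com hostname, any request carrying the Windows WebDAV client’s user agent (Microsoft-WebDAV-MiniRedir/...) or a WebDAV verb to a host that isn’t one of your own WebDAV servers, and, on top of that, a shortcut or script fetched that way. The log format, the client addresses, the hostnames and the allowlist are constructed for the example; the user-agent prefix and the OPTIONS/PROPFIND verbs are what the real Windows client sends.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed proxy log, one request per line: time, client, method, URL, status,
# quoted user agent. The trycloudflare hostname and the 203.0.113.0/24 address are
# placeholders, not indicators from the Cofense report.
SAMPLE_PROXY_LOG = """\
2026-02-25T09:14:02Z 10.20.30.41 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2026-02-25T09:14:07Z 10.20.30.41 OPTIONS https://invoice-portal-example.trycloudflare.com/ 200 "Microsoft-WebDAV-MiniRedir/10.0.22631"
2026-02-25T09:14:07Z 10.20.30.41 PROPFIND https://invoice-portal-example.trycloudflare.com/DavWWWRoot/ 207 "Microsoft-WebDAV-MiniRedir/10.0.22631"
2026-02-25T09:14:09Z 10.20.30.41 GET https://invoice-portal-example.trycloudflare.com/DavWWWRoot/Rechnung_2026.lnk 200 "Microsoft-WebDAV-MiniRedir/10.0.22631"
2026-02-25T09:20:11Z 10.20.30.77 PROPFIND https://files.corp.example/ 207 "Microsoft-WebDAV-MiniRedir/10.0.22631"
2026-02-25T09:21:45Z 10.20.30.90 GET http://203.0.113.10/update.bin 200 "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir/"   # what the Windows WebClient service sends
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "MOVE", "COPY"}
PAYLOAD_EXTENSIONS = {"lnk", "url", "exe", "js", "vbs", "bat", "cmd", "hta", "ps1", "msi", "scr"}


@dataclass
class Alert:
    ts: str
    client: str
    host: str
    url: str
    rules: list


def detect(log_text, internal_webdav_hosts=()):
    """Scan proxy lines; return one Alert per request that trips at least one rule."""
    internal = {h.lower() for h in internal_webdav_hosts}
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count unparsable lines rather than drop them
        parsed = urlparse(m.group("url"))
        host = (parsed.hostname or "").lower()
        last_segment = parsed.path.rsplit("/", 1)[-1]
        ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
        # The Windows WebDAV client announces itself in the user agent; the WebDAV verbs
        # give it away on proxies that normalise or strip user agents.
        is_webdav_client = m.group("ua").startswith(WEBDAV_UA_PREFIX) or m.group("method") in WEBDAV_METHODS
        rules = []
        if host.endswith(".trycloudflare.com"):
            rules.append("trycloudflare-quick-tunnel")
        if is_webdav_client and host not in internal:
            rules.append("webdav-client-external")
        if is_webdav_client and ext in PAYLOAD_EXTENSIONS:
            rules.append("executable-over-webdav")
        if rules:
            alerts.append(Alert(m.group("ts"), m.group("client"), host, m.group("url"), rules))
    return alerts


def clients_to_investigate(alerts):
    """Collapse alerts to one entry per client with the sorted union of rules it tripped."""
    summary = {}
    for a in alerts:
        summary.setdefault(a.client, set()).update(a.rules)
    return {client: sorted(rules) for client, rules in summary.items()}


if __name__ == "__main__":
    hits = detect(SAMPLE_PROXY_LOG, internal_webdav_hosts=("files.corp.example",))
    for a in hits:
        print(a.ts, a.client, a.host, ",".join(a.rules))
    print(clients_to_investigate(hits))
```

With the constructed allowlist containing files.corp.example, only the three requests from 10.20.30.41 fire: the OPTIONS and PROPFIND to the tunnel hostname trip two rules each, and the GET of Rechnung_2026.lnk trips all three. Drop the allowlist and the legitimate internal WebDAV server fires too, which is the caveat to keep in mind: this rule is only quiet if you actually know where your own WebDAV servers are.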

The full report with IOC tables and Cloudflare Tunnel examples is available at cofense.com. Go ahead, read it. It’s not like your crypto is safe until you do.

2026-03-02 01:24