WebDAV Malware Delivery: How Hackers Exploit Windows File Explorer

Phishing is no longer confined to the browser. A fast‑growing tactic—WebDAV malware delivery—leverages legacy behavior in Windows File Explorer to sidestep browser warnings, reputation filters, and some endpoint defenses. Threat actors are delivering RATs (Remote Access Trojans) by mounting remote WebDAV shares as if they were local folders, making payloads appear trustworthy and familiar to users.

In this article, you’ll learn what WebDAV malware delivery is, how the attack chain works, why it reliably bypasses traditional controls, and the best practices CISOs, SOC analysts, and security engineers can implement today. We’ll cover real‑world IOCs, map to MITRE ATT&CK, and outline actionable detections, controls, and a ready‑to‑run IR playbook.


Contents

  • What Is WebDAV Malware Delivery?
  • How the Attack Works (Step‑by‑Step)
  • Why This Bypasses Threat Detection
  • Observed Payloads, Targeting & Infrastructure
  • Common Mistakes & Misconceptions
  • Best Practices: Detection & Prevention
  • Frameworks, Standards & ATT&CK Mapping
  • Risk–Impact Analysis (Executive View)
  • Incident Response Playbook (Condensed)
  • Indicators of Compromise (IOCs)
  • FAQs
  • Conclusion
  • Additional Output

What Is WebDAV Malware Delivery?

WebDAV malware delivery is a phishing and initial‑access technique where adversaries abuse Web-based Distributed Authoring and Versioning (WebDAV)—an HTTP‑based file management protocol—to present a remote server inside Windows File Explorer as if it were a local folder. This allows malicious files to appear native and trustworthy while bypassing web browsers (and the security safeguards they enforce like safe browsing warnings, download prompts, or detonation sandboxes).

Although Microsoft deprecated native WebDAV support in File Explorer in November 2023, most Windows environments still retain the components that let File Explorer connect to remote WebDAV endpoints. This legacy behavior is precisely what attackers exploit to deliver malware outside the normal browser pipeline.

Key idea: Attackers trick users into opening a “folder” that is actually a remote WebDAV share, then coax them to run a LNK, URL shortcut, HTA, script, or executable that drops RATs and other payloads.


How the Attack Works (Step‑by‑Step)

1) Lure & Initial Contact

Attackers deliver phishing emails—often finance/invoice-themed—with links or attachments that are crafted to open Windows File Explorer directly to a WebDAV endpoint. Typical methods include:

  • Direct Linking (file:// URI):
    A link like file://example[.]com/ launches the system’s file browser (Explorer) instead of a web browser, opening a remote directory view.
  • URL Shortcut Files (.url):
    These use UNC paths to target WebDAV, e.g.:
    \\exampledomain[.]com@SSL\DavWWWRoot\
    The special DavWWWRoot keyword points Explorer to the root of a WebDAV server over HTTP/HTTPS, often transparently; the @SSL suffix on the host selects HTTPS.
  • LNK Shortcut Files (.lnk):
    .lnk shortcuts embed commands that invoke cmd.exe, powershell.exe, or mshta.exe to fetch and execute scripts or binaries from the WebDAV share—frequently silently.

Evasion quirk: Simply opening a local folder that contains a malicious .url file pointing to a UNC path can trigger background DNS lookups and a TCP SYN to the attacker’s infrastructure—signaling that a victim has viewed the directory even if they didn’t click. This gives adversaries telemetry to profile or time the payload delivery.
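As an added triage helper (not code from the original article or any vendor), the following Python parses the INI body of a .url shortcut and flags the indicators described above, the file:// scheme, a UNC target, the @SSL/DavWWWRoot WebDAV markers and a trycloudflare host, in both the URL= and IconFile= fields. The sample shortcut bodies are constructed and the hosts are placeholders.

```python
import configparser
import re
from dataclasses import dataclass, field

# Indicators from the lure techniques above: a file:// scheme, a \\host\ UNC path,
# the WebDAV redirector markers (@SSL, @<port>, DavWWWRoot) and a trycloudflare host.
FILE_SCHEME_RE = re.compile(r"^file://", re.IGNORECASE)
UNC_RE = re.compile(r"^\\\\[^\\]+\\", re.IGNORECASE)
WEBDAV_RE = re.compile(r"@SSL\\|@\d{1,5}\\|DavWWWRoot", re.IGNORECASE)
TUNNEL_RE = re.compile(r"\.trycloudflare\.com", re.IGNORECASE)
CHECKS = (("file_scheme", FILE_SCHEME_RE), ("unc_path", UNC_RE),
          ("webdav_marker", WEBDAV_RE), ("tunnel_host", TUNNEL_RE))

@dataclass
class UrlShortcutVerdict:
    target: str   # URL= value: what opens on double-click
    icon: str     # IconFile= value: resolved by the shell just to draw the icon
    reasons: list = field(default_factory=list)   # (field, indicator) pairs

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)

def analyze_url_shortcut(text: str) -> UrlShortcutVerdict:
    """Parse the INI body of a .url file and flag WebDAV/UNC/file:// indicators.
    IconFile is checked too: Explorer resolves it just to draw the icon, which is
    the signal-on-view quirk above."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    # configparser section names are case-sensitive; Windows treats .url sections as not.
    name = next((s for s in parser.sections() if s.lower() == "internetshortcut"), None)
    section = parser[name] if name else {}
    verdict = UrlShortcutVerdict(target=section.get("url", ""), icon=section.get("iconfile", ""))
    for fld, value in (("URL", verdict.target), ("IconFile", verdict.icon)):
        for indicator, pattern in CHECKS:
            if value and pattern.search(value):
                verdict.reasons.append((fld, indicator))
    return verdict

# Constructed sample shortcuts (not from a real campaign); hosts are placeholders.
LURE = """[InternetShortcut]
URL=\\\\exampledomain[.]com@SSL\\DavWWWRoot\\Invoice.pdf.lnk
IconFile=\\\\exampledomain[.]com@SSL\\DavWWWRoot\\pdf.ico
IconIndex=0
"""
BENIGN = """[InternetShortcut]
URL=https://intranet.example.internal/policies
"""
```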

2) Explorer Mounts Remote WebDAV as a Folder

If successful, Windows File Explorer shows the remote WebDAV endpoint as a normal folder. Files appear “local,” and users often continue without suspicion—especially in enterprises that legitimately use network shares, SharePoint mappings, or content management systems.

3) User Execution with Familiar Prompts

Windows may display a generic warning when executing files over remote paths, but users familiar with network shares tend to dismiss it. Attackers also use file names and icons that blend in (e.g., “Invoice_2026-02‑28.pdf.lnk” with a PDF icon), or leverage living-off-the-land binaries (LOLBins) to reduce friction.

4) Payload Delivery & Execution

Clicking the booby‑trapped item triggers a download‑and‑execute chain. Common patterns:

  • PowerShell or bitsadmin retrieves payloads from the same WebDAV host.
  • mshta.exe runs remote or embedded HTA scripts.
  • rundll32 or regsvr32 executes fetched DLLs or scripts.

5) Post‑Exploitation

Once on the endpoint, malware establishes persistence, profiles the host, and may deploy credential theft, lateral movement tooling, or beacon to C2 for RAT control.


Why This Bypasses Threat Detection

  • Browser bypass: Links launch File Explorer instead of Chrome/Edge/Firefox, sidestepping browser security (reputation, safe‑download prompts, isolation/sandbox features).
  • Familiar UX: WebDAV folders look and feel like local directories. Users are conditioned to trust network shares.
  • Legacy pathways: Despite deprecation, WebDAV access paths remain usable across many Windows builds and configurations.
  • Cloudflare Tunnels (trycloudflare.com): Adversaries front WebDAV with short‑lived Cloudflare Tunnel demo endpoints, piggybacking reputable infrastructure to evade blocklists and blend TLS/IP reputation.
  • Shortcut file abuse: .lnk and .url files are ubiquitous in Windows environments; file icons and names reduce suspicion.
  • Signal-on-view: The .url UNC quirk provides attacker telemetry even without clicks, aiding targeting and timing.

Observed Payloads, Targeting & Infrastructure

  • Primary goal: Deploy Remote Access Trojans (RATs) for hands‑on‑keyboard control.
  • Common families: XWorm RAT, AsyncRAT, DcRAT—often multiple RATs per campaign to maintain redundancy and coverage.
  • Targeting: Predominantly European enterprise environments; approx. 50% German‑language lures (finance/invoice), 30% English.
  • Hosting: Short‑lived WebDAV servers via free Cloudflare Tunnel demo accounts on *.trycloudflare[.]com. Attackers rotate infrastructure quickly to frustrate takedown and detection.

Common Mistakes & Misconceptions

  • “We blocked dangerous URLs in the browser, so we’re safe.”
    The file:// scheme and UNC/WebDAV paths bypass browsers entirely.
  • “WebDAV is deprecated; no issue.”
    Deprecation ≠ removal. Legacy access patterns remain on many systems.
  • “Users will see the warning and stop.”
    In enterprises using real network shares, users frequently ignore remote execution prompts.
  • “Cloudflare domains are safe.”
    trycloudflare[.]com is commonly abused for temporary, tunneled infrastructure that blends with legitimate traffic.
  • “EDR will always catch it.”
    If EDR doesn’t monitor Explorer‑initiated network I/O and shortcut file behaviors (LNK/URL/UNC), it may miss early stages.

Best Practices: Detection & Prevention

1) Harden URL & Shortcut Handling

  • Block/Restrict file:// scheme in email clients, chat apps, and productivity suites (via Safe Links rewrite/strip policies where applicable).
  • Attachment controls: Quarantine or warn on .url, .lnk, .hta, .wsf, .ps1 from untrusted senders. Treat double extensions as high‑risk (e.g., .pdf.lnk).
  • Untrusted shortcut execution prompts: Configure Group Policy to increase prompts (or block) execution from Internet/Untrusted zones.

2) WebDAV & UNC Path Controls

  • Disable WebDAV where not explicitly required (services, WebClient).
  • Block UNC over HTTP/HTTPS to unknown domains; allowlist only approved hosts.
  • Enforce Zone Mapping and Attachment Manager policies (Mark-of-the-Web) to label remotely sourced files.

3) Network & Tunnel Governance

  • Detect and block unauthorized tunnels (Cloudflare Tunnel, ngrok, localhost.run, etc.).
  • Create SWG/SASE policies to inspect and risk‑score traffic to *.trycloudflare.com and similar ephemeral hosting providers.
  • Apply TLS fingerprinting (JA3/ALPN) and domain age controls with cooldown windows (e.g., restrict access to new domains < 7–14 days).

4) Endpoint & EDR Telemetry

  • Alert on Explorer.exe initiating external connections (especially to new/suspicious domains and Cloudflare Tunnels).
  • Monitor child processes spawned by Explorer.exe running:
    powershell.exe, cmd.exe, mshta.exe, rundll32.exe, regsvr32.exe, bitsadmin.exe.
  • Track Shell Link (LNK) analytics: recently created/received .lnk originating from email/cache/temp paths.
  • Flag execution from UNC paths and files lacking Mark-of-the-Web where expected.

5) Email & Collaboration Security

  • Detonate attachments containing .lnk/.url in sandbox; emulate Explorer behavior (not just browser).
  • Use computer vision/OCR for image‑only lures with embedded file:// or UNC patterns in the message.
  • Rewrite & inspect links at click‑time to follow redirect chains.

6) User Awareness & Process

  • Train users to check the File Explorer address bar for unfamiliar domains/IPs, and be skeptical of network prompts for “documents.”
  • Emphasize that invoice/finance documents should never arrive as shortcuts (.lnk/.url).
  • Build a rapid reporting workflow (one‑click “Report Suspicious” add‑ins) to accelerate SOC triage.

Key takeaway: Treat Explorer + WebDAV + shortcuts as a high‑risk trio. If your controls don’t observe Explorer‑origin network activity, shortcut execution, and tunneling endpoints, you have a gap.


Frameworks, Standards & ATT&CK Mapping

MITRE ATT&CK

  • T1566 – Phishing (email lures, attachments)
  • T1204 – User Execution (LNK/URL shortcuts; HTA/scripts)
  • T1105 – Ingress Tool Transfer (WebDAV-hosted payloads)
  • T1218 – Signed Binary Proxy Execution (mshta, rundll32, regsvr32)
  • T1090 – Proxy (Cloudflare Tunnel–fronted infrastructure)
  • T1071.001/.004 – Web protocols & DNS used for C2 or delivery

NIST Cybersecurity Framework (CSF 2.0)

  • ID.RA – Risk assessment: legacy protocol exposure (WebDAV)
  • PR.AC / PR.PT – Access & Protective Technology: restrict tunnels, zone policies
  • DE.CM / DE.AE – Detection & Analytics: shortcut/LNK telemetry, Explorer network activity
  • RS.MI / RS.AN – Response & Analysis: incident playbooks for WebDAV abuse

NIST SP 800‑53 (rev. 5) – Examples

  • AC‑4 / SC‑7 – Boundary protection; prohibited tunneling
  • SI‑3 / SI‑4 – Malicious code & monitoring (sandboxing, EDR analytics)
  • CM‑7 / CM‑8 – Least functionality; inventory legacy services (WebClient/WebDAV)
  • IR‑4 – Incident handling (shortcut/phishing/WebDAV)

ISO/IEC 27001/27002

  • A.8 – Asset management (catalog legacy protocol use)
  • A.12 – Operations security (logging, monitoring)
  • A.14 – System acquisition/development (secure defaults; MoTW & zone policies)
  • A.16 – Incident management (malware & phishing)

Risk–Impact Analysis (Executive View)

  • Likelihood: High—low complexity; leverages default Windows behaviors and social engineering.
  • Impact: High—RAT deployment → credential theft, lateral movement, data exfiltration, potential ransomware.
  • Detection difficulty: Medium–High—browser bypass; ephemeral tunnels; shortcut abuse.
  • Control maturity required: Moderate–High—endpoint analytics, tunnel governance, shortcut filtering, WebDAV restrictions.

Business risk: Successful compromises can lead to BEC, data breaches (GDPR exposure for EU orgs), production downtime, and regulatory reporting.


Incident Response Playbook

1) Triage

  • Identify emails/attachments delivering .lnk/.url with file:// or UNC references.
  • Query DNS/Proxy logs for *.trycloudflare[.]com hits associated with Explorer.exe processes.
  • Hunt for Explorer.exe → powershell/cmd/mshta process trees.

2) Containment

  • Block/sinkhole IOCs (domains below).
  • Temporarily disable WebClient/WebDAV service where feasible.
  • Invalidate credentials, enforce MFA re‑registration, and revoke sessions for exposed accounts.

3) Eradication

  • Remove persistence (Run Keys, Scheduled Tasks, WMI, Startup folders).
  • Clean LNK/URL droppers from user profiles, Temp, Downloads, and network paths.
  • Patch SEG/SWG to quarantine .lnk/.url and restrict file:// schemes.

4) Recovery

  • Restore affected systems from known‑good images where necessary.
  • Increase telemetry for Explorer‑origin network traffic; deploy updated detections.
  • Communicate targeted awareness to impacted business units (AP/AR, Finance).

5) Lessons Learned

  • Decommission legacy WebDAV unless business‑critical; document exceptions.
  • Enforce tunnel governance and domain‑age‑based egress policies.
  • Add shortcut abuse checks to email and EDR policies.

Indicators of Compromise (IOCs)

Cloudflare Tunnel domains associated with campaigns:


Operational tip: Correlate Explorer.exe network flows to these domains, plus process‑tree analytics for shortcut‑spawned shells and LOLBins.


Detection Content (Examples)

Sigma (DNS/Proxy) – trycloudflare + Explorer Pattern

```yaml
title: Explorer-Origin Traffic to trycloudflare WebDAV
status: experimental
description: >
  Web proxy traffic to a *.trycloudflare.com tunnel where the client process is
  Explorer, i.e. a WebDAV share being mounted. Needs a proxy or agent that logs
  the originating process name; without it, pivot on the WebClient user agent.
logsource:
  category: proxy
detection:
  selection_domain:
    url|contains: 'trycloudflare.com'
  selection_proc:
    process_name|contains: 'explorer.exe'
  condition: selection_domain and selection_proc
fields:
  - user
  - src_ip
  - user_agent
  - process_name
  - url
falsepositives:
  - Sanctioned Cloudflare Tunnel demo endpoints used for WebDAV (should be rare)
level: high
```
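The Sigma rule above depends on a proxy that records the client process; where it does not, the WebClient service's own user agent (prefix Microsoft-WebDAV-MiniRedir/) and the WebDAV verbs it sends give an equivalent Explorer-origin signal. The scorer below is an added example (not from the original article or any vendor) run over constructed proxy records; the record layout, weights and threshold are illustrative assumptions, and the trycloudflare subdomains are placeholders.

```python
import re
from dataclasses import dataclass

# The Windows WebClient service, which Explorer uses to mount WebDAV shares, sends this
# User-Agent prefix, and WebDAV enumeration uses PROPFIND/OPTIONS before any payload GET.
WEBCLIENT_UA_PREFIX = "Microsoft-WebDAV-MiniRedir/"
WEBDAV_METHODS = {"PROPFIND", "OPTIONS", "PROPPATCH", "LOCK"}
EPHEMERAL_HOST_RE = re.compile(r"\.trycloudflare\.com$", re.IGNORECASE)
# Assumed record layout for this example: ts user src_ip method host uri status "user_agent"
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) '
                     r'(?P<host>\S+) (?P<uri>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

@dataclass
class Alert:
    ts: str
    user: str
    host: str
    score: int
    reasons: tuple

def score_line(line, threshold=4):
    """Weight independent signals (weights and threshold are illustrative) so that
    sanctioned internal WebDAV (WebClient UA alone) and plain browser visits to a
    tunnel (host alone) stay below the bar, while the lure-chain combination fires."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed record: skip rather than guess
    signals = (
        ("webclient_ua", 2, m["ua"].startswith(WEBCLIENT_UA_PREFIX)),
        ("webdav_method", 1, m["method"] in WEBDAV_METHODS),
        ("tunnel_host", 2, bool(EPHEMERAL_HOST_RE.search(m["host"]))),
        ("shortcut_fetch", 2, m["uri"].lower().endswith((".lnk", ".url", ".hta"))),
    )
    score = sum(weight for _, weight, hit in signals if hit)
    if score < threshold:
        return None
    return Alert(m["ts"], m["user"], m["host"], score, tuple(n for n, _, hit in signals if hit))

def scan_proxy_log(lines):
    """Return one Alert per record that clears the threshold, in log order."""
    return [a for a in (score_line(line) for line in lines) if a]

# Constructed proxy records (no real traffic); the tunnel subdomains are placeholders.
SAMPLE_LOG = [
    '2026-02-28T09:12:03Z jdoe 10.1.2.33 PROPFIND words-words-lure.trycloudflare.com /share/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2026-02-28T09:12:05Z jdoe 10.1.2.33 GET words-words-lure.trycloudflare.com /share/Invoice.pdf.lnk 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2026-02-28T09:15:40Z asmith 10.1.2.58 PROPFIND intranet.example.internal /sites/finance/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2026-02-28T09:16:02Z asmith 10.1.2.58 GET dev-demo.trycloudflare.com /app 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]
```

The third record (internal WebDAV) and the fourth (a browser visiting a tunnel) each carry only one signal and stay silent, which is the false-positive control a plain trycloudflare block would lack.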

Sigma (Endpoint) – Shortcut Abuse Spawning LOLBins

```yaml
title: Shortcut-Led Execution of LOLBins
status: experimental
description: >
  Explorer, the parent of anything launched by double-clicking a .lnk or .url,
  spawning script hosts and proxy-execution binaries. Noisy on its own because
  users also open cmd/powershell from Explorer; pair with command-line
  indicators (UNC paths, DavWWWRoot, trycloudflare.com) or baseline per user.
logsource:
  category: process_creation
  product: windows
detection:
  parent_is_explorer:
    ParentImage|endswith: '\explorer.exe'
  child_lolbins:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\bitsadmin.exe'
  condition: parent_is_explorer and child_lolbins
falsepositives:
  - Users starting terminals or running scripts from Explorer
level: high
```

KQL (Defender for Endpoint) – UNC/WebDAV Execution

```kql
DeviceProcessEvents
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~ ("powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe")
// has/has_any match whole terms, so the punctuation-only indicators (\\ and file://) use contains
| where ProcessCommandLine has "DavWWWRoot" or ProcessCommandLine contains "trycloudflare.com"
    or ProcessCommandLine contains @"\\" or ProcessCommandLine contains "file://"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
```


FAQs

Q1. What is WebDAV malware delivery in simple terms?
Attackers mount a remote server inside Windows File Explorer using WebDAV so it looks like a normal folder. Users then launch malicious files without browser safeguards.

Q2. If WebDAV is deprecated, why is it still a risk?
Deprecation doesn’t remove all legacy paths. Many systems still support connections via WebDAV‑style UNC paths and Explorer integrations.

Q3. Which files are most dangerous in this technique?
.lnk, .url, .hta, .ps1, .wsf—especially when sourced from UNC/WebDAV paths or containing DavWWWRoot.

Q4. How can we quickly reduce exposure this week?
Block .lnk/.url from external senders, disable WebDAV where possible, monitor Explorer.exe → LOLBins, and restrict access to *.trycloudflare.com.

Q5. What payloads are commonly dropped?
XWorm RAT, AsyncRAT, and DcRAT, often with redundant implants per host for resiliency.

Q6. Does Zero Trust help here?
Yes—continuous risk evaluation, device posture, and per‑request authorization limit what a compromised endpoint can reach or exfiltrate.


Conclusion

WebDAV malware delivery exemplifies how adversaries weaponize legacy Windows behaviors and trusted UX patterns to bypass modern browser‑centric defenses. By focusing detections on Explorer‑origin traffic, shortcut abuse, and tunnel governance, and by decommissioning WebDAV where feasible, organizations can meaningfully reduce risk.
