Security researchers at Cofense Intelligence have uncovered a stealthy and growing malware delivery campaign that bypasses traditional web browsers entirely. By exploiting a forgotten legacy feature within Windows, threat actors are turning the familiar Windows File Explorer into a silent conduit for devastating Remote Access Trojans (RATs).
The core of this attack revolves around the abuse of Web-based Distributed Authoring and Versioning (WebDAV). As the Cofense report states, “Cofense Intelligence has been tracking how threat actors are abusing Windows File Explorer’s ability to retrieve remote files over Web-based Distributed Authoring and Versioning (WebDAV), an HTTP-based file management protocol, to trick victims into downloading malware”.
WebDAV is a legacy file management protocol that operates over HTTP. While largely replaced by modern cloud storage solutions, Windows File Explorer natively supports it as a method for remotely accessing file servers. Hackers have realized that this native integration is the perfect disguise.

When a victim is tricked into opening a WebDAV link, often delivered via seemingly harmless .url or .lnk shortcut files, File Explorer opens a window that looks identical to a local folder. The danger lies in user psychology; as Cofense notes, “WebDAV links in File Explorer make it less obvious that a file is being downloaded compared to if the user were to open a file download link in a web browser”.
More alarmingly, this method evades standard perimeter defenses. Because the malicious files are fetched directly through the operating system’s file browser, this technique “bypasses web browser security controls by bypassing the browser entirely and may bypass some endpoint detection and response (EDR) security controls by using such an uncommon attack vector”.
One of the most dangerous aspects of this campaign involves a quirk in how Windows handles URL shortcut files containing Universal Naming Convention (UNC) paths.
According to the researchers, “Whenever someone is browsing through a directory that happens to have a URL shortcut file with a UNC path, the file can automatically attempt to ping out to threat actor infrastructure, potentially alerting threat actors that their payload is active on a victim”. This means a victim doesn’t even need to click the malicious file; simply opening the folder containing it is enough to trigger a DNS lookup and alert the attackers.
To host these malicious WebDAV servers, the threat actors are leaning heavily on legitimate infrastructure to mask their activities. “Demo instances for Cloudflare Tunnel hosted on trycloudflare[.]com have been abused to host WebDAV servers in multiple, often similar, campaigns,” the report explains. Because the traffic routes through trusted Cloudflare domains, it becomes incredibly difficult for security analysts to spot the malicious activity at a glance.
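As an added illustration of the two indicators described above (the URL shortcut carrying a UNC path and the trycloudflare.com hosting), here is a small Python triage function, not code from Cofense or the report, that parses an InternetShortcut (.url) file and flags entries pointing at a UNC path, the WebDAV UNC form, or a tunnel host; the sample shortcut and its placeholder hostname are constructed for the example.

```python
"""Triage helper for .url (InternetShortcut) files: flag entries that point at
UNC paths or WebDAV hosts. Added example for this article, not Cofense code."""
import re
from configparser import ConfigParser

# UNC path, including the WebDAV form \\host@SSL@443\DavWWWRoot\...
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@SSL)?(?:@\d+)?(?:\\|$)", re.IGNORECASE)
HTTP_RE = re.compile(r"^https?://([^/:]+)", re.IGNORECASE)
# Hosting named in the report; extend with your own watchlist.
TUNNEL_SUFFIXES = (".trycloudflare.com",)


def scan_url_shortcut(text):
    """Return (key, host, reason) for every remote reference worth review."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    if not cp.has_section("InternetShortcut"):
        return findings
    for key, value in cp.items("InternetShortcut"):  # keys are lowercased
        unc = UNC_RE.match(value)
        if unc:
            host = unc.group(1)
            webdav = "@ssl" in value.lower() or "davwwwroot" in value.lower()
            reason = "webdav-unc-path" if webdav else "unc-path"
        else:
            http = HTTP_RE.match(value)
            if not http or not http.group(1).lower().endswith(TUNNEL_SUFFIXES):
                continue  # ordinary web link in URL=; not the pattern of interest
            host = http.group(1)
            reason = "http-url"
        if host.lower().endswith(TUNNEL_SUFFIXES):
            reason += "+tunnel-host"
        findings.append((key, host, reason))
    return findings


# Constructed sample shortcut with a placeholder host, not taken from the report.
SAMPLE = r"""[InternetShortcut]
URL=\\placeholder-tunnel.trycloudflare.com@SSL\DavWWWRoot\invoice\
IconFile=\\placeholder-tunnel.trycloudflare.com\share\icon.ico
IconIndex=1
"""
```

Run it over .url files extracted from mail attachments or user download folders; any UNC finding deserves review because File Explorer may contact the host as soon as the containing folder is opened.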
Once a connection is established, the attackers deploy their payloads. Cofense found that a staggering “87% of all Active Threat Reports (ATR) seen with this tactic deliver multiple RATs as final malware payloads,” including notorious variants like XWorm RAT, Async RAT, and DcRAT.
The primary targets appear to be European corporate environments. The data shows that 50% of the campaigns use German-language emails disguised as financial invoices, followed by English (30%), Italian, and Spanish campaigns.