
Abusing Windows File Explorer and WebDAV for Malware Delivery

ID: 5d60a0c1-699b-528b-a566-56fab87949fc

STIX ID: report--5d60a0c1-699b-528b-a566-56fab87949fc

Feed Name: Cofense Blog

Threat Score: 72/100

Date Published: 2026-02-25

Date Updated: 2026-04-27

Author: Cofense


This Cofense Intelligence report describes active phishing campaigns that exploit Windows File Explorer's WebDAV capabilities and Cloudflare Tunnel demo instances to host and deliver remote access trojans (notably XWorm, Async RAT, and DcRAT) via .url and .lnk shortcuts, UNC paths, and script chains. It provides example Cloudflare Tunnel domains, highlights that 87% of ATRs using this tactic deliver RATs, and notes campaign language targeting (mainly German and English finance-themed lures). It also offers detection and mitigation guidance, including EDR hunting for shortcut files and monitoring trycloudflare.com demo instances.
