Tag: webdav

13 Attack Reports | 0 Vulnerabilities

Attack reports

REFUNDEE: Inside a Shadow Panel Phishing-as-a-Service Operation

An open directory discovery at refundonex[.]com exposed a complete Phishing-as-a-Service and RAT-as-a-Service platform targeting Spanish and Portuguese-speaking victims. The investigation uncovered 3,788 files including weaponized LNK, VBS, and AES-encrypted PowerShell payloads delivering a remote …
powershell
webdav
phishing-as-a-service
2026-04-13
rat-as-a-service
bulgarian-infrastructure
cryptocurrency-theft
refundee
shadow panel
shadow-panel
spanish-portuguese-targeting
Published: April 13, 2026
Downloadable IOCs: 17

Abusing Windows File Explorer and WebDAV for Malware Delivery

This analysis details how threat actors are exploiting Windows File Explorer's WebDAV functionality to deliver malware. WebDAV, a legacy protocol, is being used to trick users into downloading malicious files without going through web browsers, potentially bypassing security controls. Campaigns oft…
phishing
dcrat
webdav
lnk file
async rat
remote access trojan
malware delivery
xworm rat
cloudflare tunnel
abuse
2026-03-01
url shortcut
Published: March 1, 2026
Downloadable IOCs: 4

Danger Bulletin: Cyberattacks Against Ukraine and EU Countries Using CVE-2026-21509 Exploit

UAC-0001 (APT28) has launched cyberattacks against Ukraine and EU countries exploiting the CVE-2026-21509 vulnerability in Microsoft Office products. The threat actor created malicious DOC files targeting government bodies and EU organizations. The attack chain involves WebDAV connections, COM hija…
ukraine
webdav
com hijacking
microsoft office
covenant
CVE-2026-21509
2026-02-04
eu
filen
Published: February 4, 2026
Linked vulnerabilities : CVE-2026-21509 (CVSS 7.8)
Downloadable IOCs: 34

Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response

Threat actors exploited Cloudflare's free-tier infrastructure and Python environments to deploy AsyncRAT, demonstrating advanced evasion techniques. The attack begins with phishing emails containing Dropbox links to malicious files. It uses legitimate Python downloads and sophisticated code injecti…
phishing
social engineering
python
persistence
asyncrat
webdav
cloudflare
code injection
cloud abuse
2026-01-12
Published: January 12, 2026
Downloadable IOCs: 27

GOLD BLADE remote DLL sideloading attack deploys RedLoader

A new infection chain for GOLD BLADE's RedLoader malware has been identified, combining previously separate techniques. The attack begins with a malicious PDF link, leading to a ZIP archive containing a LNK file masquerading as a PDF. This file executes conhost.exe, which uses WebDAV to contact a C…
dll sideloading
webdav
redloader
2025-07-31
Published: July 31, 2025
Downloadable IOCs: 5

Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware

The SERPENTINE#CLOUD campaign leverages Cloudflare Tunnels and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as documents, fetching remote code from Cloudflare subdomains. The …
obfuscation
rat
phishing
asyncrat
webdav
stealth techniques
memory injection
cloudflare tunnels
shellcode loader
2025-06-20
revengerat
python-based malware
donut packer
Published: June 20, 2025
Downloadable IOCs: 147

Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage

Check Point Research (CPR) uncovered an active-weaponized Microsoft WebDAV zero‑day (CVE‑2025‑33053) exploited by the Stealth Falcon APT in a targeted campaign against defense and government organizations across the Middle East and Africa. The attack began with a spear-phishing-disguised .url file …
apt
cyberespionage
webdav
keylogger
mythic
CVE-2025-33053
2025-06-11
zeroday
Published: June 11, 2025
Downloadable IOCs: 40

Blind Eagle: ...And Justice for All

Check Point Research uncovered ongoing campaigns by Blind Eagle (APT-C-36) targeting Colombian institutions since November 2024. The group utilized malicious .url files, similar to CVE-2024-43451, to deliver HeartCrypt-packed malware and Remcos RAT. Campaigns infected over 1,600 victims in a single…
phishing
remcos
government
purecrypter
webdav
remcos rat
CVE-2024-43451
heartcrypt
2025-04-10
apt-c-36
colombia
Published: April 10, 2025
Downloadable IOCs: 0

Strela Stealer Targets Europe Stealthily Via WebDav

Strela Stealer, first identified by DCSO in late 2022, is a type of information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users thr…
phishing
powershell
infostealer
dll file
webdav
2024-10-30
javascript code
zip file
webdav server
strela
Published: October 30, 2024
Downloadable IOCs: 103

Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware

A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
obfuscation
xworm
phishing
python
powershell
asyncrat
webdav
2024-10-04
shellcode injection
trycloudflare
Published: October 4, 2024
Downloadable IOCs: 15

WebDAV-as-a-Service: Uncovering the infrastructure behind Emmenhtal loader distribution - Sekoia.io Blog

The Emmenhtal loader, also known as PeakLight, operates in a memory-only manner, making it difficult to detect and analyse. It is primarily used to distribute other malicious payloads, including well-known infostealers that target sensitive information.
darkgate
dcrat
webdav
2024-09-19
marko polo
zgrat
google cloud
clearfake
emmenhtal
peaklight
selfau3
Published: September 19, 2024
Downloadable IOCs: 120

Threat Actor Abuses Cloudflare Tunnels to Deliver RATs

Proofpoint is tracking a cluster of cybercriminal threat activity leveraging Cloudflare Tunnels to deliver malware, particularly remote access trojans (RATs) like Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos. The campaigns employ various techniques, such as using URL files to establish connectio…
xworm
remcos
asyncrat
venomrat
guloader
rats
webdav
cloudflare
2024-08-01
Published: August 1, 2024
Downloadable IOCs: 13

Howling at the Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks

Morphisec Labs has been monitoring increased activity associated with Sticky Werewolf, a suspected geopolitical or hacktivist group. While their origin remains unclear, recent techniques suggest espionage and data exfiltration intent. Sticky Werewolf has targeted the aviation industry, employing ph…
phishing
rhadamanthys stealer
2024-06-07
netwire
rats
webdav
metastealer
ozone rat
lnks
aviation
darktrack
Published: June 7, 2024
Downloadable IOCs: 14
Click here to see more Attack Reports