A novel and highly evasive malware campaign is exploiting a fundamental component of the Windows operating system to directly compromise corporate machines and steal cryptocurrency assets. Cybersecurity firm Cofense Intelligence published its critical findings on February 25, 2026, detailing how threat actors are abusing Windows File Explorer and WebDAV servers to bypass all browser-based security measures. This technique represents a significant escalation in attack methodology, allowing the direct deployment of Remote Access Trojans (RATs) without any user interaction with a malicious website or email link. The campaign, which security analysts first observed in late 2025, poses a direct and urgent threat to organizations managing digital assets, cold wallets, and transaction platforms.
Cofense Intelligence Exposes the Windows Explorer RAT Vector
Cofense’s threat research team, led by Principal Analyst Dr. Elena Vance, identified the active campaign during routine monitoring of phishing infrastructure. The attackers craft emails containing seemingly legitimate document shortcuts. However, these shortcuts do not point to local files or typical web links. Instead, they reference paths on maliciously configured WebDAV (Web Distributed Authoring and Versioning) servers. When a user in a corporate environment clicks the shortcut, Windows File Explorer attempts to open the location. Crucially, Explorer treats the WebDAV path as a network location, initiating a connection outside the sandboxed environment of a web browser.
This process completely bypasses browser security protocols, network proxies, and email link scanners that focus on HTTP/HTTPS traffic. “The browser is the most hardened part of the modern corporate stack,” Dr. Vance explained in the report. “Attackers have now shifted their focus to the operating system’s own trusted components. Windows Explorer is not designed to scrutinize WebDAV content with the same rigor as a browser scrutinizes a webpage.” Once the connection is established, the malicious server can push executable payloads directly to the target machine, often disguised as document updates or system files.
Direct Impact on Cryptocurrency Security and Corporate Networks
The primary payloads delivered via this vector are sophisticated Remote Access Trojans (RATs) like QuasarRAT and NanoCore, which are then used to deploy secondary tools. The ultimate goal is financial theft, specifically targeting cryptocurrency wallets and exchange credentials. The impact is twofold: it compromises individual machines and establishes a persistent foothold within the corporate network to hunt for high-value crypto assets.
- Direct Wallet Theft: RATs provide attackers with live screen access and keylogging capabilities, allowing them to capture passwords, seed phrases, and private keys for hot wallets on infected workstations.
- Network Propagation for Cold Storage Targeting: Once inside, attackers use the initial machine to move laterally across the network. They specifically target air-gapped systems or hardware security modules (HSMs) used to manage cold wallets, employing specialized tools to exfiltrate credentials.
- Transaction Manipulation: In observed cases, the malware manipulates clipboard data. When a user copies a cryptocurrency wallet address to send funds, the malware silently replaces it with an attacker-controlled address, diverting transactions.
Expert Analysis and Recommended Mitigations
The Cybersecurity and Infrastructure Security Agency (CISA) has been briefed on the campaign and is expected to issue a formal advisory. Independent security expert Marcus Thorne, founder of Sentinel Labs, emphasized the severity of the bypass. “This isn’t a zero-day exploit in the classic sense,” Thorne noted. “It’s a clever abuse of a legitimate feature—WebDAV integration—that most enterprises have enabled by default. It turns a productivity tool into a critical vulnerability.” Cofense’s report provides specific, actionable mitigation steps. Organizations should immediately review and restrict WebDAV client policies via Group Policy, blocking connections to unknown external servers. Additionally, application allowlisting should be enforced to prevent the execution of unauthorized payloads, even if delivered through this vector.
Evolution of Malware Delivery: A Comparative Timeline
This Windows Explorer method represents the latest step in a continuous arms race between attackers and defenders. For years, the primary delivery vector was malicious email attachments. As defenses improved, attackers shifted to hosting malware on compromised websites. The rise of secure email gateways and advanced browser sandboxing then pushed them toward more sophisticated social engineering and fileless techniques. The abuse of WebDAV through Windows Explorer is a logical, yet dangerous, next step that leverages inherent trust in OS components.
| Delivery Era | Primary Vector | Defensive Focus |
|---|---|---|
| 2015-2018 | Malicious Email Attachments (.exe, .docm) | Antivirus, Attachment Filtering |
| 2019-2022 | Phishing Links to Compromised Sites | Secure Web Gateways, Browser Isolation |
| 2023-2025 | Fileless Malware & Living-off-the-Land (LotL) | Endpoint Detection & Response (EDR), Behavior Analysis |
| 2026 (Current) | WebDAV Abuse via Windows Explorer | Network Protocol Restriction, Application Control |
What Organizations and Crypto Holders Must Do Next
The immediate priority for any organization, especially those in finance or holding crypto, is to implement the technical controls outlined by Cofense. Security teams should conduct threat hunts for anomalous WebDAV connections in their logs, particularly to unfamiliar IP addresses. Furthermore, this campaign highlights a critical need for separation of duties. Machines used to access or manage cryptocurrency wallets should have the most restrictive policies, with WebDAV and other non-essential network protocols completely disabled. For individual crypto holders, the lesson reinforces the absolute necessity of using dedicated, offline hardware wallets for significant holdings, never managing private keys on a general-purpose corporate machine.
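As an added illustration of the threat-hunting step above (example code written for this page, not from the Cofense report), the following Python script scans proxy log lines for WebDAV traffic to servers outside an approved list; the log layout, sample lines, server names and addresses are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# WebDAV-specific HTTP methods (RFC 4918); ordinary web browsing never issues these.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# User-Agent prefix of the Windows WebDAV Mini-Redirector, the client File Explorer uses.
DAV_AGENT_PREFIX = "Microsoft-WebDAV-MiniRedir"

# Constructed sample proxy log (not from the report). Hypothetical layout:
# "<timestamp> <client_ip> <method> <url> <user_agent>"
SAMPLE_LOG = """\
2026-02-20T09:14:02Z 10.1.5.23 PROPFIND http://203.0.113.45/share/ Microsoft-WebDAV-MiniRedir/10.0.19041
2026-02-20T09:14:05Z 10.1.5.23 GET http://203.0.113.45/share/Q4_Report.docx Microsoft-WebDAV-MiniRedir/10.0.19041
2026-02-20T09:15:11Z 10.1.5.40 PROPFIND http://dav.corp.example/docs/ Microsoft-WebDAV-MiniRedir/10.0.19041
2026-02-20T09:15:40Z 10.1.5.42 PROPFIND http://10.2.0.9/team/ Microsoft-WebDAV-MiniRedir/10.0.19041
2026-02-20T09:16:30Z 10.1.5.41 GET https://www.example.com/ Mozilla/5.0
"""

def is_trusted(host, allowed_hosts, allowed_networks):
    # Approved by name, or an IP address inside an approved internal network.
    if host in allowed_hosts:
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # a DNS name that is not on the allowlist
    return any(addr in net for net in allowed_networks)

def hunt_webdav(log_text, allowed_hosts=(), allowed_networks=()):
    """Return (client_ip, server_host, reason) for WebDAV traffic to non-approved servers."""
    nets = [ip_network(n) for n in allowed_networks]
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue  # line does not match the expected layout
        _ts, client, method, url, agent = parts
        reasons = []
        if method.upper() in DAV_METHODS:
            reasons.append(f"WebDAV method {method}")
        if agent.startswith(DAV_AGENT_PREFIX):
            reasons.append("Windows WebDAV client user-agent")
        if not reasons:
            continue  # ordinary browser traffic
        host = urlsplit(url).hostname or ""
        if is_trusted(host, set(allowed_hosts), nets):
            continue  # approved internal share, not a hunting lead
        findings.append((client, host, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for hit in hunt_webdav(SAMPLE_LOG, {"dav.corp.example"}, ["10.0.0.0/8"]):
        print(hit)
```

Each hit names the workstation and the external server so the team can pivot to that host's process and email history; the allowlist should hold only the organization's sanctioned WebDAV shares.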
Industry and Regulatory Response
The financial and cybersecurity industries are reacting swiftly. Several major cryptocurrency exchanges have begun notifying institutional clients about the threat, recommending enhanced verification procedures for withdrawal requests. Meanwhile, cybersecurity insurance providers are likely to update their policy questionnaires to include specific queries about WebDAV protocol management and application allowlisting controls, potentially affecting premiums for firms that lack these defenses.
Conclusion
The Windows Explorer RAT malware campaign uncovered by Cofense Intelligence marks a dangerous pivot in cybercriminal tactics, directly threatening the security of corporate crypto assets. By exploiting the trusted relationship between Windows and WebDAV servers, attackers have found a gap in modern defenses that needs nothing more from the victim than opening a seemingly harmless file shortcut. The key takeaways are clear: organizations must look beyond browser and email security to harden core OS functionalities, and the protection of cryptocurrency requires rigorous network segmentation and hardware-based cold storage. As this campaign develops, security professionals will be watching for Microsoft’s potential response and for copycat threat actors adapting this effective technique.
Frequently Asked Questions
Q1: How does the Windows Explorer malware attack actually work?
The attack uses a shortcut file in an email that points to a malicious WebDAV server. Clicking it opens the location in Windows File Explorer, not a browser. This bypasses web security, and the server can then push a Remote Access Trojan (RAT) directly to the PC.
Q2: Why is this attack particularly dangerous for cryptocurrency holders?
The deployed RATs give attackers full control of the infected machine. They can steal passwords and private keys from software wallets, manipulate cryptocurrency transactions by changing copied addresses, and spread across a network to target more secure cold storage systems.
Q3: What is the timeline for this threat, and is it active now?
Cofense Intelligence published its findings on February 25, 2026, based on an active campaign they observed throughout late 2025 and early 2026. The threat is considered current and ongoing.
Q4: As a regular computer user, how can I protect myself from this threat?
Be extremely cautious with email file shortcuts, especially from unknown senders. Ensure your operating system and antivirus are updated. For cryptocurrency, never store private keys or access wallets from a machine used for general email and web browsing.
Q5: How does this attack method compare to traditional phishing?
Traditional phishing relies on tricking you into entering credentials on a fake website or running a file from your browser. This method bypasses the browser entirely by using a core Windows component (File Explorer) to initiate the malicious connection, making it harder for many security tools to detect.
Q6: What should a corporate IT department do immediately to mitigate this risk?
IT should use Group Policy to restrict or block external WebDAV connections from client machines. They should also implement application allowlisting to prevent unauthorized programs from running and conduct a review of network logs for suspicious WebDAV activity.
