
WebDAV Malicious File Hosting Powering Stealthy Malware Attacks



A new method of attack has emerged that leverages WebDAV technology to host malicious files. This approach, which facilitates the distribution of the Emmenhtal loader—also known as PeakLight—has been under scrutiny since December 2023.

The loader is notorious for its stealthy, memory-only execution and its role in distributing various infostealers worldwide.

This article delves into the use of WebDAV for malicious purposes, the range of malware distributed through this infrastructure, and the potential for this setup to be part of a broader “Infrastructure-as-a-Service” (IaaS) offering to cybercriminals.

The Role of WebDAV in Malicious File Hosting

WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that allows users to manage files on web servers.

While it has legitimate applications in collaborative environments, cybercriminals have increasingly exploited it for malicious activities.

The Sekoia TDR team identified over 100 malicious WebDAV servers involved ...


Copyright of this story solely belongs to gbhackers.