An APT hacking group often known asĀ ‘Stealth Falcon’ exploited a Home windows WebDav RCE vulnerability in zero-day assaults since March 2025 in opposition to protection and authorities organizations in Turkey, Qatar, Egypt, and Yemen.
Stealth Falcon (aka ‘FruityArmor’) is a complicated persistent risk (APT) group recognized for conducting cyberespionage assaults in opposition to Center East organizations.
The flaw, tracked below CVE-2025-33053, is a distant code execution (RCE) vulnerability that arises from the improper dealing with of the working listing by sure respectable system executables.
Particularly, when a .url file units its WorkingDirectory to a distant WebDAV path, a built-in Home windows instrument may be tricked into executing a malicious executable from that distant location as a substitute of the respectable one.
This permits attackers to pressure units to execute arbitrary code remotely from WebDAV servers below their management with out dropping malicious information domestically, making their operations stealthy and evasive.
The vulnerability was found by Verify Level Analysis, with Microsoft fixing the flawĀ within the newest Patch Tuesday replace, launched yesterday.
In line with Verify Level, theĀ tried assaults assaults could not have been profitable, although the vulnerability is legitimate and confirmed to be exploited nonetheless.
“In March 2025, Verify Level Analysis recognized an tried cyberattack in opposition to a protection firm in Turkey,” mentions the Verify Level report.
“The risk actors used a beforehand undisclosed method to execute information hosted on a WebDAV server they managed, by manipulating the working listing of a respectable built-in Home windows instrument.”
The tried assaults used a misleading URL file disguised as a PDF, despatched to targets by way of phishing electronic mail.
Verify Level retrieved the file and subsequent payloads hosted on the attacker’s server to research the tried assault.
The exploit begins with a .url file, proven under,Ā whose URL parameter factors to iediagcmd.exe,Ā a respectable Web Explorer diagnostics instrument. When executed, this instrument launches varied community diagnostic instructions, equivalent to route, ipconfig, and netsh, to assist troubleshoot networking points.
Nevertheless, the flaw is exploitable because of how Home windows locates and runs these command-line diagnostic instruments.
Supply: Verify Level
When iediagcmd.exeĀ is executed, the Home windows diagnostic packagesĀ are launched utilizing the .NET Course of.Begin() operate. This operate first seems to be within the utility’s present working listing for this system earlier than looking out the Home windows system folders, like System32.
On this assault, the malicious .url exploit units the working listing to the attacker’s WebDAV server,Ā inflicting the iediagcmd.exe instrument to run the instructions instantly from the distant WebDav share.
This causes iediagcmd.exe to run the attacker’s faux route.exe program from the distant server, which installs a customized multi-stage loader referred to as ‘Horus Loader.’
The loader then drops the first payload, ‘Horus Agent,’ a customized C++ Mythic C2 implant that helps command execution for system fingerprinting, config modifications, shellcode injection, and file operations.
Supply: Verify Level
Verify Level additionally discovered a number of post-exploitation instruments, together with a credential file dumper, a keylogger, and a passive backdoor consisting of a tiny C service listening for encrypted shellcode payloads over the community.
Supply: Verify Level
Verify Level underlines the evolution of Stealth Falcon, a risk actor energetic since no less than 2012, centered on espionage.
Beforehand, the risk actors used custom-made Apollo brokers, whereas their newest Horus instruments are extra superior, evasive, and modular, offering operational stealth and adaptability.
Given the energetic exploitation of CVE-2025-33053 in espionage operations, vital organizations are beneficial to use the newest Home windows updates as quickly as potential.
If upgrading is unimaginable, it is suggested to dam or carefully monitor WebDAV site visitors for suspicious outbound connections to unknown endpoints.
Patching used to imply advanced scripts, lengthy hours, and limitless hearth drills. Not anymore.
On this new information, Tines breaks down how trendy IT orgs are leveling up with automation. Patch sooner, cut back overhead, and give attention to strategic work — no advanced scripts required.
