HomeVulnerabilityHackers exploited Home windows WebDav zero-day to drop malware

Hackers exploited Home windows WebDav zero-day to drop malware

An APT hacking group generally known as ‘Stealth Falcon’ exploited a Home windows WebDav RCE vulnerability in zero-day assaults since March 2025 towards protection and authorities organizations in Turkey, Qatar, Egypt, and Yemen.

Stealth Falcon (aka ‘FruityArmor’) is a complicated persistent risk (APT) group identified for conducting cyberespionage assaults towards Center East organizations.

The flaw, tracked underneath CVE-2025-33053, is a distant code execution (RCE) vulnerability that arises from the improper dealing with of the working listing by sure legit system executables.

Particularly, when a .url file units its WorkingDirectory to a distant WebDAV path, a built-in Home windows device will be tricked into executing a malicious executable from that distant location as an alternative of the legit one.

This permits attackers to drive gadgets to execute arbitrary code remotely from WebDAV servers underneath their management with out dropping malicious recordsdata regionally, making their operations stealthy and evasive.

The vulnerability was found by Verify Level Analysis, with Microsoft fixing the flaw within the newest Patch Tuesday replace, launched yesterday.

See also  4 Essential Vulnerabilities Expose HPE Aruba Gadgets to RCE Attacks

In keeping with Verify Level, the tried assaults assaults might not have been profitable, although the vulnerability is legitimate and confirmed to be exploited nonetheless.

“In March 2025, Verify Level Analysis recognized an tried cyberattack towards a protection firm in Turkey,” mentions the Verify Level report.

“The risk actors used a beforehand undisclosed method to execute recordsdata hosted on a WebDAV server they managed, by manipulating the working listing of a legit built-in Home windows device.”

The tried assaults used a misleading URL file disguised as a PDF, despatched to targets by way of phishing e mail.

Verify Level retrieved the file and subsequent payloads hosted on the attacker’s server to research the tried assault.

The exploit begins with a .url file, proven beneath, whose URL parameter factors to iediagcmd.exe, a legit Web Explorer diagnostics device. When executed, this device launches numerous community diagnostic instructions, reminiscent of route, ipconfig, and netsh, to assist troubleshoot networking points.

Nevertheless, the flaw is exploitable attributable to how Home windows locates and runs these command-line diagnostic instruments.

URL file used to exploit CVE-2025-33053
URL file used to take advantage of CVE-2025-33053
Supply: Verify Level

When iediagcmd.exe is executed, the Home windows diagnostic packages are launched utilizing the .NET Course of.Begin() perform. This perform first appears within the software’s present working listing for this system earlier than looking out the Home windows system folders, like System32.

See also  U.S. Sanctions Chinese language Cybersecurity Agency for State-Backed Hacking Campaigns

On this assault, the malicious .url exploit units the working listing to the attacker’s WebDAV server, inflicting the iediagcmd.exe device to run the instructions immediately from the distant WebDav share.

This causes iediagcmd.exe to run the attacker’s pretend route.exe program from the distant server, which installs a customized multi-stage loader referred to as ‘Horus Loader.’

The loader then drops the first payload, ‘Horus Agent,’ a customized C++ Mythic C2 implant that helps command execution for system fingerprinting, config modifications, shellcode injection, and file operations.

Commands supported by Horus Agent
Instructions supported by Horus Agent
Supply: Verify Level

Verify Level additionally discovered a number of post-exploitation instruments, together with a credential file dumper, a keylogger, and a passive backdoor consisting of a tiny C service listening for encrypted shellcode payloads over the community.

Stealth Falcon's infection chain
Stealth Falcon’s an infection chain
Supply: Verify Level

Verify Level underlines the evolution of Stealth Falcon, a risk actor energetic since a minimum of 2012, centered on espionage.

Beforehand, the risk actors used personalized Apollo brokers, whereas their newest Horus instruments are extra superior, evasive, and modular, offering operational stealth and suppleness.

See also  12 most progressive launches at RSA 2025

Given the energetic exploitation of CVE-2025-33053 in espionage operations, crucial organizations are really useful to use the newest Home windows updates as quickly as doable.

If upgrading is inconceivable, it’s endorsed to dam or carefully monitor WebDAV site visitors for suspicious outbound connections to unknown endpoints.

Tines Needle

Patching used to imply advanced scripts, lengthy hours, and limitless hearth drills. Not anymore.

On this new information, Tines breaks down how fashionable IT orgs are leveling up with automation. Patch sooner, cut back overhead, and deal with strategic work — no advanced scripts required.

- Advertisment -spot_img
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -

Most Popular