An APT hacking group generally known as ‘Stealth Falcon’ exploited a Home windows WebDav RCE vulnerability in zero-day assaults since March 2025 towards protection and authorities organizations in Turkey, Qatar, Egypt, and Yemen.
Stealth Falcon (aka ‘FruityArmor’) is a complicated persistent risk (APT) group identified for conducting cyberespionage assaults towards Center East organizations.
The flaw, tracked underneath CVE-2025-33053, is a distant code execution (RCE) vulnerability that arises from the improper dealing with of the working listing by sure legit system executables.
Particularly, when a .url file units its WorkingDirectory to a distant WebDAV path, a built-in Home windows device will be tricked into executing a malicious executable from that distant location as an alternative of the legit one.
This permits attackers to drive gadgets to execute arbitrary code remotely from WebDAV servers underneath their management with out dropping malicious recordsdata regionally, making their operations stealthy and evasive.
The vulnerability was found by Verify Level Analysis, with Microsoft fixing the flaw within the newest Patch Tuesday replace, launched yesterday.
In keeping with Verify Level, the tried assaults assaults might not have been profitable, although the vulnerability is legitimate and confirmed to be exploited nonetheless.
“In March 2025, Verify Level Analysis recognized an tried cyberattack towards a protection firm in Turkey,” mentions the Verify Level report.
“The risk actors used a beforehand undisclosed method to execute recordsdata hosted on a WebDAV server they managed, by manipulating the working listing of a legit built-in Home windows device.”
The tried assaults used a misleading URL file disguised as a PDF, despatched to targets by way of phishing e mail.
Verify Level retrieved the file and subsequent payloads hosted on the attacker’s server to research the tried assault.
The exploit begins with a .url file, proven beneath, whose URL parameter factors to iediagcmd.exe
, a legit Web Explorer diagnostics device. When executed, this device launches numerous community diagnostic instructions, reminiscent of route, ipconfig, and netsh, to assist troubleshoot networking points.
Nevertheless, the flaw is exploitable attributable to how Home windows locates and runs these command-line diagnostic instruments.

Supply: Verify Level
When iediagcmd.exe is executed, the Home windows diagnostic packages are launched utilizing the .NET Course of.Begin() perform. This perform first appears within the software’s present working listing for this system earlier than looking out the Home windows system folders, like System32.
On this assault, the malicious .url exploit units the working listing to the attacker’s WebDAV server, inflicting the iediagcmd.exe device to run the instructions immediately from the distant WebDav share.
This causes iediagcmd.exe to run the attacker’s pretend route.exe program from the distant server, which installs a customized multi-stage loader referred to as ‘Horus Loader.’
The loader then drops the first payload, ‘Horus Agent,’ a customized C++ Mythic C2 implant that helps command execution for system fingerprinting, config modifications, shellcode injection, and file operations.

Supply: Verify Level
Verify Level additionally discovered a number of post-exploitation instruments, together with a credential file dumper, a keylogger, and a passive backdoor consisting of a tiny C service listening for encrypted shellcode payloads over the community.

Supply: Verify Level
Verify Level underlines the evolution of Stealth Falcon, a risk actor energetic since a minimum of 2012, centered on espionage.
Beforehand, the risk actors used personalized Apollo brokers, whereas their newest Horus instruments are extra superior, evasive, and modular, offering operational stealth and suppleness.
Given the energetic exploitation of CVE-2025-33053 in espionage operations, crucial organizations are really useful to use the newest Home windows updates as quickly as doable.
If upgrading is inconceivable, it’s endorsed to dam or carefully monitor WebDAV site visitors for suspicious outbound connections to unknown endpoints.
Patching used to imply advanced scripts, lengthy hours, and limitless hearth drills. Not anymore.
On this new information, Tines breaks down how fashionable IT orgs are leveling up with automation. Patch sooner, cut back overhead, and deal with strategic work — no advanced scripts required.