
CVE-2025-33053 & Stealth Falcon’s Espionage Campaign: Everything You Need to Know

A critical zero-day vulnerability, CVE-2025-33053, has recently been exploited in the wild by the APT group known as Stealth Falcon (also identified as “FruityArmor”). This attack targets a flaw in Windows’ WebDAV implementation and employs sophisticated payloads—including a custom implant dubbed Horus Agent. Here’s a full breakdown and advice on how to safeguard your systems.

🕵️ Who is Stealth Falcon?
Stealth Falcon is an Advanced Persistent Threat (APT) group active since at least 2012, known for targeting government and defense organizations, primarily in the Middle East and Africa.

Also referred to as “FruityArmor,” the group is believed to be backed by the UAE.

Vulnerability Overview: CVE-2025-33053
Type: Remote Code Execution (RCE) in Windows’ WebDAV client, triggered by manipulating the working directory a legitimate tool uses when it resolves the executables it launches.

CVSS Score: 8.8 (High severity).

Attack Vector: A phishing-delivered .url shortcut causes a legitimate Windows tool (e.g., iediagcmd.exe) to run malicious executables hosted on attacker-controlled WebDAV servers.

Microsoft released a patch for this flaw on June 10, 2025, extending updates even to legacy systems such as Windows 8 and Server 2012.

Attack Kill Chain
Phishing delivery: A .url file disguised as a PDF (e.g., TLM.005_…pdf.url) tricks recipients into opening a malicious link.

Remote executable hijack: Because Windows resolves the executable relative to the working directory set by the shortcut, iediagcmd.exe launches a malicious route.exe hosted on the attacker’s WebDAV server instead of the legitimate one.

Loader deployment: route.exe, the Horus Loader, uses code virtualization to evade detection, displays decoy documents, and drops the payload.

Implant installation: The final payload, Horus Agent, is a custom C++ implant built on the Mythic C2 framework; it provides system fingerprinting, shellcode injection, backdoor communication, keylogging, and credential theft.

Who’s at Risk?
High-value targets: Defense and government entities in the Middle East (e.g., Turkey, Qatar, Egypt, Yemen).

Broader threat: Now that the patch is public, other cybercriminals, including ransomware actors, may begin exploiting the vulnerability more widely.

🛡️ How to Protect Yourself
1. Patch Immediately
Apply Microsoft’s June 10, 2025 update for CVE-2025-33053, which is available even for legacy Windows versions (darkreading.com).

2. Limit .url/.lnk Exposure
Block execution of .url, .lnk, and .cpl files from email and download folders using Group Policy, AppLocker, or WDAC (ampcuscyber.com).

Train users to recognize suspicious shortcuts disguised as attachments.

3. Restrict WebDAV Access
Monitor or block connections to unknown WebDAV servers on port 443.

Detect when trusted Windows tools are launched from, or spawn children from, non-standard working directories such as remote WebDAV shares (kaspersky.com).

4. Deploy Defense-in-Depth
Use threat emulation, intrusion prevention systems, and endpoint protection (e.g., Check Point Harmony, PTR IPS) (research.checkpoint.com).

Monitor logs for unusual service installations (Event ID 7045), creation of PDF or VHD files, and .url files launching legitimate processes. Indicators include filenames such as TLM.005_*.pdf, %TEMP%\…vhdx, and ds_notifier.

5. Incident Response & Visibility
Watch for route.exe executables appearing in unexpected locations (the legitimate copy lives in System32), unusual file drops, and anomalous behavior from Edge/IE diagnostic tools.

Keep threat intelligence feeds up to date with the IOCs, such as URL hashes, published by Check Point.
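The two detection ideas above (a trusted tool working out of a remote directory, and a route.exe that does not live in System32) can be expressed as a small rule set over process-creation telemetry. The following is an added example written for this post, not code from the original or from any vendor; the events are constructed Sysmon Event ID 1 style records (the 203.0.113.10 host is a TEST-NET address), and iediagcmd.exe / route.exe are the names the post itself describes.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 1 (process creation) style records; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: the real route.exe started from a normal shell
        "Image": r"C:\Windows\System32\ROUTE.EXE",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CurrentDirectory": "C:\\Users\\alice\\",
    },
    {   # suspicious: diagnostic tool resolves route.exe from a WebDAV share (constructed host)
        "Image": r"\\203.0.113.10@SSL\DavWWWRoot\route.exe",
        "ParentImage": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
        "CurrentDirectory": "\\\\203.0.113.10@SSL\\DavWWWRoot\\",
    },
    {   # suspicious: lookalike route.exe staged locally, no WebDAV involved
        "Image": r"C:\Users\alice\Downloads\route.exe",
        "ParentImage": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
        "CurrentDirectory": "C:\\Users\\alice\\Downloads\\",
    },
]

UNC_PATH = re.compile(r"^\\\\[^\\]+\\")            # \\host\share\... (covers the WebDAV host@SSL form)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
SYSTEM_BINARIES = {"route.exe"}                     # names that should only ever run from System32
TRUSTED_LAUNCHERS = {"iediagcmd.exe"}               # trusted tools abused as launchers in this campaign

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event is suspicious (empty list if none)."""
    image, parent, cwd = event["Image"], event["ParentImage"], event["CurrentDirectory"]
    findings: List[str] = []
    if UNC_PATH.match(image):
        findings.append("executable loaded from a UNC/WebDAV path")
    if basename(image) in SYSTEM_BINARIES and not SYSTEM32.match(image):
        findings.append(f"{basename(image)} running outside System32")
    if basename(parent) in TRUSTED_LAUNCHERS and UNC_PATH.match(cwd):
        findings.append(f"{basename(parent)} started a child with a remote working directory")
    return findings

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index every event that produced at least one finding."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['Image']} -> {'; '.join(reasons)}")
```

The third sample shows why the System32 rule is worth keeping separately: a lookalike route.exe dropped locally never touches a UNC path, so the WebDAV rule alone would miss it.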

Summary
CVE-2025-33053, exploited by Stealth Falcon, is a potent zero-day involving deceptive shortcut files and a sophisticated implant deployment pipeline culminating in the stealthy Horus Agent. If you haven’t already, patch now, enforce strict execution controls, and monitor your network for signs of exploitation.

Need help with implementation or want a deeper technical breakdown? Just reach out or leave a comment!

How it works: