Stealth Falcon Exploits Windows WebDAV CVE-2025-33053 for Advanced Cyber Espionage

The cybersecurity landscape has once again been upended by the recent discovery and exploitation of a critical remote code execution (RCE) vulnerability found in Microsoft Windows’ implementation of WebDAV. This zero-day, tracked as CVE-2025-33053, has been actively leveraged by the notorious ‘Stealth Falcon’ advanced persistent threat (APT) group against defense and government targets in several Middle Eastern nations. Security incidents like these reaffirm the ongoing, high-stakes cat-and-mouse game between malicious actors and global technology vendors, challenging organizations to remain vigilant and proactive in securing their environments.

The Anatomy of a Stealthy Exploit​

Stealth Falcon, also known as ‘FruityArmor,’ has a well-documented history of sophisticated cyberespionage campaigns dating back to at least 2012, primarily targeting political, military, and government organizations across the Middle East. Their latest attacks—first detected in March 2025—center on a cleverly crafted zero-day vulnerability in Windows’ handling of WebDAV-initiated processes. Unlike typical file-based malware, this exploit leverages trusted system tools and remote file execution, enabling the threat actor to operate with extraordinary stealth.

Understanding CVE-2025-33053​

The vulnerability at the heart of the operation is both insidious and elegant. Windows’ WebDAV (Web Distributed Authoring and Versioning) protocol facilitates remote file operations—a feature often leveraged by both legitimate applications and attackers. CVE-2025-33053 specifically arises from Windows’ improper handling of executable file lookups when a .url file (commonly used to create desktop shortcuts) is configured with a remote working directory pointing to a WebDAV share.
By manipulating this parameter, threat actors can trick legitimate system executables like iediagcmd.exe (an Internet Explorer diagnostics tool) into running malicious binaries hosted remotely, instead of their trusted local counterparts. This is due to the behavior of the .NET Process.Start() function, which searches the working directory for the requested executable before checking system folders such as System32. As a result, an attacker can supply a path to their own weaponized binary—disguised under the same name as a trusted tool—hosted on their WebDAV server. Crucially, this entire process occurs without first downloading or storing the malware locally, making traditional endpoint detection techniques far less effective.

Attack Chain in Focus​

The documented attack chain observed by Check Point Research, who first reported this vulnerability, unfolds as follows:

• A phishing email delivers a .url file, camouflaged to appear as a legitimate PDF document, to the intended victim.
• When the user clicks this file, it launches iediagcmd.exe with its working directory set to the attacker's malicious WebDAV share.
• Rather than executing the legitimate network diagnostic helper tools (such as route.exe), the system unwittingly executes a counterfeit version, placed by the attacker on the WebDAV share.
• This rogue executable is a multi-stage loader dubbed ‘Horus Loader,’ which installs the main espionage payload: ‘Horus Agent.’

Breaking Down Horus Agent​

Horus Agent is a custom C++ backdoor, built for stealth and flexibility. Once deployed, it operates as a fully-featured command-and-control (C2) implant. Its capabilities, closely reviewed by Check Point analysts, include:

• System fingerprinting and reconnaissance
• Configuration changes
• Arbitrary command execution
• File exfiltration and manipulation
• Shellcode injection into memory

This modular approach enables the attackers to dynamically extend Horus Agent’s abilities using additional plugins. Post-exploitation, researchers also observed supplementary tools being deployed by Stealth Falcon, including a credential dumper, a keylogger, and a passive network backdoor capable of receiving and executing encrypted shellcode over the network.

Why This Exploit Is Particularly Dangerous​

The primary threat posed by CVE-2025-33053 stems from its ability to entirely bypass traditional malware detection defenses. Because the malicious code is executed directly from the remote server and masquerades as a legitimate system process, it leaves virtually no trace on disk. Furthermore, since the initial infection vector is a simple .url file, even careful users may be tricked into opening it, especially if the phishing message is well-crafted.

Technical Specifics and Verifiability​

To corroborate key details in this exploit chain, multiple reputable sources corroborate the mechanism outlined by Check Point, including BleepingComputer and The Register. Security advisories from Microsoft also confirm that the .NET Process.Start() method’s lookup order can allow this kind of hijacking if the working directory is externally controlled, and that iediagcmd.exe legitimately calls external binaries like route.exe for diagnostics. Cross-validation of these behaviors is possible in Microsoft’s own developer documentation and historical CVE records covering similar execution path hijacks.
Researchers have specifically demonstrated .url files with remote working directories calling arbitrary executables from WebDAV shares, and confirm that standard security controls (ranging from EDR to traditional antivirus) may fail to recognize or block the malicious activity without behavioral or network-based detections.

The Evolution of Stealth Falcon’s Toolset​

Stealth Falcon is far from a newly emerged threat actor. Originating in the early 2010s and linked to the Middle Eastern region—with strong indications of state sponsorship—the group’s technical sophistication has consistently increased with each campaign. Their early operations relied extensively on the Apollo malware framework, a highly customized espionage platform tailored to evade signature-based detection and enable long-term persistence.
The latest arsenal, particularly the Horus suite of tools, marks an evolutionary leap:

• Horus Agent is architected for deep modularity; its plugins allow operators to customize infection chains based on the specific objectives, from initial reconnaissance to full-scale data exfiltration.
• The supporting tools—keyloggers, credential dumpers, and stealthy passive network listeners—are each layered for staged deployment, ensuring the group can shift tactics with minimal risk of broad detection.
• Extensive use of encrypted communications and in-memory shellcode execution demonstrates the operator’s awareness of modern digital forensics and incident response techniques.

Target Profile and Geopolitical Implications​

The current campaign evidences a continued strategic focus on governments and defense contractors, primarily in Turkey, Qatar, Egypt, and Yemen. This regional cluster holds significant geopolitical importance, and the operational targeting aligns with the stated or presumed interests of Middle Eastern intelligence adversaries. Security analysts at both CheckPoint and independent threat intelligence firms note a clear pattern: Stealth Falcon rarely engages opportunistic or ransomware-style attacks, preferring instead to conduct highly targeted surveillance for intelligence gathering.

Defensive Recommendations and Mitigation Strategies​

Given the proven exploitation in the wild and the advanced capabilities of Stealth Falcon, Windows system administrators and security professionals are strongly advised to take immediate remedial steps.

Patch Urgency​

First and foremost, CVE-2025-33053 has been addressed in Microsoft’s June Patch Tuesday release. Applying this update should be an immediate priority, especially for organizations operating in high-risk sectors or those with a history of targeted attacks. According to Check Point, while the observed attacks may not have been universally successful, the exploit is valid and demonstrates a viable path to compromise.

Temporary Workarounds​

For organizations unable to patch immediately—often a reality in highly regulated sectors or during operational constraints—the following countermeasures are recommended:

• Block WebDAV Traffic: Restrict outbound WebDAV connections at both firewall and proxy levels. Most enterprises do not require broad internet WebDAV access; by disabling this vector, potential attacks relying on remote hosting can be disrupted.
• Monitor for Unusual .url File Activity: Implement network and endpoint monitoring to flag instances where .url files are executed referencing network shares or anomalous remote paths.
• User Awareness: Train users to recognize suspicious file types and phishing attempts. Emphasize the danger posed by shortcut files and the importance of reporting any unexpected prompts to open or run diagnostics.
• Network Segmentation: Limit lateral movement by segmenting sensitive infrastructure and maintaining strict controls over what tools can be run from remote shares.

Detection and Response​

Though classic signature-based detection mechanisms are ineffective against this type of attack, more advanced behavioral analytics tools may be able to spot:

• Execution of legitimate system utilities from non-standard directories (especially remote WebDAV shares)
• Suspicious network connections to previously unknown WebDAV endpoints
• Use of seldom-invoked diagnostic binaries (like iediagcmd.exe) in unusual operational contexts

Several managed threat detection vendors have updated their platforms to specifically look for indicators of this exploit. Still, timely, multidisciplinary incident response remains essential in the event of suspected compromise.

Critical Analysis: Notable Strengths and Remaining Risks​

The discovery, analysis, and patching of CVE-2025-33053 illustrate the robust collaboration between security researchers, vendors, and threat intelligence communities. Check Point’s timely disclosure affords defenders critical days or weeks to implement fixes and raise user awareness, while Microsoft’s rapid patching limits the exploit’s window of opportunity.
However, underlying risks persist:

• Zero-Day Vulnerability Recurrence: The exploit technique exploits systemic flaws—in this case, executable lookup order and remote working directory handling—that have been recurrently problematic in Windows' design history. Unless more comprehensive architectural changes are made, similar issues could resurface in the future.
• Sophistication of APT Operations: Stealth Falcon’s campaign reflects a persistent strategic commitment to modular malware and multi-staged infection chains. Even as one vulnerability gets patched, defenders must anticipate new, creative avenues for compromise.
• Detection Challenges: The inherent stealthiness of remote, fileless execution means that prevention and detection will remain difficult as attacker sophistication grows. Security organizations must prioritize both rapid patch management and innovations in detection methodology.

Multi-Source Validation​

Independent analysis from multiple sources, including technical write-ups from BleepingComputer, The Register, and Microsoft, all confirm the critical nature of CVE-2025-33053 and the validity of the discovered exploit chain. While some operational details of the Stealth Falcon campaign are necessarily withheld to preserve ongoing investigations, the core mechanics, attack vectors, and remediation steps are publicly documented and widely accepted.

Conclusion: A Sobering Reminder for the Security Community​

The Stealth Falcon exploitation of Windows WebDAV (CVE-2025-33053) underscores an unpleasant but inescapable reality of today’s threat landscape: even trusted, built-in operating system utilities present avenues for remote, highly evasive compromise. While the prompt release of a security patch highlights the value of open threat intelligence sharing, it also emphasizes the relentless pace of adversarial innovation.
Organizations in high-risk sectors must move quickly, not only to remediate known flaws, but to evolve their defense paradigms in anticipation of similar threats. Securing critical infrastructure requires a holistic approach—combining technical patching, robust network defenses, vigilant monitoring, and continuous user education.
For now, the best defense is timely patching and heightened vigilance. Security professionals must treat every remote file operation and privileged tool invocation as a potential threat vector—and take comfort in the growing collaboration across the cybersecurity ecosystem to meet these challenges head-on.
As cyber threats evolve, so too must our collective response—a lesson that the Stealth Falcon attacks drive home with new urgency.

---

Source: BleepingComputer Hackers exploited Windows WebDav zero-day to drop malware