2025-06-19

Stealth Falcon Exploits CVE-2025-33053 in Targeted Espionage Across Middle East

Level: Tactical | Source: Check Point
Defense | Government

Stealth Falcon (a.k.a. FruityArmor) is a long-standing APT group active since 2012 and known for conducting targeted cyber espionage in the Middle East and Africa. In March 2025, Check Point observed a new campaign exploiting CVE-2025-33053, a vulnerability patched by Microsoft in its June 2025 update. The flaw is an external-control-of-file-path weakness in WebDAV handling and can result in unauthorized code execution. “Stealth Falcon’s activities are largely focused on the Middle East and Africa, with high-profile targets in the government and defense sectors observed in Turkey, Qatar, Egypt, and Yemen,” according to Check Point. The campaign used this vulnerability to execute malware hosted on attacker-controlled WebDAV servers through crafted ".url" files that abuse the "WorkingDirectory" parameter and the way "Process.Start()" resolves executables relative to it.

Check Point’s analysis shows the attackers used ".url" files with misleading double extensions, likely delivered via phishing emails. The shortcut pointed to a legitimate tool, "iediagcmd.exe", while redefining the working directory to a malicious WebDAV path. Because the tool launches helper programs by bare name, they were resolved against that working directory, so it ran a rogue binary, "route.exe", hosted on the attacker’s server instead of the expected system version under the System32 directory. The binary was identified as the Horus Loader, which used anti-analysis features such as manual DLL mapping and process scans against over 100 known security tools. Another LOLBin, "CustomShellHost.exe", was abused in the same way, demonstrating the threat actor's preference for stealth and living-off-the-land binaries (LOLBins). Horus Loader decrypted and ran a lure document to maintain legitimacy while injecting a payload using techniques such as "IPfuscation" and process hollowing via "msedge.exe".
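Defenders can look for the two halves of this chain: a ".url" file whose WorkingDirectory points at a remote WebDAV share, and a LOLBin parent spawning a child that did not resolve from System32. The following is an added example, not code from Check Point or the report; the sample shortcut contents, the placeholder host "webdav.example", and the event fields are constructed for illustration.

```python
import configparser
import ntpath
import re

# Constructed sample .url contents (placeholder host, not an indicator from the report).
SUSPICIOUS_URL_FILE = r"""[InternetShortcut]
URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe
WorkingDirectory=\\webdav.example@SSL\DavWWWRoot\share
"""
BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://intranet.example/portal
"""

# A UNC path (\\host\...), which is how the WebDAV Mini-Redirector exposes remote shares.
REMOTE_DIR_RE = re.compile(r"^\\\\[^\\]+\\")
# LOLBins named in the report as launched with a hijacked working directory.
LOLBIN_PARENTS = {"iediagcmd.exe", "customshellhost.exe"}
SYSTEM32 = r"c:\windows\system32"


def parse_url_file(text):
    """Parse the INI-style [InternetShortcut] section into a lowercase-keyed dict."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if "InternetShortcut" not in cp:
        return {}
    return {k.lower(): v.strip() for k, v in cp["InternetShortcut"].items()}


def assess_url_file(text):
    """Return human-readable findings for a .url file; an empty list means nothing odd."""
    fields = parse_url_file(text)
    target = fields.get("url", "").lower()
    workdir = fields.get("workingdirectory", "")
    findings = []
    if target.startswith("file:") and target.endswith(".exe"):
        findings.append("URL launches a local executable rather than a web page")
    if REMOTE_DIR_RE.match(workdir):
        findings.append("WorkingDirectory points to a remote UNC/WebDAV share")
    if "davwwwroot" in workdir.lower() or "@ssl" in workdir.lower():
        findings.append("WorkingDirectory uses WebDAV redirector syntax")
    return findings


def process_event_is_suspicious(image, parent_image):
    """Flag a LOLBin parent whose child image did not resolve from System32."""
    parent = ntpath.basename(parent_image).lower()
    child_dir = ntpath.dirname(image).lower().rstrip("\\")
    return parent in LOLBIN_PARENTS and (
        bool(REMOTE_DIR_RE.match(image)) or child_dir != SYSTEM32
    )
```

The process check is deliberately narrow to the parents named here; widening LOLBIN_PARENTS to other binaries that launch helpers by bare name is the natural next step for a hunt.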

The final payload is a customized Mythic C2 agent dubbed Horus Agent. This implant, written in C++, deviates from previously used Mythic agents like Apollo and implements obfuscation, API hashing, and control flow flattening to evade static and dynamic analysis. The Horus Agent communicates over a custom C2 profile and supports commands including system survey for information collection, file listing, shellcode injection, and configuration updates. It features command variants like "shinjectchunked", which allows shellcode delivery in parts, and a stealth mode for injection based on observed AV processes. The configuration and communication channels are encrypted with AES and HMAC integrity checks. Initial check-in captures extensive system fingerprinting data, helping the actor evaluate the target’s value before deploying follow-on payloads.

Check Point also details past activity by Stealth Falcon that complements their latest TTPs. In 2022–2023, campaigns utilized ".cpl" files named after Star Trek characters to deploy the Apollo agent through WebDAV infrastructure. In another 2023 case, a phishing email to a Qatari target delivered a ZIP archive containing a LNK file. Upon execution, it chained LOLBins like "cmd.exe", "DeviceCredentialDeployment.exe", and "forfiles.exe" to execute scripts hosted over WebDAV. Across these campaigns, Stealth Falcon has maintained consistent use of native Windows binaries, phishing, and multi-stage delivery using obfuscated loaders. This includes additional tools such as a DC credential dumper leveraging VHDX snapshots, passive backdoors using AES-encrypted communications, and a keylogger that stores encrypted logs locally, each designed for stealth, modularity, and control in high-value espionage operations.
