Stealth Falcon’s Abuse of CVE-2025-33053 in Their Latest Cyber Espionage Ops


Stealth Falcon, a Middle Eastern APT group, has been observed exploiting a zero-day vulnerability in Microsoft Windows (CVE-2025-33053) to launch cyber-espionage campaigns targeting high-profile organizations in the Middle East and Africa.

Severity Level: High

Vulnerability Details

  • CVE ID: CVE-2025-33053 [Web Distributed Authoring and Versioning (WebDAV) Remote Code Execution Vulnerability]
  • CVSS Score: 8.8
  • Exploited in the Wild: Yes
  • CWE-73: External Control of File Name or Path
  • Affected Products:
    • Windows 10/11 (x86, x64, ARM)
    • Windows Server 2008 through 2025 (Core & Full installations)
  • Root Cause:
    • The flaw is in how Windows handles .url (Internet Shortcut) files that point at a legitimate local executable (such as iediagcmd.exe) while setting the working directory to a remote WebDAV share.
    • iediagcmd.exe starts helper tools such as route.exe by bare file name through .NET's Process.Start(); that lookup checks the process's working directory before the system directories (System32), so a copy sitting on the attacker's WebDAV share is found first.
    • The attacker thereby hijacks the binary search path and runs a malicious route.exe of their own in place of the real one, with no user action beyond opening the shortcut.

Stealth Falcon – CVE-2025-33053 Exploitation

Stage 1: Initial Access – Phishing via .url or .lnk Files

  • Vector: Spear-phishing emails sent to defense/government sector employees.
  • Attachment: A .url file masquerading as a PDF report (e.g., TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url).
  • Target: Turkey, Qatar, Egypt, Yemen – primarily defense contractors or government entities.

Stage 2: Exploitation of CVE-2025-33053

  • Technique: The .url file launches the legitimate iediagcmd.exe (Internet Explorer's diagnostics tool) with its working directory set to the attacker's WebDAV share.
  • Abuse: When iediagcmd.exe invokes its helper tools through .NET's Process.Start(), the lookup hits the attacker-controlled working directory first, so the malicious route.exe on the share runs instead of the one in System32.

Stage 3: Loader Execution – Horus Loader

  • File: route.exe (a custom-built loader, signed with an outdated certificate).
  • Functionality:
    • Decrypts and displays a decoy PDF document so the victim sees the report they expected.
    • Recovers and decrypts the next-stage payload; the payload bytes are hidden as strings of fake IPv6 addresses (“IPfuscation”) that are converted back to binary at run time.
    • Evades EDR by sidestepping memory scanners and manually mapping the DLLs it needs instead of going through the normal loader.
    • Implements anti-analysis measures (code virtualization, obfuscation, task termination).
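The “IPfuscation” mentioned under Stage 3 is a plain byte-to-address transform: the payload is stored as a list of IPv6 literals and turned back into raw bytes at run time (on Windows, typically with RtlIpv6StringToAddressA). The Go program below is an added example written for this advisory, not the loader's code and not taken from Check Point's write-up. Deobfuscate recovers the bytes from a list of literals; it also accepts the IPv4 variant (four bytes per literal, via RtlIpv4StringToAddressA), which is a generalization beyond what the page describes. Ipfuscate is a constructed encoder so there is something to round-trip, and the payload bytes are made up. The one edge case worth knowing when writing your own decoder or encoder: a 16-byte chunk that starts with ten zero bytes and 0xffff looks like an IPv4-mapped address, and an encoder that prints it in dotted form silently collapses 16 bytes to 4.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net/netip"
)

// Ipfuscate encodes a payload as IPv6 literals, 16 bytes per address, zero-padding
// the last chunk. Constructed here only so the decoder has input; a real loader
// ships the strings pre-built.
func Ipfuscate(payload []byte) []string {
	var addrs []string
	for off := 0; off < len(payload); off += 16 {
		var chunk [16]byte
		copy(chunk[:], payload[off:])
		// netip keeps a v4-mapped chunk (ten zero bytes, 0xffff, four bytes) in the
		// "::ffff:a.b.c.d" form; net.IP.String() would print it as dotted IPv4 and the
		// decoder would then see 4 bytes instead of 16.
		addrs = append(addrs, netip.AddrFrom16(chunk).String())
	}
	return addrs
}

// Deobfuscate parses each literal back to raw bytes (what RtlIpv6StringToAddressA /
// RtlIpv4StringToAddressA hand a loader on Windows) and trims the padding using the
// true length n, which such loaders store next to the strings.
func Deobfuscate(addrs []string, n int) ([]byte, error) {
	out := make([]byte, 0, 16*len(addrs))
	for _, a := range addrs {
		addr, err := netip.ParseAddr(a)
		if err != nil {
			return nil, fmt.Errorf("not an IP literal %q: %w", a, err)
		}
		if addr.Is4() { // IPv4 flavour of the trick: 4 bytes per literal
			b := addr.As4()
			out = append(out, b[:]...)
		} else { // IPv6, including ::ffff:a.b.c.d, always 16 bytes
			b := addr.As16()
			out = append(out, b[:]...)
		}
	}
	if n < 0 || n > len(out) {
		return nil, errors.New("declared length does not fit the decoded data")
	}
	return out[:n], nil
}

func main() {
	// Constructed payload: the first chunk deliberately forms a v4-mapped pattern,
	// the short tail shows the padding being trimmed.
	payload := append([]byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 192, 0, 2, 1}, []byte("ret")...)
	addrs := Ipfuscate(payload)
	got, err := Deobfuscate(addrs, len(payload))
	fmt.Println(addrs, bytes.Equal(got, payload), err)
}
```

When pulling literals out of a real sample, feed Deobfuscate the strings in the order the loader walks them and the length it stores alongside; a rejected literal usually means you have picked up a decoy string or a genuine address that is not part of the payload.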

Stage 4: Payload Deployment – Horus Agent

  • Implant: A custom C++ agent built for the Mythic C2 framework.
  • Capabilities:
    • Victim fingerprinting (survey) and directory listing (ls).
    • Dynamic configuration loading.
    • AES+HMAC encrypted communication over HTTP(S).
    • A deliberately small built-in command set; further capability arrives as injected shellcode modules (the shinject* tasks), which keeps the resident implant unremarkable.
    • RC4-encrypted strings, API hashing, and control-flow flattening to slow analysis.

Stage 5: C2 Communication & Tasking

  • Endpoints: GET/POST requests to the attacker-controlled C2 server, carrying encrypted query strings.
  • Format: one Base64-encoded packet of [UUID] + [IV] + [AES-encrypted data] + [HMAC], the layout Mythic's standard AES pre-shared-key encryption uses.
  • Tasks supported: process injection (shinjectchunked, shinjectstealth), file-system enumeration, configuration update, upload, job control, and exit.
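The packet layout above is the one Mythic's standard AES-256 pre-shared-key encryption produces: the callback UUID in clear text (36 ASCII characters), a 16-byte IV, AES-256-CBC ciphertext with PKCS#7 padding, and an HMAC-SHA256 over IV plus ciphertext keyed with the same key, all base64-encoded and carried in the query string or request body. The Go program below is an added example that builds and verifies such packets; it was written for this advisory and is not taken from Check Point, from the Horus sample or from the Mythic project. That Horus follows Mythic's key handling and MAC coverage exactly is an assumption; the UUID, key and JSON body are constructed. The property an analyst with a recovered key cares about is that Open checks the HMAC in constant time and refuses to decrypt anything whose tag fails, so a tampered or wrong-key capture is rejected rather than decrypted into garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

const uuidLen = 36 // the callback UUID travels as 36 ASCII characters, unencrypted

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// SealWithIV builds base64(UUID || IV || AES-256-CBC(plaintext) || HMAC-SHA256(IV || ct)),
// the HMAC keyed with the same 32-byte key. Taking the IV as a parameter keeps the
// output reproducible; Seal below picks a random one as a real agent would.
func SealWithIV(uuid string, key, iv, plaintext []byte) (string, error) {
	if len(uuid) != uuidLen || len(key) != 32 || len(iv) != aes.BlockSize {
		return "", errors.New("need 36-char uuid, 32-byte key, 16-byte iv")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	mac := hmac.New(sha256.New, key)
	mac.Write(iv)
	mac.Write(ct)
	raw := append([]byte(uuid), iv...)
	raw = append(raw, ct...)
	raw = append(raw, mac.Sum(nil)...)
	return base64.StdEncoding.EncodeToString(raw), nil
}

func Seal(uuid string, key, plaintext []byte) (string, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	return SealWithIV(uuid, key, iv, plaintext)
}

// Open splits a packet, verifies the HMAC in constant time and only then decrypts,
// so a tampered or wrong-key capture is rejected instead of producing garbage.
func Open(key []byte, packet string) (uuid string, plaintext []byte, err error) {
	raw, err := base64.StdEncoding.DecodeString(packet)
	if err != nil {
		return "", nil, err
	}
	if len(raw) < uuidLen+2*aes.BlockSize+sha256.Size { // UUID + IV + one block + tag
		return "", nil, errors.New("packet too short")
	}
	uuid = string(raw[:uuidLen])
	iv := raw[uuidLen : uuidLen+aes.BlockSize]
	ct := raw[uuidLen+aes.BlockSize : len(raw)-sha256.Size]
	tag := raw[len(raw)-sha256.Size:]
	if len(ct)%aes.BlockSize != 0 {
		return "", nil, errors.New("ciphertext not block aligned")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(iv)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return "", nil, errors.New("HMAC mismatch: tampered packet or wrong key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", nil, err
	}
	plaintext = make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plaintext, ct)
	plaintext, err = pkcs7Unpad(plaintext, aes.BlockSize)
	return uuid, plaintext, err
}

func main() {
	// Constructed values: in practice the key and UUID come out of the agent's config.
	key := sha256.Sum256([]byte("constructed-psk"))
	uuid := "7f5d3d71-0b0a-4b8e-9f1c-6c2a3e8f0a11"
	pkt, err := Seal(uuid, key[:], []byte(`{"action":"checkin","host":"WS01"}`))
	if err != nil {
		panic(err)
	}
	u, pt, err := Open(key[:], pkt)
	fmt.Println(u, string(pt), err)
}
```

To decrypt a captured exchange, base64-decode the value from the query string or body and pass it to Open with the key extracted from the implant's configuration; the UUID that comes back is the callback identifier, which is useful for tying several requests to one infected host.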

Stage 6: Post-Exploitation Modules

  • Credential Dumper: Copies Active Directory credential stores out of a volume snapshot written to a .vhdx file, reading it with the .NET DiscUtils library so the locked live files never have to be opened directly.
  • Keylogger: Logs keystrokes to disk, RC4-encrypted, for later retrieval.
  • Passive Backdoor: Listens on a TCP port, decrypts received shellcode and runs it in memory.
  • Custom Apollo Loader: The earlier .NET (Mythic Apollo-based) version of the implant, delivered via .cpl files in prior operations.

Clean-up & Evasion

  • Removes evidence by:
    • Wiping the WebDAV client cache: %WINDIR%\ServiceProfiles…\TfsStore\Tfs_DAV
    • Blending C2 traffic into ordinary-looking HTTP and using long-registered (legacy) domains.
    • Deploying anti-debug, anti-hook, and anti-VM checks across all stages.

Recommendations

  1. Patch CVE-2025-33053 immediately (fixes available from Microsoft since June 10, 2025).
  2. Configure Windows Group Policy to block execution of .url, .lnk and .cpl files from e-mail attachment and Downloads directories.
  3. Train employees to spot .url and .lnk attachments that pose as documents (e.g., a double extension such as .pdf.url).
  4. Watch for suspicious service installations such as UsrProfSCC via System Event ID 7045 or Sysmon.
  5. Detect .url files that launch Windows binaries such as iediagcmd.exe or CustomShellHost.exe with a working directory on a non-standard path (WebDAV shares), and helper binaries such as route.exe starting from anywhere other than System32.
  6. Monitor for the creation of PDF or temp files in unusual directories during the infection chain:
    %TEMP%\TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf
    %ProgramData%\ds_notifier_0.vhdx
    %Windows%\Temp~TN*.tmp
  7. Use AppLocker or WDAC so that commonly abused binary names (e.g., route.exe, forfiles.exe) may run only from their System32 location; a copy on a WebDAV share or in a temp directory is then blocked.
  8. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/9b68aa557a11abce1a24d26ae661e6650c4f5e097d01f956e738a4906e0add52/iocs
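Recommendation 5, together with the root-cause and Stage 2 descriptions of how the shortcut's working directory redirects iediagcmd.exe's helper lookup, can be turned into three concrete checks over Sysmon Event ID 1 (ProcessCreate) records. The Go program below is an added example written for this advisory, not code from Check Point or from any detection product; the three log records are constructed (203.0.113.10 is a documentation address, the third record is a benign baseline), and the rule names are my own. It flags (1) an advisory-named launcher whose CurrentDirectory is a WebDAV UNC path, in the \\host@80\, \\host@443\, \\host@SSL\ or DavWWWRoot forms the Windows WebClient produces; (2) a System32 helper name such as route.exe running from anywhere other than System32 or SysWOW64; and (3) a child of that launcher whose Image lives on a WebDAV path.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcessEvent carries the Sysmon Event ID 1 (ProcessCreate) fields the checks use.
type ProcessEvent struct {
	Image            string
	CurrentDirectory string
	ParentImage      string
}

// webdavPath matches the UNC forms the Windows WebClient (WebDAV mini-redirector)
// produces: \\host@80\..., \\host@443\..., \\host@SSL\..., or a DavWWWRoot component.
var webdavPath = regexp.MustCompile(`(?i)^\\\\[^\\]+@(?:80|443|ssl)\\|\\DavWWWRoot\\`)

// launchers: signed binaries the advisory names that resolve helper tools relative to
// their working directory. helpers: System32 tool names it says are substituted or
// abused; a genuine copy only ever runs from System32 or SysWOW64.
var launchers = map[string]bool{"iediagcmd.exe": true, "customshellhost.exe": true}
var helpers = map[string]bool{"route.exe": true, "forfiles.exe": true}

// baseName and dirName split on backslash or slash so the code also runs off-Windows.
func baseName(p string) string { return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:]) }
func dirName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return strings.ToLower(p[:i])
	}
	return ""
}

func isSystemDir(d string) bool {
	return strings.HasSuffix(d, `\windows\system32`) || strings.HasSuffix(d, `\windows\syswow64`)
}

// Detect returns the names of the checks that fire for one ProcessCreate record.
func Detect(ev ProcessEvent) []string {
	var hits []string
	img := baseName(ev.Image)
	if launchers[img] && webdavPath.MatchString(ev.CurrentDirectory) {
		hits = append(hits, "launcher-with-webdav-cwd") // the .url pointed the working directory at a share
	}
	if helpers[img] && !isSystemDir(dirName(ev.Image)) {
		hits = append(hits, "system-helper-outside-system32") // the search-order hijack landed
	}
	if launchers[baseName(ev.ParentImage)] && webdavPath.MatchString(ev.Image) {
		hits = append(hits, "launcher-child-from-webdav") // child executed straight off the share
	}
	return hits
}

// ParseEvents reads records in the "Key: Value" layout of an exported Sysmon message
// body, one blank line between records; lines without ": " (e.g. the title) are skipped.
func ParseEvents(log string) []ProcessEvent {
	var evs []ProcessEvent
	for _, rec := range strings.Split(log, "\n\n") {
		var ev ProcessEvent
		for _, line := range strings.Split(rec, "\n") {
			k, v, ok := strings.Cut(strings.TrimSpace(line), ": ")
			if !ok {
				continue
			}
			switch k {
			case "Image":
				ev.Image = v
			case "CurrentDirectory":
				ev.CurrentDirectory = v
			case "ParentImage":
				ev.ParentImage = v
			}
		}
		if ev.Image != "" {
			evs = append(evs, ev)
		}
	}
	return evs
}

// sampleLog is constructed: the first two records model the Stage 2 chain
// (203.0.113.10 is a documentation address), the third is a benign baseline.
const sampleLog = `Process Create:
Image: C:\Program Files\Internet Explorer\iediagcmd.exe
CurrentDirectory: \\203.0.113.10@80\DavWWWRoot\
ParentImage: C:\Windows\explorer.exe

Process Create:
Image: \\203.0.113.10@80\DavWWWRoot\route.exe
CurrentDirectory: \\203.0.113.10@80\DavWWWRoot\
ParentImage: C:\Program Files\Internet Explorer\iediagcmd.exe

Process Create:
Image: C:\Windows\System32\route.exe
CurrentDirectory: C:\Users\analyst\
ParentImage: C:\Program Files\Internet Explorer\iediagcmd.exe
`

func main() {
	for i, ev := range ParseEvents(sampleLog) {
		fmt.Printf("event %d %-50s hits=%v\n", i, ev.Image, Detect(ev))
	}
}
```

The second check is the one that survives a change of launcher: whatever signed binary the actor uses next, the substituted helper still has to execute from somewhere other than System32. Expect it to need an allow-list for legitimate copies (e.g., Windows ADK or recovery media on a build server) before it goes into a production SIEM.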

Source:

  • https://research.checkpoint.com/2025/stealth-falcon-zero-day/
  • https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053

Ampcus Cyber