CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage

Key Findings

Check Point Research (CPR) discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server.

CVE-2025-33053 allows remote code execution through manipulation of the working directory. Following CPR’s responsible disclosure, Microsoft today, June 10, 2025, released a patch as part of their June Patch Tuesday updates.

Stealth Falcon’s activities are largely focused on the Middle East and Africa, with high-profile targets in the government and defense sectors observed in Turkey, Qatar, Egypt, and Yemen.

Stealth Falcon continues to use spear-phishing emails as an infection method, often including links or attachments that utilize WebDAV and LOLBins to deploy malware.
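The common thread in the findings above is a process that starts with its working directory on an attacker-controlled WebDAV share. As an added defender-side check (not code from the CPR report), the script below flags process-creation records whose CurrentDirectory is a WebDAV UNC path; it assumes Sysmon Event ID 1 style JSON records, and the sample events, hosts and image names are constructed placeholders.

```python
import json
import re

# Path forms the Windows WebDAV Mini-Redirector produces for a mounted share:
# \\host@80\DavWWWRoot\..., \\host@SSL@443\..., \\host\DavWWWRoot\...
# A plain \\host\share with none of those markers is an ordinary SMB path.
WEBDAV_UNC = re.compile(
    r"^\\\\(?P<host>[^\\@]+)(?P<ssl>@SSL)?(?:@(?P<port>\d+))?\\(?P<dav>DavWWWRoot(?:\\|$))?",
    re.IGNORECASE,
)


def is_webdav_path(path):
    """True if `path` is a UNC path that Windows would resolve over WebDAV."""
    m = WEBDAV_UNC.match(path or "")
    return bool(m and (m.group("ssl") or m.group("port") or m.group("dav")))


def find_webdav_launches(event_lines):
    """Return process-creation events whose working directory is a WebDAV share.

    Each line is a JSON object with Sysmon Event ID 1 style fields
    (Image, CurrentDirectory, ParentImage); the WebDAV host is extracted for triage.
    """
    hits = []
    for line in event_lines:
        ev = json.loads(line)
        cwd = ev.get("CurrentDirectory", "")
        if is_webdav_path(cwd):
            hits.append({
                "Image": ev.get("Image"),
                "ParentImage": ev.get("ParentImage"),
                "CurrentDirectory": cwd,
                "WebDavHost": WEBDAV_UNC.match(cwd).group("host"),
            })
    return hits


# Constructed sample telemetry: hosts, paths and image names are placeholders,
# not indicators from the CPR report.
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Windows\System32\lolbin_placeholder.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CurrentDirectory": r"\\203.0.113.10@80\DavWWWRoot\share"}),
    json.dumps({"Image": r"C:\Program Files\App\app.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CurrentDirectory": r"\\fileserver\share\docs"}),
    json.dumps({"Image": r"C:\Windows\System32\cmd.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CurrentDirectory": r"C:\Users\alice\Desktop"}),
]

if __name__ == "__main__":
    for hit in find_webdav_launches(SAMPLE_EVENTS):
        print(hit)
```

Only the first sample event is flagged; a plain SMB UNC path and a local directory pass through untouched.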

Stealth Falcon deploys custom implants based on the open-source red team framework Mythic, which are either derived from existing agents or a private variant dubbed Horus Agent. The customization not only introduces anti-analysis and anti-detection measures but also validates target systems before ultimately delivering more advanced payloads.

In addition, the threat group employs multiple previously undisclosed custom payloads and modules, including keyloggers, passive backdoors, and a DC Credential Dumper.

To read the complete article, see: Complete Article

This post is licensed under CC BY 4.0 by the author.