NG Solution Team

How Did Stealth Falcon Exploit a Microsoft Zero-Day Vulnerability?

In March 2025, Check Point Research uncovered a cyberattack against a defense company in Turkey carried out by the APT group Stealth Falcon. The group exploited a Microsoft zero-day vulnerability (CVE-2025-33053) by delivering a .url file that caused malware to be executed from a WebDAV server under their control: the vulnerability allowed remote code execution through manipulation of the working directory. Following disclosure, Microsoft released a patch on June 10, 2025.

Stealth Falcon, active since 2012, is known for cyber espionage in the Middle East and Africa, focusing on government and defense sectors. It employs spear-phishing emails with links or attachments to deploy malware via WebDAV and LOLBins (living-off-the-land binaries). Its tools include custom implants such as the Horus Agent, based on the Mythic C2 framework, and custom payloads such as keyloggers and backdoors.

The group uses sophisticated methods to evade detection, including code obfuscation and anti-analysis techniques, and its operations are supported by infrastructure that repurposes legitimate domains, complicating attribution and detection efforts.
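As an added defensive example (not code from this post or from the Check Point report), the following Python flags .url files whose WorkingDirectory points at a UNC or WebDAV path, which is the working-directory manipulation described above. The sample file contents are constructed, and the host 203.0.113.10 is a documentation address, not an indicator taken from the page.

```python
import configparser
import re
from dataclasses import dataclass, field

# A .url file is an INI file with an [InternetShortcut] section. A
# WorkingDirectory that is a UNC path is suspicious on its own; the
# "host@80"/"host@SSL" suffix and "DavWWWRoot" are the Windows WebDAV
# redirector's syntax for an HTTP(S) share, which is what a WebDAV lure uses.
UNC_RE = re.compile(r"^\\\\[^\\]+")
WEBDAV_RE = re.compile(r"@(80|443|ssl)(\\|$)|davwwwroot", re.IGNORECASE)


@dataclass
class UrlFileFinding:
    suspicious: bool = False
    reasons: list = field(default_factory=list)
    url: str = ""
    working_directory: str = ""


def analyze_url_file(text: str) -> UrlFileFinding:
    """Parse one .url file's text and report whether its working directory is remote."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    finding = UrlFileFinding()
    if "InternetShortcut" not in parser:
        return finding  # not a shortcut file at all; nothing to judge
    section = parser["InternetShortcut"]  # option names are case-insensitive
    finding.url = section.get("URL", "")
    finding.working_directory = section.get("WorkingDirectory", "")
    wd = finding.working_directory
    if UNC_RE.match(wd):
        finding.reasons.append("WorkingDirectory is a UNC path")
    if WEBDAV_RE.search(wd):
        finding.reasons.append("WorkingDirectory uses WebDAV redirector syntax")
    finding.suspicious = bool(finding.reasons)
    return finding


# Constructed samples: a normal intranet shortcut and a lure-style shortcut
# whose working directory is an HTTP WebDAV share on a documentation address.
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://intranet.example.test/portal
"""
SAMPLE_SUSPICIOUS = r"""[InternetShortcut]
URL=https://203.0.113.10/lure.pdf
WorkingDirectory=\\203.0.113.10@80\DavWWWRoot\share
IconFile=C:\Windows\System32\shell32.dll
IconIndex=13
"""

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, analyze_url_file(sample))
```

Feeding every .url attachment seen at the mail gateway or on endpoints through analyze_url_file gives a cheap triage signal; any hit warrants looking at what the shortcut's target would launch from that share.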
