CVE-2025-33053 Detection: A Critical WebDAV Zero-Day RCE Vulnerability Actively Weaponized by Stealth Falcon APT Group
Table of contents:
A new critical zero-day RCE vulnerability in Microsoft Windows, tracked as CVE-2025-33053, has been actively exploited by the Stealth Falcon (aka FruityArmor) APT group. The flaw leads to RCE by manipulating the system’s working directory. Attackers leveraged a previously unknown method to run files from a WebDAV server by altering the working directory of a legitimate Windows tool while relying on advanced anti-analysis techniques for detection evasion.
Detect CVE-2025-33053 Exploitation by Stealth Falcon APT
Vulnerability exploitation remains one of the most common initial attack vectors. In 2025, attackers have been leveraging vulnerabilities for initial access 34% more, leading to more security breaches than the year before.
Advanced hacking groups frequently rely on a fusion of sophisticated adversarial techniques, such as zero-day exploits, custom malware, and stealth tactics, to pose severe risks to high-profile organizations worldwide, like the latest campaign by Stealth Falcon.
Security teams looking for more related detection content can browse Threat Detection Marketplace using the dedicated “Stealth Falcon” tag or explore a broader collection of algorithms by applying the “CVE” tag.
All detections can be used across multiple SIEM, EDR, and Data Lake technologies and are aligned with the MITRE ATT&CK framework to facilitate threat investigation. SOC Prime Platform equips security teams with high-quality detection content enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context.
Security engineers can also leverage Uncoder AI—a private, non-agentic AI purpose-built for threat-informed detection engineering. With Uncoder, defenders can automatically convert IOCs from the dedicated Check Point report into actionable hunting queries, enabling efficient investigation of Stealth Falcon APT activity exploiting CVE-2025-33053. Additionally, Uncoder supports crafting detection logic from raw threat reports, ATT&CK tags prediction, AI-driven query optimization, and detection content translation across multiple platforms.
CVE-2025-33053 Analysis
Check Point researchers have identified a new campaign by the APT group known as Stealth Falcon, which leveraged a URL file to weaponize a zero-day exploit. Tracked as CVE-2025-33053, this flaw with a high CVSS score reaching 8.8, enables unauthorized attackers to exploit external control of file names or paths in WebDAV to execute code remotely over a network.
Stealth Falcon has been known for cyber espionage in the Middle East since at least 2012. In the latest campaign, threat actors targeted high-profile entities in the Middle East and Africa, including public and defense sectors in Turkey, Qatar, Egypt, and Yemen. Stealth Falcon continues to rely on spear-phishing emails containing links or attachments that exploit WebDAV and LOLBins to deploy malware.
Their toolkit includes custom implants built on the open-source red teaming framework Mythic. These implants feature anti-analysis techniques and validate victim systems before dropping more sophisticated payloads. Stealth Falcon also deploys the Horus Agent, a tailor-made Mythic-based implant, named after the Egyptian falcon-headed deity. Additionally, Stealth Falcon uses several previously unseen custom tools, such as keyloggers, stealth backdoors, and a Domain Controller Credential Dumper.
The attack flow begins with a phishing email containing a malicious URL file, typically embedded in a ZIP archive and disguised as a legitimate document. This file exploits CVE-2025-33053 by abusing iediagcmd.exe to execute a rogue route.exe from the adversary’s WebDAV server. The initial stage involves the Horus Loader, a C++-based loader protected by Code Virtualizer. It uses advanced anti-analysis techniques, such as manual mapping of kernel32.dll and ntdll.dll, and scans for 100+ antivirus processes from 17 vendors to avoid detection. To distract the victim, it decrypts and opens a decoy PDF. The loader then employs IPfuscation to decode the payload from IPv6 addresses, injecting it into msedge.exe using system calls like ZwAllocateVirtualMemory, ZwWriteVirtualMemory, and NtResumeThread.
The final payload, dubbed Horus Agent, is heavily obfuscated with custom OLLVM techniques, including string encryption, control flow flattening, and API hashing for dynamic import resolution. It communicates with its C2 infrastructure over AES-encrypted HTTP, protected by HMAC-SHA256, using up to four domains and featuring a killswitch date of December 31, 2099.
Supported functionalities include system reconnaissance and covert shellcode injection. The infection chain also incorporates Spayload, a C++ implant derived from Mythic, offering sophisticated post-exploitation capabilities.
Due to ongoing exploitation, CISA has added CVE-2025-33053 to its KEV catalog, mandating that FCEB agencies apply the patch by July 1, 2025. To promptly respond to a threat shortly after the CVE-2025-33053 disclosure, Microsoft released a patch on June 10, 2025. As potential CVE-2025-33053 mitigation measures to reduce the risks of exploitation attempts, defenders recommend updating Windows systems to the latest fixed version, training staff to spot spear-phishing attempts, monitoring WebDAV traffic to suspicious domains, and using feasible security solutions to detect LOLBin abuse and unauthorized process injection.
Stealth Falcon’s use of CVE-2025-33053 demonstrates the group’s advanced capabilities and strategic focus on high-value targets across the Middle East. The vulnerability entails critical risks to organizations due to the widespread use of WebDAV in enterprise environments for remote file sharing and collaboration. Immediate patching and continuous threat monitoring are paramount to defending against such critical threats. SOC Prime curates a complete product suite built on zero-trust principles and backed by AI, automation, and actionable threat intelligence to empower global organizations with everything they need to outscale cyber threats.
