A new critical zero-day RCE vulnerability in Microsoft Windows, tracked as CVE-2025-33053, has been actively exploited by the Stealth Falcon (aka FruityArmor) APT group. The flaw leads to RCE by manipulating the system’s working directory. Attackers leveraged a previously unknown method to run files from a WebDAV server by altering the working directory of a legitimate Windows tool while relying on advanced anti-analysis techniques for detection evasion.
Vulnerability exploitation remains one of the most common initial attack vectors. In 2025, In 2025, attackers have been leveraging vulnerabilities for initial access 34% more, leading to more security breaches than the year before.
Advanced hacking groups frequently rely on a fusion of sophisticated adversarial techniques, such as zero-day exploits, custom malware, and stealth tactics, to pose severe risks to high-profile organizations worldwide, like the latest campaign by Stealth Falcon.
Register for SOC Prime Platform to instantly reach a global active threats feed, offering real-time threat intel and curated Sigma rules to help businesses and individual researchers identify and preempt attacks that weaponize zero-day flaws. Security teams can explore an extensive collection of context-enriched Sigma rules tagged by “CVE,” backed by an AI-powered product suite tailored for strengthening defenses at scale.
All detections can be used across multiple SIEM, EDR, and Data Lake technologies and are aligned with the MITRE ATT&CK framework to facilitate threat investigation. SOC Prime Platform equips security teams with high-quality detection content enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag:
CVE-2025-33053 Analysis
Check Point researchers have identified a new campaign by the APT group known as Stealth Falcon, which leveraged a URL file to weaponize a zero-day exploit. Tracked as CVE-2025-33053, this flaw with a high CVSS score reaching 8.8, enables unauthorized attackers to exploit external control of file names or paths in WebDAV to execute code remotely over a network.
Stealth Falcon has been known for cyber espionage in the Middle East since at least 2012. In the latest campaign, threat actors targeted high-profile entities in the Middle East and Africa, including public and defense sectors in Turkey, Qatar, Egypt, and Yemen. Stealth Falcon continues to rely on spear-phishing emails containing links or attachments that exploit WebDAV and LOLBins to deploy malware.
Their toolkit includes custom implants built on the open-source red teaming framework Mythic. These implants feature anti-analysis techniques and validate victim systems before dropping more sophisticated payloads. Stealth Falcon also deploys the Horus Agent, a tailor-made Mythic-based implant, named after the Egyptian falcon-headed deity. Additionally, Stealth Falcon uses several previously unseen custom tools, such as keyloggers, stealth backdoors, and a Domain Controller Credential Dumper.
The attack flow begins with a phishing email containing a malicious URL file, typically embedded in a ZIP archive and disguised as a legitimate document. This file exploits CVE-2025-33053 by abusing iediagcmd.exe to execute a rogue route.exe from the adversary’s WebDAV server. The initial stage involves the Horus Loader, a C++-based loader protected by Code Virtualizer. It uses advanced anti-analysis techniques, such as manual mapping of kernel32.dll and ntdll.dll, and scans for 100+ antivirus processes from 17 vendors to avoid detection. To distract the victim, it decrypts and opens a decoy PDF. The loader then employs IPfuscation to decode the payload from IPv6 addresses, injecting it into msedge.exe using system calls like ZwAllocateVirtualMemory, ZwWriteVirtualMemory, and NtResumeThread.
The final payload, dubbed Horus Agent, is heavily obfuscated with custom OLLVM techniques, including string encryption, control flow flattening, and API hashing for dynamic import resolution. It communicates with its C2 infrastructure over AES-encrypted HTTP, protected by HMAC-SHA256, using up to four domains and featuring a killswitch date of December 31, 2099.
Supported functionalities include system reconnaissance and covert shellcode injection. The infection chain also incorporates Spayload, a C++ implant derived from Mythic, offering sophisticated post-exploitation capabilities.
Due to ongoing exploitation, CISA has added CVE-2025-33053 to its KEV catalog, mandating that FCEB agencies apply the patch by July 1, 2025. To promptly respond to a threat shortly after the CVE-2025-33053 disclosure, Microsoft released a patch on June 10, 2025. As potential CVE-2025-33053 mitigation measures to reduce the risks of exploitation attempts, defenders recommend updating Windows systems to the latest fixed version, training staff to spot spear-phishing attempts, monitoring WebDAV traffic to suspicious domains, and using feasible security solutions to detect LOLBin abuse and unauthorized process injection.
Stealth Falcon’s use of CVE-2025-33053 demonstrates the group’s advanced capabilities and strategic focus on high-value targets across the Middle East. The vulnerability entails critical risks to organizations due to the widespread use of WebDAV in enterprise environments for remote file sharing and collaboration. Immediate patching and continuous threat monitoring are paramount to defending against such critical threats. SOC Prime curates a complete product suite built on zero-trust principles and backed by AI, automation, and actionable threat intelligence to empower global organizations with everything they need to outscale cyber threats.
The post CVE-2025-33053 Exploitation: A Critical WebDAV Zero-Day RCE Vulnerability Actively Weaponized by Stealth Falcon APT Group appeared first on SOC Prime.
