
Stealth Falcon Exploits Zero-Day CVE-2025-33053 Against Middle East Defense Targets


Check Point Research has uncovered a sophisticated cyber espionage campaign orchestrated by the Stealth Falcon APT group, which exploited a previously unknown zero-day vulnerability to target defense and government entities across the Middle East. 

The vulnerability, designated CVE-2025-33053, was patched by Microsoft on June 10, 2025, following responsible disclosure by the security researchers.

The attack began with a carefully crafted .url file named "TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url" (Turkish for "Telescopic Mast Damage Report"), which was submitted to VirusTotal by a source associated with a major Turkish defense company. 

This file exploited CVE-2025-33053 by manipulating the working directory of legitimate Windows tools to execute malicious code from an attacker-controlled WebDAV server.

The vulnerability leverages the search-order behavior of the standard .NET Process.Start() method: when a program is launched by bare name rather than full path, the parent's current working directory is searched before the Windows system directories. By redirecting the working directory to a remote WebDAV server, attackers could force legitimate Windows utilities such as iediagcmd.exe to launch attacker-supplied files in place of the system binaries they intended to run. This technique represents an evolution from previously known DLL hijacking methods to direct executable manipulation.

Custom Malware Arsenal

The campaign deployed a custom implant called "Horus Agent," built for the Mythic command and control framework. Named after the Egyptian falcon-headed god, this represents a significant advancement from Stealth Falcon's previous use of modified Apollo agents. 

The Horus Agent incorporates sophisticated anti-analysis techniques, including code virtualization, string encryption, and control flow flattening to evade detection.

Figure: Stealth Falcon infection chain (image: Check Point Research)

Check Point researchers also identified several previously undisclosed tools in Stealth Falcon's arsenal, including a domain controller credential dumper that bypasses file locks by operating on virtual disk copies, a passive backdoor service, and a custom keylogger with RC4 encryption capabilities.

Stealth Falcon's operations focus primarily on high-value targets in Turkey, Qatar, Egypt, and Yemen, with particular emphasis on government and defense sectors. 

The group has been active since at least 2012 and consistently employs spear-phishing emails combined with WebDAV exploitation and living-off-the-land binaries to maintain persistence while avoiding detection.

The threat actors demonstrate sophisticated operational security by purchasing legitimate older domains through NameCheap registrar and employing commercial code obfuscation tools, making their activities harder to detect and attribute.
