Check Point: ‘Stealth Falcon’ Exploited WebDAV Flaw

Microsoft has patched a zero-day vulnerability in the WebDAV file-sharing support built into Windows that a threat group linked to the United Arab Emirates exploited in an espionage campaign against targets in the Middle East and Africa.
The flaw, tracked as CVE-2025-33053, is a remote code execution vulnerability in Web Distributed Authoring and Versioning, or WebDAV, an extension of the hypertext transfer protocol that lets clients create, edit and move files on remote web servers. Windows can mount a WebDAV server as a network path, which is what allowed the attackers to have code run from a server they controlled.
Microsoft shipped the fix Tuesday as part of its monthly Patch Tuesday release. Cybersecurity firm Check Point uncovered a hacking campaign in which Stealth Falcon, a nation-state group known for cyberespionage, used the zero-day to deploy malware including keyloggers, passive backdoors and a credential dumper. The group hit targets in Turkey, Qatar, Egypt and Yemen, Check Point said.
Stealth Falcon, also tracked as FruityArmor and as G0038 in MITRE ATT&CK, has suspected links to the United Arab Emirates government. It has previously been associated with hacks targeting Emirati journalists, activists and dissidents.
The latest campaign from Stealth Falcon began with phishing emails. In one incident observed by Check Point, the hackers targeted a Turkish defense organization with the latest version of Horus Agent, a custom-built implant designed to operate with the open-source Mythic command-and-control framework.
Check Point uncovered the campaign after a victim uploaded the phishing email attachment to VirusTotal in March. The attachment was a Windows internet shortcut (.url) file that, when opened, launched a legitimate diagnostic tool built into Windows with its working directory set to an attacker-controlled WebDAV server.
Because the diagnostic tool launched a helper named route.exe by bare file name rather than by full path, Windows searched the WebDAV working directory before System32 and ran the attacker's route.exe instead of the legitimate system binary. That file deployed the Horus loader, which removed earlier utilities to evade detection and then dropped a decoy document and the final Horus Agent payload.
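To make the mechanism above concrete, here is a small Python triage script added for this page; it is not Check Point's tooling and not code from the campaign. It does two things: it parses a Windows internet shortcut (.url) file and flags one that launches a local program while its WorkingDirectory sits on a UNC or WebDAV path, and it scans Sysmon-style process-creation events for an executable resolved from a WebDAV path. The shortcut contents, the host 203.0.113.10, the placeholder program name example_diag.exe and the event records are all constructed for the example; the exact field layout of the real lure is not on this page.

```python
"""Triage helpers for the .url-plus-WebDAV working-directory technique.

Check 1 parses an Internet Shortcut (.url) file and flags one that launches
a local program while its WorkingDirectory is on a UNC/WebDAV location, so a
child process started by bare name (such as route.exe) resolves to the share.
Check 2 scans Sysmon-style process-creation events and flags executables
whose image was loaded from a WebDAV path.  All sample inputs are constructed.
"""
import configparser
import re

# The Windows WebDAV Mini-Redirector exposes servers as UNC paths such as
# \\host@80\DavWWWRoot\dir or \\host@SSL@443\DavWWWRoot\dir.
_DAV_HOST_RE = re.compile(r"^\\\\[^\\]+@(?:ssl(?:@\d+)?|\d+)\\", re.IGNORECASE)
_LOCAL_EXE_RE = re.compile(r"^(?:file:///)?[a-z]:[\\/].*\.exe$", re.IGNORECASE)


def is_unc_path(path: str) -> bool:
    """True for any \\\\server\\share style path, which is remote by definition."""
    return path.strip().startswith("\\\\")


def is_webdav_path(path: str) -> bool:
    """True when the path is a Mini-Redirector WebDAV mapping."""
    p = path.strip()
    return "davwwwroot" in p.lower() or bool(_DAV_HOST_RE.match(p))


def assess_url_shortcut(text: str) -> dict:
    """Parse .url content and report what it launches and from which directory."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.read_string(text)
    sec = cp["InternetShortcut"]  # mandatory section of the .url format
    url = sec.get("url", "")
    workdir = sec.get("workingdirectory", "")
    local_exe = bool(_LOCAL_EXE_RE.match(url))
    remote_dir = is_unc_path(workdir)
    return {
        "url": url,
        "working_directory": workdir,
        "launches_local_exe": local_exe,
        "working_dir_remote": remote_dir,
        "working_dir_webdav": is_webdav_path(workdir),
        # A shortcut running a local binary with a remote working directory is
        # the shape of this attack; a shortcut aimed straight at a remote .exe
        # is flagged as well.
        "suspicious": (local_exe and remote_dir)
        or (is_unc_path(url) and url.lower().endswith(".exe")),
    }


def flag_webdav_executions(events: list[dict]) -> list[dict]:
    """Return events whose Image is on a WebDAV share, or where a local
    Windows binary was started with a WebDAV CurrentDirectory."""
    hits = []
    for ev in events:
        image_remote = is_webdav_path(ev.get("Image", ""))
        cwd_remote = is_webdav_path(ev.get("CurrentDirectory", ""))
        parent_local = ev.get("ParentImage", "").lower().startswith("c:\\windows\\")
        if image_remote or (parent_local and cwd_remote):
            hits.append(ev)
    return hits


# Constructed lure: a local placeholder program, working directory on WebDAV.
SAMPLE_URL = (
    "[InternetShortcut]\n"
    "URL=file:///C:/Windows/System32/example_diag.exe\n"
    "WorkingDirectory=\\\\203.0.113.10@80\\DavWWWRoot\\docs\\\n"
    "IconIndex=0\n"
)

# Constructed Sysmon Event ID 1 style records (Image, ParentImage, CurrentDirectory).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\example_diag.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CurrentDirectory": "\\\\203.0.113.10@80\\DavWWWRoot\\docs\\"},
    {"Image": "\\\\203.0.113.10@80\\DavWWWRoot\\docs\\route.exe",
     "ParentImage": "C:\\Windows\\System32\\example_diag.exe",
     "CurrentDirectory": "\\\\203.0.113.10@80\\DavWWWRoot\\docs\\"},
    {"Image": "C:\\Windows\\System32\\route.exe",  # benign: real route.exe
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CurrentDirectory": "C:\\Users\\analyst\\"},
]

if __name__ == "__main__":
    print(assess_url_shortcut(SAMPLE_URL))
    for hit in flag_webdav_executions(SAMPLE_EVENTS):
        print("WebDAV-resolved execution:", hit["Image"])
```

The second check keys on the CurrentDirectory field that Sysmon records for process creation; an explorer.exe child with a WebDAV current directory is the shortcut being opened, and a child whose Image itself lives under DavWWWRoot is the hijacked helper. A benign route.exe invoked from System32 with a local working directory is not flagged.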
“Horus Agent uses what appears to be a custom OLLVM, leveraging both string encryption and control flow flattening,” Check Point said. The researchers added that the malware evolved from Apollo, an open-source .NET-based Mythic agent that the group used in customized form between 2022 and 2023.
“The Horus variant includes the upload command, built into Mythic, which their Apollo implant lacks. The Horus variant merges two custom commands, shinjectchuncked and shinjectstealth, into one, using ‘stealth mode’ as a parameter,” Check Point said. Overall, the latest Horus variant is more capable than its predecessor.
In addition to Horus Agent, the attackers employed other tools, including a credential dumper to extract Active Directory credentials and a passive backdoor that waits for incoming network requests rather than beaconing out, the report added.
The U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog.