Microsoft WEBDAV Remote Code Execution Vulnerability (CVE-2025-33053)
CVE number = CVE-2025-33053
A newly discovered critical zero-day remote code execution (RCE) vulnerability in Microsoft Windows, identified as CVE-2025-33053, is being actively exploited by the Stealth Falcon advanced persistent threat (APT) group, also known as FruityArmor.
Stealth Falcon’s activities are largely focused on the Middle East and Africa, with high-profile targets in the government and defence sectors observed in Turkey, Qatar, Egypt, and Yemen.
The vulnerability enables RCE by manipulating the system’s working directory.
Attackers utilized a previously undocumented technique to execute files hosted on a WebDAV server by modifying the working directory of a legitimate Windows utility, all while employing sophisticated anti-analysis tactics to evade detection.
IOCs
Hashes:
| ba5beb189d6e1811605b0a4986b232108d6193dcf09e5b2a603ea4448e6f263c | url file |
| e0a44274d5eb01a0379894bb59b166c1482a23fede1f0ee05e8bf4f7e4e2fcc6 | url file |
| da3bb6e38b3f4d83e69d31783f00c10ce062abd008e81e983a9bd4317a9482aa | Horus Loader |
| ddce79afe9f67b78e83f6e530c3e03265533eb3f4530e7c89fdc357f7093a80b | Horus Agent |
| 1d95a44f341435da50878eea1ec0a1aab6ae0ee91644c497378266290a6ef1d8 | custom Apollo |
| 700b422556f070325b327325e31ddf597f98cc319f29ef8638c7b0508c632cee | keylogger loader |
| aa612f53e03539cdc8f8a94deee7bf31f0ac10734bb9301f4506b9113c691c97 | keylogger |
| 66a893728a0ac1a7fae39ee134ad4182d674e719219fbf5d9b7cd4fd4f07f535 | passive backdoor |
| cd6335101e0187c33a78a316885a2cbf4cbbd2a72daf64a086edb4a2615749fb | credential dumper loader |
| 257c63a9e21b829bb4b9f8b0e352379444b0e573176530107a3e6c279d1919da | credential dumper |
| 5671b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15 | |
| 3259ecfb96d3d7e2d1a782b01073e02b3488a3922fd2fd35c20eeb5f44b292ec | |
| 8065c85e387654cb79a12405ff0f99fd4ddd5a5d3b9876986b82822bd10c716f | |
| 0598e1af6466b0813030d44fa64616eea7f83957d70f2f48376202c3179bd6b1 | |
| f270202cd88b045630f6d2dec6d5823aa08aa66949b9ccd20f6e924c7992fea7 | |
| 092c344330bd5cba71377dead11946f7277f2dd4af57f5b636b70b343bc7ebe0 | |
| dc7cb53c5dc2e756822328a7144c29318cb871890727eff9c8da64a01e8e782d | |
| db7364296cc8f78981797ffb2af7063bba97e2f6631c29215d59f4979f8b4fce | |
| 4e045c83cf429210e71e324adccad8818540b9805a44c8d79a8c16c3d5f6fbb6 | |
| 62797e28a334e392cb56fcc26dd07f04ac031110f0e9ed8489ec0825beea75eb | |
| dec6dda0559e381c23f1dfbe92fa4705c8455430f8278c78c170a7533b703296 | |
| 32f2773ceb6503f8a1c3e456d34ceda5c188974a115e5225a1315e7ec3f8eb5e | |
| 50a2b6c1b0a0d308e8016aece9629c1bf6ca4ecc6f4cef34c904e9c3e82355fb | |
| 9ed8f51548a004ac61b7176df12a0064dc3096088cbf3c644a9abdb5c92936f7 | |
| 9a82e21c2463d6c23a48409a862e668ed9c205468d216d2280f7debe1ab1ddd8 | |
| 46c95af6fea41b55fa0ab919ec81d38a584e32a519f85812fe79a5379457f111 | |
| c5b00e8312e801dc35652c631a14270ed4eec8f6d90d08cdde3c6e7fd1ec24b6 | |
| 3b83250383c2a892e0ca86e54fcc6aca9960fc4b425ab9853611ff3e5aa2f9c6 | |
| 8291b886cce1f0474db5b3dc269adf31d1659b7d949f62ea23608409d14b9ceb |
Domains:
| roundedbullets[.]com |
| summerartcamp[.]net |
| downloadessays[.]net |
| joinushealth[.]com |
| healthherofit[.]com |
| worryfreetransport[.]com |
| radiotimesignal[.]com |
| fastfilebackup[.]com |
| cyclingonlineshop[.]com |
| luxuryfitnesslabs[.]com |
| purvoyage[.]com |
Further information – https://research.checkpoint.com/2025/stealth-falcon-zero-day/
I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.