Stealth Falcon APT Exploits Microsoft RCE Zero-Day in Mideast - Dark Reading
The bug is one of 66 disclosed and patched today by Microsoft as part of its June 2025 Patch Tuesday set of security vulnerability fixes.

Tara Seals, Managing Editor, News, Dark Reading
June 10, 2025 | 6 Min Read

Nation-state adversaries have been exploiting a zero-day security vulnerability in Microsoft's implementation of Web Distributed Authoring and Versioning (WEBDAV), allowing one-click remote code execution (RCE) on target systems.

WEBDAV is a protocol that extends HTTP with methods for creating, moving, locking, and editing files on a Web server, rather than only retrieving them. According to Check Point Research (CPR), the important-rated bug (CVE-2025-33053, CVSS 8.8) is being used by the Stealth Falcon advanced persistent threat (APT) group to compromise high-profile defense entities in the Middle East.

Hallmarks of the campaign are "deceptive URL files, WebDAV servers, and legitimate Windows tools to silently execute custom spyware, including a new [custom] implant: Horus Agent," the researchers said, noting that Stealth Falcon's advanced tradecraft also includes living-off-the-land binaries (LOLBins).

Fortunately, CVE-2025-33053 is one of 66 patched by Microsoft in its June Patch Tuesday release today. As Dustin Childs at Trend Micro's Zero Day Initiative noted in a blog post covering the June update, the exploitation is concerning enough that the computing giant even addressed the flaw in end-of-life platforms.
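The hallmarks CPR describes above are deceptive URL files, WebDAV servers, and legitimate Windows tools. A defender can triage that first artifact directly: a Windows Internet Shortcut (.url) file is INI-style text whose URL, WorkingDirectory, and IconFile keys may each name a remote location. The scanner below is an added example written for this page, not code from Dark Reading, Check Point, or Microsoft. It parses .url text and flags keys that resolve to a UNC path, a WebDAV-style \\host@SSL@port path, or a file:// URL on another host. The two embedded sample shortcuts, the documentation-range address 203.0.113.10, and the high/medium severity assignments are constructed assumptions, not indicators from the campaign.

```python
r"""Flag Windows Internet Shortcut (.url) files whose targets point off-host.

Added defensive example; not code from Dark Reading or Check Point Research.
A .url file is INI-style text with an [InternetShortcut] section. The keys
URL, WorkingDirectory and IconFile can each name a remote location (a UNC
path, a WebDAV-style \\host@SSL@port\DavWWWRoot path, or a file:// URL).
Severity choices and the sample shortcuts below are constructed assumptions.
"""
import configparser
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# \\host\share... : two leading backslashes, a host, then a share separator
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
# \\host@SSL@443\... is the Windows Mini-Redirector syntax for WebDAV over HTTPS
WEBDAV_UNC_RE = re.compile(r"^\\\\[^\\@]+@(?:ssl@)?\d*\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    category: str
    severity: str  # "high" or "medium" (constructed scale)


def classify_target(value: str) -> Optional[str]:
    """Return where a shortcut value resolves, or None for a local target."""
    v = value.strip()
    if UNC_RE.match(v):
        if WEBDAV_UNC_RE.match(v) or "davwwwroot" in v.lower():
            return "webdav_unc"
        return "unc"
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "web"
    if parsed.scheme == "file" and parsed.netloc:  # file:///C:/... has no netloc
        return "file_remote"
    return None


def scan_url_file(text: str) -> list[Finding]:
    """Parse one .url file's text and return the keys that reach a remote host."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return []
    section = cp["InternetShortcut"]
    findings = []
    for key in ("URL", "WorkingDirectory", "IconFile"):
        value = section.get(key)
        if value is None:
            continue
        category = classify_target(value)
        if category is None:
            continue
        if key == "URL":
            if category == "web":
                continue  # a web URL is what a shortcut is for; UNC/file:// is not
            severity = "high"
        elif key == "WorkingDirectory":
            severity = "high"  # a remote working directory changes where a launched tool loads from
        else:
            severity = "medium"  # a remote icon is fetched when the file is displayed
        findings.append(Finding(key, value, category, severity))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """Collapse findings into one verdict for a triage queue."""
    if any(f.severity == "high" for f in findings):
        return "high"
    if findings:
        return "medium"
    return "none"


# Constructed samples (203.0.113.0/24 is a documentation range, not a real host).
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://example.com/docs
IconIndex=0
"""

SUSPICIOUS_URL_FILE = r"""[InternetShortcut]
URL=file://203.0.113.10/share/report.pdf
WorkingDirectory=\\203.0.113.10@SSL@443\DavWWWRoot\share
IconFile=\\203.0.113.10\share\icon.ico
IconIndex=1
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        hits = scan_url_file(text)
        print(f"{name}: risk={risk_level(hits)}")
        for f in hits:
            print(f"  [{f.severity}] {f.key}={f.value} ({f.category})")
```

Run it directly to scan the two embedded samples. A WorkingDirectory that points off-host is treated as high severity because, in CPR's description of the chain, the working directory of a legitimate built-in tool is what the attackers manipulate; in practice the scanner would be fed .url attachments quarantined at the mail gateway or collected from endpoints.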
"Microsoft doesn't give any indication into how widespread these attacks are, but they have taken the extraordinary step of producing patches for platforms that are officially out of support, like Windows 8 and Windows Server 2012," he wrote in the blog post. "The exploit does require a user to click on a malicious URL, but that's the only necessary step for code execution. Given that Microsoft produced updates for out-of-support OSes, I would patch this one quickly."The 66 newly disclosed CVEs for June exist in Windows and Windows Components, Office and Office Components, .NET and Visual Studio, Nuance Digital Engagement Platform, and the Windows Cryptographic Service. Ten of them are rated critical, with the balance rated important.Stealth Falcon Swoops in to Pick Off Defense TargetsAccording to CPR, which reported the WEBDAV bug to Microsoft, Stealth Falcon (aka FruityArmor) is an APT active since at least 2012. It focuses its activities within the Middle East and Africa, with recent high-profile targets in the government and defense sectors observed in Egypt, Qatar, Turkey, and Yemen. Other researchers have attributed its cyberattacks as being sponsored by the United Arab Emirates (UAE).Victims in recent instances that CPR observed received spear-phishing emails containing a link to a remote WEBDAV server that, when clicked, exploited CVE-2025-33053 and set off an infection chain that manipulated the working directory of a legitimate built-in Windows tool. Ultimately, the exploit resulted in the delivery of the Horus Agent backdoor implant, which is built to interact with the open source Mythic red-teaming framework, according to CPR's blog post today on the campaign. 
The use of Mythic for command-and-control (C2) is a known Stealth Falcon tactic, according to CPR.

"Over the years, Stealth Falcon was observed acquiring zero-day exploits and using sophisticated custom-built payloads to target entities across the Middle East in their cyber-espionage operations," according to CPR researchers. "Named after Horus, the Egyptian sky god who is often depicted as a falcon-headed man, the Horus Agent represents an evolution of the group's previously used customized Apollo implant [for Mythic]."

Horus Agent's capabilities seem intentionally limited, focusing on the most essential functions in the attack, according to the CPR researchers: "fingerprinting the victim's machine to assess its value and deploying next-stage payloads if the target is deemed worthwhile," they explained. "This approach likely helps safeguard their other custom post-exploitation payloads," which include keyloggers, passive backdoors, and a credential dumper.

Horus Agent commands include:

- Send a text visualization of all running jobs
- Collect more information on the system
- Update configuration values
- Exit the program
- List files/folders under a directory
- Inject shellcode into the same process or a different process
- Download a file from the C2 server
- "Survey," a custom system enumeration function that collects data about what services are running, battery status, usernames, processes, and network configuration data
- A custom version of Mythic's "Shinject," a shellcode injection feature, which offers several process injection methods

"The new Horus Agent appears to be written from scratch," according to CPR. "In addition to adding custom commands, the threat actors placed additional emphasis on the agent's and its loader's anti-analysis protections and counter-defensive measures. This suggests that they have deep knowledge of both their victims and/or the security solutions in use."

Other CVEs to Prioritize Patching in the June 2025 Release

Perhaps most notably in the June release, Microsoft patched four RCE bugs in Office where the Preview Pane is an attack vector (CVE-2025-47162, CVE-2025-47164, CVE-2025-47167, and CVE-2025-47953, all CVSS 8.4).

"Most of these are also given the highest exploit index rating, which means Microsoft expects public exploitation within 30 days," Childs said. "Since these bugs run without user interaction, they are often paired with a privilege escalation bug to take over a system. And since the Preview Pane is in play, it doesn't even matter if users don't click on that dodgy mail. Don't wait to roll out Office updates this month."

In addition to the zero-day under active exploit, another zero-day is listed as publicly known but not yet being used in the wild — something that could change quickly given the availability of a proof-of-concept exploit and the fact that it can be triggered remotely. That's CVE-2025-33073 (CVSS 8.8), a Windows SMB client elevation of privilege (EoP) vulnerability.

"It leads to code execution at the SYSTEM level, and it could be triggered by convincing a user to connect to an attacker-controlled malicious application server," Childs explained. "The most obvious choice here would be an SMB server. Upon connecting, the malicious server could compromise the affected system and elevate privileges."

Other security vulnerabilities that teams might want to consider prioritizing include a critical Microsoft SharePoint Server RCE flaw (CVE-2025-47172, CVSS 8.8).

"What makes this vulnerability especially alarming is its ability to go beyond typical database manipulation — likely enabling attackers to run operating system commands via SQL Server features like xp_cmdshell or CLR integration," says Alex Vovk, CEO and co-founder of Action1. "The combination of a familiar SQL injection flaw with remote code execution makes this vulnerability especially dangerous. Organizations with exposed SharePoint instances or large user bases should prioritize remediation."

He also notes that despite Microsoft giving the bug an "exploitation less likely" rating, SQL injection attack methods are well-known in the security community, and the risk can be extreme.

"This vulnerability enables sophisticated attacks starting with minimal SharePoint access," he warns. "Attackers can gain code execution to extract database credentials, steal tokens, and escalate privileges — potentially reaching domain admin levels. It's especially dangerous when combined with credential theft, lateral movement, data exfiltration, and ransomware deployment. Compromised SharePoint instances may also threaten connected systems through third-party integrations."

And finally, Nick Carroll, cyber-incident response manager at Nightwing, also flags an EoP vulnerability for the Windows Common Log File System (CVE-2025-32713, CVSS 7.8) as one to patch ASAP.

It's not rated critical, "which means some organizations won't prioritize patching them as quickly as they probably should," he notes. "But we see real-world attacks abusing that Windows Log File subsystem pretty regularly. In fact, Nightwing has defended against exploits in the Windows Common Log File System in real-world attacks last month related to the recently patched CVE-2025-29824, where the threat actors were abusing living-off-the-land tactics in conjunction with the exploit."