Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage

June 11, 2025, 10:22 a.m.

Description

Check Point Research (CPR) uncovered an active-weaponized Microsoft WebDAV zero‑day (CVE‑2025‑33053) exploited by the Stealth Falcon APT in a targeted campaign against defense and government organizations across the Middle East and Africa. The attack began with a spear-phishing-disguised .url file that hijacks the working-directory-based execution of legitimate Windows tools (LOLBins) to load malicious executables from a WebDAV server.

External References

https://research.checkpoint.com/2025/stealth-falcon-zero-day/
https://otx.alienvault.com/pulse/68494baf27507539fd31918c
Tags
apt
cyberespionage
webdav
keylogger
mythic
CVE-2025-33053
2025-06-11
zeroday

Date

  • Created: June 11, 2025, 9:26 a.m.
  • Published: June 11, 2025, 9:26 a.m.
  • Modified: June 11, 2025, 10:22 a.m.

Indicators

  • f270202cd88b045630f6d2dec6d5823aa08aa66949b9ccd20f6e924c7992fea7
  • e0a44274d5eb01a0379894bb59b166c1482a23fede1f0ee05e8bf4f7e4e2fcc6
  • dec6dda0559e381c23f1dfbe92fa4705c8455430f8278c78c170a7533b703296
  • ddce79afe9f67b78e83f6e530c3e03265533eb3f4530e7c89fdc357f7093a80b
  • dc7cb53c5dc2e756822328a7144c29318cb871890727eff9c8da64a01e8e782d
  • db7364296cc8f78981797ffb2af7063bba97e2f6631c29215d59f4979f8b4fce
  • da3bb6e38b3f4d83e69d31783f00c10ce062abd008e81e983a9bd4317a9482aa
  • cd6335101e0187c33a78a316885a2cbf4cbbd2a72daf64a086edb4a2615749fb
  • c5b00e8312e801dc35652c631a14270ed4eec8f6d90d08cdde3c6e7fd1ec24b6
  • ba5beb189d6e1811605b0a4986b232108d6193dcf09e5b2a603ea4448e6f263c
  • aa612f53e03539cdc8f8a94deee7bf31f0ac10734bb9301f4506b9113c691c97
  • 9ed8f51548a004ac61b7176df12a0064dc3096088cbf3c644a9abdb5c92936f7
  • 9a82e21c2463d6c23a48409a862e668ed9c205468d216d2280f7debe1ab1ddd8
  • 8291b886cce1f0474db5b3dc269adf31d1659b7d949f62ea23608409d14b9ceb
  • 8065c85e387654cb79a12405ff0f99fd4ddd5a5d3b9876986b82822bd10c716f
  • 700b422556f070325b327325e31ddf597f98cc319f29ef8638c7b0508c632cee
  • 62797e28a334e392cb56fcc26dd07f04ac031110f0e9ed8489ec0825beea75eb
  • 66a893728a0ac1a7fae39ee134ad4182d674e719219fbf5d9b7cd4fd4f07f535
  • 50a2b6c1b0a0d308e8016aece9629c1bf6ca4ecc6f4cef34c904e9c3e82355fb
  • 5671b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15
  • 4e045c83cf429210e71e324adccad8818540b9805a44c8d79a8c16c3d5f6fbb6
  • 46c95af6fea41b55fa0ab919ec81d38a584e32a519f85812fe79a5379457f111
  • 3b83250383c2a892e0ca86e54fcc6aca9960fc4b425ab9853611ff3e5aa2f9c6
  • 32f2773ceb6503f8a1c3e456d34ceda5c188974a115e5225a1315e7ec3f8eb5e
  • 3259ecfb96d3d7e2d1a782b01073e02b3488a3922fd2fd35c20eeb5f44b292ec
  • 257c63a9e21b829bb4b9f8b0e352379444b0e573176530107a3e6c279d1919da
  • 1d95a44f341435da50878eea1ec0a1aab6ae0ee91644c497378266290a6ef1d8
  • 092c344330bd5cba71377dead11946f7277f2dd4af57f5b636b70b343bc7ebe0
  • 0598e1af6466b0813030d44fa64616eea7f83957d70f2f48376202c3179bd6b1
  • worryfreetransport.com
  • summerartcamp.net
  • roundedbullets.com
  • radiotimesignal.com
  • purvoyage.com
  • luxuryfitnesslabs.com
  • joinushealth.com
  • healthherofit.com
  • fastfilebackup.com
  • downloadessays.net
  • cyclingonlineshop.com
Download all indicators here!

Attack Patterns

  • Mythic - S0699

Additional Informations

  • Defense
  • Qatar
  • Yemen
  • Egypt
  • Türkiye