Stealth Falcon APT Exploits Microsoft RCE Zero-Day

Nation-state adversaries have been exploiting a zero-day security vulnerability in Microsoft's Web Distributed Authoring and Versioning (WEBDAV), allowing one-click remote code execution (RCE) on target systems. WEBDAV is a protocol that extends the functionality of HTTP, allowing users to interact with files on a Web server in a more collaborative and feature-rich way. According to Check Point Research (CPR), the important-rated bug (CVE-2025-33053, CVSS 8.8) is being used by the Stealth Falcon advanced persistent threat (APT) group to compromise high-profile defense entities in the Middle East. Hallmarks of the campaign are "deceptive URL files, WebDAV servers, and legitimate Windows tools to silently execute custom spyware, including a new [custom] implant: Horus Agent," the researchers said, noting that Stealth Falcon's advanced tradecraft also includes living-off-the-land binaries (LOLBins). Fortunately, CVE-2025-33053 is one of 66 patched by Microsoft in its June Patch Tuesday release today. As Dustin Childs at Trend Micro's Zero Day Initiative noted in a blog post covering the June update, the exploitation is concerning enough that the computing giant even addressed the flaw in end-of-life platforms. "Microsoft doesn't give any indication into how widespread these attacks are, but they have taken the extraordinary step of producing patches for platforms that are officially out of support, like Windows 8 and Windows Server 2012," he wrote in the blog post. "The exploit ...