Stealth Falcon Hacks Turkish Defense

A sophisticated cyber-espionage campaign coordinated by the Stealth Falcon advanced persistent threat group has successfully weaponized a previously unknown Windows vulnerability, designated CVE-2025-33053, to infiltrate a major Turkish defense organization through a carefully organized attack chain.

The zero-day exploit targets Windows WebDAV functionality, an HTTP extension for remote file access that Microsoft deprecated in 2023 but which remains present on numerous systems worldwide.

Deprecated Windows WebDAV protocol becomes weaponized attack vector despite Microsoft discontinuation, exposing widespread system vulnerabilities globally.

The attack commenced with phishing emails carrying malicious .url shortcut files disguised as PDF documents about military equipment damage, a social-engineering lure chosen to entice victims into opening them. Upon execution, the .url file used CVE-2025-33053 to connect to attacker-controlled WebDAV servers and then loaded malware by manipulating Windows' built-in file execution search order. This approach let the threat actors run malicious code without dropping suspicious files directly onto target systems, greatly improving their evasion.
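The chain above begins with a .url shortcut posing as a document. From a defender's side, the cheapest place to catch such a lure is at mail or endpoint triage, before the shortcut is ever opened. The following script is an added example, not code from the article or from the researchers it cites: it parses Internet Shortcut files with the standard-library configparser and flags the properties an analyst would want to see, namely a document-style double extension, a WorkingDirectory or IconFile that points at a remote host, a URL that opens a remote share, or WebDAV UNC syntax (the DavWWWRoot marker) anywhere in the file. The heuristics and the three sample files (using the RFC 5737 address 192.0.2.10) are constructed assumptions for illustration, not artifacts from the campaign.

```python
"""Triage Internet Shortcut (.url) files for lure-like properties.

Added example; heuristics are the editor's assumptions and the sample
contents below are constructed, not real campaign artifacts.
"""
import configparser
import re
from dataclasses import dataclass, field

# Constructed sample .url files keyed by filename.
SAMPLES = {
    "equipment_damage_report.pdf.url": (
        "[InternetShortcut]\r\n"
        "URL=http://192.0.2.10/docs/report.pdf\r\n"
        "WorkingDirectory=\\\\192.0.2.10\\DavWWWRoot\\docs\r\n"
        "IconIndex=0\r\n"
    ),
    "intranet_portal.url": "[InternetShortcut]\r\nURL=https://intranet.example.com/\r\nIconIndex=0\r\n",
    "local_notes.url": "[InternetShortcut]\r\nURL=file:///C:/Users/analyst/notes.txt\r\n",
}

REMOTE_SCHEMES = ("http://", "https://")
UNC_RE = re.compile(r"^\\\\[^\\]+\\")                               # \\host\share style path
DAV_RE = re.compile(r"davwwwroot|@ssl\b|@\d+\\", re.IGNORECASE)     # WebDAV-specific UNC markers
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.url$", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] keys (lowercased), or {} if the file is not a shortcut."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.replace("\r\n", "\n"))
    except configparser.Error:
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp["InternetShortcut"])


def is_remote(path: str) -> bool:
    """True for http(s) URLs, UNC paths, or file URLs that name a host (file://host/...)."""
    low = path.lower()
    if low.startswith(REMOTE_SCHEMES) or UNC_RE.match(path):
        return True
    return low.startswith("file://") and not low.startswith("file:///")


def assess(name: str, text: str) -> Finding:
    """Collect the reasons one .url file deserves analyst attention."""
    finding = Finding(name)
    keys = parse_url_file(text)
    if not keys:
        finding.reasons.append("no [InternetShortcut] section")
        return finding
    if DOUBLE_EXT_RE.search(name):
        finding.reasons.append("document-style double extension")
    # A browser-bound URL is normal; a remote WorkingDirectory or IconFile is not.
    for key in ("workingdirectory", "iconfile"):
        val = keys.get(key, "")
        if val and is_remote(val):
            finding.reasons.append(f"{key} points at a remote host: {val}")
    url = keys.get("url", "")
    if (url.lower().startswith("file:") and is_remote(url)) or UNC_RE.match(url):
        finding.reasons.append(f"url opens a remote file share: {url}")
    for key, val in keys.items():
        if DAV_RE.search(val):
            finding.reasons.append(f"{key} uses WebDAV UNC syntax: {val}")
    return finding


def triage(files: dict) -> dict:
    """Map filename -> reasons for every suspicious .url in `files`."""
    return {name: f.reasons for name, text in files.items()
            if (f := assess(name, text)).suspicious}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against a mail quarantine or a user's Downloads folder, the script reports only the lure-shaped shortcut; ordinary web shortcuts and local file links pass clean. The remote WorkingDirectory check is the one worth alerting on, because a legitimate shortcut has no reason to set its working directory to another machine.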

Microsoft addressed the vulnerability in June 2025's Patch Tuesday update, releasing fixes for CVE-2025-33053 alongside 66 additional security flaws after confirming active exploitation in the wild. The update included patches for 10 critical bugs that posed significant risks to system security. Although WebDAV is disabled by default in recent Windows versions, both legacy and updated systems remained vulnerable to exploitation, demonstrating the persistent security risks posed by deprecated features. The 50GB size limit of modern PST files further complicated system security and backup procedures.

Stealth Falcon’s campaign demonstrated remarkable sophistication through deployment of custom-built implants, including the Horus Agent, alongside legitimate Windows tools to maintain operational stealth. The attack leveraged legitimate Windows components to execute malicious operations while avoiding detection by traditional security measures.

The group's multi-stage loaders provided greater persistence while using trusted Windows processes to evade traditional antivirus detection mechanisms. Carrying network communications over the legitimate WebDAV protocol further hid malicious activity within normal system behaviour patterns.

The vulnerability’s placement within core Windows APIs affected multiple system versions, creating extensive exposure across critical infrastructure, government, and defense sectors globally.

Security researchers note that the attack’s combination of zero-day exploitation, social engineering, and living-off-the-land techniques represents a considerable escalation in advanced persistent threat capabilities. Organizations face continued risks from overlooked system features and misconfigurations, with security advisories emphasizing immediate patch deployment and improved monitoring for phishing campaigns targeting high-value sectors.

The breach highlights the evolving threat environment where deprecated functionalities become attack vectors for sophisticated adversaries.
