
A critical zero-day vulnerability (CVE-2025-33053) is being actively exploited by APT Stealth Falcon, allowing remote code execution (RCE) through malicious `.url` attachments. Attackers leverage a WebDAV server to execute malware on vulnerable systems. Microsoft has released patches in June 2025 Patch Tuesday—apply them immediately.
Affected Systems:
- Windows 10/11
- Windows Server 2019/2022
- Microsoft Defender (prior to June 2025 updates)
You Should Know:
1. Mitigation Steps
- Block `.url` Attachments (Exchange transport rule; `New-TransportRule` creates the rule, `Set-TransportRule` only edits an existing one, and the extension is given without the leading dot):
```powershell
New-TransportRule -Name "Block URL Attachments" -AttachmentExtensionMatchesWords "url" -RejectMessageReasonText "Malicious .url files blocked"
```
- Disable WebDAV Client (sets the WebClient service start type to Disabled; stop the service or reboot for it to take effect):
```
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WebClient" /v Start /t REG_DWORD /d 4 /f
```
- Apply Microsoft Patch (two separate commands):
```powershell
Install-Module -Name PSWindowsUpdate -Force
Install-WindowsUpdate -KBArticleID KB50333053 -AcceptAll -AutoReboot
```
2. Detection (KQL for Microsoft Sentinel; the `SecurityEvent` table exposes the account as `Account`, and the `url.dll,OpenURL` string from the YARA rule below is the more specific indicator):
```kusto
SecurityEvent
| where EventID == 4688
| where CommandLine contains ".url" or CommandLine contains "WebDAV" or CommandLine contains "url.dll,OpenURL"
| project TimeGenerated, Computer, CommandLine, Account
```
3. Hunt for Compromise (Linux/Mac):
Check for suspicious WebDAV connections (two separate commands; `grep -E` is required for the `|` alternation, and `-w` keeps `80` from matching `8080`):
```bash
lsof -i | grep -E -i 'webdav|davfs'
netstat -tulnp | grep -wE '445|80|443'
```
4. YARA Rule for Malware Detection (the second pattern is a regular expression for a WebDAV UNC path of the form `\\<ip>@<port>\`, so it must be written as a YARA regex, not a quoted string):
```yara
rule StealthFalcon_URL_Exploit {
    meta:
        description = "Detects CVE-2025-33053 exploit payloads"
    strings:
        // rundll32 invoking url.dll,OpenURL, the handler abused by the malicious .url file
        $s1 = "rundll32.exe url.dll,OpenURL" ascii wide nocase
        // WebDAV UNC path \\<ip>@<port>\ ; \\\\ matches two literal backslashes
        $s2 = /\\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}@[0-9]+\\/ ascii wide
    condition:
        any of them
}
```
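As an added example (not code from the post, Check Point or Microsoft), the two indicators that the KQL query and the YARA rule above look for, applied in Python to constructed 4688-style command lines so the logic can be checked offline. The sample lines, the documentation-range IPs and the `classify`/`scan` function names are all assumptions made here.

```python
import re
from typing import Optional

# Indicators taken from the post's KQL query and YARA rule: a rundll32 url.dll,OpenURL
# launch, a .url file reference, and a WebDAV UNC path of the form \\<ip>@<port>\...
OPENURL_RE = re.compile(r"rundll32(?:\.exe)?\s+url\.dll\s*,\s*OpenURL", re.IGNORECASE)
URL_FILE_RE = re.compile(r"\.url\b", re.IGNORECASE)
WEBDAV_UNC_RE = re.compile(
    r"\\\\(?P<host>(?:\d{1,3}\.){3}\d{1,3})@(?P<port>\d+)\\(?P<path>\S*)"
)

# Constructed 4688-style CommandLine values (documentation IP ranges, not real IoCs).
SAMPLE_4688 = [
    r'"C:\Windows\System32\notepad.exe" C:\Users\alice\Desktop\notes.txt',
    r'rundll32.exe url.dll,OpenURL \\192.0.2.10@8080\DavWWWRoot\invoice.url',
    r'C:\Windows\explorer.exe \\198.51.100.7@80\share\report.pdf',
]


def classify(command_line: str) -> dict:
    """Score one process-creation command line against the indicators above."""
    hits = []
    host: Optional[str] = None
    port: Optional[int] = None
    if OPENURL_RE.search(command_line):
        hits.append("rundll32_openurl")
    if URL_FILE_RE.search(command_line):
        hits.append("url_file")
    m = WEBDAV_UNC_RE.search(command_line)
    if m:
        hits.append("webdav_unc")
        host, port = m.group("host"), int(m.group("port"))
    # Both halves of the described chain together is the strongest signal; a lone
    # WebDAV UNC path or .url reference is worth a look but also occurs in benign use.
    if "rundll32_openurl" in hits and "webdav_unc" in hits:
        severity = "high"
    elif hits:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "hits": hits, "host": host, "port": port}


def scan(command_lines: list) -> list:
    """Return (index, result) for every line that matched at least one indicator."""
    results = [(i, classify(cl)) for i, cl in enumerate(command_lines)]
    return [(i, r) for i, r in results if r["severity"] != "none"]


if __name__ == "__main__":
    for i, r in scan(SAMPLE_4688):
        print(f"line {i}: {r['severity']:6} {r['hits']} host={r['host']} port={r['port']}")
```

The extracted host and port are what you would pivot on next (proxy and firewall logs for that destination), which the KQL `contains` filters alone do not give you.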
What Undercode Say:
This exploit highlights the risks of insecure file handlers and WebDAV misconfigurations. Organizations must:
– Enforce Email Filtering: Use regex to block `.url` files in emails.
– Network Segmentation: Restrict WebDAV servers to isolated VLANs.
– Logging: Enable PowerShell transcript logging through the "Turn on PowerShell Transcription" policy or its registry equivalent (`Enable-PSRemoting` only enables remoting and does not turn on transcription):
```
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 1 /f
```
– Linux Countermeasures:
```bash
sudo apt purge davfs2                              # remove the WebDAV client if unused
sudo iptables -A INPUT -p tcp --dport 445 -j DROP  # block SMB/WebDAV
```
– Windows Hardening:
```powershell
Set-SmbServerConfiguration -EncryptData $true -Force
```
Expected Output:
- Patched systems with no `.url` execution via WebDAV.
- Alerts triggered for anomalous `rundll32.exe url.dll` activity.
Reference: Check Point Research – Stealth Falcon Exploit
Prediction:
APT groups will likely pivot to exploiting unpatched Exchange servers or IoT devices as `.url` patches roll out globally. Expect phishing campaigns mimicking patch notifications.
Expected Output:
- Detection of CVE-2025-33053 exploitation attempts.
- Blocked inbound `.url` attachments via transport rules.
- Disabled WebDAV services on critical endpoints.
Reported By: 0x534c Stealth – Hackers Feeds


