Yesterday, in Microsoft's Patch Tuesday, a zero-day vulnerability was patched that has already been exploited in the wild. The zero-day was used by the cyber-espionage group Stealth Falcon and was reported by Check Point.
After a successful phishing attempt, the user executes a .url file that exploits the vulnerability to reach an attacker-owned WebDAV server hosting a particular binary. The vulnerability exists because Windows looks for the binary through the WebDAV link before searching for the legitimate copy on the local machine, so the attackers achieve remote code execution. We are releasing a lab on hunting for exploitation of this vulnerability to help teams build effective threat detections.
Why should our customers care?
This is a newly patched vulnerability that has already been used as part of a threat group's attack chain, so it is worth knowing what indicators of compromise this kind of exploitation leaves behind.
Who is it for?
Here is the link to the lab: https://immersivelabs.online/labs/stealth-falcon-cve-2025-33053-webdav-server-exploitation
As part of the Container 7 team, we have also released threat detections covering both binaries used in the campaigns that exploited CVE-2025-33053. You can find them here:
https://github.com/Immersive-Labs-Sec/SigmaRules/blob/main/cve-2025-33053-iediagcmd-exploit.yml
https://github.com/Immersive-Labs-Sec/SigmaRules/blob/main/cve-2025-33053-CustomShellHost-exploit.yml
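As an added hunting example (not the lab's content and not the Sigma rules linked above), the script below applies the search-order condition described earlier to process-creation telemetry: it flags events whose image or working directory resolves to a WebDAV UNC path, and children of the two binaries named in the rule filenames that were launched from a remote path. The Sysmon Event ID 1 field names (Image, ParentImage, CurrentDirectory) are real; the sample events are constructed, and the three checks are heuristics assumed here.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 field names),
# one event per line, fields separated by " | " as key=value. Not real telemetry.
SAMPLE_EVENTS = """\
Image=C:\\Windows\\System32\\route.exe | ParentImage=C:\\Program Files\\Internet Explorer\\iediagcmd.exe | CurrentDirectory=C:\\Users\\alice\\
Image=\\\\203.0.113.10@80\\DavWWWRoot\\route.exe | ParentImage=C:\\Program Files\\Internet Explorer\\iediagcmd.exe | CurrentDirectory=\\\\203.0.113.10@80\\DavWWWRoot\\
Image=C:\\Windows\\System32\\notepad.exe | ParentImage=C:\\Windows\\explorer.exe | CurrentDirectory=\\\\files.example@SSL@443\\DavWWWRoot\\docs\\
Image=C:\\Windows\\System32\\cmd.exe | ParentImage=C:\\Windows\\explorer.exe | CurrentDirectory=\\\\fileserver\\share\\
"""

# Windows WebDAV Mini-Redirector UNC forms: \\host@80\..., \\host@SSL@443\...,
# or \\host\DavWWWRoot\...  A plain SMB UNC (\\host\share) does not match.
WEBDAV_UNC = re.compile(r"^\\\\[^\\]+?(?:(?:@SSL|@\d+)+\\|\\DavWWWRoot\\)", re.IGNORECASE)

# Parents taken from the two Sigma rule filenames above (assumed relevant here).
SUSPICIOUS_PARENTS = {"iediagcmd.exe", "customshellhost.exe"}

def parse_event(line):
    """Turn 'k=v | k=v' into a dict of Sysmon field names to values."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def is_webdav_path(path):
    return bool(WEBDAV_UNC.match(path))

def classify(event):
    """Return the list of findings for one process-creation event."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cwd = event.get("CurrentDirectory", "")
    findings = []
    if is_webdav_path(image):
        findings.append("image executed from WebDAV share")
    if is_webdav_path(cwd) and not is_webdav_path(image):
        findings.append("local binary started with WebDAV working directory")
    if parent in SUSPICIOUS_PARENTS and image.startswith("\\\\"):
        findings.append(f"{parent} spawned child from remote path")
    return findings

def hunt(log_text):
    """Return (line number, findings) for every event that triggers a check."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            findings = classify(parse_event(line))
            if findings:
                hits.append((n, findings))
    return hits

if __name__ == "__main__":
    for n, findings in hunt(SAMPLE_EVENTS):
        print(f"event {n}: " + "; ".join(findings))
```

Running it flags events 2 and 3 only; event 4, a plain SMB share as working directory, is deliberately left alone to keep the hunt focused on WebDAV resolution.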