Alert: Sophisticated Spear Phishing Attack Exploiting Zero-Day Vulnerability

At Synapse, we are committed to helping organisations stay ahead of emerging cyber threats. A recently identified spear phishing campaign is actively exploiting a zero-day vulnerability to infiltrate networks, evade detection, and compromise sensitive data.

Here we break down what you need to know…

Attack Summary

1. Initial Access – Spear Phishing

The attack begins with a targeted phishing email containing a disguised attachment. Although it appears to be a standard PDF, the file is actually a .url shortcut — a tactic designed to mislead users into opening it.

2. Delivery & Exploitation

Once the .url file is opened, it exploits a zero-day vulnerability, CVE-2025-33053, by invoking the Internet Explorer Diagnostics utility (iediagcmd.exe). This process is manipulated to connect to an attacker-controlled WebDAV server. Windows then executes a malicious version of route.exe from this location, due to its default search order behaviour — allowing the attacker to run unauthorised code under the guise of a trusted utility.

3. Payload Deployment

The loader decrypts and stages a large payload concealed within a list of IPv6 addresses — a stealthy obfuscation method known as IPfuscation. This allows the payload to bypass traditional security filters and remain under the radar.

4. Execution of Horus Loader

At the core of the attack is the Horus Loader, a C++-based executable employing code virtualisation to resist reverse engineering. It is signed with an outdated certificate to further evade detection by outdated or misconfigured security tools.

5. Defence Evasion

Before proceeding, the loader scans the environment for antivirus tools or endpoint protection platforms. Based on its findings, it adjusts its execution path to minimise the risk of discovery.

6. Post-Exploitation Activity

Once the malware is embedded in the network, the attacker escalates their actions, including:

  • Harvesting Active Directory and Domain Controller credentials using DC Credential Dumper.
  • Deploying a passive backdoor for remote command and control.
  • Installing a keylogger to capture user credentials and other sensitive information.
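One way to surface the delivery stage (step 2) in endpoint telemetry, as an added example that is not part of the original advisory: it flags process-creation events where iediagcmd.exe launches a child executable from outside the Windows system directories, which is what the search-order hijack of route.exe looks like from a defender's side. The event field names, file paths and WebDAV host below are constructed assumptions, not indicators from this campaign.

```python
import ntpath
from typing import Dict, List, Optional

# Constructed sample process-creation events in a Sysmon Event ID 1 style.
# Field names and the WebDAV host are assumptions for this example only.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: route.exe resolved from System32 as intended
        "ParentImage": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
        "Image": r"C:\Windows\System32\ROUTE.EXE",
    },
    {   # suspicious: route.exe served from a remote WebDAV share
        "ParentImage": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
        "Image": r"\\webdav.example.invalid\DavWWWRoot\route.exe",
    },
    {   # unrelated process tree, must not match
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
    },
]

# Directories where the genuine route.exe is expected to live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def is_system_path(image: str) -> bool:
    """True when the executable's directory is a Windows system directory."""
    return ntpath.dirname(image).lower().rstrip("\\") in SYSTEM_DIRS

def is_unc_path(image: str) -> bool:
    """UNC paths (\\\\host\\share\\...) are how WebDAV-served files appear."""
    return image.startswith("\\\\")

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert string for the search-order hijack pattern, else None."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if parent != "iediagcmd.exe" or is_system_path(event["Image"]):
        return None  # expected behaviour: children resolved from System32
    origin = "remote UNC/WebDAV path" if is_unc_path(event["Image"]) else "non-system path"
    severity = "HIGH" if child == "route.exe" else "MEDIUM"
    return f"{severity}: iediagcmd.exe launched {child} from {origin}: {event['Image']}"

def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Run classify() over a batch of events and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The same rule ports directly to an EDR or SIEM query: parent image ends with iediagcmd.exe and the child image path is not under System32 or SysWOW64.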

How to Protect Your Organisation

To mitigate the risk of similar attacks, our team of experts recommend the following immediate actions:

  • Block .url file extensions in email gateways and endpoint controls.
  • Apply security updates promptly, especially for Microsoft products.
  • Deploy advanced endpoint detection and response (EDR) solutions capable of identifying obfuscation and code injection techniques.
  • Adopt a Zero Trust approach to access control and privilege management.
  • Educate employees on recognising phishing attempts and reporting suspicious emails.

Stay Informed. Stay Secure.

This series of attacks is a reminder that attackers are continuously evolving their techniques. Proactive threat detection, layered defences, and user awareness remain critical.

If you would like guidance on securing your systems, implementing Zero Trust architecture, or improving your threat response capabilities, please get in touch with the Synapse team.
