
At Synapse, we are committed to helping organisations stay ahead of emerging cyber threats. A recently identified spear phishing campaign is actively exploiting a zero-day vulnerability to infiltrate networks, evade detection, and compromise sensitive data.
Here we break down what you need to know…
Attack Summary
1. Initial Access – Spear Phishing
The attack begins with a targeted phishing email containing a disguised attachment. Although it appears to be a standard PDF, the file is actually a .url shortcut — a tactic designed to mislead users into opening it.
2. Delivery & Exploitation
Once the .url file is opened, it exploits a zero-day vulnerability, CVE-2025-33053, by invoking the Internet Explorer Diagnostics utility (iediagcmd.exe). This process is manipulated to connect to an attacker-controlled WebDAV server. Windows then executes a malicious version of route.exe from this location, due to its default search order behaviour — allowing the attacker to run unauthorised code under the guise of a trusted utility.
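One way to surface the search-order hijack step in endpoint telemetry, as an added example that is not part of the original post or Synapse's tooling: a Python check over constructed, Sysmon-style process-creation events that flags route.exe running from anywhere other than the Windows system directory, from a UNC/WebDAV path, or as a child of iediagcmd.exe (the field names Image/ParentImage, the iediagcmd.exe install path and the sample events are assumptions).

```python
import re
from typing import Iterable

# Windows utilities that should only ever run from the system directories.
SYSTEM_BINARIES = {"route.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# UNC paths, including the WebDAV redirector form \\host@80\DavWWWRoot\...
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def classify(event: dict) -> list[str]:
    """Return the reasons an event looks like the hijack (empty = benign)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    name = image.rsplit("\\", 1)[-1]
    reasons = []
    if name in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} executed outside the system directory")
    if UNC_RE.match(image):
        reasons.append("image loaded from a UNC/WebDAV path")
    if parent.endswith("\\iediagcmd.exe") and name in SYSTEM_BINARIES:
        reasons.append("system utility spawned by iediagcmd.exe")
    return reasons


def scan(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Run classify() over a stream of events and keep only the hits."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev["Image"], reasons))
    return hits


# Constructed sample events (assumed field names, not real campaign telemetry;
# 203.0.113.10 is a documentation address).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\route.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "\\\\203.0.113.10@80\\DavWWWRoot\\route.exe",
     "ParentImage": "C:\\Program Files\\Internet Explorer\\iediagcmd.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Only the second sample event is reported, with all three reasons; the legitimate route.exe in System32 passes.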
3. Payload Deployment
The loader decrypts and stages a large payload concealed within a list of IPv6 addresses — a stealthy obfuscation method known as IPfuscation. This allows the payload to bypass traditional security filters and remain under the radar.
4. Execution of Horus Loader
At the core of the attack is the Horus Loader, a C++-based executable that employs code virtualisation to resist reverse engineering. It is signed with an outdated certificate to further evade detection by outdated or misconfigured security tools.
5. Defence Evasion
Before proceeding, the loader scans the environment for antivirus tools or endpoint protection platforms. Based on its findings, it adjusts its execution path to minimise the risk of discovery.
6. Post-Exploitation Activity
Once the malware is embedded in the network, the attacker escalates their actions, including:
- Harvesting Active Directory and Domain Controller credentials using DC Credential Dumper.
- Deploying a passive backdoor for remote command and control.
- Installing a keylogger to capture user credentials and other sensitive information.
How to Protect Your Organisation
To mitigate the risk of similar attacks, our team of experts recommend the following immediate actions:
- Block .url file extensions in email gateways and endpoint controls.
- Apply security updates promptly, especially for Microsoft products.
- Deploy advanced endpoint detection and response (EDR) solutions capable of identifying obfuscation and code injection techniques.
- Adopt a Zero Trust approach to access control and privilege management.
- Educate employees on recognising phishing attempts and reporting suspicious emails.
Stay Informed. Stay Secure.
This series of attacks is a reminder that attackers are continuously evolving their techniques. Proactive threat detection, layered defences, and user awareness remain critical.
If you would like guidance on securing your systems, implementing Zero Trust architecture, or improving your threat response capabilities, please get in touch with the Synapse team.