Stealth Falcon’s WebDAV Zero‑Day: How a Windows URI Handler Bug Fueled Targeted RCE Since March

Stealth Falcon’s WebDAV Zero‑Day: How a Windows URI Handler Bug Fueled Targeted RCE Since March

A state-aligned threat group known as Stealth Falcon quietly weaponized a Windows WebDAV zero‑day starting in March, chaining URI handler mis-parsing with network share semantics to execute code on fully patched systems. This post unpacks what happened, how the exploit works, who’s at risk, and how to detect and mitigate similar tradecraft in your environment.

Background

Stealth Falcon, a long-tracked APT associated with surveillance operations against journalists, dissidents, and government entities in the Middle East and beyond, has a history of leveraging Windows ecosystem edge-cases and living-off-the-land techniques. In this campaign, the group exploited a zero‑day involving Windows’ handling of WebDAV paths via specially crafted links delivered through spearphishing emails and chat apps. The activity began in March and focused on government, defense, and policy organizations, with lures themed around diplomatic cables and procurement documents. Victims reported compromise after opening seemingly benign Office documents or clicking links that invoked a WebDAV share hosted by attacker infrastructure.

Technical Analysis

The core issue exploited here lies at the intersection of Windows URI handling and the WebDAV client stack, enabling an attacker-controlled remote share to trigger code execution with minimal user interaction. The attack chain, as observed in telemetry and reporting, follows a pattern:

1) Delivery: The victim receives a link or document embedding a URI that references a remote WebDAV path (for example, a link using an Office protocol handler or a crafted file:// or http(s):// path that resolves to a WebDAV endpoint). Attackers often used shortened URLs or HTML smuggling to conceal the final resource.
2) Invocation: When the user clicks or previews the resource, Windows resolves the path and negotiates WebDAV (HTTP methods such as PROPFIND/OPTIONS) to mount a network share-like view of the attacker’s server. This can be triggered by Office, Explorer previews, or other shell helpers depending on the container application.
3) Handler and path confusion: The vulnerability class is a URI/UNC path parsing flaw combined with insufficient trust boundaries around remote WebDAV content, allowing scriptable or executable content to be invoked in contexts that should be non-executable or require stronger prompts. In some flows, file extension/zone checks are bypassed or downgraded due to the way the shell treats WebDAV resources relative to local zone policy and Mark-of-the-Web (MOTW).
4) Code execution: Attackers serve a controlled payload—commonly a signed-but-abused binary (LOLBin) with a malicious configuration, a malicious shortcut (.lnk), or a containerized script (e.g., HTA/JS/WSF) that is launched via the shell. In certain observed cases, a sideloading step follows, where a benign executable loads a malicious DLL from the remote path. This yields user-context RCE and a stable beachhead.

Artifacts seen across incidents include:
- Attacker domains presenting DAV responses and serving .lnk, .url, or containerized script files.
- Windows shell invoking WebClient (WebDAV Mini-Redirector) and subsequent child processes such as rundll32.exe, regsvr32.exe, mshta.exe, or wscript.exe.
- Abused signed binaries (LOLbins) to establish persistence or stage second‑stage implants.
- Limited telemetry prompts or misleading prompts that did not prevent execution due to the parsing/zone mishandling.

Proof of concept (safe outline): A minimal PoC would host a DAV endpoint (e.g., using Apache with mod_dav) and expose a crafted .lnk or HTA. A link embedded in an HTML email or document points to the DAV path. When opened, Windows negotiates WebDAV and renders the file in a context that can launch a script host. Disclosure-safe note: Do not deploy such PoCs outside an isolated lab and ensure payloads are inert.

Why this worked: WebDAV integrates deeply with legacy Windows shell behaviors. Small discrepancies in how URIs are normalized (e.g., mixing file://, http(s)://, UNC-like paths, and encoded characters) can cause the system to treat remote content with insufficient trust checks. The zero‑day abused these inconsistencies to collapse user friction and achieve execution.

Impact & Implications

Who’s affected: Any Windows environment with WebClient (WebDAV Mini-Redirector) enabled is potentially exposed, particularly where Office, email clients, or browsers permit invocation of external handlers or preview mechanisms. High-value targets—government, defense, policy institutes, and contractors—are at increased risk due to tailored lures and the group’s operational objectives.

Why it matters: WebDAV sits at a tricky boundary of networking and shell ergonomics. Even mature hardening baselines can be undermined if remote content is treated as semi-trusted by system components. The technique is attractive to APTs because it blends social engineering with OS-native protocols, minimizing malware on disk and leaving sparse traces. Organizations relying solely on attachment scanning or macro blocking may miss this class of path/handler exploitation.

Broader implications: Expect continued exploitation of URI/handler confusion bugs, remote share semantics (SMB/WebDAV), and LOLBins to reduce exploit complexity. As vendors tighten Office macro and MOTW policies, adversaries pivot to transport/handler edges where policies are less consistent.

Defensive Recommendations

Immediate actions:
- Patch: Apply Microsoft’s security updates addressing WebDAV/URI handler issues as soon as available. Track recent cumulative updates and out-of-band advisories for WebClient and shell components.
- Disable or restrict WebDAV: Where feasible, disable the WebClient service on endpoints that do not require WebDAV. For managed fleets, enforce via GPO/MDM. Consider segmenting outbound DAV (HTTP verbs) via proxy policy for non-approved destinations.
- Harden URI handlers: Use enterprise policy to restrict risky protocol handlers (ms-mshta, ms-excel, ms-word, etc.) and block execution of script hosts (wscript, mshta) where business need is absent. Enforce ASR rules to block Office from creating child processes and to prevent executable content from email and web clients.
- Enforce MOTW and SmartScreen: Ensure MOTW is preserved end-to-end. Validate that file downloads retain zone identifiers and that SmartScreen/WDAC policies are active.
- Application control: Deploy WDAC or AppLocker allowlists to block script interpreters and unsigned binaries from user-writable and remote paths. Disable DLL search order hijacking vectors by blocking remote DLL loads where possible.
- Network detections: Monitor DAV methods (PROPFIND/OPTIONS/PUT) to non-approved domains. Alert on WebClient network activity to internet hosts. Flag sudden spikes of WebDAV traffic and resolution of suspicious domains.
- Endpoint detections: Hunt for parent/child chains involving explorer.exe or office apps spawning mshta.exe, wscript.exe, rundll32.exe, or regsvr32.exe, especially when the command line references remote paths or WebDAV mounts. Look for module loads from WebDAV paths in EDR telemetry.
- Email and collaboration controls: Detonate links in sandbox, strip or rewrite suspicious URLs, and block HTML smuggling patterns. Educate users that clicking network-share-like links in documents can execute code.

For incident response:
- Scope: Query EDR for WebClient service usage and process trees tied to Office/email clients leading to LOLBins. Collect SRUM/ETW/EDR logs for DAV sessions and shell link executions.
- Contain: Block attacker DAV infrastructure at perimeter, rotate credentials, and review persistence points (Run keys, Scheduled Tasks, WMI).
- Forensics: Preserve $MFT, Prefetch, ShimCache, AmCache, and RAPID7/OSQuery-style artifacts for remote path executions; hash and analyze any retrieved LNK/HTA/DLLs.

Conclusion

Stealth Falcon’s campaign underscores how protocol and handler edge-cases can rival classic memory corruption in impact. As vendors harden macros and scripting defaults, expect more abuse of WebDAV, SMB, and URI normalization ambiguities. Prioritize patching, reduce attack surface by disabling unneeded services like WebClient, and tighten application control. Most importantly, tune detections for remote path execution and suspicious child-process chains from office productivity apps—these are the canaries for the next wave of handler exploits.