Posts on Security, Cloud, DevOps, Citrix, VMware and others.
Words and views are my own and do not reflect my company's views.
Disclaimer: some of the links on this site are affiliate links, if you click on them and make a purchase, I make a commission.
A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a "commercial-grade" Android spyware dubbed LANDFALL in targeted attacks in the Middle East.
The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the "libimagecodec.quram.so" component that could allow remote attackers to execute arbitrary code, according to Palo Alto Networks Unit 42. The issue was addressed by Samsung in April 2025.
"This vulnerability was actively exploited in the wild before Samsung patched it in April 2025, following reports of in-the-wild attacks," Unit 42 said. Potential targets of the activity, tracked as CL-UNK-1054, are located in Iraq, Iran, Turkey, and Morocco based on VirusTotal submission data.
The development comes as Samsung disclosed in September 2025 that another flaw in the same library (CVE-2025-21043, CVSS score: 8.8) had also been exploited in the wild as a zero-day. There is no evidence of this security flaw being weaponized in the LANDFALL campaign.
It's assessed that the attacks involved sending malicious images via WhatsApp in the form of DNG (Digital Negative) files, with evidence of LANDFALL samples going all the way back to July 23, 2024. This is based on DNG artifacts bearing names like "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg" and "IMG-20240723-WA0000.jpg."
LANDFALL, once installed and executed, acts as a comprehensive spy tool, capable of harvesting sensitive data, including microphone recording, location, photos, contacts, SMS, files, and call logs. The exploit chain is said to have likely involved the use of a zero-click approach to trigger exploitation of CVE-2025-21042 without requiring any user interaction.
Flowchart for LANDFALL spyware
It's worth noting that around the same time WhatsApp disclosed that a flaw in its messaging app for iOS and macOS (CVE-2025-55177, CVSS score: 5.4) was chained along with CVE-2025-43300 (CVSS score: 8.8), a flaw in Apple iOS, iPadOS, and macOS, to potentially target less than 200 users as part of a sophisticated campaign. Apple and WhatsApp have since patched the flaws.
Timeline for recent malicious DNG image files and associated exploit activity
Unit 42's analysis of the discovered DNG files shows that they come with an embedded ZIP file appended to the end of the file, with the exploit being used to extract a shared object library from the archive to run the spyware. Also present in the archive is another shared object that's designed to manipulate the device's SELinux policy to grant LANDFALL elevated permissions and facilitate persistence.
The shared object that loads LANDFALL also communicates with a command-and-control (C2) server over HTTPS to enter into a beaconing loop and receive unspecified next-stage payloads for subsequent execution.
It's currently not known who is behind the spyware or the campaign. That said, Unit 42 said LANDFALL's C2 infrastructure and domain registration patterns dovetail with those of Stealth Falcon (aka FruityArmor), although, as of October 2025, no direct overlaps between the two clusters have been detected.
"From the initial appearance of samples in July 2024, this activity highlights how sophisticated exploits can remain in public repositories for an extended period before being fully understood," Unit 42 said.
from The Hacker News https://ift.tt/DzQauER
via IFTTT
A China-linked threat actor has been attributed to a cyber attack targeting a U.S. non-profit organization with an aim to establish long-term persistence, as part of broader activity aimed at U.S. entities that are linked to or involved in policy issues.
The organization, according to a report from Broadcom's Symantec and Carbon Black teams, is "active in attempting to influence U.S. government policy on international issues." The attackers managed to gain access to the network for several weeks in April 2025.
The first sign of activity occurred on April 5, 2025, when mass scanning efforts were detected against a server by leveraging various well-known exploits, including CVE-2022-26134 (Atlassian), CVE-2021-44228 (Apache Log4j), CVE-2017-9805 (Apache Struts), and CVE-2017-17562 (GoAhead Web Server).
No further actions were recorded until April 16, when the attackers executed several curl commands to test internet connectivity, after which the Windows command-line tool netstat was executed to collect network configuration information. This was followed by setting up persistence on the host by means of a scheduled task.
The task was designed to execute a legitimate Microsoft binary "msbuild.exe" to run an unknown payload, as well as create another scheduled task that's configured to run every 60 minutes as a high-privileged SYSTEM user.
This new task, Symantec and Carbon Black said, was capable of loading and injecting unknown code into "csc.exe" that ultimately established communications with a command-and-control (C2) server ("38.180.83[.]166"). Subsequently, the attackers were observed executing a custom loader to unpack and run an unspecified payload, likely a remote access trojan (RAT) in memory.
Also observed was the execution of the legitimate Vipre AV component ("vetysafe.exe") to sideload a DLL loader ("sbamres.dll"). This component is also said to have been used for DLL side-loading in connection with Deed RAT (aka Snappybee) in prior activity attributed to Salt Typhoon (aka Earth Estries), and in attacks attributed to Earth Longzhi, a sub-cluster of APT41.
"A copy of this malicious DLL was previously used in attacks linked to the China-based threat actors known as Space Pirates," Broadcom said. "A variant of this component, with a different filename, was also used by the Chinese APT group Kelp (aka Salt Typhoon) in a separate incident."
Some of the other tools observed in the targeted network included Dcsync and Imjpuexc. It's not clear how successful the attackers were in their efforts. No additional activity was registered after April 16, 2025.
"It is clear from the activity on this victim that the attackers were aiming to establish a persistent and stealthy presence on the network, and they were also very interested in targeting domain controllers, which could potentially allow them to spread to many machines on the network," Symantec and Carbon Black said.
"The sharing of tools among groups has been a long-standing trend among Chinese threat actors, making it difficult to say which specific group is behind a set of activities."
The disclosure comes as a security researcher who goes by the online moniker BartBlaze disclosed Salt Typhoon's exploitation of a security flaw in WinRAR (CVE-2025-8088) to initiate an attack chain that sideloads a DLL responsible for running shellcode on the compromised host. The final payload is designed to establish contact with a remote server ("mimosa.gleeze[.]com").
According to a report from ESET, China-aligned groups have continued to remain active, striking entities across Asia, Europe, Latin America, and the U.S. to serve Beijing's geopolitical priorities. Some of the notable campaigns include -
The targeting of the energy sector in Central Asia by a threat actor codenamed Speccom in July 2025 via phishing emails to deliver a variant of BLOODALCHEMY and custom backdoors such as kidsRAT and RustVoralix.
The targeting of European organizations by a threat actor codenamed DigitalRecyclers in July 2025, using an unusual persistence technique that involved the use of the Magnifier accessibility tool to gain SYSTEM privileges.
The targeting of governmental entities in Latin America (Argentina, Ecuador, Guatemala, Honduras, and Panama) between June and September 2025 by a threat actor codenamed FamousSparrow that likely exploited ProxyLogon flaws in Microsoft Exchange Server to deploy SparrowDoor.
The targeting of a Taiwanese company in the defense aviation sector, a U.S. trade organization based in China, the China-based offices of a Greek governmental entity, and an Ecuadorian government body between May and September 2025 by a threat actor codenamed SinisterEye (aka LuoYu and Cascade Panda) to deliver malware like WinDealer (for Windows) and SpyDealer (for Android) using adversary-in-the-middle (AitM) attacks to hijack legitimate software update mechanisms.
The targeting of a Japanese company and a multinational enterprise, both in Cambodia, in June 2025 by a threat actor codenamed PlushDaemon by means of AitM poisoning to deliver SlowStepper.
"PlushDaemon achieves AitM positioning by compromising network devices such as routers, and deploying a tool that we have named EdgeStepper, which redirects DNS traffic from the targeted network to a remote, attacker-controlled DNS server," ESET said.
"This server responds to queries for domains associated with software update infrastructure with the IP address of the web server that performs the update hijacking and ultimately serves PlushDaemon's flagship backdoor, SlowStepper."
Chinese Hacking Groups Target Misconfigured IIS Servers
In recent months, threat hunters have also spotted a Chinese-speaking threat actor targeting misconfigured IIS servers using publicly exposed machine keys to install a backdoor called TOLLBOOTH (aka HijackServer) that comes with SEO cloaking and web shell capabilities.
"REF3927 abuses publicly disclosed ASP.NET machine keys to compromise IIS servers and deploy TOLLBOOTH SEO cloaking modules globally," Elastic Security Labs researchers said in a report published late last month. Per HarfangLab, the operation has infected hundreds of servers around the world, with infections concentrated in India and the U.S.
The attacks are also characterized by attempts to weaponize the initial access to drop the Godzilla web shell, execute GotoHTTP remote access tool, use Mimikatz to harvest credentials, and deploy HIDDENDRIVER, a modified version of the open source rootkit Hidden, to conceal the presence of malicious payloads on the infected machine.
It's worth pointing out that the cluster is the latest addition to a long list of Chinese threat actors, such as GhostRedirector, Operation Rewrite, and UAT-8099, that have targeted IIS servers, indicating a surge in such activity.
"While the malicious operators appear to be using Chinese as their main language and leveraging the compromises to support search engine optimization (SEO), we notice that the deployed module offers a persistent and unauthenticated channel which allows any party to remotely execute commands on affected servers," the French cybersecurity company said.
from The Hacker News https://ift.tt/sh791wE
via IFTTT
The Good | Authorities Crack Down on Ransomware, Crypto Fraud & DPRK Laundering Ops
Three ex-employees of cybersecurity firms DigitalMint and Sygnia have been indicted for participating in BlackCat (aka ALPHV) ransomware attacks on five U.S. companies between May and November 2023.
The defendants allegedly acted as BlackCat affiliates, breaching networks, stealing data, deploying encryption malware, and demanding cryptocurrency ransoms. Victims included medical, pharmaceutical, and engineering firms. Prosecutors say the ransom demands ranged from $300,000 to $10 million, with one company paying out $1.27 million. The trio faces up to 50 years each in prison if convicted.
Also this week, the U.S. Treasury sanctioned two North Korean financial institutions and eight individuals for laundering cryptocurrency stolen via fraudulent IT worker schemes. The designated include Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), along with executives and bankers responsible for managing funds linked to ransomware attacks and UN sanctions violations.
OFAC says that over the last 3 years DPRK-affiliated cybercriminals have stolen more than $3 billion in cryptocurrency using malware and social engineering. The sanctions freeze U.S. assets and warn that transactions with these entities risk secondary penalties.
In Europe, authorities have arrested nine suspects involved in a cryptocurrency fraud network responsible for stealing over €600 million ($689 million) across multiple countries. The criminals allegedly created fake crypto investment platforms that promised high returns and recruited victims through social media, cold calls, and fake endorsements from celebrity investors. Victims lost their funds while the suspects laundered the stolen assets using blockchain tools. In operations coordinated by Eurojust in Cyprus, Spain, and Germany, law enforcement seized cash, crypto, and bank accounts.
The Bad | SleepyDuck Trojan Exploits Ethereum Smart Contracts to Evade Takedown
A new remote access trojan (RAT) dubbed ‘SleepyDuck’ has been masquerading as a well-used Solidity extension on the Open VSX open-source registry, researchers say. The malware uses Ethereum smart contracts to manage its command and control (C2) communications, helping it to maintain persistence even if its main server is taken down.
Initially benign when published on October 31, the infected extension, juan-bianco.solidity-vlang, became malicious after an update made the following day, by which time it had already been downloaded 14,000 times. For now, the extension remains available on Open VSX with a public warning. In total, it has been downloaded over 53,000 times.
Solidity VSCode warning (Source: Secure Annex)
Security researchers report that SleepyDuck activates when the code editor starts, a Solidity file opens, or when a compile command runs. It disguises its malicious activity through a fake webpack.init() function from extension.js, while secretly executing payloads that collect system information such as hostnames, usernames, MAC addresses, and timezones.
After it is triggered, the trojan queries the Ethereum blockchain to find the fastest RPC provider, read its C2 details, and enter a polling loop for new instructions. This blockchain-based C2 redundancy means that even if the main C2 domain (sleepyduck[.]xyz) is disabled, the malware can still fetch updated addresses or commands from the blockchain, making takedown efforts much more difficult.
In response, Open VSX has introduced new security measures, including shorter token lifetimes, automated scans, revoking any leaked credentials, and working in coordination with VS Code to block emerging threats. Best practices for developers include verifying extension publishers and installing software only from trusted repositories to avoid supply-chain compromises.
The Ugly | Iran-Based Actors Target U.S. Policy Experts in New Espionage Campaign
Between June and August, a newly identified threat cluster dubbed ‘UNK_SmudgedSerpent’ launched a series of targeted cyberattacks against U.S.-based academics and foreign policy experts focused on the Middle East. The campaign, coinciding with rising Iran-Israel tensions, uses politically-themed lures related to Iranian domestic affairs and the militarization of the Islamic Revolutionary Guard Corps (IRGC).
Researchers say the threat actors behind the campaign initiated attacks with benign email exchanges before introducing phishing links impersonating prominent U.S. foreign policy figures and think tank institutions like the Brookings Institution and Washington Institute.
The targeted victims, over 20 U.S.-based experts on Iran-related policy, were enticed to open malicious meeting documents and login pages designed to harvest their Microsoft account credentials. In some attacks, the attackers sent URLs leading to fake MS Teams login pages but pivoted to spoofed OnlyOffice sites if the victim grew suspicious.
Example of UNK_smudgedserpent phishing email (Source: Proofpoint)
Clicking the links led to the download of malicious MSI installers disguised as Microsoft Teams, which then deployed legitimate remote monitoring and management (RMM) software like PDQ Connect. Subsequent activity suggests attackers manually installed additional tools such as ISL Online, indicating possible hands-on-keyboard intrusion.
Researchers note that the operation’s tactics mirror those of known Iranian cyberespionage groups such as TA455 (aka UNC1549, Smoke Sandstorm), TA453 (aka TunnelVision, APT 35, UNC788), and TA450 (aka TEMP.Zagros).
The researchers believe UNK_SmudgedSerpent’s campaigns are part of a broader collection effort by Iranian intelligence aimed at gathering insights from Western experts on regional policy, academic analyses, and strategic technologies.
A set of nine malicious NuGet packages has been identified as capable of dropping time-delayed payloads to sabotage database operations and corrupt industrial control systems.
According to software supply chain security company Socket, the packages were published in 2023 and 2024 by a user named "shanhai666" and are designed to run malicious code after specific trigger dates in August 2027 and November 2028. The packages were collectively downloaded 9,488 times.
"The most dangerous package, Sharp7Extend, targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures that begin 30-90 minutes after installation, affecting safety-critical systems in manufacturing environments," security researcher Kush Pandya said.
The list of malicious packages is below -
MyDbRepository (Last updated on May 13, 2023)
MCDbRepository (Last updated on June 5, 2024)
Sharp7Extend (Last updated on August 14, 2024)
SqlDbRepository (Last updated on October 24, 2024)
SqlRepository (Last updated on October 25, 2024)
SqlUnicornCoreTest (Last updated on October 26, 2024)
SqlUnicornCore (Last updated on October 26, 2024)
SqlUnicorn.Core (Last updated on October 27, 2024)
SqlLiteRepository (Last updated on October 28, 2024)
Socket said all nine rogue packages work as advertised, allowing the threat actors to build trust among downstream developers who may end up downloading them without realizing they come embedded with a logic bomb inside that's scheduled to detonate in the future.
The threat actor has been found to publish a total of 12 packages, with the remaining three working as intended without any malicious functionality. All of them have been removed from NuGet. Sharp7Extend, the company added, is designed to target users of the legitimate Sharp7 library, a .NET implementation for communicating with Siemens S7 programmable logic controllers (PLCs).
While bundling Sharp7 into the NuGet package lends it a false sense of security, it belies the fact that the library stealthily injects malicious code when an application performs a database query or PLC operation by exploiting C# extension methods.
"Extension methods allow developers to add new methods to existing types without modifying the original code – a powerful C# feature that the threat actor weaponizes for interception," Pandya explained. "Each time an application executes a database query or PLC operation, these extension methods automatically execute, checking the current date against trigger dates (hardcoded in most packages, encrypted configuration in Sharp7Extend)."
Once a trigger date is passed, the malware terminates the entire application process with a 20% probability. In the case of Sharp7Extend, the malicious logic is activated immediately following installation and continues until June 6, 2028, when the termination mechanism stops by itself.
The package also includes a feature to sabotage write operations to the PLC 80% of the time after a randomized delay of anywhere between 30 to 90 minutes. This also means that both the triggers – the random process terminations and write failures – are operational in tandem once the grace period elapses.
Certain SQL Server, PostgreSQL, and SQLite implementations associated with other packages, on the other hand, are set to trigger on August 8, 2027, (MCDbRepository) and November 29, 2028 (SqlUnicornCoreTest and SqlUnicornCore).
"This staggered approach gives the threat actor a longer window to collect victims before the delayed-activation malware triggers, while immediately disrupting industrial control systems," Pandya said.
It's currently not known who is behind the supply chain attack, but Socket said source code analysis and the choice of the name "shanhai666" suggest that it may be the work of a threat actor, possibly of Chinese origin.
"This campaign demonstrates sophisticated techniques rarely combined in NuGet supply chain attacks," the company concluded. "Developers who installed packages in 2024 will have moved to other projects or companies by 2027-2028 when the database malware triggers, and the 20% probabilistic execution disguises systematic attacks as random crashes or hardware failures."
"This makes incident response and forensic investigation nearly impossible: organizations cannot trace the malware back to its introduction point, identify who installed the compromised dependency, or establish a clear timeline of compromise, effectively erasing the attack's paper trail."
from The Hacker News https://ift.tt/IB1EvMq
via IFTTT
Unit 42 researchers have uncovered a previously unknown Android spyware family, which we have named LANDFALL. To deliver the spyware, attackers exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library. The specific flaw LANDFALL exploited, CVE-2025-21042, is not an isolated case but rather part of a broader pattern of similar issues found on multiple mobile platforms.
This vulnerability was actively exploited in the wild before Samsung patched it in April 2025, following reports of in-the-wild attacks. However, the exploit itself — and the commercial-grade spyware used with it — have not yet been publicly reported and analyzed.
LANDFALL was embedded in malicious image files (DNG file format) that appear to have been sent via WhatsApp. This method closely resembles an exploit chain involving Apple and WhatsApp that drew attention in August 2025. It also resembles an exploit chain that likely occurred using a similar zero-day vulnerability (CVE-2025-21043) disclosed in September. Our research did not identify any unknown vulnerabilities in WhatsApp.
Importantly, our finding predates these disclosures — the LANDFALL campaign was already operating in mid-2024, using the zero-day Android/Samsung vulnerability (CVE-2025-21042) months before it was fixed.
The vulnerability has been patched since April 2025, so there is no ongoing risk to current Samsung users. In September, Samsung also patched another zero-day vulnerability (CVE-2025-21043) in the same image processing library, further protecting against this type of attack.
Our research looks back at historical exploitation that occurred before the patch, providing rare visibility into an advanced spyware operation that was publicly unreported.
Key findings:
LANDFALL is Android spyware specifically designed against Samsung Galaxy devices, used in targeted intrusion activities within the Middle East.
LANDFALL enabled comprehensive surveillance, including microphone recording, location tracking and collection of photos, contacts and call logs.
The spyware is delivered through malformed DNG image files exploiting CVE-2025-21042 — a critical zero-day vulnerability in Samsung’s image processing library, which was exploited in the wild.
The exploit chain possibly involved zero-click delivery using maliciously crafted images, similar to recent exploit chains seen on iOS and Samsung Galaxy.
The campaign shares infrastructure and tradecraft patterns with commercial spyware operations in the Middle East, indicating possible links to private-sector offensive actors (PSOAs).
LANDFALL remained active and undetected for months.
Palo Alto Networks customers are better protected through the following products and services:
In mid-2025, following the public disclosure of an exploit chain targeting iOS devices, we searched for samples of the iOS exploit. This led to our discovery of the Android spyware that we called LANDFALL.
Specifically, Unit 42 discovered several samples of DNG image files containing Android spyware used in an exploit chain targeting Samsung Galaxy devices. Our analysis confirmed these samples exploit CVE-2025-21042 to deliver LANDFALL, possibly via zero-click exploits on messaging applications.
Beginning the Hunt: The iOS Exploit Chain and How It Made Us Wonder
In August 2025, Apple issued OS security updates for its various products to address CVE-2025-43300, a zero-day vulnerability affecting DNG image parsing that attackers reportedly exploited in the wild.
That same month, WhatsApp reported a zero-day vulnerability, CVE-2025-55177, that was chained with the image-processing vulnerability for Apple platforms in sophisticated attacks targeting iOS devices. The WhatsApp vulnerability allowed attackers to force devices to process content from arbitrary URLs.
When the two vulnerabilities were combined in an exploit chain, this enabled zero-click remote code execution through maliciously crafted images sent via WhatsApp messages.
Given the disclosure of this in-the-wild exploit chain and the absence of publicly available exploit samples, we initiated a hunt for this activity. Our search led to the discovery of several previously undetected DNG image files containing embedded Android spyware that were uploaded to VirusTotal throughout 2024 and early 2025.
Judging by their filenames (e.g., WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg and IMG-20240723-WA0000.jpg), attackers likely delivered these samples via WhatsApp. Our analysis of the embedded spyware indicates it is designed for Samsung Galaxy devices.
Malformed DNG Image Files: A New Attack Vector Trend
Our analysis of LANDFALL spyware began with our discovery of malformed DNG image files. DNG stands for Digital Negative, and it is a raw image file format based on the TIFF image format. The malformed DNG image files we discovered have an embedded ZIP archive appended to the end of the file. Figure 1 shows one of these samples in a hex editor, indicating where the ZIP archive content begins near the end of the file.
Figure 1. Example of a malformed DNG image with an embedded ZIP archive.
Our analysis indicates these DNG files exploit CVE-2025-21042, a vulnerability in Samsung's image-processing library libimagecodec.quram.so that Samsung patched in April 2025. The exploit extracts shared object library (.so) files from the embedded ZIP archive to run LANDFALL spyware. Figure 2 below shows a flowchart for this spyware.
Figure 2. Flowchart for LANDFALL spyware.
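The appended-ZIP layout described here (and in the earlier news summary of the same report) can be checked for with a small scanner. This is an added example, not Unit 42's code: it verifies the TIFF/DNG magic, locates the ZIP end-of-central-directory record in the file tail, walks the central directory to list entry names, and uses the mismatch between the directory's recorded and actual position to compute where the appended archive starts. The sample image and the "b.so"/"l.so" entries are constructed placeholders, not malware; the scanner detects only the appended archive, not the exploit itself.

```python
import io
import struct
import zipfile

# DNG is TIFF-based: 4-byte byte-order/magic header, then the first-IFD offset.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory record
CDIR_SIG = b"PK\x01\x02"   # ZIP central-directory file header
EOCD_MIN = 22              # EOCD size without a trailing archive comment


def find_appended_zip(data: bytes):
    """Return {'zip_start', 'entries'} if a ZIP archive is appended to a TIFF/DNG, else None.

    The EOCD is searched for in the file tail (an archive comment of up to 65535
    bytes may follow it). The central directory immediately precedes the EOCD, and
    its recorded offset is relative to the archive start, so the difference between
    where the directory actually sits and where it claims to sit is the size of the
    data (here, the image) prepended to the archive.
    """
    if data[:4] not in TIFF_MAGICS:
        raise ValueError("not a TIFF/DNG file")
    tail_start = max(0, len(data) - (EOCD_MIN + 0xFFFF))
    eocd = data.rfind(EOCD_SIG, tail_start)
    if eocd == -1:
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries_total(2) cd_size(4) cd_offset(4)
    total_entries, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    cd_start = eocd - cd_size
    zip_start = cd_start - cd_offset
    if cd_start < 0 or zip_start < 0 or data[cd_start:cd_start + 4] != CDIR_SIG:
        return None
    entries = []
    pos = cd_start
    for _ in range(total_entries):
        if data[pos:pos + 4] != CDIR_SIG:
            break
        # Central-directory header: sizes at +20/+24, name/extra/comment lengths at +28, name at +46
        _comp_size, uncomp_size = struct.unpack_from("<II", data, pos + 20)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "size": uncomp_size})
        pos += 46 + name_len + extra_len + comment_len
    return {"zip_start": zip_start, "entries": entries}


def build_clean_dng() -> bytes:
    """Constructed minimal little-endian TIFF: header, one IFD entry (ImageWidth=1), no next IFD."""
    header = b"II*\x00" + struct.pack("<I", 8)
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", 0x0100, 3, 1, 1) + struct.pack("<I", 0)
    return header + ifd + b"\x00" * 64   # 90 bytes in total


def build_sample_dng_with_zip() -> bytes:
    """Constructed stand-in for the malformed DNG: clean image plus an appended ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("b.so", b"\x7fELF placeholder loader (constructed, not malware)")
        zf.writestr("l.so", b"placeholder policy manipulator (constructed, not malware)")
    return build_clean_dng() + buf.getvalue()


if __name__ == "__main__":
    hit = find_appended_zip(build_sample_dng_with_zip())
    print("appended ZIP at offset", hit["zip_start"], [e["name"] for e in hit["entries"]])
    print("clean file:", find_appended_zip(build_clean_dng()))
```

On real files, run find_appended_zip over the bytes of any DNG/TIFF arriving from a messaging app and alert on a non-None result; a legitimate raw image has no ZIP central directory trailing it.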
Table 1 shows the DNG image samples we discovered.
Filenames with strings like WhatsApp Image and WA000 imply attackers could have attempted to deliver the embedded Android spyware via WhatsApp. This matches earlier public reporting of similar DNG image-based exploitation through WhatsApp targeting Apple devices. Furthermore, WhatsApp researchers identified and reported a similar DNG vulnerability, CVE-2025-21043, to Samsung.
Delivering LANDFALL Spyware: Mobile Device Malware Exploit Chains
Typically, mobile device malware distributed through exploits requires a chain of exploits across different vulnerabilities for successful infection. Various studies have documented cases of at least two vulnerabilities when distributing spyware, but modern exploit chains for spyware are far more complex [PDF], linking multiple vulnerabilities to compromise mobile devices and gain privileges.
We have yet to discover any further exploits associated with this activity.
Please see the later section, How LANDFALL Fits Into the Larger Picture, for a more complete description of the known vulnerabilities involved in this and similar exploit chains.
LANDFALL Spyware Analysis
LANDFALL is Android spyware specifically designed for Samsung Galaxy devices, likely used in targeted intrusion activities within the Middle East. This modular spyware is engineered for espionage and data exfiltration.
The infection chain for LANDFALL involves an exploit for CVE-2025-21042, a vulnerability in Samsung's image-processing library tracked by the vendor as Samsung Vulnerabilities and Exposures (SVE) designator SVE-2024-1969. We believe a full attack chain would follow a pattern of potential zero-click remote code execution, beginning with the delivery of the malformed DNG images.
Two components of LANDFALL spyware are embedded within the malformed DNG images and would be extracted and executed, following a successful exploit:
Loader (b.so): An ARM64 ELF shared object (106 KB, stripped and dynamically linked) that serves as the main backdoor.
SELinux Policy Manipulator (l.so): Extracted from an XZ-compressed ELF binary, this component is designed to manipulate the device's SELinux policy to grant LANDFALL elevated permissions and aid persistence. (See Appendix A - SELinux Policy Manipulation.)
Table 2 shows the LANDFALL component files embedded within the malicious DNG samples.
(Table 2 only partially survived extraction.) SELinux policy manipulator (l.so) extracted from XZ-compressed file; July 23, 2024
Table 2. LANDFALL components embedded in the DNG image files.
Our analysis indicates LANDFALL is multi-component Android spyware designed for monitoring and data exfiltration.
Our analysis focuses on the b.so component, which serves as the initial loader for a broader LANDFALL framework. In its own debug artifacts, the component refers to itself as “Bridge Head.” This will be of interest later when we discuss possible relationships between LANDFALL and known spyware groups.
LANDFALL’s Potential Capabilities
The b.so component of LANDFALL contains numerous debug and status strings, but it does not contain the logic that actually references most of these strings. This suggests that b.so would download additional components for these capabilities. Our analysis of embedded command strings and execution paths within the b.so file provides insight into the potential capabilities of the broader LANDFALL framework.
Device Fingerprinting
OS version
Hardware ID (IMEI)
SIM/Subscriber ID (IMSI)
SIM card serial
User account
Voicemail number
Network configuration
Taking inventory of installed applications
Accessing location services
VPN status
USB debugging status
Bluetooth
Data Exfiltration
Recording microphone
Recording calls
Call history
Contacts database
SMS/messaging data
Camera photos
Arbitrary files
Databases on the device (browsing history, etc.)
Execution, Loading and Persistence
Loading native shared object (.so) modules
Loading and executing DEX files from memory and disk
Injecting processes
Executing via LD_PRELOAD
Executing arbitrary commands
Manipulating SELinux
Persistence
Modifying SELinux policy via compressed binary
Monitoring WhatsApp Media directory for additional payloads
Registering WhatsApp web client
Manipulating the file system in Android app directories
Manipulating the file system
Evasion and Defense Avoidance
Detecting TracerPid debugger
Detecting Frida instrumentation framework
Detecting Xposed framework
Dynamic library loading with namespace manipulation
Certificate pinning for C2 communications
Cleaning up WhatsApp images payload
Targeted Device Models
Galaxy S23 Series (S91[168]BXX.*)
Galaxy S24 Series (S921BXXU1AWM9, S92[168]BXX.*)
Galaxy Z Fold4 (F936BXXS4DWJ1)
Galaxy S22 (S901EXXS4CWD1)
Galaxy Z Flip4 (F721BXXU1CWAC)
Figure 3 shows an example of the targeted device model strings in a b.so sample of LANDFALL.
Figure 3. LANDFALL b.so sample in a hexadecimal editor showing targeted device model numbers.
C2 Communication
The b.so component of LANDFALL communicates with its C2 server over HTTPS using a non-standard, ephemeral TCP port. Before the HTTPS traffic, it can initiate ping traffic as detailed in the Communication With the C2 Server section of Appendix B. For HTTPS traffic, b.so initiates contact with a POST request containing detailed device and spyware information, such as:
Agent ID
Device path
User ID
Figure 4 shows an interpretation of this initial POST request, where we use curl to show how this request would be structured. Of note, LANDFALL does not use curl to generate this traffic.
Figure 4. HTTP POST request structure when b.so initially contacts the C2 server.
The initial beacon traffic is an HTTP POST request to the C2 server with the following parameters:
protocol: The protocol/variant tag (e.g., A1.5.0)
protocol_ver: The protocol version string (observed as an empty string)
type: The message type (e.g., MSG_TYPE_GET_AGENT)
agent_id: The agent's unique identifier
upload_id: An upload identifier
command_id: A command identifier
source: The source of the request (e.g., bridge_head)
incremental_build: The incremental build version (e.g., v1.5.0)
euid: The effective user ID of the process
bh_path: The path to the b.so binary on the device
runner: The runner mode (e.g., I)
Configuration of b.so File
The b.so file's configuration is managed through a combination of hard-coded default values and an encrypted JSON object embedded within itself. This configuration includes C2 details, cryptographic keys and unique identifiers for the agent and commands.
Figure 5 shows an example of this configuration.
Figure 5. Example of LANDFALL’s configuration.
The b.so component of LANDFALL also contains a number of hard-coded configuration values. These are used as defaults when the corresponding keys are not provided in the encrypted JSON object. We do not yet fully understand the purpose of some of these values. Table 3 shows these hard-coded default configuration values.
Field Name                 | Default Value
allow_wifi                 | true
allow_mobile               | true
allow_roaming              | false
socket_timeout             | 5
sleep_time                 | 60 (0x3c)
sleep_time_between_retries | 35 (0x23)
suicide_time               | 7200 (0x1c20)
live_mode_expiration       | 0
allow_min_battery          | 0
is_persistent              | false
Table 3. Hard-coded default configuration values for LANDFALL malware.
C2 Infrastructure for LANDFALL Spyware
Based on our analysis of these samples, we identified six C2 servers for LANDFALL, shown below in Table 4.
IP Address       | Domain                      | First Seen    | Last Seen
194.76.224[.]127 | brightvideodesigns[.]com    | Feb. 7, 2025  | Sept. 19, 2025
91.132.92[.]35   | hotelsitereview[.]com       | Feb. 3, 2025  | Sept. 16, 2025
92.243.65[.]240  | healthyeatingontherun[.]com | Oct. 11, 2024 | Sept. 2, 2025
192.36.57[.]56   | projectmanagerskills[.]com  | Feb. 3, 2025  | Aug. 26, 2025
46.246.28[.]75   | Unknown                     | Unknown       | Unknown
45.155.250[.]158 | Unknown                     | Unknown       | Unknown
Table 4. LANDFALL C2 servers.
How LANDFALL Fits Into the Larger Picture
LANDFALL is one example of a larger pattern of exploit chains affecting mobile devices, related to DNG image processing vulnerabilities.
The LANDFALL campaign's use of a malformed DNG file highlights a significant, recurring attack vector: the targeting of vulnerabilities within DNG image processing libraries. The specific flaw LANDFALL exploited, CVE-2025-21042, is not an isolated case but part of a broader pattern of similar issues found on multiple mobile platforms. Earlier in 2025, Samsung identified another DNG flaw in the same library, CVE-2025-21043, and a parallel exploit chain on iOS was identified that leveraged CVE-2025-43300 in Apple iOS and CVE-2025-55177 in WhatsApp.
Relationship to CVE-2025-21043 (SVE-2025-1702)
Our analysis revealed a possible connection to a separate vulnerability in the same library, CVE-2025-21043 (SVE-2025-1702), which Samsung patched in its September 2025 security update. While it was not exploited in the LANDFALL samples we discovered, the similarities between the exploit for LANDFALL (CVE-2025-21042) and this vulnerability (CVE-2025-21043) are striking. Both vulnerabilities were publicly disclosed around the same time and both are connected to DNG image file processing delivered through mobile communication applications.
Apple's CVE-2025-43300
In August 2025, Apple addressed CVE-2025-43300, a zero-day vulnerability impacting DNG image parsing, which was actively exploited in the wild, to enable zero-click remote code execution through malicious images sent via mobile communication applications.
We cannot confirm whether this chain was used to deliver an equivalent of LANDFALL to iOS, or whether it is the same threat actor behind the two. However, this parallel development in the iOS ecosystem, combined with the disclosure of the Samsung and Apple vulnerabilities just a few weeks apart, highlights a broader pattern of DNG image processing vulnerabilities being leveraged in sophisticated mobile spyware attacks.
Figure 6. Timeline for recent malicious DNG image files and associated exploit activity.
July 2024 – February 2025: Initial samples of malicious DNG image files carrying LANDFALL are first submitted on VirusTotal in July 2024, with additional samples appearing periodically over the next several months.
The DNG files exploit a vulnerability in Samsung’s Android image processing library (SVE-2024-1969, later CVE-2025-21042).
April 2025: Samsung issues a firmware update to address the vulnerability, SVE-2024-1969, later known as CVE-2025-21042 when publicly disclosed.
August 2025: Parallel developments occur.
Apple patches a zero-day vulnerability impacting DNG image parsing, which was actively exploited in the wild (CVE-2025-43300)
WhatsApp discloses a vulnerability (CVE-2025-55177) that was chained with Apple’s DNG image parsing zero-day vulnerability (CVE-2025-43300)
We discovered DNG image files exploiting CVE-2025-21042 to deliver Android spyware that we identified as LANDFALL.
WhatsApp disclosed to Samsung CVE-2025-21043 — another DNG-related zero-day vulnerability in Samsung Galaxy devices.
September 2025: Samsung issues mobile device firmware updates for CVE-2025-21043 (SVE-2025-1702). Concurrently, Samsung assigns CVE-2025-21042 (SVE-2024-1969) to the earlier vulnerability, which previously had no CVE designator.
Potential Victims
Analysis of VirusTotal submission data for the malicious DNG files indicates potential targets in Iraq, Iran, Turkey and Morocco.
Turkey's national CERT (in Turkish, USOM) reported IP addresses used by LANDFALL's C2 servers as malicious, mobile- and APT-related, which also supports the possible targeting of victims in Turkey.
Relationship to Known Spyware Groups
While we were unable to recover every component of the LANDFALL framework, it is clear that the tool is commercial grade. It may have utilized several zero-day exploits in its infection chain.
Such tools are often developed and sold as commercial spyware and attributed to groups known as private sector offensive actors (PSOAs), who are often legitimate legal entities. Reportedly, these groups provide services to government entities.
We were not able at this time to officially attribute LANDFALL activity to a known PSOA or threat actor. Unit 42 tracks the activity related to CVE-2025-21042 and LANDFALL as CL-UNK-1054.
Two aspects are notable and worth highlighting.
First, LANDFALL's C2 infrastructure and domain registration patterns share similarities with infrastructure associated with Stealth Falcon as observed by Unit 42. These similarities are based on various public reports, as well as Stealth Falcon activity we have analyzed for targets in the Middle East.
Second, in its own debug artifacts, the spyware component we analyzed refers to itself as “Bridge Head.” Of note, the term Bridge Head is a common nickname used by some private-sector offensive cyber companies (including NSO, Variston [PDF], Cytrox and Quadream) for first-stage loaders. However, this naming convention alone does not constitute a direct attribution link.
While this is a common name used in commercial mobile spyware to describe loaders, it shares similarities with the Heliconia framework, which also contains references to “BridgeHead,” as Google TAG reported about spyware vendor Variston. Google identified Variston as a Barcelona-based PSOA (provider of exploits). Further analysis from Google and other reports indicated Variston's tooling was supplied to clients in the UAE through a reseller named Protect Electronic Systems (or Protected AE).
This potential provider-client link to the UAE is noteworthy, as Microsoft and others reported that Stealth Falcon also operates heavily out of that country. Variston reportedly ceased operations in early 2025 following its public exposure.
As of October 2025, except in infrastructure, we have not observed direct overlaps between the mobile campaigns of LANDFALL and the endpoint-based activity from Stealth Falcon, nor direct strong links with Stealth Falcon. However, the similarities are worth discussion.
Conclusion
The discovery of LANDFALL spyware reveals a campaign targeting Samsung Android devices. The exploit chain involves CVE-2025-21042, a vulnerability that was patched by Samsung in April 2025. The presence of this spyware within DNG image files with WhatsApp-related naming conventions likely indicates attackers attempted to deliver the exploit through a messaging application.
From the initial appearance of samples in July 2024, this activity highlights how sophisticated exploits can remain in public repositories for an extended period before being fully understood.
The analysis of the loader reveals evidence of commercial-grade activity. The LANDFALL spyware components suggest advanced capabilities for stealth, persistence and comprehensive data collection from modern Samsung devices.
However, we have not directly analyzed the next-stage components of the spyware. Additional details on this or on the exact delivery method would provide even more insight into the malicious activity.
Palo Alto Networks customers are better protected from LANDFALL Android spyware through the following products:
The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
Advanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real time.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 000 800 050 45107
Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Indicators of Compromise
Malware Samples
Malware samples for LANDFALL activity are listed in Table 7.
LANDFALL's component for SELinux policy manipulation is l.so. This file provides a capability to bypass system security controls. It is decompressed from /data/data/com.samsung.ipservice/files/l to /data/data/com.samsung.ipservice/files/l.so and executed.
Rather than containing hard-coded rules, l.so implements a generic engine that can dynamically parse and load new SELinux policy statements from an external source, modifying the running policy in memory.
Appendix B: Additional Details on LANDFALL Spyware Analysis
This appendix details the observed capabilities of the loader component of LANDFALL, as well as those we infer exist in other modules of the complete LANDFALL framework that we have not yet accessed.
LANDFALL’s Bridge Head, named on the disk as b.so, is loaded by an exploit on the device. Immediately after being loaded post‑exploit, LANDFALL parses LD_PRELOAD from the environment to avoid inheriting upstream preloads. It reads the effective user ID via geteuid() and stores it globally so later branches can adjust behavior for root versus non‑root. Then it calls into the main routine.
It gathers process basics (parent pid, euid, Android build string), reads a runner flag from the environment variable R and takes a copy of it for later actions. This value (typically I for interactive or P for passive) will be reported to the command and control and determine how it launches a later staged payload. It resolves its own mapped path, selects the app-private base at /data/data/com.samsung.ipservice/files/ as its working directory and then constructs two child paths there. One path is for the staged download and one is for the final l.so used for execution.
Configuration
LANDFALL reads and XOR-decrypts a JSON configuration directly from its own file. The spyware normalizes configuration by writing internal defaults back into the parsed object: numeric fields default when missing or zero, and certain booleans are coerced to fixed values regardless of the supplied configuration. Finally, it checks that a public key (X.509 DER) is present in the configuration and exits otherwise.
Table 8 summarizes the configuration normalization performed at this stage.
Key Name                   | Value Type        | Default                                                  | Required
allow_wifi                 | boolean           | Enforced true (overrides false/missing to true)          | No
allow_mobile               | boolean           | Enforced true (overrides false/missing to true)          | No
allow_roaming              | boolean           | Default false if missing/false; true remains true        | No
allow_min_battery          | integer           | 0 if value is 0 or missing                               | No
sleep_time                 | integer (seconds) | 60 if value is 0 or missing                              | No
sleep_time_between_retries | integer (seconds) | 35 if value is 0 or missing                              | No
suicide_time               | integer (seconds) | 7200 if value is 0 or missing                            | No
live_mode_expiration       | integer (seconds) | 0 if value is 0 or missing                               | No
socket_timeout             | integer (seconds) | 5 if value is 0 or missing                               | No
is_persistent              | boolean           | Default false if missing/false; true remains true        | No
bridge_head_version_major  | integer           | Hard-set to 2 (always)                                   | No
bridge_head_version_minor  | integer           | Hard-set to 1 (always)                                   | No
cnc_hostname               | string            | None; must be present                                    | Yes
cnc_port                   | integer           | None; must be non-zero                                   | Yes
cnc_base_url               | string            | None; must be present                                    | Yes
agent_id                   | string (UUID)     | None; must be present                                    | Yes
command_id                 | string (UUID)     | None; must be present                                    | Yes
commands                   | array             | Must exist; read and freed (structure not retained here) | Yes
public_key                 | X.509 DER (bytes) | None; must be present and valid                          | Yes
Table 8. Keys and values for LANDFALL malware.
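The normalization rules in Table 3 and Table 8 can be written down as a short routine, which is useful when building a configuration extractor for samples. The following is an added example written for this page, not code recovered from b.so: it starts from an already-decrypted JSON object (the XOR key and the on-disk layout of the embedded blob are not given here), applies the forced booleans, zero-or-missing integer defaults, hard-set version fields and required keys exactly as the tables describe, and rejects configurations the loader would exit on. The UUID check and the minimal DER framing check are this example's own validation, the base64 handling for public_key is an assumption about how bytes might be carried in JSON, and the sample configuration with its placeholder host is constructed.

```python
"""Normalize a b.so-style configuration object (added example).

Starts from an already-decrypted JSON object and applies the Table 3 and
Table 8 rules: forced booleans, zero-or-missing integer defaults,
hard-set version fields and required keys.  The UUID and DER checks are
this example's own minimal validation, not the loader's logic.
"""
import base64
import binascii
import uuid

# Integers that fall back to a default when missing or zero.
INT_DEFAULTS = {
    "allow_min_battery": 0, "sleep_time": 60, "sleep_time_between_retries": 35,
    "suicide_time": 7200, "live_mode_expiration": 0, "socket_timeout": 5,
}
FORCED_TRUE = ("allow_wifi", "allow_mobile")       # always true
DEFAULT_FALSE = ("allow_roaming", "is_persistent")  # false unless explicitly true
REQUIRED = ("cnc_hostname", "cnc_port", "cnc_base_url",
            "agent_id", "command_id", "commands", "public_key")


class ConfigError(ValueError):
    """Raised where the loader would exit instead of continuing."""


def _uuid_text(value, key):
    try:
        return str(uuid.UUID(str(value)))
    except ValueError:
        raise ConfigError(f"{key} is not a UUID")


def _der_sequence(value):
    """Accept bytes or base64 text and check the outer DER SEQUENCE framing.

    Assumption: a real consumer hands the result to an X.509 parser; only
    the tag and the length field are validated here.
    """
    if isinstance(value, str):
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            raise ConfigError("public_key is not base64")
    else:
        raw = bytes(value)
    if len(raw) < 2 or raw[0] != 0x30:
        raise ConfigError("public_key is not a DER SEQUENCE")
    if raw[1] & 0x80:                         # long-form length
        n = raw[1] & 0x7F
        if len(raw) < 2 + n:
            raise ConfigError("public_key length field truncated")
        end = 2 + n + int.from_bytes(raw[2:2 + n], "big")
    else:
        end = 2 + raw[1]
    if end != len(raw):
        raise ConfigError("public_key DER length mismatch")
    return raw


def normalize_config(cfg):
    """Return a normalized copy of cfg or raise ConfigError on fatal gaps."""
    out = dict(cfg)
    for key in FORCED_TRUE:
        out[key] = True
    for key in DEFAULT_FALSE:
        out[key] = bool(out.get(key, False))
    for key, default in INT_DEFAULTS.items():
        if not out.get(key):                  # missing or 0 -> default
            out[key] = default
    out["bridge_head_version_major"] = 2
    out["bridge_head_version_minor"] = 1
    for key in REQUIRED:
        if key not in out:
            raise ConfigError(f"missing required key {key}")
    if not isinstance(out["cnc_port"], int) or out["cnc_port"] == 0:
        raise ConfigError("cnc_port must be a non-zero integer")
    if not isinstance(out["commands"], list):
        raise ConfigError("commands must be an array")
    out["agent_id"] = _uuid_text(out["agent_id"], "agent_id")
    out["command_id"] = _uuid_text(out["command_id"], "command_id")
    out["public_key"] = _der_sequence(out["public_key"])
    return out


def config_is_usable(cfg):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        normalize_config(cfg)
        return True
    except ConfigError:
        return False


# Constructed sample with placeholder values; not a recovered configuration.
SAMPLE_CONFIG = {
    "allow_wifi": False,                      # forced back to true
    "sleep_time": 0,                          # zero -> default 60
    "cnc_hostname": "c2.example.invalid",
    "cnc_port": 8443,
    "cnc_base_url": "/is/",
    "agent_id": "123e4567-e89b-42d3-a456-426614174000",
    "command_id": "123e4567-e89b-42d3-a456-426614174001",
    "commands": [],
    "public_key": bytes.fromhex("30020500"),  # DER SEQUENCE{NULL}, not a key
}

if __name__ == "__main__":
    print(normalize_config(SAMPLE_CONFIG))
```

Running the module prints the normalized sample; the forced-true and hard-set fields show why a recovered configuration cannot be taken at face value to describe what the loader actually does at runtime.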
Communication With the C2 Server
Once configuration is complete, b.so loads the necessary network and encryption functions, sets up its SSL environment, and prepares a secure client context for future HTTPS communication. If any part of this setup fails, it exits cleanly rather than risk a partial setup.
Before entering the C2 beaconing loop, it optionally emits telemetry. If it is running as root, it formats a concise "started" line that includes:
A fixed version marker (e.g., v1.5.0)
pid
euid
Runner mode
It then sends that via a POST request to the C2 server, as shown below.
If the runner mode is I, it prepares the SELinux helper first: it locates the compressed policy helper (/data/data/com.samsung.ipservice/files/l), inflates it via an internal XZ decoder into a fresh buffer, and writes the result to /data/data/com.samsung.ipservice/files/l.so. Then it beacons to the C2 server by sending a ping with the hyphen-stripped agent_id as payload. The outcome does not gate the rest of the flow; it serves as operator telemetry.
An example of code for an I‑mode ping follows.
Only then does the main C2 beaconing loop begin. It records time zero and enforces a strict wall‑clock budget of about 7,200 seconds (suicide_time) for the entire session.
It zeros two large, reusable path buffers: one for the raw blob that may arrive from the server, and a sibling for the decompressed shared object. Both paths live under the app‑private working directory (e.g., /data/data/com.samsung.ipservice/files/). With the paths ready, it contacts the command and control server by building a compact, URL‑encoded style body of key=value pairs:
A protocol/variant tag; the beacon message type
The agent_id, command_id and a fresh upload_id (UUIDv4) for correlation
source=bridge_head
Euid
The runner flag and its on‑disk install path
When applicable, it computes a SHA-1 over part of the message and appends it. It uses the following Chrome User‑Agent string:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36
Requests are directed at the configured base path (e.g., POST /is/ HTTP/1.0). Before any application data is sent, it pins the TLS connection.
While reading the response from the C2 server, LANDFALL checks the response status code and looks through the headers to determine the message length and type. Some status codes — particularly timeouts and a masked set of 4xx/5xx (e.g., 408, 504) — are treated as transient and trigger sleep(sleep_time_between_retries) (default 35 seconds) before retrying with a fresh connection. A not‑found response (e.g., 404) is considered terminal for this run and exits the loop. If the status indicates success and a body is present, LANDFALL proceeds to staging.
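The beacon traits above, together with the field list in the C2 Communication section, give a network defender enough to recognize this traffic in a proxy log or a packet capture. The following is an added detection sketch written for this page, not Unit 42's code and not the loader's: it parses one HTTP request, collects which of the reported traits are present (HTTP/1.0 POST, the fixed desktop Chrome User-Agent, source=bridge_head, the message type, UUID correlation identifiers, the runner flag and a bh_path under the com.samsung.ipservice package directory) and reports a match once enough independent traits line up. It assumes the body is ampersand-separated key=value pairs, as the "URL-encoded style" wording suggests, and ignores the SHA-1 the loader may append because the page does not say which bytes it covers. Both sample requests and their hostnames are constructed.

```python
"""Flag HTTP requests shaped like the b.so beacon (added example).

Detection sketch built from the field names and constants the report
gives; it is not the loader's code.  Assumes the body is
ampersand-separated key=value pairs.  Sample requests are constructed
with placeholder hosts.
"""
import re
from urllib.parse import parse_qsl

LANDFALL_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) "
               "AppleWebKit/537.36 (KHTML, like Gecko) "
               "Chrome/44.0.2403.89 Safari/537.36")
PACKAGE_DIR = "com.samsung.ipservice"   # where the loader stages its files
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers, body


def beacon_indicators(raw):
    """List the reported beacon traits present in one request."""
    method, _path, version, headers, body = parse_request(raw)
    fields = dict(parse_qsl(body, keep_blank_values=True))
    hits = []
    if method == "POST" and version == "HTTP/1.0":
        hits.append("post_http10")               # HTTP/1.0 is rare from apps
    if headers.get("user-agent") == LANDFALL_UA:
        hits.append("chrome44_mac_ua")           # a Mac desktop UA from a phone
    if fields.get("source") == "bridge_head":
        hits.append("source_bridge_head")
    if fields.get("type") == "MSG_TYPE_GET_AGENT":
        hits.append("msg_type_get_agent")
    if PACKAGE_DIR in fields.get("bh_path", ""):  # exact location not specified
        hits.append("bh_path_ipservice")
    if fields.get("runner") in ("I", "P"):
        hits.append("runner_flag")
    if UUID_RE.match(fields.get("agent_id", "")) and \
            UUID_RE.match(fields.get("upload_id", "")):
        hits.append("uuid_correlation_ids")
    if "euid" in fields and fields.get("incremental_build", "").startswith("v"):
        hits.append("euid_and_build")
    return hits


def is_landfall_beacon(raw, threshold=4):
    """True when enough independent traits line up; tune threshold locally."""
    return len(beacon_indicators(raw)) >= threshold


# Constructed sample traffic.
SAMPLE_BEACON = (
    "POST /is/ HTTP/1.0\r\n"
    "Host: c2.example.invalid\r\n"
    f"User-Agent: {LANDFALL_UA}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "protocol=A1.5.0&protocol_ver=&type=MSG_TYPE_GET_AGENT"
    "&agent_id=123e4567-e89b-42d3-a456-426614174000"
    "&upload_id=9b2d6e1a-3c4f-4a5b-8c6d-7e8f9a0b1c2d"
    "&command_id=123e4567-e89b-42d3-a456-426614174001"
    "&source=bridge_head&incremental_build=v1.5.0&euid=0"
    "&bh_path=/data/data/com.samsung.ipservice/files/b.so&runner=I"
)
BENIGN_LOGIN = ("POST /login HTTP/1.1\r\nHost: app.example.invalid\r\n"
                "User-Agent: okhttp/4.9.3\r\n\r\nuser=alice&pass=hunter2")

if __name__ == "__main__":
    print(beacon_indicators(SAMPLE_BEACON), is_landfall_beacon(BENIGN_LOGIN))
```

Because the traffic is TLS with the server certificate pinned, this only applies where the request body is visible (a TLS-intercepting proxy on managed devices, or a decrypted capture from a lab run); on the wire, the User-Agent and the HTTP/1.0 request line are not observable, so the threshold should be tuned to the traits your vantage point actually exposes.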
Next-Stage Payloads
Staging starts by cleaning up the file system state. If an old raw blob exists at the temporary path, it removes it. It writes the raw bytes to a staging file named aa.so under the working directory, and then, attempts to decompress them using a built‑in XZ/LZMA decoder that inflates into a pre‑allocated approximately 5 MiB buffer.
On success, it writes the decompressed bytes to dec_a.so (the final .so path) under the working directory, clears the temporary aa.so and sets the file mode on dec_a.so to 777 to ensure it’s loadable in various contexts.
Example XZ inflater (trimmed):
With the shared object in place (dec_a.so), it chooses an execution strategy based on the runner flag. For interactive setups (I), it exports two environment variables and launches a benign system tool synchronously:
LD_PRELOAD=<final.so> PRELOAD_PATH=/data/data/com.samsung.ipservice/files/l.so /system/bin/id (where <final.so> is dec_a.so)
The PRELOAD_PATH points at the device path where SELinux policy content is expected, allowing the preloaded code to find and apply policy at startup. Note that this PRELOAD_PATH is only used in interactive mode, the passive running path omits it.
For passive runs (P), it launches the same tool in the background:
LD_PRELOAD=<final.so> /system/bin/id (where <final.so> is dec_a.so)
This is done so control returns quickly while the helper initializes in another process. Internally, both are dispatched via a shell wrapper (/system/bin/sh -c <cmd>). In both cases, it accepts only narrow success results: exit code 0 or the specific value 0x15; anything else is treated as failure and breaks out of the loop.
On successful load, it formats and sends an “ended” line mirroring the opening message including:
Version marker
pid
incremental_build
runner
It then frees transient strings and buffers. If no payload was available, or if a transient error occurred, it checks the elapsed wall‑clock time against its approximately 7,200‑second budget. If there’s time left, it sleeps the configured interval and tries again.
Finally, when the loop finishes, either after a successful loading of the next stage or due to time budget or unrecoverable errors, it unwinds cleanly. If it is running as root, it prefers a direct _exit(status) path instead of a normal return to minimize side effects in the runtime. In all cases, it aims to leave behind only the minimum artifacts needed for the staged code to continue.
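The staging sequence described above leaves a predictable set of host artifacts: files named l, l.so, aa.so and dec_a.so under /data/data/com.samsung.ipservice/files/, dec_a.so at mode 777, and a /system/bin/sh -c command line that sets LD_PRELOAD (and, in interactive mode, PRELOAD_PATH) before running /system/bin/id. The following triage helper is an added example, not part of the original report: it parses a directory listing of that working directory and a list of process command lines and reports those indicators. The listing lines and the process list are constructed for the example, and the listing format is assumed to be the one Android's toybox ls -l prints (for instance via adb shell on a rooted test device).

```python
"""Triage of LANDFALL staging artifacts (added example, not Unit 42's code).

Two inputs: the lines printed by `ls -l <workdir>` in toybox format, and
process command lines (for instance from /proc/<pid>/cmdline).  Both
samples below are constructed.
"""
import re

WORKDIR = "/data/data/com.samsung.ipservice/files"
# File names the report associates with the loader's working directory.
STAGE_FILES = {
    "l": "compressed SELinux policy helper (XZ)",
    "l.so": "decompressed SELinux policy helper",
    "aa.so": "raw next-stage blob before XZ decode",
    "dec_a.so": "decompressed next-stage shared object",
}
# Assumed toybox `ls -l` layout: mode links owner group size date time name
LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"\S+\s+\S+\s+(?P<name>.+)$")
LD_PRELOAD_RE = re.compile(r"LD_PRELOAD=(\S+)")


def triage_listing(lines):
    """Report known stage files and loose permissions in a WORKDIR listing."""
    findings = []
    for line in lines:
        m = LS_RE.match(line.strip())
        if not m:
            continue
        name, mode = m["name"], m["mode"]
        if name not in STAGE_FILES:
            continue
        findings.append(f"{WORKDIR}/{name}: {STAGE_FILES[name]}")
        if mode[1:] == "rwxrwxrwx":
            findings.append(f"{name} has mode 777, matching the loader's chmod")
    return findings


def triage_processes(cmdlines):
    """Report LD_PRELOAD of an app-private .so into /system/bin/id."""
    findings = []
    for cmd in cmdlines:
        m = LD_PRELOAD_RE.search(cmd)
        if not m or "/system/bin/id" not in cmd:
            continue
        if m.group(1).startswith("/data/data/"):
            findings.append(f"LD_PRELOAD from app-private storage: {m.group(1)}")
        if "PRELOAD_PATH=" in cmd:
            findings.append("PRELOAD_PATH set with LD_PRELOAD (interactive runner mode)")
    return findings


# Constructed inputs for the example.
SAMPLE_LS = [
    "-rw------- 1 u0_a215 u0_a215  10912 2025-02-10 16:54 l",
    "-rw------- 1 u0_a215 u0_a215  48576 2025-02-10 16:54 l.so",
    "-rwxrwxrwx 1 u0_a215 u0_a215 188416 2025-02-10 16:55 dec_a.so",
    "-rw------- 1 u0_a215 u0_a215   1024 2025-02-10 16:50 cache.bin",
]
SAMPLE_PS = [
    "/system/bin/sh -c LD_PRELOAD=/data/data/com.samsung.ipservice/files/dec_a.so "
    "PRELOAD_PATH=/data/data/com.samsung.ipservice/files/l.so /system/bin/id",
    "com.android.systemui",
]

if __name__ == "__main__":
    for finding in triage_listing(SAMPLE_LS) + triage_processes(SAMPLE_PS):
        print(finding)
```

Note the caveat the report itself gives: the loader removes aa.so after decompression and, when running as root, may keep the working directory on a tmpfs, so an empty listing on a live device does not rule out a compromise, and the process check only catches the brief window in which the wrapped /system/bin/id is running.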
Unreferenced Capabilities
During reverse engineering, we identified multiple routines compiled into the b.so component that are not invoked by its observed control flow. These latent features appear designed for use by the follow‑on modules loaded.
It is also very probable that some of these functions are leftovers from older versions of LANDFALL. They reveal concrete behaviors oriented around WhatsApp media paths, DCIM discovery, file system staging and process hygiene on Android:
One routine prepares a “started” telemetry line and then interacts with the device’s media subsystem. It formats the line:
BH v1.5.0 started - pid: , euid=, incremental_build: v1.5.0, runner:
If its internal checks pass, it executes a broadcast to force a gallery rescan using the exact shell:
am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d file:///sdcard/DCIM/hacked.jpg
In the same flow, it also constructs a “newest photo” probe over DCIM using:
find /sdcard/DCIM -type f -exec ls -t1 {} + | grep -v hacked| head -1
This pattern is consistent with harvesting the latest camera item while excluding an artifact it can plant. This routine is compiled in but not called by any other code in the sample.
WhatsApp media path planter. Another routine decodes a hard-coded Base64 1x1 PNG (iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ…JRU5ErkJggg==) and searches WhatsApp’s media directories on external storage for a recent file path that matches the agent’s identifier (the UUID is first stripped of hyphens). It builds and executes a search pipeline across both default (ID 0) and multi‑user (ID 95) paths:
If such a path is returned, it writes the decoded PNG there verbatim. This looks like a cover‑artifact or covert marker stage aimed at WhatsApp images.
Another helper takes a base directory and a string and returns one matching JPEG path by executing:
It trims trailing newlines and verifies the path exists before returning.
Zygote avoidance check: A process‑hygiene helper allocates a buffer for its own cmdline and returns success only when the name does not match zygote or zygote64. It is designed to avoid Android’s special host processes.
SELinux symbol resolver and cleanup: Two small routines handle dynamic SELinux plumbing.
One dlopens /system/lib64/libselinux.so and resolves getfilecon and setfilecon into global function pointers.
The other tears this down and clears the pointers.
Both exist to support policy/file‑context work but are not referenced by the observed code path.
A more substantial routine accepts a list of file system paths. For each, it saves the current label via getfilecon, invokes an internal labeler on the path, applies ownership via chown and then restores the saved label with setfilecon. It returns distinct negative codes when chown or setfilecon fail.
There is a file probe that attempts to open a path and maps the outcome to internal status codes (success, permission denied, not found, generic error). It also resets internal library state (including any previously opened SELinux handles).
Map process‑execution outcome to message status: A tiny mapper converts the result of an internal command‑execution helper into message catalog codes (e.g., mapping a specific return (1) to CMD_STAT_* code 0x0C and 2–3 to 0x51). It standardizes reporting for helpers but is not reached by the current logic.
Building a device‑report JSON array: Another dormant routine constructs a cJSON array where each entry carries device_path, a Base64‑encoded binary field, a last_updated boolean and a textual state derived from the internal CMD_STAT_* table. It walks an input vector, reads the referenced file into memory, Base64 encodes it and appends to the array.
A small string‑templating helper finds occurrences of the token --working_dir-- inside a JSON value and replaces them with the runtime path tracked by the b.so.
Appending TracerPid to telemetry: A diagnostic helper parses /proc/self/status, extracts the TracerPid line, converts it to an integer, and, if greater than zero, appends a formatted key/value into the request body via the b.so’s string‑builder.
A staging helper concatenates an existing buffer with a pseudo‑random block derived from an input string:
It seeds a byte with rand()
It XORs each subsequent byte of the input into a rolling accumulator
It writes the accumulator bytes as a suffix
It then writes the combined buffer to a given file path via the b.so’s writer
A two‑step installer/uninstaller pair uses three config keys: persistency_origin, persistency_payload and persistency_backup. The main routine checks that all three are set, copies the backup back to the origin if needed and then deletes the payload file. It returns distinct status codes (0x4B/0x4C/0x4D) that map to the message catalog entries for “no config,” “failed move” and “failed unlink.” A sibling routine conditionally creates or truncates the backup file (fopen with mode “w”) when a global persistence flag is set.
Battery percentage via sysfs: A utility reads battery capacity from the system’s power‑supply sysfs, checking two common locations: /sys/class/power_supply/battery/capacity and /sys/class/power_supply/Battery/capacity.
Two routines set up and finalize the working directory under app‑private storage.
The first creates the directory tree, applies mode 0771 (0x1F9), temporarily adds execute to the parent and copies the resolved path into config. When running as root, it attempts to mount a tmpfs at that location to keep artifacts in memory.
The second (cleanup/finalize) can, when root and the directory exists, run lsof | grep <working_dir> and ship the result home. It then restores the parent directory’s original mode and frees the path buffer.
Process discovery by SELinux context and by cmdline: Two search helpers iterate /proc, building and reading per‑PID files.
One compares /proc/%d/attr/current against a target SELinux context and then confirms the process has PPID 1
The other compares /proc/%d/cmdline against a target cmdline
On a match, they write the PID to an out‑parameter and return success
Debug‑printing a variant array: A developer‑facing routine prints a small typed array structure. It formats type names from a table, dumps short byte arrays inside square brackets and emits a single character for a specific type, one element per line. This looks like leftover debugging and is not invoked by active code.
None of these helpers are exercised by this component’s main execution loop. Their presence is consistent with a staged architecture in which subsequently loaded shared objects, forming the complete LANDFALL framework, expand collection and persistence using capabilities already compiled into this loader.
from Unit 42 https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/
Imagine this: Sarah from accounting gets what looks like a routine password reset email from your organization’s cloud provider. She clicks the link, types in her credentials, and goes back to her spreadsheet. But unknown to her, she’s just made a big mistake. Sarah just accidentally handed over her login details to cybercriminals who are laughing all the way to their dark web marketplace, where they’ll sell her credentials for about $15. Not much as a one-off, but a serious money-making operation when scaled up.
Users create credentials: With dozens of standalone business apps (each with its own login) your employees must create numerous accounts. But keeping track of multiple unique usernames/passwords is a pain, so they reuse passwords or make tiny variations.
Hackers compromise credentials: Attackers snag these credentials through phishing, brute force attacks, third-party breaches, or exposed API keys. And many times, nobody even notices that it’s happened.
Hackers aggregate and monetize credentials: Criminal networks dump stolen credentials into massive databases, then sell them on underground markets. Hackers sell your company’s login details to the highest bidder.
Hackers distribute and weaponize credentials: Buyers spread these credentials across criminal networks. Bots test them against every business app they can find, while human operators cherry-pick the most valuable targets.
Hackers actively exploit credentials: Successful logins let attackers dig in, escalate privileges, and start their real work — data theft, ransomware, or whatever pays best. By the time you notice weird login patterns or unusual network activity, they could have already been inside for days, weeks, or even longer.
Criminals have no shortage of ways to get their hands on your company’s user credentials:
Phishing campaigns: Attackers craft fake emails that look legit — complete with stolen company logos and convincing copy. Even your most security-conscious employees can be fooled by these sophisticated scams.
Credential stuffing: Attackers grab passwords from old breaches, then test them everywhere. A 0.1% hacking success rate may sound tiny, but with rampant password reuse and the fact that hackers are testing millions of credentials per hour, it quickly adds up.
Third-party breaches: When LinkedIn gets hacked, attackers don't just target LinkedIn users — they test those same credentials against all kinds of other business apps. Your company may have the most robust security in the world, but you're still vulnerable if users are reusing credentials.
Leaked API keys: Developers accidentally publish credentials in GitHub repos, config files, and documentation. Automated bots scan for these 24/7, scooping them up within minutes.
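Credential stuffing, as described above, has a shape that is visible in authentication logs long before the 0.1% of successful logins is acted on: one source trying many different usernames in a short window with almost every attempt failing. The following detector is an added illustration written for this page and is not part of the contributed article: it reads log lines, flags any source address matching that pattern, and lists which accounts did log in from that source so they can be reset first. The log format and the sample entries are constructed; the window and thresholds are starting points to tune against your own identity provider's volume, not recommended values.

```python
"""Credential-stuffing detector over authentication logs (added example).

The log format and sample entries are constructed for this example.
Heuristic: one source IP, many distinct usernames, almost all failures
inside a short window.  Any success from such a source is a likely
account takeover, so those accounts are reported separately.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip user ok")
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line):
    """Return an Event for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m["ip"], m["user"], m["result"] == "OK")


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_distinct_users=20, max_success_ratio=0.05):
    """Map suspicious source IPs to a summary of the first offending window."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev.ip].append(ev)
    suspects = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        end = 0
        for start in range(len(events)):
            # Slide the window end forward to cover every event within `window`.
            while end < len(events) and events[end].ts - events[start].ts <= window:
                end += 1
            chunk = events[start:end]
            users = {e.user for e in chunk}
            successes = sum(e.ok for e in chunk)
            if len(users) >= min_distinct_users and successes / len(chunk) <= max_success_ratio:
                suspects[ip] = {
                    "window_start": chunk[0].ts.isoformat(),
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "compromised": sorted({e.user for e in chunk if e.ok}),
                }
                break  # one finding per source is enough for triage
    return suspects


def make_sample_log():
    """Constructed log: one spraying source with a single hit, one forgetful user."""
    base = datetime(2025, 3, 1, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(50):  # 50 different accounts in five minutes, one success
        ts = (base + timedelta(seconds=6 * i)).strftime(fmt)
        user = "sarah@example.invalid" if i == 17 else f"user{i:02d}@example.invalid"
        lines.append(f"{ts} ip=198.51.100.7 user={user} result={'OK' if i == 17 else 'FAIL'}")
    for i, result in enumerate(("FAIL", "FAIL", "OK")):  # two typos, then success
        ts = (base + timedelta(minutes=30, seconds=20 * i)).strftime(fmt)
        lines.append(f"{ts} ip=203.0.113.9 user=bob@example.invalid result={result}")
    return lines


if __name__ == "__main__":
    for ip, summary in detect_stuffing(make_sample_log()).items():
        print(ip, summary)
```

The distinct-username count is what separates stuffing from a single user retrying a forgotten password, and it also distinguishes it from a brute-force attack on one account, which trips per-account lockout instead. Attackers who spread attempts across many source addresses to stay under the per-IP threshold are caught by running the same logic keyed on the client fingerprint or ASN rather than the IP.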
Just like a car theft ring has different players — from the street-level thieves grabbing cars to the chop shop operators and overseas exporters — the credential theft ecosystem has bad actors who want different things from your stolen credentials. But knowing their game can help you better defend your organization.
Opportunistic fraudsters want quick cash. They'll drain bank accounts, make fraudulent purchases, or steal crypto. They aren’t picky – if your business credentials work on consumer sites, they'll use them.
Automated botnets are credential-testing machines that never sleep. They throw millions of username/password combos at thousands of websites, looking for anything that sticks. The name of their game is volume, not precision.
Then criminal marketplaces act as middlemen who buy stolen credentials in bulk and resell them to end users. Think of them as the eBay of cybercrime, with search functions that let buyers easily hunt for your organization's data.
Organized crime groups treat your credentials like strategic weapons. They'll sit on access for months, mapping your network and planning big-ticket attacks like ransomware or IP theft. These are the kind of professionals who turn single credential compromises into million-dollar disasters.
Once attackers get their hands on a set of working credentials, the damage starts fast and spreads everywhere:
Account takeover: Hackers waltz right past your security controls with legitimate access. They're reading emails, grabbing customer data, and sending messages that look like they're coming from your employees.
Lateral movement: One compromised account quickly becomes ten, then fifty. Attackers hop through your network, escalating privileges and mapping out your most valuable systems.
Data theft: Attackers focus on identifying your crown jewels — customer databases, financial records, trade secrets — and siphoning them off through channels that appear normal to your monitoring tools.
Resource abuse: Your cloud bill explodes as attackers spin up crypto mining operations, send spam through your email systems, or burn through API quotas for their own projects.
Ransomware deployment: If hackers are looking for a major payout, they often turn to ransomware. They encrypt everything important and demand payment, knowing you'll likely pay because restoration from backups takes forever — and is far from a cheap process.
But that’s just the beginning. You could also be looking at regulatory fines, lawsuits, massive remediation costs, and a reputation that takes years to rebuild. In fact, many organizations never fully recover from a major credential compromise incident.
The reality is that some of your company’s user credentials are likely already compromised. And the longer the exposed credentials sit out undetected, the bigger the target on your back.
Make it a priority to find your compromised credentials before the criminals use them. For example, Outpost24’s Credential Checker is a free tool that shows you how often your company's email domain appears in leak repositories, observed channels or underground marketplaces. This no-cost, no-registration check doesn’t display or save individual compromised credentials; it simply makes you aware of your level of risk. Check your domain for leaked credentials now.
This article is a contributed piece from one of our valued partners.
from The Hacker News https://ift.tt/PfTrWcB