LANDFALL — a commercial-grade Android spyware exploiting a now-patched Samsung zero-day (CVE-2025-21042) through weaponized DNG images sent via WhatsApp, enabling zero-click compromise of Samsung Galaxy devices.
This isn't an isolated incident. LANDFALL is part of a larger DNG exploitation wave. Within months, attackers weaponized image parsing vulnerabilities across Samsung (CVE-2025-21042, CVE-2025-21043) and Apple (CVE-2025-43300, chained with WhatsApp CVE-2025-55177 for delivery).
DNG image-processing libraries appear to have become an attack vector of choice, and the pattern is suspiciously consistent across campaigns: Samsung had two zero-days in the same library, while a parallel campaign hit iOS, all exploiting the same file format. Should we expect more?
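DNG is a TIFF container with extra tags, so the first thing a practitioner wants when a suspicious image arrives over a messenger is a strict structural walk of the file before any decoder touches it. The following Python is an added example, not code from the original page, from Unit 42, or from any vendor's tooling: it parses the TIFF/DNG IFD chain, computes the byte extent that the structure actually references, and flags malformed IFDs, out-of-bounds offsets and unreferenced trailing data that carries an archive or executable signature. The tag numbers and type widths come from the TIFF/DNG specifications; the entry-count bound, the signature watch-list and the `build_dng` fixture are assumptions made for this example.

```python
import struct

# Byte width of each TIFF field type (1=BYTE ... 13=IFD); any other type code is invalid.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8, 13: 4}
INT_FMT = {1: "B", 3: "H", 4: "I", 6: "b", 7: "B", 8: "h", 9: "i", 13: "I"}
STRIP_OFFSETS, STRIP_COUNTS, TILE_OFFSETS, TILE_COUNTS = 273, 279, 324, 325
SUB_IFDS, EXIF_IFD = 330, 34665
MAX_ENTRIES = 4096                      # assumed sanity bound; real IFDs hold tens of entries
SIGNATURES = {b"PK\x03\x04": "zip", b"\x7fELF": "elf", b"dex\n": "dex"}  # assumed watch-list


def _ints(endian, typ, count, buf, off):
    """Integer values of a field; non-integer types (ASCII, RATIONAL, ...) yield []."""
    fmt = INT_FMT.get(typ)
    return list(struct.unpack_from(f"{endian}{count}{fmt}", buf, off)) if fmt else []


def triage_dng(data: bytes) -> dict:
    """Walk the IFD chain of a TIFF/DNG and report structural anomalies and trailing data."""
    findings = []
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if len(data) < 8 or endian is None:
        return {"ok": False, "extent": 0, "trailing": 0, "findings": ["not a TIFF header"]}
    magic, first_ifd = struct.unpack_from(endian + "HI", data, 2)
    if magic != 42:
        return {"ok": False, "extent": 0, "trailing": 0, "findings": [f"bad TIFF magic {magic}"]}
    extent, queue, seen = 8, [first_ifd], set()
    while queue:
        off = queue.pop()
        if off in seen:
            findings.append(f"IFD cycle at offset {off}")
            continue
        seen.add(off)
        if off + 2 > len(data):
            findings.append(f"IFD offset {off} beyond end of file")
            continue
        (n,) = struct.unpack_from(endian + "H", data, off)
        table_end = off + 2 + 12 * n + 4          # entries plus the next-IFD pointer
        if n > MAX_ENTRIES or table_end > len(data):
            findings.append(f"IFD at {off} declares {n} entries (table would end at {table_end})")
            continue
        extent = max(extent, table_end)
        fields = {}
        for i in range(n):
            tag, typ, count, raw = struct.unpack_from(endian + "HHI4s", data, off + 2 + 12 * i)
            size = TYPE_SIZES.get(typ)
            if size is None:
                findings.append(f"tag {tag} has invalid type {typ}")
                continue
            nbytes = size * count
            if nbytes <= 4:                                   # value stored inline
                fields[tag] = _ints(endian, typ, count, raw, 0)
                continue
            (ptr,) = struct.unpack_from(endian + "I", raw, 0)  # value stored out of line
            if ptr + nbytes > len(data):
                findings.append(f"tag {tag} data {ptr}+{nbytes} beyond end of file")
                continue
            extent = max(extent, ptr + nbytes)
            fields[tag] = _ints(endian, typ, count, data, ptr)
        (nxt,) = struct.unpack_from(endian + "I", data, table_end - 4)
        queue.extend([nxt] if nxt else [])
        queue.extend(fields.get(SUB_IFDS, []) + fields.get(EXIF_IFD, []))
        for o_tag, c_tag in ((STRIP_OFFSETS, STRIP_COUNTS), (TILE_OFFSETS, TILE_COUNTS)):
            offs, cnts = fields.get(o_tag, []), fields.get(c_tag, [])
            if len(offs) != len(cnts):
                findings.append(f"tag {o_tag}/{c_tag} count mismatch {len(offs)}/{len(cnts)}")
            for o, c in zip(offs, cnts):
                if o + c > len(data):
                    findings.append(f"image data {o}+{c} beyond end of file")
                else:
                    extent = max(extent, o + c)
    trailing = data[extent:]
    if trailing:
        findings.append(f"{len(trailing)} unreferenced trailing bytes after offset {extent}")
        for sig, name in SIGNATURES.items():
            idx = trailing.find(sig)
            if idx >= 0:
                findings.append(f"{name} signature inside trailing data at offset {extent + idx}")
    return {"ok": not findings, "extent": extent, "trailing": len(trailing), "findings": findings}


def build_dng(strip: bytes, trailer: bytes = b"") -> bytes:
    """Constructed fixture: a minimal little-endian DNG (TIFF + DNGVersion tag), not a real camera file."""
    ifd_off, data_off = 8, 8 + 2 + 12 * 9 + 4
    entries = [  # (tag, type, count, value); tags must be ascending per TIFF
        (256, 4, 1, 4), (257, 4, 1, 1), (258, 3, 1, 8), (259, 3, 1, 1),   # 4x1 px, 8 bit, uncompressed
        (273, 4, 1, data_off), (277, 3, 1, 1), (278, 4, 1, 1), (279, 4, 1, len(strip)),
        (50706, 1, 4, b"\x01\x04\x00\x00"),                                # DNGVersion 1.4.0.0, inline
    ]
    out = bytearray(b"II" + struct.pack("<HI", 42, ifd_off) + struct.pack("<H", len(entries)))
    for tag, typ, count, val in entries:
        inline = val if isinstance(val, bytes) else struct.pack({3: "<H2x", 4: "<I"}[typ], val)
        out += struct.pack("<HHI", tag, typ, count) + inline
    out += struct.pack("<I", 0)           # no next IFD
    return bytes(out + strip + trailer)


if __name__ == "__main__":
    print(triage_dng(build_dng(b"\x10\x20\x30\x40", b"PK\x03\x04" + bytes(32))))
```

Treat this as a triage filter, not a detector for the CVEs above: a file can be perfectly well-formed at the container level and still trigger a bug deep inside a codec, and some legitimate writers pad or append metadata after the last referenced strip, so trailing data is a reason to look closer rather than a verdict on its own.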
TL;DR: Hacktivism has evolved. What was once dominated by defacements and DDoS by independent actors is now a tool for nation-states running coordinated cyber and influence ops. These groups use multiple personas, blending cyber attacks with propaganda while maintaining plausible deniability.
Our research applies machine learning-based Topic Modeling and Stylometry to thousands of messages from hacktivist groups, uncovering links between seemingly independent entities, and identifying thematic overlaps and linguistic fingerprints. The results expose how intelligence agencies operate multiple fronts, shift narratives in response to geopolitical events, and exploit the perception of grassroots activism.
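To make the "linguistic fingerprint" idea concrete, here is an added Python example that is not the research's own pipeline and uses none of its data: it builds a character 3-gram frequency profile for each persona's messages and compares the profiles with cosine similarity, so two fronts written by the same hand score closer to each other than either does to an unrelated author. The three persona corpora are constructed for the example.

```python
import math
from collections import Counter
from itertools import combinations


def char_ngram_profile(text: str, n: int = 3) -> Counter:
    """Relative-frequency profile of character n-grams (case folded, whitespace collapsed)."""
    t = " ".join(text.lower().split())
    grams = Counter(t[i:i + n] for i in range(len(t) - n + 1))
    total = sum(grams.values())
    return Counter({g: c / total for g, c in grams.items()}) if total else Counter()


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two sparse frequency profiles (0.0 = nothing shared, 1.0 = identical)."""
    dot = sum(w * b.get(g, 0.0) for g, w in a.items())
    norm = math.sqrt(sum(w * w for w in a.values())) * math.sqrt(sum(w * w for w in b.values()))
    return dot / norm if norm else 0.0


def persona_similarity(corpora: dict) -> dict:
    """Pairwise cosine similarity between the n-gram profiles of each persona's pooled messages."""
    profiles = {name: char_ngram_profile(" ".join(msgs)) for name, msgs in corpora.items()}
    return {pair: cosine(profiles[pair[0]], profiles[pair[1]]) for pair in combinations(sorted(profiles), 2)}


def closest_pair(corpora: dict) -> tuple:
    """The two personas whose writing styles are most alike."""
    sims = persona_similarity(corpora)
    return max(sims, key=sims.get)


# Constructed sample messages (not real hacktivist output): two "fronts" sharing a house style,
# plus one unrelated author writing ordinary vendor notices.
SAMPLE = {
    "front_alpha": [
        "Our cyber warriors have struck again!!! The servers of the enemy are down. Glory to the people!!!",
        "Another victory!!! The enemy website is offline for hours. Glory to the people!!!",
        "We do not forgive. We do not forget. Glory to the people!!!",
    ],
    "front_beta": [
        "Cyber warriors strike again!!! Enemy servers are down. Glory to the people!!!",
        "Victory!!! The enemy portal is offline. Glory to the people!!!",
        "We never forgive, we never forget. Glory to the people!!!",
    ],
    "vendor_notice": [
        "Security advisory: we have observed a credential stuffing campaign against regional ISPs.",
        "Please rotate passwords and enable MFA; indicators are listed in the attached report.",
        "Telemetry shows the activity stopped at 03:00 UTC; we continue monitoring.",
    ],
}

if __name__ == "__main__":
    for pair, s in sorted(persona_similarity(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{pair[0]:>14} ~ {pair[1]:<14} {s:.3f}")
    print("closest:", closest_pair(SAMPLE))
```

Character n-grams are only the smallest building block of a stylometric pipeline: on short, templated or machine-translated messages they are noisy, and a shared slogan alone will pull two personas together, so a real analysis adds function-word and punctuation features, controls for topic with a separate topic model, and treats a high similarity as a lead to corroborate with infrastructure and timing evidence rather than as attribution by itself.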
APT31 - a name given to an attack group that is attributed to China.
Equation Group - a name given to an APT group which is believed to be the Tailored Access Operations (TAO) unit of the NSA. The unit is now named "Computer Network Operations" (CNO).
Jian - the name given to a 0-Day exploit attributed to the Chinese-affiliated attack group.
0-Day - a vulnerability that is unknown to the public or to the relevant vendor (e.g., Microsoft).
0-Day Exploit - an exploit that targets a 0-Day.
---
In this story, we claim that the Chinese APT acquired the Equation Group exploit somewhere around 2014, cloned it into their own version (Jian), and used it until it was finally caught in 2017.
Interestingly, the 0-Day was reported to Microsoft by Lockheed Martin's Incident Response team, which suggests that the Chinese APT may have used it to attack American targets.
Working hard on Cutter, an open-source, free and libre Reverse Engineering project. It's cross-platform and supports tons of architectures.
A debugger was recently introduced, as well as native integration with multiple decompilers.
Oh, this looks cool! I've been wanting to work on an r2-backed project like this for a while but never committed. Will have a deeper look into Cutter soon.