At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
Unit 42 Researchers Uncover New LANDFALL Android Spyware Exploiting Zero-Day Vulnerabilities
Unit 42 researchers have uncovered a previously unknown Android spyware family, which they have named LANDFALL. To deliver the spyware, attackers exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library. This flaw is not an isolated incident but part of a broader pattern of similar image-parsing bugs identified across multiple mobile platforms.
The vulnerability was actively exploited in the wild before Samsung patched it in April 2025, following reports of ongoing attacks. Until now, however, neither the exploit itself nor the commercial-grade spyware it delivered had been publicly reported or analysed in detail.
LANDFALL was embedded within malicious image files in the DNG format, which appear to have been distributed via WhatsApp. This delivery method closely resembles a prior exploit chain involving Apple and WhatsApp that gained attention in August 2025, as well as another exploit chain likely involving a similar zero-day vulnerability (CVE-2025-21043) disclosed in September. Importantly, Unit 42’s research did not identify any previously unknown vulnerabilities in WhatsApp itself; the messaging app was the delivery channel, and the exploited component was Samsung’s image parser.
The vulnerability has been patched since April 2025, so devices running Samsung’s April 2025 security patch level or later are not exposed to this exploit. In September 2025, Samsung also addressed another zero-day vulnerability (CVE-2025-21043) in the same image processing library, providing further protection against this class of attacks.
RECOMMENDATIONS
- Apply the latest Samsung security patches addressing CVE-2025-21042 and CVE-2025-21043.
- Disable automatic media downloads in messaging apps like WhatsApp.
- Avoid opening image files from unknown or untrusted sources.
- Educate users about targeted mobile spyware and image-based exploits.
- Restrict app permissions to enforce least privilege principles.
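As an added example (not part of the Unit 42 report or of this advisory), the following Python script checks whether an Android device’s reported security patch level is recent enough to include the two fixes named above. It assumes that the fixes shipped with Samsung’s April 2025 and September 2025 security maintenance releases, which is what the months given above imply, and that adb is on the PATH with USB debugging enabled on the device; the missing_fixes function can equally be run over patch-level strings exported from an MDM.

```python
"""Check an Android device's security patch level against the two Samsung
image-library zero-days above (added example, not from the advisory).

Assumption: the fixes are included in Samsung's April 2025 and September 2025
security maintenance releases, so a device whose
ro.build.version.security_patch is on or after 2025-04-01 / 2025-09-01 has them.
"""
from __future__ import annotations

import re
import subprocess
from datetime import date

# CVE -> earliest security patch level assumed to contain the fix.
# Samsung monthly patch levels are dated the 1st of the month.
FIX_LEVELS = {
    "CVE-2025-21042": date(2025, 4, 1),
    "CVE-2025-21043": date(2025, 9, 1),
}

PATCH_LEVEL_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_patch_level(raw: str) -> date:
    """Parse the 'YYYY-MM-DD' string reported by ro.build.version.security_patch."""
    match = PATCH_LEVEL_RE.match(raw.strip())
    if not match:
        raise ValueError(f"unexpected security patch level format: {raw!r}")
    year, month, day = (int(g) for g in match.groups())
    return date(year, month, day)


def missing_fixes(raw_patch_level: str) -> list[str]:
    """Return the CVEs from FIX_LEVELS whose fix the device has not yet received."""
    level = parse_patch_level(raw_patch_level)
    return sorted(cve for cve, fixed in FIX_LEVELS.items() if level < fixed)


def device_patch_level(serial: str | None = None) -> str:
    """Read the patch level over adb from a device with USB debugging enabled."""
    cmd = ["adb"]
    if serial:
        cmd += ["-s", serial]
    cmd += ["shell", "getprop", "ro.build.version.security_patch"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def main() -> None:
    try:
        level = device_patch_level()
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"could not query device via adb: {exc}")
    gaps = missing_fixes(level)
    if gaps:
        print(f"patch level {level.strip()} lacks fixes for: {', '.join(gaps)}")
    else:
        print(f"patch level {level.strip()} covers CVE-2025-21042 and CVE-2025-21043")


if __name__ == "__main__":
    main()
```

The patch level is a date string, not a version number, so the comparison is a plain date comparison; a device reporting 2025-04-01 has the CVE-2025-21042 fix but still lacks the September fix for CVE-2025-21043.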
Researchers Detect New GlassWorm Outbreak Spreading Through Compromised OpenVSX Extensions
Researchers have observed a new outbreak of the GlassWorm malware family — a self-propagating worm distributed through compromised extensions on OpenVSX, an open-source alternative to Microsoft’s Visual Studio Marketplace. OpenVSX is used by VS Code–compatible editors such as VSCodium and Eclipse Theia.
This latest wave includes three additional extensions whose payloads are hidden with invisible Unicode characters, so the malicious JavaScript is present in the extension but does not show up when the file is opened in an editor. Once executed, the payload retrieves command-and-control (C2) instructions from transactions posted on the Solana blockchain, which gives the operators a C2 channel that cannot simply be taken down.
The attackers leverage open-source frameworks such as RedExt as part of their command-and-control infrastructure.
RECOMMENDATIONS
- Verify the developer’s details and ensure the extension is published by a known and trusted organization or individual.
- Avoid installing extensions that request unnecessary access (e.g., system files, network access, or sensitive data).
- If an extension is open source, review its source code or check for any known issues or vulnerabilities.
- Regularly update your editor (VS Code, VSCodium, Eclipse Theia or other VS Code-compatible editors) to benefit from the latest security patches and bug fixes.
- Periodically review the extensions installed in your editor and remove any that are unnecessary or unfamiliar.
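As an added example supporting the last recommendation (not code from the Koi report or from any extension), the following Python script walks the local extension directories and reports JavaScript files that contain long runs of invisible Unicode characters, the concealment technique described above. It assumes the default extension roots used by VS Code (~/.vscode/extensions) and VSCodium (~/.vscode-oss/extensions); other roots can be passed on the command line. The SAMPLE_JS string is constructed here to show what a hit looks like.

```python
"""Scan VS Code-family extension directories for JavaScript concealed with
invisible Unicode characters (added example, not from the Koi report).

Assumptions: the default extension roots below are those used by VS Code and
VSCodium; SAMPLE_JS is constructed here to show what a hit looks like.
"""
from __future__ import annotations

import sys
from pathlib import Path

# Code point ranges that render as nothing (or silently reorder text) in an
# editor. Long runs of them inside a source file are not legitimate code.
INVISIBLE_RANGES = (
    (0x00AD, 0x00AD),    # soft hyphen
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM
    (0x202A, 0x202E),    # bidi embedding/override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0000, 0xE007F),  # tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
)

# Runs shorter than this are tolerated: a single U+FE0F after an emoji or a
# lone BOM is normal, while a hidden payload needs hundreds of characters.
MIN_RUN = 8


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)


def scan_text(text: str) -> list[tuple[int, int, int]]:
    """Return (line_number, run_length, first_code_point) for every run of
    invisible characters at least MIN_RUN long."""
    hits: list[tuple[int, int, int]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        run, first = 0, 0
        for ch in line + "\n":  # the newline terminates any trailing run
            if is_invisible(ch):
                if run == 0:
                    first = ord(ch)
                run += 1
                continue
            if run >= MIN_RUN:
                hits.append((lineno, run, first))
            run = 0
    return hits


def scan_extension_dirs(roots: list[Path]) -> dict[str, list[tuple[int, int, int]]]:
    """Scan every .js/.mjs/.cjs file below the given extension roots."""
    findings: dict[str, list[tuple[int, int, int]]] = {}
    for root in roots:
        if not root.is_dir():
            continue
        for path in root.rglob("*"):
            if path.suffix not in {".js", ".mjs", ".cjs"} or not path.is_file():
                continue
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            hits = scan_text(text)
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample: ordinary code, then a line that ends in 120 variation
# selector characters (what an editor would show as a blank tail).
HIDDEN = "".join(chr(0xE0100 + (i % 0x40)) for i in range(120))
SAMPLE_JS = (
    'const version = "1.0.3";\n'
    + "const x = 1;" + HIDDEN + "\n"
    + "module.exports = { activate() {} };\n"
)


def main() -> None:
    default_roots = [Path.home() / ".vscode" / "extensions",
                     Path.home() / ".vscode-oss" / "extensions"]
    roots = [Path(p) for p in sys.argv[1:]] or default_roots
    for path, hits in scan_extension_dirs(roots).items():
        for lineno, run, first in hits:
            print(f"{path}:{lineno}: {run} invisible chars starting at U+{first:04X}")


if __name__ == "__main__":
    main()
```

A hit is a starting point for review, not proof of compromise: open the file with a hex editor or `python -c` rather than in the IDE, since the IDE is exactly where these characters disappear. The MIN_RUN threshold keeps ordinary emoji variation selectors and byte-order marks from firing.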
Google Releases Chrome Security Update to Fix High-Severity Vulnerabilities
Google has released a security update for its Chrome browser to address five vulnerabilities, the most severe of which could allow remote code execution. The updated versions, 142.0.7444.134/.135 for Windows, 142.0.7444.135 for macOS, and 142.0.7444.134 for Linux, resolve three high-severity issues in WebGPU, Views, and the V8 JavaScript engine, and two medium-severity issues in the Omnibox.
Addressed vulnerabilities are as follows:
High Severity
- CVE-2025-12725: Out-of-bounds write in WebGPU
- CVE-2025-12726: Inappropriate implementation in Views
- CVE-2025-12727: Inappropriate implementation in V8
Medium Severity
- CVE-2025-12728: Inappropriate implementation in Omnibox
- CVE-2025-12729: Inappropriate implementation in Omnibox
RECOMMENDATIONS
- Update Chrome to 142.0.7444.134 or later (142.0.7444.135 on macOS) and relaunch the browser so the update takes effect; the installed build can be confirmed at chrome://settings/help.
Researchers Uncover “Crossed Wires” Cyber-Espionage Campaign Targeting Academics and Policy Experts
Researchers have uncovered a cyber-espionage campaign named “Crossed Wires”, tracked under the interim designation UNK_SmudgedSerpent for a previously unidentified actor. The campaign targeted academics and foreign policy experts, using lures related to Iranian domestic affairs.
The operation employed spoofed personas, health- and recruitment-themed domains, and deceptive collaboration portals impersonating OnlyOffice and Microsoft Teams to steal credentials and deploy remote management tools such as PDQConnect and ISL Online.
While there are notable overlaps with known threat groups such as TA453 (Charming Kitten), TA455, and TA450 (MuddyWater), researchers have refrained from making a definitive attribution. The overlaps suggest shared infrastructure or contractor overlap among regionally aligned actors.
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to reduce the opportunity for exploitation.
- Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
- Monitor your network for abnormal behaviour and known indicators of compromise (IoCs), including unexpected installations of remote management tools such as PDQConnect and ISL Online.
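As an added example (not code from the researchers’ report), the following Python snippet applies a simple brand-impersonation check to hostnames from proxy or DNS logs, flagging any that trade on the OnlyOffice or Microsoft Teams name without belonging to the brand’s real domain, the lure pattern described above. It assumes onlyoffice.com and microsoft.com as the legitimate registrable domains and uses a short public-suffix table in place of the full Public Suffix List; the SAMPLE_HOSTS are constructed and are not indicators from the campaign.

```python
"""Flag hostnames that borrow a collaboration brand without belonging to the
brand's real domain, the lure pattern described above (added example, not
from the researchers' report).

Assumptions: onlyoffice.com and microsoft.com are the legitimate registrable
domains for the two brands; SAMPLE_HOSTS are constructed, not campaign IoCs.
"""
from __future__ import annotations

# brand token -> registrable domains where that token is expected
BRANDS: dict[str, set[str]] = {
    "onlyoffice": {"onlyoffice.com"},
    "teams": {"microsoft.com"},
}

# A few multi-label public suffixes so the registrable domain of
# "x.example.co.uk" is "example.co.uk"; a production tool should use the
# Public Suffix List instead of this short table.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br", "co.in", "co.za"}


def registrable_domain(hostname: str) -> str:
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brand(hostname: str) -> str | None:
    """Return the brand a hostname trades on if it does not sit under that
    brand's legitimate domain, else None."""
    host = hostname.lower().rstrip(".")
    owner = registrable_domain(host)
    # Collapse separators so "only-office" and "teams_login" still match.
    flat = host.replace("-", "").replace("_", "")
    for brand, legit in BRANDS.items():
        if brand in flat and owner not in legit:
            return brand
    return None


def triage(hostnames: list[str]) -> dict[str, str]:
    """Map each suspicious hostname to the brand it impersonates."""
    result: dict[str, str] = {}
    for host in hostnames:
        brand = impersonated_brand(host)
        if brand:
            result[host] = brand
    return result


# Constructed sample of hostnames as they might appear in proxy or DNS logs.
SAMPLE_HOSTS = [
    "teams.microsoft.com",               # legitimate
    "www.onlyoffice.com",                # legitimate
    "teams-microsoft-login.example",     # brand outside its domain
    "onlyoffice-meeting.example.co.uk",  # brand outside its domain, 2-label suffix
    "docs.example.com",                  # unrelated
]

if __name__ == "__main__":
    for host, brand in triage(SAMPLE_HOSTS).items():
        print(f"{host}: impersonates {brand} (registrable domain {registrable_domain(host)})")
```

The substring match is deliberately loose and will also catch unrelated names that happen to contain a brand token (for example anything containing "steams"), so treat hits as triage candidates and extend the legitimate-domain sets as you confirm benign sites.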
References
https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/
https://www.koi.ai/blog/glassworm-returns-new-wave-openvsx-malware-expose-attacker-infrastructure
https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html