Overview
- Unit 42 publicly detailed the Landfall campaign, active since at least July 2024, which abused CVE-2025-21042 before Samsung patched the flaw in April 2025.
- Infections were delivered via booby-trapped DNG image files likely sent over messaging apps such as WhatsApp, with evidence pointing to a zero-click exploit.
- Telemetry shows samples uploaded to VirusTotal from users in Morocco, Iran, Iraq and Turkey, and Turkey’s USOM flagged related infrastructure as malicious.
- Once installed, the implant enables sweeping surveillance, including microphone recording, location tracking and access to photos, messages, contacts and call logs.
- Investigators observed infrastructure and registration similarities to the Stealth Falcon surveillance outfit, though the overlaps are insufficient for attribution.