September 22, 2023

Google’s Threat Analysis Group has discovered a Spanish based Variston IT, which claims to offer tailor-made cybersecurity solutions, to an exploitation framework that enables spyware to be installed on targeted devices.

An advisory has been published, saying the affected vulnerabilities were from 2021 and early 2022 and have since been patched by the three companies.

Google researchers became aware of the Heliconia exploitation framework after receiving an anonymous submission to its Chrome bug reporting program. After analyzing the framework, they suggested Variston IT was the likely developer.


Heliconia comprises three separate exploitation frameworks:

  • One that contains an exploit for a Chrome renderer bug that allows it to escape the walls of the app’s sandbox to run malware on the OS.
  • One that deploys a malicious PDF document containing an exploit for Windows Defender, the default antivirus engine in modern versions of Windows.
  • One that contains a set of Firefox exploits for Windows and Linux machines.

The Heliconia exploit is effective against Firefox versions 64 to 68, suggesting the exploit was used as early as December 2018, when Firefox 64 was first released.

Google said that while it has not seen the bugs actively exploited in the wild, the bugs were likely utilized as zero.

Heliconia framework, contains capabilities that were once only available to governments. These capabilities include stealthily recording audio, making, or redirecting phone calls and stealing data, such as text messages, call logs, contacts, and granular GPS location data, from a target’s device.

Leave a Reply

%d bloggers like this: