Samsung Mobile Flaw Exploited to Deploy LANDFALL Android Spyware

By Tina Reynolds

As of Thursday morning, this was the most significant active security issue being reported. A commercial-grade Android spyware implant, known as LANDFALL, was deployed through a zero-day exploit targeting Samsung mobile devices. The vulnerability, tracked as CVE-2025-21042, has been used in targeted attacks across the Middle East, with victims in Iraq, Iran, Turkey, and Morocco.

The vulnerability carries a CVSS score of 8.8 and is classified as an out-of-bounds write in the “libimagecodec.quram.so” image-parsing component. It gave remote attackers the ability to run arbitrary code on affected devices. Samsung patched the flaw in April 2025, but because the exploit was already in use before the fix and its details have only now become public, devices that have not taken the update remain at risk.

Exploit Details and Targeted Attacks

Getting LANDFALL onto a device was not trivial. The delivery chain extracted a shared-object library from a ZIP archive that had been appended to the end of a DNG image file, so the malicious image parsed as an ordinary picture while carrying the implant in its tail. This technique let the spyware operate almost invisibly on infected devices. The activity has been tracked under the identifier CL-UNK-1054.
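To make that delivery mechanism concrete, the script below is an added triage example (not code from the original report, from Unit 42 or from Samsung) that flags a DNG whose trailing bytes hold a ZIP archive and lists any shared objects inside it. DNG is a TIFF container, so the check keys on the TIFF magic; the sample file the script builds is constructed for illustration, and the member it contains is a fake ELF header, not a LANDFALL artifact.

```python
import io
import struct
import zipfile

# Added triage helper for DNG/ZIP polyglots. DNG is TIFF-based, so the check
# keys on the TIFF magic; the ZIP is located from its end-of-central-directory
# (EOCD) record, which ZIP readers search for from the *end* of the file.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
EOCD_SIG = b"PK\x05\x06"
ELF_MAGIC = b"\x7fELF"


def appended_zip_offset(data: bytes):
    """Return the file offset where a ZIP archive starts, or None if no EOCD.

    The EOCD stores the central directory size and its offset relative to the
    archive start, so archive_start = eocd_pos - cd_size - cd_offset. A start
    greater than 0 means the archive was glued onto something else.
    """
    tail = max(0, len(data) - (65535 + 22))        # EOCD is 22 bytes + optional comment
    pos = data.rfind(EOCD_SIG, tail)
    if pos < 0 or pos + 22 > len(data):
        return None
    (_sig, _disk, _cd_disk, _n_disk, _n_total,
     cd_size, cd_offset, _comment_len) = struct.unpack("<4sHHHHIIH", data[pos:pos + 22])
    start = pos - cd_size - cd_offset
    return start if start >= 0 else None


def scan_dng_polyglot(data: bytes) -> dict:
    """Flag a TIFF-magic file carrying an appended ZIP and list ELF members."""
    report = {"is_tiff": data[:4] in TIFF_MAGICS, "zip_offset": None, "elf_members": []}
    if not report["is_tiff"]:
        return report
    start = appended_zip_offset(data)
    if not start:                                   # None (no ZIP) or 0 (not appended)
        return report
    report["zip_offset"] = start
    # zipfile tolerates prepended data: it parses the EOCD and rebases all offsets.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                head = member.read(4)
            if head == ELF_MAGIC or info.filename.endswith(".so"):
                report["elf_members"].append(info.filename)
    return report


def build_sample() -> bytes:
    """Constructed sample (not a real LANDFALL file): a minimal little-endian
    TIFF header plus one empty IFD, followed by a ZIP holding a fake ELF .so."""
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 0) + struct.pack("<I", 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("libpayload.so", ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64)
    return tiff + buf.getvalue()


if __name__ == "__main__":
    print(scan_dng_polyglot(build_sample()))
```

ZIP readers find the archive by scanning backwards for the EOCD record and silently accept whatever precedes the archive; image parsers read from the front and ignore trailing bytes. That asymmetry is what makes an image-plus-archive polyglot work, and the script uses the same EOCD arithmetic in reverse to measure how much non-ZIP data sits in front of the archive.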

Unit 42, the threat research team at Palo Alto Networks, drew attention to the risk this toolset continues to pose. Itay Cohen, a senior principal researcher on the team, noted that there are no significant functional changes between LANDFALL samples collected in July 2024 and those from February 2025. The most recent artifact associated with LANDFALL appeared on VirusTotal in February 2025, which indicates the spyware was still being deployed at that point.

“However, related exploit chains affecting Samsung and iOS devices were observed as recently as August and September, indicating that similar campaigns remained active until very recently,” – Itay Cohen.

The potential repercussions of this invasive spyware are far-reaching. A tool that can surveil specific individuals or organizations and exfiltrate their data is a serious threat to anyone it is aimed at.

Samsung’s Response and Ongoing Threats

Samsung released a patch for the vulnerability leveraged by LANDFALL in April 2025, months before the exploitation was publicly reported. Even so, specialists such as Cohen warn that infrastructure associated with LANDFALL could still be in use, which raises the prospect of follow-on activity by the same actors who first deployed the spyware.

“We don’t believe this specific exploit is still being used, since Samsung patched it in April 2025,” – Itay Cohen.

Cohen’s comments are a call for continued vigilance after patching. Threat actors are often several steps ahead, adjusting their tactics to take advantage of new vulnerabilities.
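One concrete form of post-patch vigilance is confirming that every managed Samsung device reports an Android security patch level at or after the release that carried the fix. The following script is an added example, not code from the article, from Unit 42 or from Samsung. It assumes a patch floor of 2025-04-01 based on the article’s statement that Samsung shipped the fix in April 2025 (check your vendor bulletin and adjust the date if your model received it later), reads the standard ro.build.version.security_patch property through the adb command-line tool, and includes constructed adb output and serial numbers so the logic can be exercised without a device attached.

```python
import re
import subprocess
from typing import Callable, Dict, List, Optional

# Assumed patch floor: the article states Samsung fixed CVE-2025-21042 in the
# April 2025 release. Raise this if your vendor bulletin lists a later date.
PATCH_FLOOR = "2025-04-01"
PATCH_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
SECURITY_PATCH_PROP = "ro.build.version.security_patch"


def parse_adb_devices(output: str) -> List[str]:
    """Return serials of devices in 'device' state from `adb devices` output.
    Unauthorized or offline entries are skipped: we cannot query them anyway."""
    serials = []
    for line in output.splitlines()[1:]:            # first line is the banner
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials


def is_patched(level: Optional[str], floor: str = PATCH_FLOOR) -> Optional[bool]:
    """True if the reported level is at/after the floor, False if older,
    None if the value is missing or not an ISO date (treat as unknown, not safe).
    ISO YYYY-MM-DD strings compare correctly as plain strings."""
    if not level or not PATCH_RE.match(level):
        return None
    return level >= floor


def getprop(serial: str, prop: str) -> Optional[str]:
    """Read one system property over adb; None on any failure."""
    try:
        proc = subprocess.run(["adb", "-s", serial, "shell", "getprop", prop],
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    if proc.returncode != 0:
        return None
    return proc.stdout.strip() or None


def audit_fleet(devices_output: str,
                prop_reader: Callable[[str, str], Optional[str]] = getprop
                ) -> Dict[str, Optional[bool]]:
    """Map serial -> True (patched) / False (exposed) / None (unknown).
    prop_reader is injectable so the logic can run without adb present."""
    return {serial: is_patched(prop_reader(serial, SECURITY_PATCH_PROP))
            for serial in parse_adb_devices(devices_output)}


# Constructed sample output and serials, used only for the offline demonstration.
SAMPLE_ADB_DEVICES = (
    "List of devices attached\n"
    "R5CR1234ABC\tdevice\n"
    "R5CR9999XYZ\tdevice\n"
    "R5CR0000UNA\tunauthorized\n"
)
SAMPLE_LEVELS = {"R5CR1234ABC": "2025-06-01", "R5CR9999XYZ": "2025-02-01"}


if __name__ == "__main__":
    try:
        live = subprocess.run(["adb", "devices"], capture_output=True, text=True, timeout=10).stdout
        print(audit_fleet(live))
    except (OSError, subprocess.SubprocessError):
        print(audit_fleet(SAMPLE_ADB_DEVICES, lambda s, p: SAMPLE_LEVELS.get(s)))
```

Treat None results as failures, not passes: a device that cannot be queried, or that reports a malformed patch level, should be investigated rather than counted as patched.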

Future Implications and Unknown Payloads

Research on the LANDFALL spyware continues. Critical questions remain about the command-and-control (C2) architecture and about the next-stage payloads that the C2 servers involved in these attacks may have delivered. Cohen added that information about those payloads cannot be shared publicly yet.

“At this point, we can’t share details about the next-stage payloads delivered from the C2 server,” – Itay Cohen.

Meanwhile, the risk posed by these unknown payloads remains. Organizations and individuals across the affected regions should keep devices updated and watch for related activity. Unfortunately, as mobile defenses improve, attackers’ tradecraft adapts just as quickly and becomes harder to counter.