Overview
- Samsung Mobile
- Samsung Mobile Devices
Description
Statistics
- 8 Posts
- 6 Interactions
Fediverse
Palo Alto Networks discovered Landfall, an Android spyware exploiting a Samsung zero-day (CVE-2025-21042) to deliver malware via DNG images on WhatsApp.
🎯 Region: Middle East & North Africa
📱 Targets: Samsung Galaxy S22–S24, Fold4, Flip4
🕵️‍♂️ Capabilities: Audio recording, GPS tracking, data exfiltration
The vulnerability was patched in April, but exploitation began months before. Attribution remains uncertain.
Follow @technadu for neutral, verified #InfoSec updates.
#CyberSecurity #Android #Spyware #Samsung #ZeroDay #CVE202521042 #ThreatIntelligence #MobileSecurity #DigitalForensics #TechNews
In the last 24 hours, the LANDFALL spyware was discovered compromising Samsung devices through malicious DNG files, while the Mexican education system suffers a serious leak of minors' data; in parallel, GitHub strengthens its protections, Discord faces vulnerabilities in livestreams, and Trellix automates SOC responses to improve enterprise security. Find these and more details in the following list of information security news:
🗞️ LATEST INFORMATION SECURITY NEWS 🔒
====| 🔥 WHAT YOU NEED TO KNOW TODAY 08/11/25 📆 |====
🔍 LANDFALL: NEW COMMERCIAL-GRADE SPYWARE ATTACKS SAMSUNG DEVICES
The sophisticated, commercial-grade LANDFALL spyware exploits vulnerability CVE-2025-21042 in the image-processing library of Samsung Android devices. This malware hides in malicious DNG files, enabling silent infiltration and remote control, which represents a critical risk to the privacy and security of affected users. Stay alert and consider updating your systems to mitigate this new attack vector. Dig into the technical details and recommendations to protect yourself here 👉 https://djar.co/6aXL
🎓 MEXICAN EDUCATION SYSTEM UNDER THE SHADOW OF CYBERATTACKS AND MASSIVE LEAKS
In an alarming scenario, between May and June, cybercriminals managed to access and leak the personal data of approximately 75,000 minors and their parents linked to scholarship programs in Mexico City. This security breach exposes hundreds of families, compromising not only their sensitive information but also trust in educational institutions. It is essential to strengthen cybersecurity measures and responsible data handling in the education sector. Read the full report and tips to avoid becoming a victim 👉 https://djar.co/w2tT
📱 RUNTIME ANDROID OBJECT INSTRUMENTATION: IN-DEPTH ANALYSIS OF KNIFECOAT
This exhaustive annual analysis of the Android environment highlights how the KnifeCoat tool supports decompilers and facilitates access to rooted devices, significantly improving the capabilities for performing security audits and analysis. This innovation opens new doors for researchers and professionals seeking to better understand and protect Android applications and systems. Check out the detailed analysis and its practical implications here 👉 https://djar.co/1vEi6
📡 DESERIALIZATION VULNERABILITIES AFFECT DISCORD LIVESTREAM BROADCASTS
Critical deserialization-related vulnerabilities have been detected in Discord's live broadcasts that could allow attackers to extract sensitive data or execute malicious code. This finding underscores the importance of strengthening security on streaming platforms to protect users' integrity and privacy during real-time events. Find out how to protect your broadcasts and the technical details of this vulnerability 👉 https://djar.co/VwhNW
☁️ CLOUDFLARE INTRODUCES NEW BYOIP METHOD FOR ADVANCED IP MANAGEMENT IN THE CLOUD
Cloudflare has launched an innovative self-service API that lets customers bring and manage their own IP ranges (Bring Your Own IP - BYOIP), giving them more granular control over their cloud services. This tool improves flexibility, security and customization in network administration, a step forward for companies looking to optimize their cloud infrastructure. Learn how to take advantage of this new functionality and its benefits here 👉 https://djar.co/aUcGz
🔐 GITHUB SECURITY IMPROVEMENTS WITH UPDATES TO PULL_REQUEST_TARGET AND BRANCH PROTECTIONS
GitHub introduces important changes to the evaluation of events related to pull_request_target actions and to branch protections, strengthening security in open-source and private projects. These updates prevent potential attacks arising from the execution of untrusted code, thereby protecting the integrity of collaborative development. Learn about these changes and how to adapt to keep your repositories secure 👉 https://djar.co/5xjp
🤖 TRELLIX HELIX INTEGRATES WITH HYPERAUTOMATION TO OPTIMIZE SOC OPERATIONS
The integration between Helix and Trellix's Hyperautomation technology makes it possible to automate incident investigation and response within Security Operations Centers (SOCs), increasing the efficiency and speed of threat detection and mitigation. This technological synergy drives a proactive, scalable approach to enterprise protection. Learn how this innovation works and its impact on organizational security here 👉 https://djar.co/IGax
A single image file could hijack Galaxy phones.
Attackers hid a ZIP inside DNG photos sent over WhatsApp, exploiting a zero-day in Samsung’s image codec (CVE-2025-21042).
The implant — called LANDFALL — gave full spyware access.
Full report → https://thehackernews.com/2025/11/samsung-zero-click-flaw-exploited-to.html
"A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a "commercial-grade" Android spyware dubbed LANDFALL in targeted attacks in the Middle East.
The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the "libimagecodec.quram.so" component that could allow remote attackers to execute arbitrary code, according to Palo Alto Networks Unit 42. The issue was addressed by Samsung in April 2025.
"This vulnerability was actively exploited in the wild before Samsung patched it in April 2025, following reports of in-the-wild attacks," Unit 42 said. Potential targets of the activity, tracked as CL-UNK-1054, are located in Iraq, Iran, Turkey, and Morocco based on VirusTotal submission data.
The development comes as Samsung disclosed in September 2025 that another flaw in the same library (CVE-2025-21043, CVSS score: 8.8) had also been exploited in the wild as a zero-day. There is no evidence of this security flaw being weaponized in the LANDFALL campaign. Samsung did not immediately respond to a request for comment."
https://thehackernews.com/2025/11/samsung-zero-click-flaw-exploited-to.html
🎯 Threat Intelligence
===================
Executive summary: Unit 42 researchers identified a previously undocumented Android spyware family named LANDFALL that targeted Samsung Galaxy devices. The malware was delivered via malformed DNG image files exploiting a Samsung image‑processing zero‑day, tracked as CVE-2025-21042, and was active in the wild from mid‑2024 until Samsung issued a patch in April 2025.
Technical details:
• Malware family: LANDFALL — commercial‑grade Android spyware with comprehensive surveillance capabilities.
• Delivery vector: malformed DNG image files embedded in messaging workflows; WhatsApp is the reported delivery channel in analyzed samples.
• Vulnerability exploited: CVE-2025-21042 in Samsung’s image processing library; related issues (including CVE-2025-21043) were patched subsequently.
• Capabilities observed: microphone recording, continuous or on‑demand location collection, exfiltration of photos, contacts and call logs.
Analysis:
The operation exhibits tradecraft and infrastructure patterns consistent with private‑sector offensive actors operating in the Middle East. LANDFALL’s use of image‑based exploitation mirrors contemporaneous exploit chains seen on other mobile platforms, indicating cross‑platform technique reuse by advanced operators. The campaign’s timeline—active months before public disclosure—demonstrates stealthy targeted operations leveraging zero‑day access.
Attack Chain Analysis:
• Initial Access: crafted DNG images delivered via messaging application (samples linked to WhatsApp delivery).
• Exploitation: memory corruption in Samsung image processing library exploited by malformed DNG (CVE-2025-21042).
• Execution/Delivery: payload unpacked and persisted as Android spyware.
• Collection: microphone audio, location telemetry, photos, contacts, call logs.
• Exfiltration/C2: not publicly detailed in the report; infrastructure overlaps suggest commercial spyware tradecraft.
Detection:
Detection options reported by Unit 42 focus on indicators associated with malformed DNG artifacts, unexpected image parsing crashes, and behavioral telemetry showing unauthorized access to microphone, location, and media stores. Network and device telemetry that flags image processing exceptions correlated with post‑exploit binaries should be prioritized for forensic review.
Mitigation and response:
Samsung issued a patch for CVE-2025-21042 in April 2025, and later patched a related zero‑day (CVE-2025-21043) in September 2025. Palo Alto Networks lists Advanced WildFire, Advanced URL Filtering, Advanced DNS Security and Advanced Threat Prevention as protective layers for customers. Unit 42 recommends incident response engagement for suspected compromises.
References: CVE-2025-21042, CVE-2025-21043, LANDFALL, Unit 42 #LANDFALL #CVE-2025-21042 #Android #Samsung
🔗 Source: https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/
Overview
- asgaros
- Asgaros Forum
Description
Statistics
- 1 Post
- 1 Interaction
Fediverse
🚨 CVE-2025-11452: HIGH severity SQL Injection in Asgaros Forum (≤3.1.0) for WordPress. Unauthenticated attackers can extract sensitive DB data via malicious cookies. Patch or use WAF immediately. Details: https://radar.offseq.com/threat/cve-2025-11452-cwe-89-improper-neutralization-of-s-30f144b7 #OffSeq #WordPress #SQLi #Vuln
Overview
- saadiqbal
- Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App
Description
Statistics
- 1 Post
Fediverse
Security researchers reveal active exploitation against Post SMTP WordPress plugin
Vulnerability:
CVE-2025-11833 - Lack of authorization check
Impact: Allows an attacker to take over admin accounts and compromise the entire site
Recommendation: Apply patch ASAP
Overview
- GE Vernova
- Smallworld
Description
Statistics
- 1 Post
Fediverse
🚨 CVE-2025-3222: CRITICAL vuln in GE Vernova Smallworld (≤5.3.3 Linux, ≤5.3.4 Windows). Improper auth lets remote attackers bypass login, risking full access. Restrict network, monitor logs, await patch. https://radar.offseq.com/threat/cve-2025-3222-cwe-287-improper-authentication-in-g-a21e94c5 #OffSeq #CVE20253222 #Critical #Infosec