LANDFALL

Also known asLANDFALL

LANDFALL is a Samsung Android-based spyware family (Android surveillance malware) discovered by Palo Alto Networks Unit 42 while hunting exploit chains related to an Apple-disclosed DNG processing exploit. Unit 42 reported the LANDFALL exploit chain used a malicious DNG file with appended ZIP content and included two .so (native) files, one used for command-and-control functionality. Check Point Research referenced related activity under the same name and assessed it was linked to exploitation of Samsung’s TIFF/DNG parsing vulnerability CVE-2025-21042, affecting targets in Iraq, Iran, Turkey, Bahrain, Morocco, and Pakistan. No additional high-confidence attribution to a specific nation-state or named threat actor is provided in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

🇮🇶 Iraq
🇮🇷 Iran
🇹🇷 Türkiye
🇧🇭 Bahrain
🇲🇦 Morocco
🇵🇰 Pakistan

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

checkpoint research blogNews

Feb 23, 2026

2025: The Untold Stories of Check Point Research - Check Point Research

PSOA-attributed activity cluster using malicious TIFF files with embedded ELF payloads targeting Android, exploiting Samsung TIFF/DNG parsing vulnerability (CVE-2025-21042).

detection engineering netNews

Nov 12, 2025

DEW #137 - AI Agents For Security By Security, Free Sigma training & JA4 for beginners

LANDFALL is a commercial-grade Android spyware used in exploit chains targeting Samsung devices, leveraging vulnerabilities in DNG file processing. The spyware is capable of exfiltrating data and maintaining command and control over infected devices.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.