LANDFALL
LANDFALL is a previously unknown, commercial-grade Android spyware family disclosed by Palo Alto Networks Unit 42. It targets Samsung Galaxy devices, particularly flagship models including the Galaxy S22, S23, S24, Z Fold4, and Z Flip4, and was observed in targeted activity primarily affecting individuals in the Middle East, with potential victimology in Iraq, Iran, Turkey, and Morocco. Unit 42 tracked the activity as CL-UNK-1054.
Delivery relied on exploitation of the Samsung image-processing zero-day CVE-2025-21042 (Samsung SVE-2024-1969) in the libimagecodec.quram.so library. The spyware was embedded in malformed DNG image files that carried an appended ZIP archive. Based on filenames and context, these malicious DNGs appear to have been sent via WhatsApp, but Unit 42 stated it found no evidence of an unknown WhatsApp vulnerability. The exploit may have been zero-click, potentially triggering during image processing such as thumbnail generation or metadata extraction, without user interaction. Public sample metadata indicates the campaign was active from at least July 2024 and predates Samsung's April 2025 patch for the flaw.
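The delivery artifact described above is a TIFF-structured DNG with a ZIP archive appended after the image data. The following triage scanner, written for this page and not part of Unit 42's tooling, locates such an appended archive by reading the ZIP end-of-central-directory record and computing where the archive actually starts; a start offset greater than zero means the ZIP was glued onto other data. The sample file is constructed in memory and is not a real malware sample.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # little/big-endian TIFF header (DNG is TIFF-based)
ZIP_LOCAL = b"PK\x03\x04"               # ZIP local file header signature
ZIP_EOCD = b"PK\x05\x06"                # ZIP end-of-central-directory signature

def find_appended_zip(data: bytes):
    """Return (zip_start_offset, member_names) if a TIFF/DNG carries an
    appended ZIP archive, otherwise None. Only TIFF-headed files are examined."""
    if data[:4] not in TIFF_MAGICS:
        return None
    eocd_pos = data.rfind(ZIP_EOCD)
    if eocd_pos < 0 or eocd_pos + 22 > len(data):
        return None
    # EOCD layout: sig, disk, cd_disk, entries_on_disk, entries_total,
    # cd_size, cd_offset (relative to archive start), comment_len
    (_sig, _disk, _cd_disk, _n_disk, _n_total, cd_size, cd_offset,
     _comment_len) = struct.unpack("<IHHHHIIH", data[eocd_pos:eocd_pos + 22])
    cd_pos = eocd_pos - cd_size          # where the central directory really sits
    zip_start = cd_pos - cd_offset       # where the archive believes byte 0 is
    if zip_start < 0 or data[zip_start:zip_start + 4] != ZIP_LOCAL:
        return None
    with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
        names = zf.namelist()
    return zip_start, names

def build_sample() -> bytes:
    """Constructed sample (not real malware): a minimal little-endian TIFF with one
    empty IFD plus filler bytes, followed by an appended ZIP holding two placeholder
    members named after the components the report describes."""
    tiff = b"II*\x00" + struct.pack("<I", 8)          # header, first IFD at offset 8
    tiff += struct.pack("<H", 0) + struct.pack("<I", 0)  # IFD with 0 entries, no next IFD
    tiff += b"\x00" * 50                               # filler standing in for image data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("b.so", b"placeholder")
        zf.writestr("l.so", b"placeholder")
    return tiff + buf.getvalue()

def build_clean_sample() -> bytes:
    """Constructed clean TIFF with no appended archive."""
    return build_sample()[:64]

if __name__ == "__main__":
    print(find_appended_zip(build_sample()))       # (64, ['b.so', 'l.so'])
    print(find_appended_zip(build_clean_sample()))  # None
```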
The malware uses a two-stage architecture. A loader/backdoor component, b.so, described by Unit 42 as the main backdoor and initial loader and referred to in debug artifacts as "Bridge Head," establishes core access and supports modular payload delivery. A second component, l.so, manipulates SELinux policy to obtain elevated permissions and support persistence. Reported capabilities include microphone and call recording, location tracking, collection of photos, contacts, call logs, SMS or messaging data, and arbitrary files, as well as arbitrary command execution, process injection, in-memory and on-disk DEX loading, LD_PRELOAD execution, and anti-analysis checks for TracerPid, Frida, and Xposed.
LANDFALL communicates with command-and-control infrastructure over HTTPS, using certificate pinning and a non-standard ephemeral TCP port. The initial beacon reportedly uses HTTP POST parameters including protocol, type, agent_id, command_id, source=bridge_head, euid, and bh_path, and some requests use the Chrome user-agent string "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36".
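The beacon parameters and user-agent above give a defender concrete fields to match in proxy or egress logs. The following check, added here and not taken from Unit 42's report, parses a constructed pipe-delimited log format (method|host|url|user-agent|body; the format and all hosts are assumptions) and flags requests that carry the reported parameter set, the `source=bridge_head` marker, or the exact legacy Chrome user-agent.

```python
from urllib.parse import parse_qs, urlsplit

# Parameter names and user-agent string as reported for the initial beacon
BEACON_PARAMS = {"protocol", "type", "agent_id", "command_id", "source", "euid", "bh_path"}
LANDFALL_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36")

def beacon_indicators(url: str, user_agent: str, body: str = "") -> list:
    """Return the reasons one HTTP request resembles the LANDFALL initial beacon.
    Parameters may travel in the query string or the form body, so both are parsed."""
    params = parse_qs(urlsplit(url).query)
    params.update(parse_qs(body))
    reasons = []
    if params.get("source") == ["bridge_head"]:
        reasons.append("source=bridge_head")
    present = BEACON_PARAMS & set(params)
    # 'type' and 'protocol' are common names on their own; require most of the set
    if len(present) >= 5:
        reasons.append("beacon parameter set: " + ",".join(sorted(present)))
    if user_agent == LANDFALL_UA:
        reasons.append("legacy Chrome 44 / OS X 10.10 user-agent from a mobile client")
    return reasons

# Constructed log lines (not real traffic); hosts use the reserved .invalid TLD
SAMPLE_LOG = [
    "POST|example.invalid|https://example.invalid/?protocol=1&type=1&agent_id=a1"
    "&command_id=0&source=bridge_head&euid=10234&bh_path=/data/x|" + LANDFALL_UA + "|",
    "GET|example.invalid|https://example.invalid/|Mozilla/5.0 (Linux; Android 14)|",
    "POST|example.invalid|https://example.invalid/login||user=a&type=1&protocol=https",
]

def scan_log(lines):
    """Yield (host, reasons) for every log line that trips at least one indicator."""
    hits = []
    for line in lines:
        _method, host, url, ua, body = line.split("|", 4)
        reasons = beacon_indicators(url, ua, body)
        if reasons:
            hits.append((host, reasons))
    return hits

if __name__ == "__main__":
    for host, reasons in scan_log(SAMPLE_LOG):
        print(host, reasons)
```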
High-confidence infrastructure indicators reported for the campaign include the domains brightvideodesigns[.]com, hotelsitereview[.]com, healthyeatingontherun[.]com, and projectmanagerskills[.]com, and the IP addresses 194.76.224[.]127, 91.132.92[.]35, 92.243.65[.]240, 192.36.57[.]56, 46.246.28[.]75, and 45.155.250[.]158. Turkey's USOM reportedly flagged some related IPs as malicious.
Unit 42 assessed LANDFALL as commercial-grade spyware. The reporting notes infrastructure and domain-registration similarities with patterns associated with Stealth Falcon, a group suspected of links to the UAE government, but explicitly states there were no strong direct links or definitive attribution as of October 2025.