LandFall WhatsApp DNG spyware campaign targeting Samsung devices in the Middle East
Campaign
Summary
A LandFall spyware campaign has used malicious DNG image files over WhatsApp to target Samsung devices in the Middle East, raising covert surveillance risk. The operation has been active since mid-2024 and may have relied on zero-click exploits to trigger remote code execution. It is designed for microphone recording, location tracking, and harvesting photos, contacts, and call logs. The tradecraft points to a persistent commercial spyware effort rather than a one-off lure.
Cases
Related Happenings
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
Red Menshen telecom espionage campaign
Campaign
First: 26.03.2026 19:40
Last: 26.03.2026 19:40
Sources 1
About this happening:
A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...
Perseus IPTV-lure distribution campaign targeting Europe and the Middle East
Campaign
First: 19.03.2026 14:43
Last: 19.03.2026 14:43
Sources 1
About this happening:
The **Perseus** distribution campaign is actively pushing **Android malware** through **phishing sites** and **IPTV-lure apps**, increasing the risk of **device takeover** and **f...
SORVEPOTEL WhatsApp malware campaign spreads across Brazil
Campaign
First: 12.03.2026 19:31
Last: 12.03.2026 19:31
Sources 1
About this happening:
A **WhatsApp** malware campaign in **Brazil** is spreading **SORVEPOTEL**, a **self-propagating Windows malware** that uses **phishing ZIP attachments** and a desktop-only lure to...
ZeroDayRAT mobile spyware targeting Android and iOS
Malware Activity
First: 10.02.2026 16:00
Last: 10.02.2026 16:00
Sources 1
About this happening:
**ZeroDayRAT** is a newly documented **mobile spyware** operation targeting **Android and iOS** devices, creating broad risk for persistent surveillance and financial abuse. It ca...
Timeline
- 11.11.2025 12:30 · 2 articles · 6mo ago
CISA adds CVE-2025-21042 after LandFall spyware campaign against Samsung devices
Campaign Scope Update
CISA adds CVE-2025-21042 to the KEV catalog and requires federal agencies to apply vendor mitigations by December 1 or discontinue use if mitigations are unavailable. Palo Alto Networks says the out-of-bounds write flaw CVE-2025-21042, with a CVSS score of 9.8, was patched by Samsung in April and had been used since mid-2024 in a LandFall spyware campaign that embedded malicious DNG image files sent through WhatsApp to targets. The campaign is described as targeting victims in the Middle East and enabling covert surveillance, including microphone recording, location tracking, and collection of photos, contacts, and call logs, with possible zero-click remote code execution.
Sources:
- CISA Adds Zero-Day Bug Used in Spyware Attacks to KEV — www.infosecurity-magazine.com — 11.11.2025 12:30