LANDFALL is a newly discovered commercial-grade spyware that targeted Samsung Galaxy devices by exploiting a zero-day vulnerability (CVE-2025-21042) in Samsung’s image-processing software, allowing attackers to secretly access data, location, and the microphone before Samsung released a security patch in April 2025.
Unit 42 found samples of a previously undocumented spyware family and named it LANDFALL. The samples were malformed DNG (Digital Negative) image files with a ZIP archive appended. When a vulnerable Samsung image library parsed such an image, the payload (the spyware) was extracted from the archive and executed.
Judging from VirusTotal submission metadata and submitter IP addresses, this was not mass malware but a targeted campaign. Victims appear to be concentrated in the Middle East and North Africa (Iraq, Iran, Turkey and Morocco).
The vulnerability (the technical core)
CVE-2025-21042 is an out-of-bounds write in libimagecodec.quram.so, Samsung's image-processing library, that allows remote code execution. It was rated high severity (CVSS 8.8). In practice it means a crafted image file can make the device execute attacker-supplied code when the library parses it.
A ZIP archive was appended to the DNG image. When the vulnerable parser mishandled the image, the exploit extracted the shared-library (.so) files from that archive and loaded them. This is how LANDFALL was delivered and executed.
Delivery method — why this was dangerous
The malicious DNG files were most likely delivered over WhatsApp: the sample filenames followed WhatsApp's image-naming convention, and Unit 42 noted the resemblance to earlier zero-click image exploit chains, although the exact delivery mechanism was not confirmed. Because the bug is triggered by parsing, the exploit could be zero-click: if the messenger or the phone parsed the image or generated a thumbnail automatically, the victim did not have to open it.
That combination of automatic parsing and no user interaction is what makes it stealthy and dangerous.
What LANDFALL can do (capabilities)
Unit 42 and other reports show LANDFALL provided comprehensive surveillance abilities similar to commercial spyware:
Access photos, files, contacts, call logs.
Record audio from the microphone.
Report precise location (GPS).
Send data back to command-and-control servers the attacker controls.
These capabilities are typical of commercial surveillance products, which is why Unit 42 describes LANDFALL as commercial-grade.
Affected Devices
Unit 42's telemetry indicates that multiple Samsung Galaxy models were affected; the report specifically names the Galaxy S22, S23 and S24 series and the Z Fold 4 and Z Flip 4. The flaw existed in multiple versions of Samsung's image-processing library and remained exploitable until Samsung shipped the patch.
Activity Timeline and Closing the Gaps
Unit 42 traced LANDFALL activity back to at least mid-2024: samples were uploaded to VirusTotal from mid-2024 through early 2025.
Samsung patched CVE-2025-21042 in April 2025, as Unit 42 notes. CVE-2025-21043, a related vulnerability in the same library, was patched later in 2025. Devices that have installed those updates are not vulnerable to this specific exploit chain.
Attribution
Unit 42's designation of LANDFALL as "commercial-grade" implies it was likely produced and/or sold by a surveillance vendor rather than an ordinary cybercriminal group. Still, no company or state behind the attacks has been publicly named. Researchers commonly hedge on attribution unless they hold solid evidence.
Possible Indicators of Compromise (IoCs) & Relevant Evidence
In device forensics, look for malformed DNG image files with a ZIP archive appended after the image data.
Look for outbound connections to the command-and-control IP addresses and domains listed in Unit 42's appendix.
Other signals: unexpected microphone-use records, new binaries or shared libraries in app storage, and apps with unusual battery or data usage.
Refer to Unit 42's technical appendix for the exact IP addresses, hashes and filenames; the YARA rules in the report encode the file-level indicators.
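As a worked example that is not part of Unit 42's report or tooling, the following Python triage script checks an image file for the delivery pattern described in the vulnerability section above (a TIFF/DNG container with a ZIP archive appended after the image data) and lists any ELF shared objects found inside the archive. The sample files it builds are constructed here for illustration; the entry names (payload.so, stage.dat) and the minimal DNG header are assumptions, not indicators from the report.

```python
from __future__ import annotations

import io
import struct
import zipfile

# Added example, not Unit 42's tooling. Detects the LANDFALL delivery pattern:
# a TIFF/DNG container with a ZIP archive appended after the image data, the
# archive carrying shared objects. Entry names and sample bytes are constructed.

TAG_DNG_VERSION = 0xC612   # DNGVersion tag in IFD0 (from the DNG specification)
ELF_MAGIC = b"\x7fELF"


def tiff_byte_order(data: bytes) -> str | None:
    """Return the struct endianness prefix for a TIFF/DNG header, or None."""
    if data[:4] == b"II*\x00":
        return "<"
    if data[:4] == b"MM\x00*":
        return ">"
    return None


def ifd0_tags(data: bytes) -> list[int]:
    """Tag IDs in the first IFD; every offset is bounds-checked so a truncated
    or malformed file returns a short list instead of raising."""
    end = tiff_byte_order(data)
    if end is None or len(data) < 8:
        return []
    (ifd_off,) = struct.unpack(end + "I", data[4:8])
    if ifd_off + 2 > len(data):
        return []
    (count,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    tags = []
    for i in range(count):
        start = ifd_off + 2 + 12 * i
        if start + 12 > len(data):
            break                       # IFD runs past EOF: stop, do not trust count
        tags.append(struct.unpack(end + "H", data[start:start + 2])[0])
    return tags


def appended_zip_entries(data: bytes) -> dict[str, bytes] | None:
    """Names and contents of a ZIP archive appended to the file, or None."""
    if data.rfind(b"PK\x05\x06") == -1:     # no end-of-central-directory record
        return None
    try:
        # zipfile tolerates data prepended to an archive (here, the image) by
        # rebasing the central-directory offsets, so the whole blob opens as-is.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {info.filename: zf.read(info) for info in zf.infolist()}
    except zipfile.BadZipFile:
        return None


def triage_image(data: bytes) -> dict:
    """Summarise the checks; an image that carries a ZIP is flagged suspicious."""
    tags = ifd0_tags(data)
    entries = appended_zip_entries(data)
    elf = sorted(n for n, b in (entries or {}).items() if b.startswith(ELF_MAGIC))
    return {
        "tiff": tiff_byte_order(data) is not None,
        "dng_version_tag": TAG_DNG_VERSION in tags,
        "appended_zip": entries is not None,
        "zip_entries": sorted(entries) if entries else [],
        "elf_entries": elf,
        "suspicious": entries is not None,   # no reason for an image to carry a ZIP
    }


def build_samples() -> tuple[bytes, bytes]:
    """Constructed inputs: a minimal little-endian DNG, clean and with a ZIP appended."""
    def entry(tag: int, typ: int, count: int, value: bytes) -> bytes:
        return struct.pack("<HHI", tag, typ, count) + value     # 12-byte IFD entry
    entries = [
        entry(0x0100, 3, 1, struct.pack("<HH", 1, 0)),          # ImageWidth = 1
        entry(0x0101, 3, 1, struct.pack("<HH", 1, 0)),          # ImageLength = 1
        entry(TAG_DNG_VERSION, 1, 4, bytes([1, 4, 0, 0])),      # DNGVersion 1.4.0.0
    ]
    ifd = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    clean = b"II*\x00" + struct.pack("<I", 8) + ifd + b"\x00" * 16   # 16 bytes of "pixels"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.so", ELF_MAGIC + b"\x00" * 60)   # fake ELF header, constructed
        zf.writestr("stage.dat", b"not an ELF")
    return clean, clean + buf.getvalue()


if __name__ == "__main__":
    for label, blob in zip(("clean", "zip-appended"), build_samples()):
        print(label, triage_image(blob))
```

The ZIP check deliberately searches from the end of the file for the end-of-central-directory record rather than for the first "PK" bytes, because legitimate pixel data can contain that byte sequence; a stray match that does not form a valid archive is ignored. Run it over a directory of images pulled from a device and treat any file with appended_zip set as worth a closer look.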
Mitigation & Detection (practical steps)
For individual users:
Update your phone. Install the Samsung/Android security updates that fix the bug exploited by LANDFALL (available since April 2025); installing them closes this specific vulnerability.
Be cautious with images from unknown senders. This offers no protection against a true zero-click exploit, but it reduces exposure to variants that need interaction; delete suspicious files rather than saving or viewing them.
Utilize official app stores and ensure that apps (including messaging apps) are regularly updated.
If you suspect compromise (unusual behaviour, rapid battery drain, unexplained data usage), back up your essential files, factory-reset the device and change important passwords from another device. If you believe you may be a high-risk target, seek professional help.
For organizations / security teams:
Evaluate and apply Samsung security patches promptly, and confirm the patch level on all managed devices (on Android the property ro.build.version.security_patch, readable with adb shell getprop, should be 2025-04-01 or later for the CVE-2025-21042 fix; CVE-2025-21043 requires the later level that fixed it).
Deploy mobile threat detection/EDR and hunt for the file artifacts and behavioural anomalies described in the Unit 42 report.
Search telemetry for the IoC domains and IPs and block them.
If you find suspicious activity, share the IoCs with your incident-response team and national CSIRT.
How serious is this? (risk assessment)
Technically serious: a zero-day, a zero-click delivery path and full device surveillance add up to high impact for the individuals targeted.
Practically limited in scope: it was used in targeted campaigns, not a mass spying outbreak. With patches available since April 2025, the immediate risk to users on updated devices is low; unpatched and older devices remain at risk.