Google discovers a Windows exploit that points to distribution of spyware

Google discovers a Windows exploit that points to distribution of spyware
Russell Kidson
Dec 1, 2022
Updated • Dec 1, 2022
Windows
|
13

Google’s in-house Threat Analysis Group has recently uncovered an exploit framework that takes advantage of vulnerabilities in web browsers and other system utilities. TAG has also linked the exploit framework to a Spanish software company based in Barcelona. The exploit framework is known to target vulnerabilities in Microsoft Defender, Google Chrome, and Mozilla Firefox.

TAG is primarily one of Google’s expert-led lines of defense against state-sponsored attacks. However, TAG also keeps tabs on companies that let governments spy on political and moral opponents, dissidents, and journalists using tools of the surveillance trade. Officially, the Barcelona-based company claims to be nothing more than a custom security solution provider. However, the truth seems to be much more sinister. According to Google, this Spanish software company is one such commercial vendor of surveillance.

‘Continuing this work, today, we're sharing findings on an exploitation framework with likely ties to Variston IT, a company in Barcelona, Spain that claims to be a provider of custom security solutions.’

These are the sentiments of TAG’s Benoit Sevens and Clement Lecigne who recently addressed the team’s findings. TAG also stated that ‘Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device.’

Google unmasks Windows exploit

As TAG found, the exploit framework has three main components:

  • Heliconia Noise: A Web framework that deploys renderer bug exploits. The framework then installs malevolent agents on the target system by deploying a Chrome sandbox escape.
  • Heliconia Soft: A second web framework that carries a PDF payload that contains the Windows Defender exploit currently tracked as CVE-2021-42298.
  • Heliconia Files: A set of exploits for Windows and Linux that target Firefox. One of these is currently being tracked as CVE-2022-26485.

Yesterday, TAG stated that The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws; they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety, which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry.’

In other related news, Google is apparently developing tech to replace internet cookies.

Advertisement

Related content

Microsoft is rolling out Recall to Windows 11 Copilot+ PCs via an optional update

Microsoft is rolling out Recall to Windows 11 Copilot+ PCs via an optional update

Windows 11: official Maps app is dead, but there are options
Green Screen error Windows

Windows 11: Green Screen of Death is rolling out, what you need to know
Bug in Windows 11 Update disables Windows Hello authentication for some users

Windows: Empty inetpub folder creates a new security problem
Microsoft unveils new Click to Do features for Copilot+ PCs

Microsoft unveils new Click to Do features for Copilot+ PCs
Windows 11 Moment 3

Windows 11: Security-feature VBS Enclaves is being deprecated on some systems

Tutorials & Tips

How to Capture Screenshots on Windows 10 and 11

Quick Ways to Open Device Manager in Windows 11

Here is How to Permanently Disable Windows Defender

4 Tested Ways to Install Windows 11 on Unsupported CPU


Previous Post: «
Next Post: «

Comments

  1. SamNFrodo said on April 8, 2023 at 8:22 am
    Reply

    So Google pointed Windows back at itself?

    I often feel like Sam & Frodo when they were outside Minas Morgul staring at the horde of Orcs marching…. the Horde of Orcs are not Orcs in this case. They are Windows users unaware of the chains they are in.

  2. DontBeEvil said on December 2, 2022 at 4:07 pm
    Reply

    How long before Google unmasks its own garbage? There are many poor redesigns that are useless. Everywhere there are so many unsightly circular corners. Why is their Google Play website currently so diluted? Even sorting comments is no longer possible. It resembles a single awful mobile website with no functionality.

  3. Anonymous said on December 2, 2022 at 3:00 pm
    Reply

    “TAG also keeps tabs on companies that let governments spy on political and moral opponents, dissidents, and journalists using tools of the surveillance trade.”

    Isn’t Google one of the largest of such companies ?

  4. Russ James said on December 2, 2022 at 2:49 pm
    Reply

    The writers’ About is wordier than the article.

  5. notanon said on December 1, 2022 at 9:50 pm
    Reply

    Mitigations???

    Are Windows, Chrome & Firefox patched???

    This article is incomplete.

    BTW, the “spanish” software company could be providing services to any other government/NGO in the world. Who knows how deep the rabbit hole goes?

  6. Andy Prough said on December 1, 2022 at 7:42 pm
    Reply

    There’s probably hundreds of these companies developing exploits of Chrome and Firefox security vulnerabilities. This Variston IT company must have had a falling out with the American spy community, for the NSA to allow Google to expose them like this. There’s no way a report like this gets released without the NSA checking to see if it exposes American spycraft sources and methods first.

  7. Tony said on December 1, 2022 at 7:13 pm
    Reply

    “Google discovers a Windows exploit that points to distribution of spyware”

    Too late, many systems are already infected with chrome.exe spyware. Now we have an edge.exe variant as well.

    1. John G. said on December 1, 2022 at 7:28 pm
      Reply

      +1
      No, better +10.

  8. John G. said on December 1, 2022 at 5:42 pm
    Reply

    The affected software should give thanks to this spanish company.
    Nothing new under the sun, everyday a new exploit and so forth.

    1. Frankel said on December 1, 2022 at 5:46 pm
      Reply

      Thanking an exploit hoarding company peddling them to governments of dictatorships and so called democracies? I don’t think their boots’ soles taste that good for me to give them a lick.

      1. John G. said on December 1, 2022 at 7:27 pm
        Reply

        @Frankel, welcome to the modern Europe.

    2. John G. said on December 1, 2022 at 5:44 pm
      Reply

      By the way, what a beautiful word the heliconia. What a beautiful plant with nice flowers, indeed.
      https://en.wikipedia.org/wiki/Heliconia

  9. Frankel said on December 1, 2022 at 5:41 pm
    Reply

    >In other related news, Google is apparently developing tech to replace internet cookies.

    May they fail over and over again. The cookie system needs no alternative and I will keep scrubbing their trackers and isolate them for each site as I deem fit.

    FloC, Topics, etc pp. New name, same cyber bingo BS.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.

Advertisement

Spread the Word

Advertisement

Hot Discussions

Advertisement

Recently Updated

Advertisement

About gHacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.

The name and logo of Ghacks are copyrights or trademarks of SOFTONIC INTERNATIONAL S.A.
Copyright SOFTONIC INTERNATIONAL S.A. © 2005- 2025 - All rights reserved