Mallory
1 malware family
Exploits CVEs in the wild

CL-UNK-1054

Also known as: CL-UNK-1054

CL-UNK-1054 is a threat activity cluster tracked by Palo Alto Networks Unit 42 in connection with targeted attacks delivering the LANDFALL Android spyware to Samsung Galaxy devices. The activity exploited Samsung zero-day CVE-2025-21042, an out-of-bounds write in libimagecodec.quram.so that enabled remote code execution; Samsung patched the flaw in April 2025 after in-the-wild exploitation. Unit 42 assessed that the attacks likely used specially crafted DNG image files delivered via WhatsApp and may have operated as a zero-click chain requiring no user interaction. Potential targets were assessed to be in Iraq, Iran, Turkey, and Morocco, with broader targeting indications in the Middle East and North Africa.

LANDFALL is described as a full-featured surveillance implant capable of collecting microphone audio, location, photos, contacts, SMS, files, and call logs. The malicious DNG files reportedly contained an appended ZIP archive from which shared object libraries were extracted, including components to run the spyware and to manipulate SELinux policy to obtain elevated permissions and persistence. The loader communicated with command-and-control infrastructure over HTTPS, entered a beaconing loop, and received additional payloads for execution.

Attribution remains unknown. Unit 42 stated it could not attribute CL-UNK-1054 or LANDFALL to a known commercial spyware vendor. The reporting notes that LANDFALL infrastructure and domain registration patterns resemble Stealth Falcon, also known as FruityArmor, but as of October 2025 there were no direct overlaps and no conclusive evidence linking the activity to that group. Reporting also noted malware component naming conventions that may resemble development cues seen in surveillance companies such as NSO, Variston, and Cytrox, but these were not presented as attribution. Known alias: CL-UNK-1054.
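The reporting above describes the delivery artifact as a DNG image with a ZIP archive appended to it. The following Python check is an added defender-side example, not code from the Mallory page or from Unit 42: it confirms the TIFF header that every DNG carries, then looks for a structurally valid ZIP archive trailing the image by locating the end-of-central-directory record and verifying that the archive's own offsets point back to a local file header inside the file. The sample files, the function names and the entry name lib/example_loader.so are constructed for illustration and are not real LANDFALL artifacts.

```python
"""Detect a ZIP archive appended to a TIFF/DNG image (added example, not Mallory's code)."""
import io
import struct
import zipfile

# DNG is a TIFF container, so the file starts with a TIFF byte-order header.
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")
ZIP_LOCAL_SIG = b"PK\x03\x04"   # local file header
ZIP_CDIR_SIG = b"PK\x01\x02"    # central directory entry
ZIP_EOCD_SIG = b"PK\x05\x06"    # end of central directory record
EOCD_FIXED_LEN = 22
MAX_COMMENT = 0xFFFF


def is_tiff(data: bytes) -> bool:
    """True if the buffer carries a TIFF (and hence possibly DNG) header."""
    return data[:4] in TIFF_MAGIC


def find_appended_zip(data: bytes):
    """Return details of a ZIP archive trailing the image, or None.

    The EOCD record must sit in the last 64 KiB + 22 bytes of the file. Its
    central-directory offset is relative to the start of the archive, so for
    an archive glued onto an image the archive start is recovered as
    eocd_pos - cd_size - cd_offset, and that position must hold a local file
    header. ZIP64 archives are not handled by this heuristic.
    """
    tail_start = max(0, len(data) - (EOCD_FIXED_LEN + MAX_COMMENT))
    eocd_pos = data.rfind(ZIP_EOCD_SIG, tail_start)
    if eocd_pos < 0 or eocd_pos + EOCD_FIXED_LEN > len(data):
        return None
    (_sig, _disk, _cd_disk, _n_disk, n_total, cd_size, cd_offset,
     _comment_len) = struct.unpack("<4sHHHHIIH", data[eocd_pos:eocd_pos + EOCD_FIXED_LEN])
    zip_start = eocd_pos - cd_size - cd_offset
    if zip_start <= 0:
        # zip_start == 0 would mean the whole file is a ZIP, not an image with a tail
        return None
    if data[zip_start:zip_start + 4] != ZIP_LOCAL_SIG:
        return None
    if data[zip_start + cd_offset:zip_start + cd_offset + 4] != ZIP_CDIR_SIG:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    if len(names) != n_total:
        return None
    return {"zip_start": zip_start, "entries": names}


def classify(data: bytes) -> str:
    """Coarse verdict a triage pipeline could key on."""
    if not is_tiff(data):
        return "not-tiff"
    return "tiff-with-appended-zip" if find_appended_zip(data) else "tiff-clean"


# --- constructed samples (hypothetical, not real LANDFALL artifacts) ---
def make_clean_tiff() -> bytes:
    """Minimal little-endian TIFF: header, IFD at offset 8 with zero entries, padding."""
    header = b"II*\x00" + struct.pack("<I", 8)
    ifd = struct.pack("<H", 0) + struct.pack("<I", 0)
    return header + ifd + b"\x00" * 64


def make_polyglot_tiff() -> bytes:
    """Clean TIFF followed by a ZIP holding a hypothetical shared-object name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("lib/example_loader.so", b"\x7fELF placeholder bytes")
    return make_clean_tiff() + buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", make_clean_tiff()), ("polyglot", make_polyglot_tiff())):
        print(label, classify(sample), find_appended_zip(sample))
```

The check deliberately validates the archive's internal offsets rather than just grepping for "PK": a bare signature match fires on compressed pixel data, whereas an EOCD whose central directory and first local header line up is hard to hit by accident. Run it over image attachments at a mail or messaging gateway and alert on the "tiff-with-appended-zip" verdict.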

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (1)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (1)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.