Spanish spyware outfit uncovered, develops exploits for Windows, Chrome, and Firefox

The beach front in Barcelona
(Image credit: Shutterstock)

Google has tied a previously unknown spyware operation to a private company in Spain after receiving an anonymous tip-off regarding the malicious activity.

Its Threat Analysis Group (TAG) said the evidence suggests that Barcelona-based Variston IT has developed an exploit framework which leveraged zero days in Windows Defender, Firefox, and Chrome.

Google said the operation tied to Variston IT had developed the Heliconia framework which itself was split into smaller frameworks that exploited different systems and applications, like Windows and Chrome. The product gives customers all the tools needed to deploy a payload to a target device.

The frameworks included mature source code that could deploy the exploits. The first was Heliconia Noise, a web framework used to deploy an exploit for a Chrome renderer bug, followed by a sandbox escape.

Heliconia Soft was a separate web framework that dropped a malicious PDF to exploit a vulnerability in Windows Defender. The third and final framework was called Files - it consisted of a set of exploits targeting Firefox versions on both Windows and Linux systems.

The three companies targeted in the exploit, Microsoft, Mozilla, and Google, fixed the vulnerabilities in 2021 and early 2022. Google said it hadn’t detected active exploitation of the now-patched vulnerabilities, but instead predicted that they were used as zero-days in earlier attacks.

The tech giant only became aware of the Heliconia framework when it received an anonymous submission to its Chrome bug reporting programme.


The long road ahead to ransomware preparedness

Getting to the bigger truth


“The submitter filed three bugs, each with instructions and an archive that contained source code,” said Google TAG researchers in a blog post. “They used unique names in the bug reports including, ‘Heliconia Noise,’ ‘Heliconia Soft’, and ‘Files'.

"TAG analysed the submissions and found they contained frameworks for deploying exploits in the wild and a script in the source code included clues pointing to the possible developer of the exploitation frameworks, Variston IT.”

Heliconia Noise, for example, leaked the name of the company in a line of code that prevented the framework from generating binaries containing strings such as 'Variston'.

The same for loop in Heliconia Noise's code also leaked the aliases of the developers who worked on the project: majinbuu, janemba, and freezer - all references to characters in the Dragon Ball manga franchise.

Google said that commercial spyware is used by governments to spy on journalists, human rights activists, and political opposition through its advanced surveillance abilities. The tech giant is aiming to disrupt the threat of these types of companies to protect users and raise awareness of the industry, it said.

IT Pro has contacted Variston for comment. It appears to be registered at an address in Barcelona and was founded by Jayaraman Ramanan and Ralf Dieter Wegener in 2018, according to Datos Cif, a Spanish database containing information about companies. Deloitte is also named as its auditor.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.