Government Hackers Targeted iPhone Zero Days Using Startup Variston's Spyware

Government Hackers Targeted iPhone Zero Days Using Startup Variston's Spyware

Chinese group breached Dutch Ministry of Defense, Chinese-speaking group loots resume data, Cyberattack hits French healthcare giant, Fake story about smart toothbrush botnet gains steam, much more

Note bene: While Metacurity explores switching to alternative newsletter platforms, please know that whatever we do, you can always reach Metacurity at Also note that when we make the switch, it should be seamless for all subscribers, including premium subscribers.

black android smartphone turned on displaying icons

Google’s Threat Analysis Group (TAG) said that government hackers last year exploited three unknown vulnerabilities in Apple’s iPhone operating system to target victims with spyware developed by a European startup, Barcelona-based Variston.

TAG analyzed several government campaigns conducted with hacking tools developed by several spyware and exploit sellers, including Variston. Government hackers took advantage of three iPhone “zero-days,” which were vulnerabilities not known to Apple when they were exploited. In this case, the hacking tools were developed by Variston, a surveillance and hacking technology startup whose malware has already been analyzed twice by Google (in 2022 and 2023).

Google said it discovered the unknown Variston customer using these zero-days in March 2023 to target iPhones in Indonesia. The hackers delivered an SMS text message containing a malicious link that infected the target’s phone with spyware and then redirected the victim to a news article by the Indonesian newspaper Pikiran Rakyat. Google did not say who Variston’s government customer was in this case.

It is unknown who Variston sold its spyware to. According to Google, Variston collaborates “with several other organizations to develop and deliver spyware.”

Google says one of the organizations was Protected AE, which is based in the United Arab Emirates. Local business records identify the company as “Protect Electronic Systems” and say it was founded in 2016 and headquartered in Abu Dhabi. Protect's official website bills itself as “a cutting-edge cyber security and forensic company.”

According to Google, Protect “combines spyware it develops with the Heliconia framework and infrastructure, into a full package which is then offered for sale to either a local broker or directly to a government customer,” referring to Variston’s software Heliconia, which Google previously detailed in 2022.

Variston was founded in 2018 in Barcelona by Ralf Wegener and Ramanan Jayaraman, and shortly after, acquired Italian zero-day research company Truel IT, according to Spanish and Italian business records.

Separately, Google released a report called Buying Spying, an in-depth report with insights into Commercial Surveillance Vendors (CSVs). TAG actively tracks around 40 CSVs of varying levels of sophistication and public exposure. The report outlines Google’s understanding of who is involved in developing, selling, and deploying spyware, how CSVs operate, the types of products they develop and sell, and our analysis of recent activity. (Lorenzo Franceschi-Bicchierai / TechCrunch) and Buying Spying)

Related: The Keyword, Google TAG, Slashdot, TechCentral, Fortune,, Times of India, Cyberscoop, Dark Reading, Technology | The Hill, Cyber Kendra, SiliconANGLE, Security Affairs, Google, Reuters, SecurityWeek, Axios, SC Media, KRQE NEWS 13, Supercharged, Associated Press, Forbes, Cyber Kendra, SiliconANGLE,, Dark Reading, SC Magazine

The Netherlands' Military Intelligence and Security Service (MIVD) said a Chinese cyber-espionage group breached the Dutch Ministry of Defense last year and deployed malware on compromised devices.

Despite backdooring the hacked systems, the damage from the breach was limited due to network segmentation. "The effects of the intrusion were limited because the victim network was segmented from the wider MOD networks," said MIVD and the General Intelligence and Security Service (AIVD) in a joint report.

"The victim network had fewer than 50 users. Its purpose was research and development (R&D) of unclassified projects and collaboration with two third-party research institutes. These organizations have been notified of the incident."

During the follow-up investigation, a previously unknown malware strain named Coathanger, a remote access trojan (RAT) designed to infect Fortigate network security appliances, was also discovered on the breached network.

"Notably, the COATHANGER implant is persistent, recovering after every reboot by injecting a backup of itself in the process responsible for rebooting the system. Moreover, the infection survives firmware upgrades," the two Dutch agencies warned.

"Even fully patched FortiGate devices may therefore be infected if they were compromised before the latest patch was applied."

The malware operates stealthily and persistently, hiding itself by intercepting system calls to avoid revealing its presence. It also persists through system reboots and firmware upgrades.

The MIVD linked this incident with high confidence to an unspecified Chinese state-sponsored hacking group and added that this malicious activity is part of a broader pattern of Chinese political espionage targeting the Netherlands and its allies. (Sergiu Gatlan / Bleeping Computer)

Related:,, TLP:CLEAR MIVD Advisory Coathanger, South China Morning Post,, ITSEC News, NL Times, The Register - Security, The Record, Bloomberg,, Cyber Kendra, Reuters

In November 2023, Group-IB’s Threat Intelligence unit discovered a malicious campaign that targeted APAC (Asia Pacific region) employment agencies and retail companies dubbed ResumeLooters.

Overall, 65 websites were targeted, using SQL injection attacks and injecting cross-site scripting (XSS) scripts to steal sensitive user databases storing sensitive information like names, phone numbers, emails, and employment history. The stolen data was then sold on Telegram channels.

The researchers discovered Cross-Site Scripting (XSS) infection on genuine job search websites, aiming to load malicious scripts and display phishing forms. The earliest attacks date back to early 2023, per the file creation dates detected on the attackers’ servers.

The hackers stole over two million unique email addresses, targeting users in India, Taiwan, Thailand, and Vietnam. SQLi attacks targeted back-end user databases, while XSS techniques were used to display phishing content on sites and visitors’ devices.

Group-IB has identified ResumeLooters as the second group conducting SQL injection attacks against companies in the Asia-Pacific region, following GambleForce, which has carried out over 20 attacks so far.

The latter group typically targets India, Taiwan, Thailand, and Vietnam since over 70% of its known victims were located in the region. Researchers also identified compromised entities in Brazil, the USA, Turkey, Russia, Mexico, Italy, and other non-APAC countries.

ResumeLooters uses various penetration testing tools, including sqlmap, Acunetix, Beef Framework, X-Ray, Metasploit, ARL, and Dirsearch. Their main vector was SQL injection via sqlmap.

Analysis of stolen HTML files shows the malicious script was executed on at least four websites, with some having XSS scripts embedded in the HTML code, mainly on devices having administrative access.

The attackers’ accounts and advertisements for data sale were discovered in hacking-themed Telegram groups with Chinese-speaking members. (Deeba Ahmed / HackRead)

Related: Group-IB, Reddit - Information Security News, Techradar, Security News | Tech Times, Infosecurity Magazine, Dark Reading, Techradar, Reddit - Information Security News

French healthcare services firm Viamedis, which manages payments for 84 healthcare organizations covering 20 million insured individuals, suffered a cyberattack that exposed the data of policyholders and healthcare professionals in the country.

The data exposed in the attack includes a beneficiary's marital status, date of birth, social security number, name of health insurer, and guarantees open to third-party payment.

Viamedis says they will be sending different notifications about what data was exposed.

Viamedis has informed impacted health organizations, filed a complaint with the public prosecutor, and notified the authorities (CNIL, ANSSI) accordingly. Currently, the company is investigating the impact of the cyberattack. (Bill Toulas / Bleeping Computer)

Related: Viamedis, Connexion France, L’Argus

Mozilla is expanding into a suite of privacy-minded tools called Mozilla Monitor Plus that aims to speed up the time it takes to remove information from so-called people finder sites.

People finding sites are run by companies that gather information not from public records and Internet history, but from the online traces left by account sign-ups, advertising, web browsing, and other things users do after clicking to agree to vague Terms of Service.

For a cost of $14 every month or $108 annually, Mozilla Monitor Plus pledges to automatically monitor such "people search" sites, along with known data breaches, for users’ information and then take care of the removal process. (Kevin Purdy / Ars Technica)

Related: Mozilla, PC Perspective,, ReadWrite, Tech News Space, Engadget, Slashdot, Engadget, xda-developers, PC Perspective, /r/Technology,, Neowin, BetaNews, The Register - Security, Slashdot, Neowin

Meta said it will begin detecting and labeling images generated by other companies' artificial intelligence services in the coming months, using a set of invisible markers built into the files.

Meta will apply the labels to any content carrying the markers that is posted to its Facebook, Instagram, and Threads services to signal to users that the images, which in many cases resemble real photos, are digital creations, the company's president of global affairs, Nick Clegg, wrote in a blog post.

Clegg said that once the new system is up and running, Meta will do the same for images created on services run by OpenAI, Microsoft, Adobe, Midjourney, Shutterstock, and Alphabet's Google.

Clegg said he felt confident the companies could label AI-generated images reliably but said tools to mark audio and video content were more complicated and still being developed.

In the interim, Meta will start requiring people to label their own altered audio and video content and will apply penalties if they fail to do so. Clegg did not describe the penalties. (Katie Paul / Reuters)

Related: Meta, CoinGape, Verdict, Techlusive, Ars Technica, NPR, The Guardian, Sky News, CNN, Associated Press, The Register, USA Today, ABC News, Silicon Angle, Computerworld, Inc., Search Engine Land

OpenAI announced that its image generator DALL-E 3 will add watermarks to image metadata as more companies roll out support for standards from the Coalition for Content Provenance and Authenticity (C2PA).

The company says watermarks from C2PA will appear in images generated on the ChatGPT website and the API for the DALL-E 3 model. Mobile users will get the watermarks by February 12th. They’ll include an invisible metadata component and a visible CR symbol, which will appear in the top left corner of each image.

People can check the provenance or which AI tool was used to make the content of any image generated by OpenAI’s platforms through websites like Content Credentials Verify. So far, only still images, not videos or text, can carry the watermark. (Emilia David / The Verge)

Related: OpenAI, Proactiveinvestors UK,, Gizmochina, VentureBeat, CoinGape, The Decoder, TechRadar, Silicon UK, Cryptopolitan

Microsoft announced a new feature for its business-oriented Entra Verified ID called Entra Verified ID with Face Check for a new layer of security for online businesses and services.

Microsoft says Face Check uses the company's Azure AI services to match a person's photo to a verified image of themselves on a passport or a driver's license. The service then gives a percentage of how the person's just-taken image compares to their verified photo. Microsoft says Face Check could be used to generate passkeys from businesses to employees or to reset a person's password.

The company says comparing a quick selfie on a smartphone to a verified government image of that person "provides a crucial layer of trust, especially in high-assurance scenarios such as accessing high-value business processes or sensitive company information."

Microsoft claims it will not store or keep any data from a Face Check action, and the business only sees the percentage match between the new photo and the verified image. Face Image is currently in a preview mode and is already being used by the IT service organization BEMO to check the identity of employees. (John Callaham / Neowin)

Related: Microsoft, Dark Reading, Redmond.mag, Venture Beat

An apparently false story appeared in Germany’s Aargauer Zeitung about how around three million smart toothbrushes have been infected by hackers and enslaved into botnets has been widely circulated on social media and in tech-oriented publications.

The report suggests this sizable army of connected dental cleansing tools was used in a DDoS attack on a Swiss company’s website. The firm’s site collapsed under the strain of the attack, reportedly resulting in the loss of millions of Euros of business.

Related: Tom’s Hardware, ZDNet,, Reddit, Cyber Daily, Gizmochina, Boing Boing, Slashdot

Internal documents show that Patternz, the company behind a global phone spy tool advertised as a capability for national security agencies, also pitched the product as a solution for “riot detection,” including heatmaps of New York City in the context of this capability.

There is no indication that New York or U.S. federal authorities have purchased or even received a demo of the tool, with the documents instead potentially being more aspirational. But they still show one of the use cases Patternz was at least envisioned for, and which could apply to other similar technologies using ad data as a mass surveillance tool. (Joseph Cox / 404 Media)

NinjaOne, a leading IT platform for endpoint management, security, and visibility, announced it raised a $231.5 million Series C venture funding round.

ICONIQ Growth led the round with the participation of Frank Slootman, Chairman and CEO of Snowflake, and Amit Agarwal, President of Datadog, among others. (Hannah Miller / Bloomberg)

Related: Silicon Angle, Crunchbase News, Business Wire Technology: Security News, Help Net Security, The Business Journals, FinSMEs

Entrust, the privately-held company that provides certification and verification services around payment cards, passwords, network and website access, device access, and more, is buying Onfido, an early mover in the world of identity verification using computer vision, machine learning, and other AI tool, for a figure well above $450 million.

The deal does not yet have a completion date, as it is still going through regulatory approvals. These are formally described as “early and exclusive” negotiations by the two companies. Once that process is complete, the plan will be to integrate Onfido’s tools into Entrust’s wider technology stack, Entrust CEO and president Todd Wilkinson said in an interview. (Ingrid Lunden / TechCrunch)

Related: PYMNTS, Reuters, Biometric Update, Help Net Security, Silicon Angle, The Business Journal, Verdict

Best Thing of the Day: Keeping the Big Game Safe

Cybersecurity, physical security, and information technology teams will be working in lockstep during the Super Bowl to ensure systems remain available, countering threats from hackers they expect to be particularly challenging.

Worst Thing of the Day: How Idiots Ruin Things

The Cybersecurity and Infrastructure Security Agency’s Joint Cyber Defense Collaborative is in jeopardy largely due to the growing conservative backlash to CISA’s separate work in chasing down disinformation.

Closing Thought

Read more