Google’s Threat Analysis Group (TAG) has published details on a new exploit framework, which it believes has been developed by the Barcelona-based company Variston IT that claims to be a provider of custom security solutions.

Called “Heliconia,” the framework exploits n-day vulnerabilities in the Chrome and Firefox browsers, as well as the Microsoft Defender tool, fixed by Google, Microsoft and Mozilla in 2021 and 2022. The TAG team says that these bugs were likely utilized as zero-day vulnerabilities before they were fixed, although the researchers admitted that they didn’t find evidence to support this claim.

TAG became aware of the Heliconia framework after Google received an anonymous bug report describing three vulnerabilities, each with instructions and an archive that contained source code.

After analyzing the report the researchers identified three frameworks for deploying exploits listed below:

• Heliconia Noise - a web framework for deploying Chrome exploits;

• Heliconia Soft - a web framework that deploys a Windows Defender exploit via a PDF file

• Heliconia Files - contains Firefox exploits for Windows and Linux

Heliconia Noise is described as a “1-click full chain for Google Chrome without persistence reaching medium integrity,” while Heliconia Soft exploits CVE-2021-42298, a vulnerability in the JavaScript engine of Microsoft Defender Malware Protection that was fixed in November 2021. The exploit achieves SYSTEM privileges with a single vulnerability and the only action required by the user is to download a PDF, which triggers a scan by Windows Defender, Google said.

Lastly, Heliconia Files contains a fully documented Firefox exploit chain for Windows and Linux and takes advantage of CVE-2022-26485, an RCE vulnerability in the XSLT processor disclosed in March 2022 as a zero-day flaw. According to the researchers, the Heliconia Files framework likely exploited the aforementioned vulnerability since at least 2019. The exploit is effective against Firefox versions 64 to 68, indicating it may have been in use as early as December 2018 when version 64 was first released.

“The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety,” the TAG team warned.