Heliconia Exploit Framework exposed by Google TAG Team

December 2, 2022

Google’s Threat Analysis Group (TAG) has published details about a trio of newly discovered exploit frameworks named The Heliconia exploits that were likely used to exploit Chrome, Firefox, and Microsoft Defender vulnerabilities as zero days in recent years, and likely has connections to a gray-market spyware broker called Variston IT, demonstrating how this shadowy segment is flourishing.

The Heliconia threat is made up of three modules. The first is Heliconia Noise, a Web framework that deploys a PDF containing a Windows Defender exploit for CVE-2021-42298, which allows privilege escalation to SYSTEM and remote code execution (RCE).

The second is Heliconia Soft, a Web framework that deploys a PDF containing a Firefox exploit chain for Windows and Linux, including CVE-2022-26485 for RCE; and the third is Heliconia Files, which contains a fully documented Firefox exploit

“The framework runs a Flask web server to host the exploit chain. A full infection performs requests to six different web endpoints during the different stages of the exploit chain. The file names for each endpoint are randomized during server deployment, except for the first endpoint, which is served by a URL specified in the configuration file,” the Google researchers said.

When three separate bugs were reported to Google’s Chrome bug reporting system, the TAG team became aware of the frameworks. Each bug came with a complete framework for exploiting specific bugs, as well as source code.

The sources for this piece include an article in ZDNET.

Top Stories

Related Articles

June 9, 2026 Hackers exploited Meta’s AI-powered support chatbot to gain control of Instagram accounts, including several high-profile profiles. Meta more...

June 5, 2026 Security researchers have disclosed a new denial-of-service attack called HTTP/2 Bomb that can overwhelm major web servers more...

May 20, 2026 The Cybersecurity and Infrastructure Security Agency, the arm of the U.S. government tasked with protecting critical infrastructure more...

May 11, 2026 Instructure has restored access to its Canvas learning platform after a cyberattack disrupted service for universities and more...

Jim Love

Jim is an author and podcast host with over 40 years in technology.

Share:
Facebook
Twitter
LinkedIn