Barcelona-based company Variston IT, which markets itself as offering custom cybersecurity solutions, has been linked with an exploitation framework for Chrome, Firefox, and Windows zero-days enabling spyware installation on targeted devices, as discovered by Google’s Threat Analysis Group (TAG).
The framework in question is called ‘Heliconia’ and came on TAG’s radar after an anonymous submission to their Chrome bug reporting program containing three bugs, each with instructions and an archive containing the source code. Analysis of the framework source code revealed a script which included clues indicating that Variston IT may be the developer.
The capabilities of this framework are similar to the ones used by governments in high-level espionage or intelligence-gathering operations. They include recording audio, making or redirecting phone calls, and stealing text messages and call logs, in addition to contacts and GPS location data from the target device.

Heliconia in itself comprises three separate exploitation frameworks, each containing an exploit for Chrome, Firefox and Windows as follows:
- Heliconia Soft: Deploys a malicious PDF file containing a Windows Defender exploit.
- Heliconia Noise: Deploys an exploit for a Chrome renderer bug that allows it to bypass the program’s sandbox and run malware on the host operating system.
- Files: Multiple exploits for Windows and Linux machines. Effective for Firefox versions 64 to 68.
Google says it has not seen these bugs being exploited in the wild, but suggests that they were likely exploited as zero-days. Microsoft, Google and Mozilla fixed them in early 2021 and 2022.
TechCrunch reached out to Variston IT’s director Ralf Wegner who said he wasn’t aware of any such reports or research by Google and that the company couldn’t validate the findings. Wegner added that he’d be surprised if such an item were found in the wild.