Heliconia

Heliconia is a commercial exploit framework attributed to the Barcelona-based vendor Variston IT, identified publicly by Google’s Threat Analysis Group in November 2022. The framework includes three exploit packages, named Noise, Soft, and Files, targeting Chrome, Windows Defender, and Firefox respectively. Heliconia samples were submitted anonymously to Google’s Chrome bug reporting programme, allowing Google to fingerprint the framework and trace it to Variston IT through infrastructure indicators.

What it means in practice

Heliconia exploits browser and operating system vulnerabilities to install spyware on target devices. The framework’s modular structure separates exploit delivery from payload installation, allowing operators to combine browser-level exploits with separate spyware products. Google patched the affected Chrome vulnerabilities in 2021 and 2022, after Heliconia samples revealed which CVEs Variston had been exploiting. Variston has denied operating Heliconia commercially, claiming the exploit framework was internal research only.

Specific things to know

Variston IT positioned itself as a custom security solutions provider for government customers, with public marketing around penetration testing services. The TAG investigation traced Heliconia samples to specific Variston-controlled infrastructure and identified a corporate relationship between Variston and other European exploit brokers. Variston’s customer base is not fully public, but the company’s structure and the Heliconia framework’s design are consistent with the broader European spyware ecosystem that includes Intellexa, RCS Lab, and FinFisher.

Change today

Keep browsers updated automatically rather than waiting for prompts. Chrome and Firefox both push security updates aggressively, and most Heliconia-class exploits target vulnerabilities that have been patched within days of disclosure. The operational risk is the period between an exploit’s commercial deployment and the patch reaching every device, which has historically been weeks to months depending on user update behaviour.

Related articles

See our coverage of the Google TAG Heliconia analysis, the European exploit broker ecosystem, and browser-level commercial spyware vectors.