Heliconia
Variston IT (and Violet Pepper for Android) · Spain
Confidence 3/5
Technical capabilities
Heliconia is an exploitation framework targeting Chrome, Firefox, and Microsoft Defender, attributed by Google TAG to Variston IT. Per Google’s November 2022 disclosure, Heliconia was discovered through an anonymous submission to the Chrome bug reporting program. The submitter included source code that contained a pre-commit cleaning script referencing “Variston” as the project owner.
Heliconia Noise
Web framework deploying an exploit chain against a Chrome renderer bug followed by a sandbox escape. Configurable via JSON for parameters including maximum exploit serving count.
Heliconia Soft
Web framework that deploys a PDF containing a Microsoft Defender exploit. Exploits CVE-2021-42298, fixed November 2021. The exploit achieves SYSTEM privileges with a single vulnerability.
Heliconia Files
Fully documented Firefox exploit chain for Windows and Linux. Exploits CVE-2022-26485, a use-after-free vulnerability reported in March 2022 as exploited in the wild.
Violet Pepper
Per former Variston employees, Variston also developed an Android product called Violet Pepper, plus iOS exploits and hacking tools.
Documented use
- March 2023: Google researchers found Variston-made spyware used in the United Arab Emirates.
- Per former Variston employees: Variston tools were deployed in Italy, Kazakhstan, Malaysia, and the United Arab Emirates. Indonesia is also listed in some reporting.
- The primary customer relationship was with Protect Electronic Systems (Abu Dhabi).
Customer states
Confirmed deployments documented by Google TAG and supported by former employee testimony: United Arab Emirates (primary client through Protect), Italy, Kazakhstan, Malaysia, and likely Indonesia.
Legal and sanctions status
- Not on US Entity List.
- Not subject to OFAC sanctions.
- February 2024: TechCrunch reported, based on testimony from four former Variston employees, that Variston is shutting down.
- Variston operations were “burned” per former employees after Google’s November 2022 disclosure.
Technical countermeasures
- Patch Chrome, Firefox, Windows Defender: all Heliconia framework vulnerabilities were patched by Google, Microsoft, and Mozilla in 2021 and early 2022.
- Browser-based attack vectors: keep all browsers fully updated.
- Caution with PDFs: Heliconia Soft is triggered by a Defender scan on a downloaded PDF.
- Microsoft Defender: keep current.
Sources
Update log
February 28, 2026: First publication. Initial sourcing through Citizen Lab, Amnesty Security Lab, Microsoft Threat Intelligence, Google TAG, Lookout, Kaspersky GReAT, US Treasury OFAC, court documents and investigative press.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
