← Back to database

Predaxia Research

Heliconia

Variston IT (and Violet Pepper for Android) · Spain

Shutting down 2024
3

Confidence 3/5

VendorVariston Information Technology (Barcelona)
Country of originSpain
Founded2018
Founders/directorsRalf Wegener and Ramanan Jayaraman
DisclosureGoogle Threat Analysis Group, November 2022
Spyware productsHeliconia Noise (Chrome), Heliconia Soft (Defender), Heliconia Files (Firefox), Violet Pepper (Android)
Primary customerProtect Electronic Systems (Abu Dhabi, UAE)
StatusShutting down per former employee testimony

Technical capabilities

Heliconia is an exploitation framework targeting Chrome, Firefox, and Microsoft Defender, attributed by Google TAG to Variston IT. Per Google’s November 2022 disclosure, Heliconia was discovered through an anonymous submission to the Chrome bug reporting program. The submitter included source code that contained a pre-commit cleaning script referencing “Variston” as the project owner.

Heliconia Noise

Web framework deploying an exploit chain against a Chrome renderer bug followed by a sandbox escape. Configurable via JSON for parameters including maximum exploit serving count.

Heliconia Soft

Web framework that deploys a PDF containing a Microsoft Defender exploit. Exploits CVE-2021-42298, fixed November 2021. The exploit achieves SYSTEM privileges with a single vulnerability.

Heliconia Files

Fully documented Firefox exploit chain for Windows and Linux. Exploits CVE-2022-26485, a use-after-free vulnerability reported in March 2022 as exploited in the wild.

Violet Pepper

Per former Variston employees, Variston also developed an Android product called Violet Pepper, plus iOS exploits and hacking tools.

Documented use

  • March 2023: Google researchers found Variston-made spyware used in the United Arab Emirates.
  • Per former Variston employees: Variston tools were deployed in Italy, Kazakhstan, Malaysia, and the United Arab Emirates. Indonesia is also listed in some reporting.
  • The primary customer relationship was with Protect Electronic Systems (Abu Dhabi).

Customer states

Confirmed deployments documented by Google TAG and supported by former employee testimony: United Arab Emirates (primary client through Protect), Italy, Kazakhstan, Malaysia, and likely Indonesia.

Legal and sanctions status

  • Not on US Entity List.
  • Not subject to OFAC sanctions.
  • February 2024: TechCrunch reported, based on testimony from four former Variston employees, that Variston is shutting down.
  • Variston operations were “burned” per former employees after Google’s November 2022 disclosure.

Technical countermeasures

  • Patch Chrome, Firefox, Windows Defender: all Heliconia framework vulnerabilities were patched by Google, Microsoft, and Mozilla in 2021 and early 2022.
  • Browser-based attack vectors: keep all browsers fully updated.
  • Caution with PDFs: Heliconia Soft is triggered by a Defender scan on a downloaded PDF.
  • Microsoft Defender: keep current.
Limited public attribution. Although Google TAG’s technical attribution to Variston is well-documented through source code analysis, fewer victim cases have been forensically attributed to Heliconia compared to Pegasus, Predator, or Candiru. This is reflected in the 3/5 confidence score.

Update log

February 28, 2026: First publication. Initial sourcing through Citizen Lab, Amnesty Security Lab, Microsoft Threat Intelligence, Google TAG, Lookout, Kaspersky GReAT, US Treasury OFAC, court documents and investigative press.


There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.