Despite U.S. sanctions imposed last year, the global footprint of Intellexa’s spyware operations may be larger and more elusive than previously believed, with researchers warning that shifting domain practices could be masking continued activity in 2025.
New research from Recorded Future’s Insikt Group reveals emerging evidence that Intellexa systems are currently being deployed in Iraq. The Record, which reported these findings, operates independently from Recorded Future.
Investigators also detected indicators “likely associated” with the use of Predator spyware by an entity connected to Pakistan. The report says it remains uncertain whether the intended targets were linked to Pakistan or if the operator was simply based within the country.
Intellexa, the creator of Predator spyware, has been at the center of global surveillance controversies, with its tools reportedly used against activists, journalists, and business leaders. Three former executives of the company are currently facing trial in Greece, where numerous victims of Predator surveillance have been identified.
The report also highlights ongoing Intellexa customer activity in Saudi Arabia, Kazakhstan, Angola, and Mongolia. Meanwhile, previous customers in Egypt, Botswana, and Trinidad and Tobago appear to have “ceased communication” since spring and summer — a shift that may reflect discontinued operations or a transition to new infrastructure.
A cluster linked to Mozambique, first identified earlier this year, continued functioning until at least late June 2025, according to the researchers.
This latest assessment builds on Insikt’s June report, which noted that Intellexa has repeatedly reconfigured its infrastructure in response to intensifying scrutiny — a strategy that complicates efforts to track its operations.
Researchers additionally uncovered several new companies suspected to be tied to Intellexa. Like many firms in the commercial spyware sector, Intellexa has long relied on shell companies and complex business networks to obscure its activities.
One newly identified company appears responsible for shipping Intellexa’s products to customers, while two more operate in the advertising sector and may be linked to a known infection vector that distributes spyware through online ads.
Two additional Intellexa-connected firms were traced to Kazakhstan and the Philippines, suggesting what researchers describe as an “expanding network footprint.”
Intellexa was added to the U.S. Commerce Department’s Entity List in July 2023, marking it as a threat to national security and foreign policy. In March 2024, the Commerce Department sanctioned founder Tal Jonathan Dilian, a former Israeli intelligence officer. Six months later, five more individuals and one affiliated entity were also sanctioned.
At the time, senior U.S. officials stressed the need for further action, pointing to Intellexa’s “opaque web of corporate entities, which are designed to avoid accountability.”
On Thursday, Amnesty International disclosed that Intellexa can remotely access Predator customer logs, allowing staff to view “details of surveillance operations and targeted individuals [which] raises questions about its own human rights due diligence processes,” according to Jurre van Bergen, Technologist at Amnesty’s Security Lab.
Van Bergen added: “If a mercenary spyware company is found to be directly involved in the operation of its product, then by human rights standards, it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused by the use of spyware.”
