Showing posts with label Predator spyware.

Emerging Predator Spyware Technique Enables Zero-Click Compromise


 

Intellexa is one of the most controversial and persistent players in the shadowy world of commercial cyber-espionage, despite mounting scrutiny, international sanctions, and ongoing investigations.

Although it is best known for its flagship surveillance product, the Predator spyware suite, the consortium has repeatedly demonstrated that it can operate beyond the reach of regulatory control. A multi-party investigation, supported by confidential internal records, leaked sales decks, training materials, and other sensitive corporate documents verified by Amnesty International, shows that Intellexa continues to do business at a high level and has even expanded its activities.

The vendor has aggressively pursued government and corporate clients for years, and the findings indicate it is still leveraging a pipeline of high-value vulnerabilities to do so. One striking feature of the company is its continued reliance on zero-day exploits targeting mobile browsers, reflected in recent analysis by Google's Threat Analysis Group, which identified fifteen new zero-day exploits related to Predator deployments.

According to the investigators, Intellexa routinely purchases undisclosed bugs from independent hackers, weaponizes them in covert operations, and discards them only once the flaws have become widely known and patched. This cycle of acquiring, exploiting, and "burning" zero-days highlights both Predator's sophisticated capabilities and the troubling resilience of the spyware market that supports it.

Investigators have also discovered a parallel operation, Aladdin, which uses online advertising as a delivery mechanism to distribute spyware silently. Unlike earlier models that relied on phishing lures or user interaction, Aladdin's ads are distributed through mainstream advertising networks and embedded within seemingly legitimate placements on widely visited websites and mobile applications.

Simply loading the page on a selected target's device is enough for the compromise to occur: no click, no installation, and no warning. These attacks are conducted through a deliberately labyrinthine ad delivery infrastructure routed through multiple layers of front companies and brokers in Ireland, Germany, Switzerland, Greece, Cyprus, the UAE, and Hungary.

This dispersed architecture obscures the operators' identities and makes it difficult for regulators and security teams to detect and block the malicious traffic. Analysts say these developments mark a decisive shift in the threat landscape: spyware operators are moving away from social-engineering tactics towards frictionless, automated exploitation channels that make successful intrusions more likely.

Even as the threat landscape grows more complex, experts advise that layering protections — including robust ad-blocking, restrictive script policies, DNS-based filtering tools, and diligent software patching — remains important to keep these vectors from penetrating the network.
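As an added illustration of the DNS-based filtering layer mentioned above (this is example code, not from the article or from any vendor), the following Python implements the matching logic a filtering resolver applies: it normalizes the query name, checks the name and each of its parent domains against a blocklist, lets a more specific allowlist entry override a blocked parent, and runs that decision over a few query-log lines. The domains, log lines, and log format are constructed placeholders, not indicators or formats from any report.

```python
import re

# Constructed blocklist and allowlist (placeholders, not real indicators).
BLOCKLIST = {"ads-tracker.example", "malvertising-cdn.example"}
# A more specific allowlist entry overrides a blocked parent domain.
ALLOWLIST = {"cdn.ads-tracker.example"}


def normalize(name):
    """Lower-case the name and strip the trailing dot that DNS clients
    often append to fully-qualified names."""
    return name.lower().rstrip(".")


def parents(name):
    """Yield the name itself, then each parent domain:
    'a.b.c' -> 'a.b.c', 'b.c', 'c'."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def should_block(qname):
    """Walk from the most specific name upward so that the most specific
    allow or block entry wins; an unlisted name is allowed."""
    for candidate in parents(normalize(qname)):
        if candidate in ALLOWLIST:
            return False
        if candidate in BLOCKLIST:
            return True
    return False


# Assumed (constructed) log line shape: "<ts> client <ip> query <qname> <qtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>[A-Z]+)$"
)

# Constructed sample log; note the upper-case and trailing-dot variants.
SAMPLE_LOG = """\
2025-01-01T10:00:00Z client 10.0.0.5 query news.example A
2025-01-01T10:00:01Z client 10.0.0.5 query ADS-TRACKER.example. A
2025-01-01T10:00:02Z client 10.0.0.7 query img.malvertising-cdn.example AAAA
2025-01-01T10:00:03Z client 10.0.0.7 query cdn.ads-tracker.example A
"""


def filter_log(text):
    """Return (client, normalized qname, decision) for each parseable line."""
    decisions = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # skip malformed lines instead of crashing the filter
            continue
        verdict = "BLOCK" if should_block(m["qname"]) else "ALLOW"
        decisions.append((m["client"], normalize(m["qname"]), verdict))
    return decisions


if __name__ == "__main__":
    for client, name, verdict in filter_log(SAMPLE_LOG):
        print(f"{verdict:5} {client:10} {name}")
```

The walk from the full name upward is what makes parent-domain blocking work (a subdomain of a listed domain is blocked without listing every subdomain) while still letting an operator carve out one legitimate host under a blocked parent; the case and trailing-dot normalization matters because either variant would otherwise slip past an exact-match list.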

That sanctioned vendors such as Intellexa continue to operate, and that platforms like Aladdin evolve so rapidly, underscores a sobering reality: the commercial spyware industry is adapting faster than global oversight mechanisms can keep up, and the mercenary spyware market keeps growing.

A closer look at the ecosystem around Intellexa shows that Predator itself has evolved into the most sophisticated and elusive mercenary spyware platform ever produced. The tool has been active since at least 2019. Although it was originally developed by Cytrox, it now appears to be maintained and distributed by a constellation of Intellexa-linked entities, expanding the operation far beyond its original footprint.

Predator's design prioritizes stealth above all else: it leaves very little forensic trace, resists conventional analysis, and makes independent verification exceptionally difficult. Once installed, the spyware provides sweeping surveillance capabilities, including real-time access to a device's microphone, camera, files, communications, and cloud-synced data.

Predator, which is largely built around Python components, has a modular architecture that allows new capabilities to be added on the fly without re-infecting the device, a flexibility that has made it appealing to governments seeking covert, persistent access to mobile devices.

The platform supports both a traditional "one-click" compromise, which relies on carefully crafted social-engineering links, and a more advanced "zero-click" compromise that requires no interaction from the user, such as network injection or proximity-based delivery.

Although there is not yet proof that Predator uses remote, messaging-app zero-click exploits such as FORCEDENTRY or BLASTPASS, or NSO Group's Pegasus exploits, at anything like Pegasus's scale, the documentation makes clear that Predator operators can still gain silent access when certain conditions are met.

Over the past two years, Recorded Future's Insikt Group has gathered information indicating Predator activity in more than a dozen countries, including Angola, Armenia, Botswana, the Democratic Republic of Congo, Egypt, Indonesia, Kazakhstan, Mongolia, Mozambique, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. Additional evidence points to deployments in Greece, Sudan, and Vietnam, with varying degrees of state involvement.

The political fallout has been greatest in Greece, where revelations that Predator was used against journalists, opposition politicians, business leaders, and other public figures led to parliamentary inquiries, criminal investigations, and an ongoing national scandal known as “Predatorgate”. Beyond shedding light on Intellexa's growing arsenal of delivery methods, the leaked material confirms the existence of a little-known vector codenamed Triton.

Triton is designed to compromise devices built on Samsung Exynos chipsets by exploiting vulnerabilities in the baseband, sometimes forcing the handset down to 2G to create the conditions for infection. According to Amnesty International's researchers, it is unclear whether Triton is still operational. The documents also reference two other mechanisms, apparently named Thor and Oberon, that seem to rely on radio-frequency manipulation or direct physical access.

While the exact capabilities of these vectors remain unclear, their presence in Intellexa's internal materials illustrates the breadth of the group's technological ambitions. Intellexa is also reported to be one of the most aggressive commercial actors exploiting zero-day vulnerabilities: of the zero-days Google's Threat Analysis Group has documented since 2021, 15 have been attributed to Intellexa.

According to Google's researchers, the company takes a dual approach to exploit chains, developing its own and acquiring additional vulnerabilities from outside brokers to broaden its operational reach. The Amnesty International report suggests that Intellexa remains fully operational even after sanctions and a sweeping investigation in Greece, with Predator's tooling becoming increasingly stealthy and resistant to forensic analysis.

Security experts have warned that as Predator's techniques advance, users may need to take greater precautions against these rapidly developing mobile exploitation frameworks, such as enabling Android's Advanced Protection features or Apple's Lockdown Mode. Despite mounting international scrutiny, there is no sign that the overall market for commercial surveillance tools will slow down anytime soon.

Analysts note a deep-rooted financial incentive for the spyware industry to remain viable: governments still want powerful digital monitoring tools, and vendors are eager to satisfy that demand with ever more sophisticated products designed to evade the security measures currently in place. New players continue to enter the market, making offensive cyber tools more accessible and pushing existing developers to refine their platforms further to keep pace.

Regulatory efforts have been launched, most notably in the European Union, where ongoing inquiries may lead to tighter oversight of the sale and use of intrusive technologies, but experts warn that meaningful global coordination is still missing. Until stronger international mechanisms are established, platforms such as Predator will remain a potential threat.

Platforms such as Predator commonly resurface even after sanctions, public revelations, or temporary operational setbacks. Recent reports underscore this reality: Predator infrastructure has re-emerged with increased obfuscation, more redundancy, and fewer forensic artifacts, making the threat harder to detect and attribute.

Security experts say that, although no defensive strategy is foolproof, greater awareness, transparent public reporting, and well-enforced regulations can substantially limit the reach of mercenary spyware. They argue that government officials, researchers, and private-sector defenders must move faster to keep pace with an industry that continues to innovate in the shadows, beyond government influence.

Intellexa Spyware Activity Appears to Slow in 2025, but New Research Suggests Broader Global Footprint

 

Despite U.S. sanctions imposed last year, the global footprint of Intellexa’s spyware operations may be larger and more elusive than previously believed, with researchers warning that shifting domain practices could be masking continued activity in 2025.

New research from Recorded Future’s Insikt Group reveals emerging evidence that Intellexa systems are currently being deployed in Iraq. The Record, which reported these findings, operates independently from Recorded Future.

Investigators also detected indicators “likely associated” with the use of Predator spyware by an entity connected to Pakistan. The report says it remains uncertain whether the intended targets were linked to Pakistan or if the operator was simply based within the country.

Intellexa, the creator of Predator spyware, has been at the center of global surveillance controversies, with its tools reportedly used against activists, journalists, and business leaders. Three former executives of the company are currently facing trial in Greece, where numerous victims of Predator surveillance have been identified.

The report also highlights ongoing Intellexa customer activity in Saudi Arabia, Kazakhstan, Angola, and Mongolia. Meanwhile, previous customers in Egypt, Botswana, and Trinidad and Tobago appear to have “ceased communication” since spring and summer — a shift that may reflect discontinued operations or a transition to new infrastructure.

A cluster linked to Mozambique, first identified earlier this year, continued functioning until at least late June 2025, according to the researchers.

This latest assessment builds on Insikt’s June report, which noted that Intellexa has repeatedly reconfigured its infrastructure in response to intensifying scrutiny — a strategy that complicates efforts to track its operations.

Researchers additionally uncovered several new companies suspected to be tied to Intellexa. Like many firms in the commercial spyware sector, Intellexa has long relied on shell companies and complex business networks to obscure its activities.

One newly identified company appears responsible for shipping Intellexa’s products to customers, while two more operate in the advertising sector and may be linked to a known infection vector that distributes spyware through online ads.

Two additional Intellexa-connected firms were traced to Kazakhstan and the Philippines, suggesting what researchers describe as an “expanding network footprint.”

Intellexa was added to the U.S. Commerce Department’s Entity List in July 2023, marking it as a threat to national security and foreign policy. In March 2024, the Commerce Department sanctioned founder Tal Jonathan Dilian, a former Israeli intelligence officer. Six months later, five more individuals and one affiliated entity were also sanctioned.

At the time, senior U.S. officials stressed the need for further action, pointing to Intellexa’s “opaque web of corporate entities, which are designed to avoid accountability.”

On Thursday, Amnesty International disclosed that Intellexa can remotely access Predator customer logs, allowing staff to view “details of surveillance operations and targeted individuals [which] raises questions about its own human rights due diligence processes,” according to Jurre van Bergen, Technologist at Amnesty’s Security Lab.

Van Bergen added: “If a mercenary spyware company is found to be directly involved in the operation of its product, then by human rights standards, it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused by the use of spyware.”

Predator Spyware Campaign Resurfaces With a New Infrastructure

 

The latest discovery of new Predator spyware-related infrastructure suggests that the surveillance technology is still finding new clients, despite US penalties imposed on its backers since July 2023.

In a report published earlier this month, analysts at Insikt Group claimed to have traced the sophisticated malware to operators in Mozambique for the first time. According to Insikt, Mozambique is one of many African countries where the spyware has spread, with the continent home to more than half of all known Predator users.

According to Insikt, a new discovery in the probe revealed "the first technical connection made between Predator infrastructure and corporate entities associated with the Intellexa Consortium," referring to the group believed to be backing Predator. The United States sanctioned several entities, including Intellexa.

The disclosure stems from an Insikt investigation into entities associated with Dvir Horef Hazan, a Czech bistro owner, entrepreneur, and programmer who, according to a Czech news source, worked for Intellexa. A Greek law enforcement investigation into the alleged Predator targeting of journalist Thanasis Koukakis revealed that Intellexa moved over €3 million (around $3.5 million) to Hazan and his businesses. 

The details of Hazan's alleged work for Intellexa are unclear, but Insikt claims to have identified a link between Predator's multi-tiered architecture and a Czech company that is indirectly tied to Hazan.

The researchers say Predator's basic infrastructure has stayed mostly unaltered, but there is evidence that operators have modified the spyware to make it harder to detect on a device. Insikt's recent data support previous reports that Predator activity continued after the US government's actions in July 2023.

Initially, the Commerce Department placed Intellexa and a subsidiary, Cytrox, on the Entity List, which limits how the listed companies can do business with the United States and tarnishes their reputation. Then, in 2024, federal agencies acted twice to sanction Predator-related organisations.

How to Spot and Avoid Malicious Spyware Apps on Your Smartphone

 

Spyware apps masquerading as legitimate software are a growing threat on app stores, particularly Google Play. These malicious apps can steal personal data, commit financial fraud, and install malware on unsuspecting users’ devices. A Zscaler report found 200 spyware apps on Google Play in a single year, with over 8 million downloads, highlighting the extent of the issue. 

These apps, often called trojans, execute attacks after installation. They can steal login credentials, inject malware, enable cryptojacking, and even deploy ransomware. While third-party app stores are known for hosting dangerous software, even official platforms like Google Play have security gaps that allow these threats to slip through. Social engineering tactics, such as phishing emails and SMS messages, also contribute to the spread of these fake apps. 

Smartphones are ideal targets for cybercriminals because users store vast amounts of personal information on them. Many people, especially those unfamiliar with app security, struggle to identify spyware. Once installed, these apps can lead to severe consequences, including data breaches, identity theft, and unauthorized financial transactions. Some spyware apps even contain rootkits, allowing hackers to control devices remotely. 

To avoid downloading malicious spyware apps, users should look for warning signs. Fake apps often have distorted logos, grammatical errors in their descriptions, and a lack of official contact information. Checking the number of downloads, reading user reviews for inconsistencies, and monitoring permission requests can also help spot fraudulent apps. If an app requests unnecessary access—such as a calculator app asking for location data—it is likely unsafe. Activating Google Play Protect and avoiding apps that promise unrealistic features can further enhance security. 
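The permission-mismatch heuristic in the paragraph above (a calculator app asking for location data), together with the install-count, contact-information and review checks, can be turned into a simple triage rule. The Python below is an added example, not code from the article or from any app store; its category-to-permission table, risk weights, threshold, and sample listings are constructed assumptions for illustration only.

```python
from dataclasses import dataclass, field

# Permissions an app of a given category can plausibly justify. Assumption:
# this small table is illustrative, not an authoritative store policy.
EXPECTED_PERMISSIONS = {
    "calculator": set(),
    "flashlight": {"CAMERA"},  # needed to drive the flash LED
    "messaging": {"READ_CONTACTS", "READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "navigation": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
}

# Permissions that hand an app broad surveillance capability; an unexpected
# request for one of these weighs more than, say, plain INTERNET access.
HIGH_RISK = {
    "ACCESS_FINE_LOCATION", "READ_CONTACTS", "READ_SMS", "RECEIVE_SMS",
    "RECORD_AUDIO", "CAMERA", "BIND_ACCESSIBILITY_SERVICE",
    "REQUEST_INSTALL_PACKAGES",
}


@dataclass
class Listing:
    name: str
    category: str
    permissions: set
    downloads: int
    developer_contact: str                       # empty string if the listing has none
    reviews: list = field(default_factory=list)  # (stars, text) pairs


@dataclass
class Verdict:
    score: int
    reasons: list


def triage(listing):
    """Score a listing against the warning signs described in the article."""
    score, reasons = 0, []
    expected = EXPECTED_PERMISSIONS.get(listing.category, set())
    for perm in sorted(listing.permissions - expected):
        score += 3 if perm in HIGH_RISK else 1
        reasons.append(f"unexpected permission for a {listing.category} app: {perm}")
    if not listing.developer_contact:
        score += 2
        reasons.append("no official developer contact information")
    if listing.downloads < 1000:
        score += 1
        reasons.append("very low install count")
    # Review inconsistency: a pile of five-star reviews sharing the same text.
    five_star = [text for stars, text in listing.reviews if stars == 5]
    if five_star and len(set(five_star)) < len(five_star) / 2:
        score += 2
        reasons.append("five-star reviews are largely duplicated")
    return Verdict(score, reasons)


def is_suspicious(listing, threshold=4):
    """Threshold is an assumed cut-off; one unjustified high-risk permission
    plus any other signal is enough to cross it."""
    return triage(listing).score >= threshold


# Constructed sample listings (not real apps).
CALC_LEGIT = Listing("Plain Calculator", "calculator", {"INTERNET"}, 5_000_000,
                     "support@example.com", [(5, "Nice"), (3, "Fine"), (5, "Clean UI")])
CALC_SPY = Listing("Calculator Pro+", "calculator",
                   {"INTERNET", "ACCESS_FINE_LOCATION", "READ_SMS"}, 500, "",
                   [(5, "Great app"), (5, "Great app"), (5, "Great app"), (4, "ok")])

if __name__ == "__main__":
    for app in (CALC_LEGIT, CALC_SPY):
        verdict = triage(app)
        print(f"{app.name}: score={verdict.score} suspicious={is_suspicious(app)}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The weighting is the design point: a legitimate calculator that merely requests network access scores low, while one high-risk permission the category cannot justify (location or SMS access) dominates the score on its own, which matches the article's advice that permission requests are the signal to watch most closely.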

The increasing prevalence of spyware is due to rapid technological advancements that make it easier for cybercriminals to steal data. Sophisticated spyware tools like Predator and Pegasus can execute zero-click attacks, meaning users don’t even need to download an app to be compromised. Such spyware has been exploited by criminals and government agencies alike to target journalists, activists, and even businesses. 

Ultimately, online security threats are everywhere, and spyware in app stores is just one part of the problem. Practicing caution, verifying app legitimacy, and understanding the risks can help users stay protected. By staying vigilant and making informed choices, individuals can safeguard their data and minimize the risk of falling victim to spyware attacks.

Researchers Detail the Licensing Model of Predator Spyware


A recent analysis of the sophisticated commercial spyware Predator reveals that its ability to persist between reboots is offered as an “add-on feature” and depends on the license options selected by the user.

Predator is the result of a collaboration known as the Intellexa Alliance, which also comprises Senpai Technologies, Nexa Technologies, and Cytrox (later bought by WiSpear). In July 2023, the United States put Cytrox and Intellexa on its Entity List due to their "trafficking in cyber exploits used to gain access to information systems."

In regards to the issue, Cisco Talos researchers Mike Gentile, Asheer Malhotra, and Vitor Ventura said in a report, "In 2021, Predator spyware couldn't survive a reboot on the infected Android system (it had it on iOS[…]However, by April 2022, that capability was being offered to their customers."

The cybersecurity vendor first revealed the inner workings of Predator and its symbiotic relationship with a loader component named Alien more than six months ago.

"Alien is crucial to Predator's successful functioning, including the additional components loaded by Predator on demand[…]The relationship between Alien and Predator is extremely symbiotic, requiring them to continuously work in tandem to spy on victims," Malhotra told The Hacker News in an interview.

Predator is a "remote mobile extraction system" that can target both Android and iOS. It is sold on a licensing model that can cost millions of dollars, depending on the number of concurrent infections and the exploit used for initial access. This puts Predator out of the reach of script kiddies and inexperienced criminals.

Spyware like Predator and NSO Group's Pegasus often depends on zero-day exploit chains in Android, iOS, and web browsers as covert intrusion vectors. However, as Apple and Google patch those security holes, the attack chains become useless and the vendors have to start over.

It is significant to note that the organizations that create mercenary surveillance tools can also obtain whole or partial exploit chains from brokers and transform them into a functional exploit that can be used to successfully compromise target devices.

Another noteworthy aspect of Intellexa's business model is that it leaves the task of building the attack infrastructure to others, giving the company some degree of plausible deniability if the campaigns are discovered—an inevitable outcome.

"The delivery of Intellexa's supporting hardware is done at a terminal or airport," the researchers said. "This delivery method is known as Cost Insurance and Freight (CIF), which is part of the shipping industry's jargon ('Incoterms'). This mechanism allows Intellexa to claim that they have no visibility of where the systems are deployed and eventually located."

Furthermore, because the operations are intrinsically connected to the license, which is by default limited to a single phone country code prefix, Intellexa has "first-hand knowledge" of whether their customers are conducting surveillance activities outside of their own borders.