Full Report
The spyware’s developer, Intellexa, has been under pressure due to sanctions and public disclosure, but Recorded Future uncovered fresh activity. The post Predator spyware activity surfaces in new places with new tricks appeared first on CyberScoop.
Analysis Summary
# Tool/Technique: Predator Spyware
## Overview
Predator is commercial spyware developed by Intellexa (also known as the Intellexa Consortium). It continues to be active despite sanctions and public exposure, with new infrastructure and evasion techniques being documented by Recorded Future's Insikt Group, indicating the developer adapts to pressure.
## Technical Details
- Type: Malware (commercial spyware)
- Platform: Not stated in the article. Prior public reporting on Predator describes it as mobile spyware targeting iOS and Android devices; the article itself is about the operator's infrastructure, not the implant.
- Capabilities: Covert surveillance and collection from compromised devices, plus infrastructure-level evasion to keep the operation hard to map.
- First Seen: Not stated in the article; the activity described is current as of the June 2025 reporting.
## MITRE ATT&CK Mapping
The article describes infrastructure-level evasion (decoy web pages on operator-controlled hosts) and ongoing operations, not on-device behaviour, so the mapping below is inferred and sits mostly at the infrastructure layer:
- **TA0042 - Resource Development** (inferred from the decoy websites fronting Intellexa-linked hosts)
- T1583.001 - Acquire Infrastructure: Domains (inferred)
- T1608 - Stage Capabilities (inferred; the fake 404, login, under-construction and conference-themed pages are staged on operator infrastructure)
- **TA0011 - Command and Control** (inferred; C2 infrastructure is being tracked, but the article gives no protocol details)
- T1071 - Application Layer Protocol (inferred)
- **TA0005 - Defense Evasion** (inferred at the tactic level only; the article provides nothing that supports a specific on-device technique such as T1027, so none is assigned)
## Functionality
### Core Capabilities
- Surveillance and data exfiltration capabilities inherent to spyware tools.
- Continuation of operations despite external pressures (sanctions, public exposure).
### Advanced Features
- **Evasion Techniques:** Intellexa-linked hosts are fronted with innocuous-looking decoy web pages, so that a researcher or scanner that browses to the server sees nothing worth a second look. Recorded Future groups the decoys into four types:
  1. Fake 404 error pages.
  2. Counterfeit login or registration pages.
  3. Pages claiming the site is under construction.
  4. Pages impersonating a specific entity, such as a conference.
- **Adaptation to Sanctions:** Reliance on a vast network of vendors, subsidiaries, and other companies to complicate tracing and disruption efforts.
- **Geographic Expansion:** Identified customer activity in new locations, including Mozambique and connections to a Czech entity and an Eastern European cluster showing possible development activity.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: [Not provided in the article]
- Registry Keys: [Not provided in the article]
- Network Indicators: [None published in the article; the vendor and subsidiary network is described but no domains or IP addresses are listed as IOCs, and the C2 infrastructure tracking is ongoing.]
- Behavioral Indicators: Device traffic to hosts that Recorded Future ties to Intellexa infrastructure; hosts that serve one of the four decoy page types above. A decoy page alone is not an indicator (generic 404 and login pages are everywhere); it is a pivot point for further infrastructure analysis, not a verdict.
## Associated Threat Actors
- **Intellexa / Intellexa Consortium** (The developer and primary actor associated with deploying/selling the tool).
- Newly identified customer activity: Mozambique. Separately, the report links a Czech entity and an Eastern European cluster to the operation; the latter shows signs of possible development activity rather than end-customer use.
## Detection Methods
- Signature-based detection: [Not provided in the article]
- Behavioral detection: Hunt for hosts whose landing page matches one of the four decoy patterns (for example an HTTP 200 response carrying a 404-style body, or a bare login form with no product context), then pivot on TLS certificates, hosting and registration data to confirm a link to Intellexa infrastructure. Do not alert on the decoy patterns directly; they are far too common on legitimate hosts.
- YARA rules: [Not provided in the article]
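The following is an added example, not code from the Recorded Future report or the CyberScoop article. It shows how the decoy-page hunting described in the Evasion Techniques and Detection Methods sections can be turned into a first-pass triage step: each fetched landing page is labelled as one of the four decoy types, or left unclassified, with the reasons recorded for the analyst. All hostnames and response bodies are constructed for the example and are not real Intellexa infrastructure; the `HttpResponse` stand-in replaces a real fetch so the code runs offline.

```python
"""Heuristic triage of decoy landing pages (fake 404, login facade,
under-construction, entity-themed). Added example; all sample hosts and
bodies below are constructed, not observed infrastructure."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass
class HttpResponse:
    """Minimal stand-in for a fetched page (status code + body). In a real
    hunt this would come from an HTTP client; here it is constructed data."""
    status: int
    body: str


class _FormScanner(HTMLParser):
    """Collects <form> presence and <input type=...> values so a login
    facade can be recognised structurally rather than by keywords alone."""
    def __init__(self):
        super().__init__()
        self.has_form = False
        self.input_types = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.has_form = True
        if tag == "input":
            self.input_types.append((a.get("type") or "text").lower())


def classify_decoy(resp: HttpResponse) -> tuple[str, list[str]]:
    """Return (label, reasons). Labels: 'fake-404', 'login-facade',
    'under-construction', 'entity-themed' or 'unclassified'."""
    text = re.sub(r"<[^>]+>", " ", resp.body)      # crude tag strip for keyword checks
    low = " ".join(text.split()).lower()
    reasons = []

    # 1. Fake 404: the body looks like an error page but the server answered
    #    200. A genuinely missing resource is served with status 404; a decoy
    #    that wants the host to look empty while staying "up" often mismatches.
    if re.search(r"\b404\b|page not found|not found", low) and resp.status == 200:
        reasons.append("HTTP 200 with 404-style body (status/body mismatch)")
        return "fake-404", reasons

    # 2. Login facade: a form with a password field and no surrounding product
    #    context (no recovery or policy links) is a thin shell, not a service.
    scanner = _FormScanner()
    scanner.feed(resp.body)
    if scanner.has_form and "password" in scanner.input_types:
        reasons.append("form with password input")
        if not re.search(r"forgot|reset|privacy|terms", low):
            reasons.append("no account-recovery or policy links (thin facade)")
        return "login-facade", reasons

    # 3. Under-construction placeholder.
    if re.search(r"under construction|coming soon|site is being built|check back", low):
        reasons.append("placeholder wording")
        return "under-construction", reasons

    # 4. Impersonation of a specific entity, here a conference; two or more
    #    event-themed terms are required so a single incidental word does not fire.
    hits = [w for w in ("conference", "summit", "agenda", "speakers", "register now", "keynote") if w in low]
    if len(hits) >= 2:
        reasons.append("event-themed vocabulary: " + ", ".join(hits))
        return "entity-themed", reasons

    return "unclassified", reasons


def triage(pages: dict[str, HttpResponse]) -> dict[str, str]:
    """Label every host. A decoy label is a lead for pivoting on certificate,
    hosting and registration data; it is not an indicator of compromise."""
    return {host: classify_decoy(resp)[0] for host, resp in pages.items()}


# Constructed sample responses (hostnames use the reserved .example TLD).
SAMPLES = {
    "host-a.example": HttpResponse(200, "<html><head><title>404 Not Found</title></head>"
                                        "<body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>"),
    "host-b.example": HttpResponse(404, "<html><body><h1>Not Found</h1></body></html>"),   # a real 404, not a decoy
    "host-c.example": HttpResponse(200, "<html><body><form method='post' action='/login'>"
                                        "<input type='text' name='user'><input type='password' name='pass'>"
                                        "<button>Sign in</button></form></body></html>"),
    "host-d.example": HttpResponse(200, "<html><body><h1>Site under construction</h1><p>Please check back soon.</p></body></html>"),
    "host-e.example": HttpResponse(200, "<html><body><h1>Regional Security Summit 2025</h1><nav>Agenda | Speakers | Venue</nav>"
                                        "<p>Register now for the keynote sessions.</p></body></html>"),
}

if __name__ == "__main__":
    for host, label in triage(SAMPLES).items():
        print(f"{host:18} {label}")
```

The status/body mismatch in the first check is the most useful single signal here: a server that answers 200 with a 404-looking page has chosen to look empty. The other three labels are only meaningful once a host is already a candidate (for example because it shares a certificate or ASN with known Intellexa infrastructure); run in isolation over the open internet they will match enormous numbers of legitimate sites.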
## Mitigation Strategies
- Mapping and tracking the network of vendors, subsidiaries and affiliated companies Intellexa relies on, so that sanctions and takedown efforts can follow the infrastructure as it moves between entities (the article notes this corporate sprawl is what makes the operation hard to trace and disrupt).
- Monitoring for network communication terminating at infrastructure linked to Intellexa, once domains or IP addresses are identified and shared; the article itself publishes none.
- Hardening against the social-engineering lures the decoy pages support, in particular counterfeit login and registration pages and event-themed sites, through user awareness and phishing-resistant authentication.
## Related Tools/Techniques
- **Intellexa Products:** The article names only Predator as the Intellexa product involved; no other tooling from the consortium is described.