Despite sanctions and global scrutiny, Predator spyware operations persist. Insikt Group reveals new infrastructure links in Mozambique, Africa, and Europe, highlighting ongoing threats to civil society and political targets.
Analysis Summary
# Threat Actor: PREDATOR Spyware Operators (Associated with Intellexa Consortium)
## Attribution & Identity
The threat actor group operates the **Predator** mobile spyware, which originated with **Cytrox** and is now operated under the **Intellexa Consortium**. US government sanctions have been imposed against the Intellexa Consortium. A connection was also found between high-tier Predator infrastructure and a **Czech entity previously associated with the Intellexa Consortium**.
## Activity Summary
Despite a recent apparent decline following public exposure, sanctions, and international efforts (like the Pall Mall process), Predator activity has shown a **resurgence** in recent months, demonstrating operator persistence. New infrastructure has been identified, tied to previously known operators and a **new customer identified in Mozambique**, marking the first public link between Predator and that country. Operators have made changes to infrastructure designed to evade detection.
## Tactics, Techniques & Procedures
- Deploys sophisticated mercenary spyware (Predator) targeting both Android and iPhone devices.
- Provides complete access to device data (microphone, camera, contacts, messages, photos, videos).
- Utilizes a modular, Python-based design, leaving minimal evidence on infected devices.
- Uses sophisticated deployment methods, potentially including spearphishing.
- Likely leverages stolen credentials to access cloud backups as defenders close off other vulnerabilities.
- **TTPs from Appendix C:**
  - Acquire Infrastructure: Domains [T1583.001]
  - Acquire Infrastructure: Virtual Private Server [T1583.003]
  - Acquire Infrastructure: Server [T1583.004]
  - Initial Access: Spearphishing Link [T1566.002]
  - Execution: Exploitation for Client Execution [T1203]
## Targeting
- Sectors: Because of the high cost and licensing model, deployment is typically reserved for high-value, strategic targets in highly sensitive positions. Targets often include **civil society, political activists, politicians, and corporate executives**.
- Geography: Activity detected across several countries in the last twelve months. Over half of its identified customers are located in **Africa**. A new suspected operator presence was identified in **Mozambique**.
- Victims: Individuals and organizations in regions with a record of spyware misuse. Targets are those possessing sensitive intelligence or political opposition figures.
## Tools & Infrastructure
- Malware families used: **Predator** (sophisticated mercenary spyware).
- Infrastructure: New (and existing) victim-facing Tier 1 servers and high-tier components have been observed.
- Infrastructure Indicators (Example Domains/IPs serving as C2/residence for known operator infrastructure):
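A watchlist check a defender can run against resolver logs, added here as an example and not code from the report or Insikt Group. It parses indicators in the report's defanged `domain[.]tld (ip[.]ip[.]ip[.]ip)` format (the two watchlist entries are taken from the report's indicator list; the DNS log format and its lines are constructed) and flags queries that touch that infrastructure, including a rotated domain name that still resolves to a known operator IP.

```python
import re
# Watchlist in the report's defanged format; both entries are copied from the report's indicator list.
REPORT_INDICATORS = """
secneed[.]com (79[.]141[.]164[.]56)
zipzone[.]io (45[.]155[.]250[.]228)
"""

# Constructed resolver log: "<utc-timestamp> <client-ip> <query-name> <answer-ip>".
SAMPLE_DNS_LOG = """
2025-01-01T10:00:00Z 10.0.0.5 secneed.com. 79.141.164.56
2025-01-01T10:00:01Z 10.0.0.5 www.example.org. 198.51.100.10
2025-01-01T10:00:02Z 10.0.0.7 cdn.zipzone.io. 45.155.250.228
2025-01-01T10:00:03Z 10.0.0.9 notsecneed.com. 203.0.113.9
2025-01-01T10:00:04Z 10.0.0.11 mirror.test. 45.155.250.228
"""

INDICATOR_RE = re.compile(r"^\s*(?P<domain>\S+)\s*\((?P<ip>[^)]+)\)\s*$")

def refang(value: str) -> str:
    """Undo the report's defanging so values compare against live log data."""
    return value.replace("[.]", ".").strip().lower()

def parse_indicators(text: str) -> tuple[set, set]:
    """Return (domains, ips) parsed from report-style indicator lines."""
    domains, ips = set(), set()
    for line in text.splitlines():
        m = INDICATOR_RE.match(line)
        if m:
            domains.add(refang(m.group("domain")))
            ips.add(refang(m.group("ip")))
    return domains, ips

def match_dns_log(log_text: str, domains: set, ips: set) -> list:
    """Return (client, query, reason) for log lines touching watchlisted infrastructure.
    Names hit only as exact or subdomain matches (notsecneed.com != secneed.com); an
    answer-IP hit is reported for unknown names too, catching rotated domains."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, qname, answer = fields[:4]
        labels = qname.rstrip(".").lower().split(".")
        parents = {".".join(labels[i:]) for i in range(len(labels))}
        if parents & domains:
            hits.append((client, ".".join(labels), "domain"))
        elif answer in ips:
            hits.append((client, ".".join(labels), "ip"))
    return hits
```

Feed the output into your ticketing or alerting pipeline; the "ip" reason is the one worth prioritising, since it indicates a name you have not yet seen resolving to infrastructure the report already ties to the operators.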
## Implications
The operators behind Predator continue to evolve their infrastructure to evade detection and sanctions, posing a persistent threat. Predator's deployment threatens privacy, legal rights, and physical safety, particularly for political opponents and high-value corporate/government figures capable of providing strategic intelligence. The mercenary spyware market is expected to grow, leading to continued innovation in sophisticated targeting techniques.
## Mitigations
- Ensure personal and corporate devices are kept separate.
- Regularly update mobile operating systems.
- Encourage periodic device reboots (though this may not guarantee removal).
- Utilize device security features like **Lockdown Mode**.
- Implement Mobile Device Management (MDM) systems.
- Invest in security awareness training for all personnel.
- Foster a culture of minimal data exposure to reduce the impact of successful phishing or data theft.