Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices
New research from Recorded Future’s Insikt Group examines newly discovered infrastructure related to the operators of Predator, a mercenary mobile spyware. This infrastructure is believed to be in use in at least eleven countries, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. Notably, this is the first identification of Predator customers in Botswana and the Philippines. Despite being marketed for counterterrorism and law enforcement, Predator is often used against civil society, targeting journalists, politicians, and activists, with no specific victims or targets currently identified in this latest activity.
Multi-tier Predator delivery network architecture (Source: Recorded Future)
Understanding Risks and Implementing Security Best Practices
The use of spyware like Predator poses significant risks to privacy, legality, and physical safety, especially when used outside serious crime and counterterrorism contexts. High-profile individuals, such as executives, are at greater risk due to the high costs of deploying such spyware. The European Union has recently taken steps to curb the abuse of mercenary spyware among its member states.
To mitigate these risks, organizations and individuals are advised to follow security best practices such as regular phone updates, device reboots, lockdown mode, Mobile Device Management systems, and separating personal from corporate devices. Security awareness training and minimal data exposure culture are also crucial. Long-term solutions include conducting risk assessments for developing dynamic security policies. As the mercenary spyware market expands, the risks extend beyond civil society to anyone of interest to entities with access to these tools. Innovations in this field are likely to lead to more stealthy and comprehensive spyware capabilities.
Key findings from the Insikt Group's research include the identification of a new multi-tiered Predator delivery infrastructure, with evidence from domain analysis and network intelligence data. Despite public disclosures in September 2023, Predator's operators have continued their operations with minimal changes. Predator, alongside NSO Group’s Pegasus, remains a leading provider of mercenary spyware, with consistent tactics, techniques, and procedures over time.
To read the entire analysis, click here to download the report as a PDF.
Indicators of Compromise
| Domains: 02s[.]co 06g[.]co 09a[.]co 2-gis[.]kz astanapark[.]com beroxe[.]com buildneeds[.]net bw-guardian[.]com cabinet-salyk[.]kz centent-management[.]net clazc[.]com coazoa[.]com copy-note[.]net corporatebusinesssolution[.]net dzhabarzan[.]com e-kgd[.]kz ehudaldaa[.]com escortbabesluxo[.]com eventnews[.]live fast-notify[.]com fastnews[.]biz fr-monde[.]com gabzmus[.]com get-location[.]com get-location[.]net highclub[.]life informationrank[.]net jumia-egy[.]com kapital-news[.]com kejoranews[.]net kollesa[.]com krisha-kz[.]com kroal[.]com ladiesclubhouse[.]com lusofonia-mundo[.]com magnum-kz[.]com mastershop[.]biz mb-ph[.]net mmegi[.]co msbsck[.]com mujmbosnoticias[.]com mundodenoticias[.]online myfawry[.]net nospam[.]kz notify-service[.]biz nur-news[.]com olimpbets[.]kz ongsworld[.]com pelovkin[.]com people-beeline[.]com peticaonline[.]comv plastictoysworld[.]com plinkypong[.]com post-notify[.]info qazsporttv[.]com rcuples[.]com rozavetrovv[.]com schedulefestival[.]com shoxtek[.]com soccer-bw[.]com spacsaver[.]info sportnow[.]news suarapapua[.]co sustanbuild[.]com thintank[.]co tickets-kz[.]com tobupmi[.]com tohna[.]net ulstur[.]co vendaswebs[.]com vestinfo[.]net vestinfo[.]org vestinfos[.]net vinho-online[.]com vlast-news[.]com walatparez[.]com weekendcool[.]com yo-um7[.]com zakorn[.]com zikolo[.]net ztb-news[.]com IP Addresses: 2.58.15[.]58 5.39.221[.]36 5.39.221[.]47 5.39.221[.]48 5.255.88[.]172 23.137.248[.]95 37.120.222[.]115 45.129.0[.]125 45.148.244[.]5 45.86.163[.]77 45.86.163[.]93 46.246.97[.]245 46.249.49[.]230 46.30.190[.]98 79.110.52[.]179 79.110.52[.]196 79.137.199[.]216 79.141.175[.]146 84.247.51[.]14 84.247.51[.]18 85.17.9[.]21 85.17.9[.]73 85.17.9[.]74 85.239.34[.]174 87.121.45[.]29 87.121.45[.]42 87.121.45[.]45 88.119.161[.]135 91.241.93[.]165 95.141.34[.]222 98.142.254[.]112 101.99.75[.]197 141.94.122[.]19 146.70.158[.]144 146.70.161[.]50 158.58.172[.]3 164.215.103[.]143 164.215.103[.]20 169.239.128[.]137 169.239.129[.]48 169.239.129[.]63 169.239.129[.]76 169.255.59[.]98 176.124.198[.]52 176.124.198[.]55 185.113.8[.]67 185.113.8[.]83 185.117.91[.]165 185.117.91[.]237 185.130.227[.]29 185.130.227[.]88 185.130.227[.]95 185.130.45[.]34 185.130.46[.]165 185.130.46[.]202 185.156.172[.]17 185.156.172[.]20 185.156.172[.]48 185.158.248[.]131 185.158.248[.]85 185.196.9[.]76 185.212.47[.]75 185.219.220[.]99 185.219.221[.]30 185.62.58[.]107 185.66.140[.]112 192.46.237[.]163 193.168.143[.]111 193.168.143[.]116 193.168.143[.]184 193.168.143[.]185 193.233.161[.]137 193.233.161[.]163 193.29.104[.]13 193.29.104[.]5 193.29.104[.]83 193.29.59[.]171 193.42.36[.]106 193.42.36[.]84 212.237.217[.]127 213.252.246[.]152 |
Predator Delivery Servers
| Domain | IP Address | First Seen | Last Seen |
| 06g[.]co | 185.130.227[.]29 | 2023-12-22 | 2024-02-21 |
| 02s[.]co | 185.130.227[.]95 | 2023-12-22 | 2024-02-21 |
| spacsaver[.]info | 45.148.244[.]5 | 2023-11-30 | 2024-02-20 |
| 09a[.]co | 5.39.221[.]36 | 2023-12-22 | 2024-02-21 |
| ongsworld[.]com | 146.70.158[.]144 | 2023-11-16 | 2024-02-21 |
| fr-monde[.]com | 169.239.129[.]76 | 2023-12-15 | 2024-02-20 |
| lusofonia-mundo[.]com | 169.239.129[.]63 | 2023-12-15 | 2024-02-17 |
| ladiesclubhouse[.]com | 169.239.129[.]48 | 2023-12-15 | 2024-02-18 |
| vinho-online[.]com | 169.239.128[.]137 | 2023-12-15 | 2024-02-17 |
| vendaswebs[.]com | 185.158.248[.]131 | 2023-11-16 | 2024-02-17 |
| mundodenoticias[.]online | 185.196.9[.]76 | 2023-11-16 | 2024-02-17 |
| mujmbosnoticias[.]com | 185.212.47[.]75 | 2023-11-02 | 2024-02-21 |
| soccer-bw[.]com | 185.130.46[.]165 | 2023-11-22 | 2024-02-17 |
| mmegi[.]co | 45.129.0[.]125 | 2023-11-22 | 2024-02-16 |
| bw-guardian[.]com | 95.141.34[.]222 | 2023-11-19 | 2024-02-17 |
| yo-um7[.]com | 185.130.46[.]202 | 2023-11-29 | 2024-02-17 |
| sustanbuild[.]com | 193.29.104[.]5 | 2023-11-25 | 2024-02-17 |
| myfawry[.]net | 2.58.15[.]58 | 2023-12-14 | 2024-02-20 |
| jumia-egy[.]com | 79.110.52[.]196 | 2023-12-14 | 2024-02-17 |
| suarapapua[.]co | 158.58.172[.]3 | 2023-12-01 | 2024-01-29 |
| kejoranews[.]net | 185.158.248[.]85 | 2023-12-07 | 2024-02-15 |
| nospam[.]kz | 176.124.198[.]52 | 2023-12-28 | 2024-02-13 |
| olimpbets[.]kz | 176.124.198[.]55 | 2023-12-28 | 2024-02-13 |
| vlast-news[.]com | 185.156.172[.]20 | 2023-12-08 | 2024-02-16 |
| ztb-news[.]com | 185.156.172[.]17 | 2023-12-08 | 2024-02-17 |
| cabinet-salyk[.]kz | 185.156.172[.]48 | 2023-12-15 | 2024-02-21 |
| zikolo[.]net | 193.168.143[.]116 | 2023-11-11 | 2024-02-14 |
| magnum-kz[.]com | 45.86.163[.]93 | 2023-12-08 | 2024-02-20 |
| tickets-kz[.]com | 45.86.163[.]77 | 2023-12-10 | 2024-02-17 |
| people-beeline[.]com | 5.39.221[.]47 | 2023-12-14 | 2024-02-17 |
| rozavetrovv[.]com | 5.39.221[.]48 | 2023-12-14 | 2024-02-17 |
| 2-gis[.]kz | 79.137.199[.]216 | 2023-12-28 | 2024-02-20 |
| e-kgd[.]kz | 85.17.9[.]21 | 2023-12-15 | 2024-02-17 |
| kapital-news[.]com | 85.17.9[.]73 | 2023-12-14 | 2024-02-19 |
| nur-news[.]com | 85.17.9[.]74 | 2023-12-14 | 2024-02-21 |
| astanapark[.]com | 87.121.45[.]42 | 2023-12-11 | 2024-02-16 |
| krisha-kz[.]com | 88.119.161[.]135 | 2023-11-26 | 2024-02-17 |
| ehudaldaa[.]com | 84.247.51[.]14 | 2023-12-23 | 2024-02-20 |
| ulstur[.]co | 84.247.51[.]18 | 2023-12-25 | 2024-02-20 |
| mb-ph[.]net | 193.42.36[.]106 | 2023-12-07 | 2024-02-21 |
| buildneeds[.]net | 141.94.122[.]19 | 2023-11-21 | 2024-02-17 |
| sportnow[.]news | 185.113.8[.]67 | 2023-11-11 | 2024-02-19 |
| corporatebusinesssolution[.]net | 193.168.143[.]184 | 2023-11-25 | 2024-02-09 |
| informationrank[.]net | 193.168.143[.]185 | 2023-11-25 | 2024-02-17 |
| centent-management[.]net | 193.29.59[.]171 | 2023-11-21 | 2024-02-09 |
| highclub[.]life | 46.249.49[.]230 | 2023-11-11 | 2024-02-21 |
| vestinfos[.]net | 185.130.45[.]34 | 2023-12-22 | 2024-02-09 |
| get-location[.]net | 46.246.97[.]245 | 2023-12-21 | 2024-02-08 |
| vestinfo[.]org | 79.141.175[.]146 | 2023-12-22 | 2023-12-22 |
| eventnews[.]live | 185.219.221[.]30 | 2023-12-04 | 2024-02-08 |
| get-location[.]com | 192.46.237[.]163 | 2023-12-04 | 2024-02-20 |
| vestinfo[.]net | 87.121.45[.]29 | 2023-12-04 | 2024-02-17 |
| thintank[.]co | 5.255.88[.]172 | 2023-10-25 | 2024-01-20 |
| fastnews[.]biz | 101.99.75[.]197 | 2023-11-17 | 2024-02-18 |
| plinkypong[.]com | 146.70.161[.]50 | 2023-11-29 | 2024-02-17 |
| peticaonline[.]com | 164.215.103[.]143 | 2023-11-27 | 2024-02-17 |
| escortbabesluxo[.]com | 164.215.103[.]20 | 2023-11-03 | 2024-02-13 |
| coazoa[.]com | 169.255.59[.]98 | 2023-11-01 | 2024-02-19 |
| weekendcool[.]com | 185.113.8[.]83 | 2023-11-18 | 2024-02-14 |
| qazsporttv[.]com | 185.117.91[.]237 | 2023-12-14 | 2024-02-17 |
| pelovkin[.]com | 185.117.91[.]165 | 2023-11-29 | 2024-02-14 |
| plastictoysworld[.]com | 185.130.227[.]88 | 2023-11-28 | 2024-02-17 |
| tohna[.]net | 185.219.220[.]99 | 2023-11-02 | 2024-02-10 |
| notify-service[.]biz | 185.62.58[.]107 | 2023-11-16 | 2024-02-01 |
| copy-note[.]net | 185.66.140[.]112 | 2023-11-29 | 2024-01-31 |
| zakorn[.]com | 193.168.143[.]111 | 2023-11-10 | 2024-02-17 |
| walatparez[.]com | 193.233.161[.]137 | 2023-12-09 | 2024-02-17 |
| tobupmi[.]com | 193.233.161[.]163 | 2023-11-14 | 2024-02-16 |
| gabzmus[.]com | 193.29.104[.]13 | 2023-11-14 | 2024-02-17 |
| msbsck[.]com | 193.29.104[.]83 | 2023-11-16 | 2024-02-17 |
| mastershop[.]biz | 193.42.36[.]84 | 2023-11-17 | 2024-02-11 |
| kollesa[.]com | 212.237.217[.]127 | 2023-11-10 | 2024-02-17 |
| schedulefestival[.]com | 213.252.246[.]152 | 2023-11-16 | 2024-02-18 |
| post-notify[.]info | 23.137.248[.]95 | 2023-11-17 | 2024-02-17 |
| dzhabarzan[.]com | 37.120.222[.]115 | 2023-12-08 | 2024-02-21 |
| shoxtek[.]com | 46.30.190[.]98 | 2023-11-23 | 2024-02-12 |
| fast-notify[.]com | 79.110.52[.]179 | 2023-12-09 | 2024-02-19 |
| clazc[.]com | 85.239.34[.]174 | 2023-11-24 | 2024-02-17 |
| beroxe[.]com | 87.121.45[.]45 | 2023-12-09 | 2024-02-21 |
| kroal[.]com | 91.241.93[.]165 | 2023-12-08 | 2024-02-19 |
| rcuples[.]com | 98.142.254[.]112 | 2023-11-28 | 2024-02-02 |
MITRE ATT&CK TTPs
| Tactic: Technique | ATT&CK Code |
| Resource Development: Acquire Infrastructure: Domains | T1583.001 |
| Resource Development: Acquire Infrastructure: Virtual Private Server | T1583.003 |
| Resource Development: Acquire Infrastructure: Server | T1583.004 |
| Initial Access: Spearphishing Link | T1566.002 |
| Execution: Exploitation for Client Execution | T1203 |
Related