Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices

New research from Recorded Future’s Insikt Group examines newly discovered infrastructure related to the operators of Predator, a mercenary mobile spyware developed by Cytrox and currently managed by the Intellexa Alliance. The infrastructure is believed to be in use in at least eleven countries, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. Notably, this is the first time customers in Botswana and the Philippines have been publicly identified.. Despite being marketed for counterterrorism and law enforcement, Predator has often been used against civil society, targeting journalists, politicians, and activists. In this latest activity, no specific victims or targets have been identified.

Multi-tier Predator delivery network architecture (Source: Recorded Future)

Understanding Risks and Implementing Security Best Practices

The use of spyware like Predator poses significant risks to privacy, legality, and physical safety, especially when used outside serious crime and counterterrorism contexts. While most abuse cases involve targeting civil society, other organizations and individuals in regions known for spyware abuse should remain aware of the risk, regardless of their industry or location. Given the high deployment costs and per-infection charges, high-profile individuals, such as executives, who are expected to possess significant intelligence value are more likely to be targeted.. The European Union has recently taken steps to curb the abuse of mercenary spyware among its member states.

As the market for mercenary spyware grows with new companies and products, the risk of being targeted extends to anyone of interest to entities with access to these tools or similar capabilities. With continued profitability, increasing competition, and strengthened IT security, innovation will likely lead to more covert infection methods—such as persistence through factory resets—new targets like cloud backups, a more professionalized spyware ecosystem, and broader product portfolios. Consequently, effective mitigation strategies must involve close monitoring of the ecosystem, thorough risk assessments, and stronger regulations from policymakers.

Mitigation Strategies

To mitigate these risks, organizations and individuals are advised to follow security best practices such as regular phone updates, device reboots, lockdown mode, Mobile Device Management systems, and separating personal from corporate devices. Security awareness training and minimal data exposure culture are also crucial. Long-term solutions include conducting risk assessments for developing dynamic security policies. As the mercenary spyware market expands, the risks extend beyond civil society to anyone of interest to entities with access to these tools. Innovations in this field are likely to lead to more stealthy and comprehensive spyware capabilities.

Key findings from Insikt Group's research include the discovery of a new multi-tiered Predator delivery infrastructure, indicating the likely continued use of Predator in at least eleven countries. This conclusion is supported by domain analysis and insights from Recorded Future Network Intelligence. Despite public disclosures in September 2023, Predator's operators have continued their operations with minimal changes. Predator, alongside NSO Group’s Pegasus, remains a leading provider of mercenary spyware, with consistent tactics, techniques, and procedures over time.

To read the entire analysis, click here to download the report as a PDF.

Note: This report summary was first published on March 1, 2024 and has been updated on October 30, 2024. The original analysis and findings remain unchanged.

Indicators of Compromise

Predator Delivery Servers

MITRE ATT&CK TTPs