Sold to the Highest Bidder: The Escalation of ADINT from Geolocation Tracking to Intrusion Vector

Sold to the Highest Bidder: The Escalation of ADINT from Geolocation Tracking to Intrusion Vector

The report explains how AdTech mechanisms such as RTB and SDKs have evolved into advertisement-based intelligence (ADINT) tools for passive profiling, active geolocation, and offensive zero-click intrusion. It also documents commercial surveillance vendors and products including NSO Group, Pegasus, Intellexa, Predator, Rayzone, Patternz, Babel Street, Locate X, and Insanet as examples of this expanding ecosystem. #NSOGroup #Pegasus #Intellexa #Predator #Rayzone #Patternz #BabelStreet #LocateX #Insanet

Keypoints

  • ADINT uses legitimate advertising infrastructure to collect, correlate, and operationalize user data for intelligence purposes.
  • RTB broadcasts user data such as IP address, geolocation, device identifiers, and behavioral attributes to many third parties during ad auctions.
  • Third-party SDKs can continuously harvest data from apps and inherit permissions such as location, microphone, camera, and contacts.
  • Passive ADINT profiles groups and individuals by correlating MAIDs, location patterns, and ad taxonomy interests, including sensitive sectors.
  • Active ADINT enables near real-time tracking of known targets using MAIDs and geofenced locations through products like Locate X and SDK-based collection.
  • Offensive ADINT weaponizes ad delivery to silently deploy spyware, with examples including Intellexa’s Aladdin and Insanet’s Sherlock.
  • The report shows ADINT’s growth across US, Israeli, Asian, and African markets, alongside legal and export-control pressures.

MITRE Techniques

  • [T1210 ] Exploitation of Remote Services – Used to remotely compromise targets through messaging-app and advertising delivery vectors, including zero-click intrusion and spyware deployment (‘used as a zero-click intrusion vector to install the spyware Pegasus’; ‘weaponises the ad delivery process itself to achieve zero-click device infection’).
  • [T1221 ] Template Injection – Abused in the sense of inserting malicious content into legitimate ad delivery streams to trigger infection (‘leverages RTB processes to deliver a malicious ad to a target’).
  • [T1105 ] Ingress Tool Transfer – Malicious payloads were delivered through ad infrastructure to install spyware on target devices (‘deliver malicious payloads to targeted devices’; ‘deploy spyware’).
  • [T1071.001 ] Web Protocols – The attack chain relies on web-based advertising protocols and ad exchanges to move data and content (‘Real-Time Bidding (RTB) is a programmatic advertising mechanism’; ‘using AdTech mechanisms for intelligence purposes’).
  • [T1016 ] System Network Configuration Discovery – Devices and profiles are characterized using IP address, geolocation, and device identifiers for tracking (‘transmitting user-level data, including IP address, geolocation, and device identifiers’).
  • [T1636 ] Steal Application Access Token – SDK-based and adtech collection leveraged application-granted permissions to expand data access (‘inherits those permissions by extension’; ‘access their geolocation, contact list, microphone, or camera’).

Indicators of Compromise

  • [Malware / spyware names] offensive ADINT and commercial spyware referenced in the report – Pegasus, Predator, DevilsTongue, and other 1 item
  • [Product / platform names] adtech surveillance and tracking platforms – Locate X, AdHoc, and other 3 items
  • [Company / actor names] vendors and data brokers tied to ADINT activity – NSO Group, Intellexa, and other 6 items
  • [Geographic / location references] regions and places used in targeting or market expansion context – Aleppo, Hong Kong, and other 5 items
  • [Protocol / technology names] collection infrastructure referenced for surveillance operations – RTB, SDK, and other 2 items
  • [Legal / regulatory references] enforcement and legal actions tied to collection practices – FTC, GDPR, and other 4 items


Read more: https://www.sekoia.com/blog/sold-to-the-highest-bidder-the-escalation-of-adint-from-geolocation-tracking-to-intrusion-vector