Between 2010 and 2025, commercial surveillance vendors (CSVs) evolved from niche suppliers into a lucrative, consolidated ecosystem selling sophisticated spyware whose products have repeatedly been used for repression and human-rights abuses despite public exposure and sanctions. The report highlights the reuse of advanced exploits (including zero-click chains) by state-linked customers and discusses the detection, mitigation, and regulatory challenges this creates. #Predator #Pegasus
Keypoints
- CSVs expanded and industrialised between 2010–2025, offering turnkey spyware solutions that include exploit development, infection chains, C2 infrastructure, and operator interfaces.
- Commercial spyware (e.g., Pegasus, Predator, Graphite) has been widely misused against journalists, activists, dissidents, and political figures, prompting NGO and journalistic exposés and legal actions.
- CSV techniques advanced to include zero-click (0-click) and one-click (1-click) exploits, baseband/Bluetooth/Wi‑Fi attack surfaces, and complex multi-layered infrastructures to anonymize customers.
- Despite legal sanctions and reputational damage, many CSVs persist through rebranding, corporate consolidation, use of intermediaries, and opaque consortium structures (e.g., Intellexa, Nexa, FoxItech involvement).
- The infection chain commonly follows reconnaissance → delivery vector (1-click/0-click/physical) → exploit → implant → C2/exfiltration, with typosquatted delivery domains and VPS-based per-customer C2 instances observed.
- Detection is difficult but possible via network traffic analysis (beaconing, suspicious or lookalike domains), system diagnostics (sysdiagnose), and forensic tools such as SpyGuard and MVT (Mobile Verification Toolkit); vendor threat-notification emails (e.g., [email protected]) can also indicate compromise.
- Mitigations include timely OS updates, disabling unused services, using lockdown modes, separate devices for sensitive activities, burner phones for travel, VPNs, and strong operational hygiene to reduce attack surface.
MITRE Techniques
- [T1204] User Execution – One-click exploits: targets are lured to click malicious links or files delivered via SMS, email or messaging apps (“he received SMS messages containing links that promised information… If clicked, the malicious link would have chained previously unknown iOS vulnerabilities…”).
- [T1566.002] Phishing: Spearphishing Link – Targeted phishing for delivery: spear-phishing messages impersonating known contacts or peers deliver weaponized links (example: the phishing SMS sent to Ahmed Mansoor containing links about detainees).
- [T1588] Obtain Capabilities – Vulnerability acquisition and exploit development: CSVs and vulnerability brokers procure and develop zero-days and exploits for sale or inclusion in spyware toolkits (“CSV activities can include vulnerability research or acquisition, exploits development…”).
- [T1203] Exploitation for Client Execution – Zero-click exploitation via messaging-app parsing: crafted messages or files trigger vulnerabilities when an app processes them automatically, without user interaction (WhatsApp Graphite case: “a malicious PDF is sent. As WhatsApp processes the file to generate a preview, a zero-day vulnerability is triggered…”).
- [T1664] Exploitation for Initial Access (Mobile) – Baseband/Bluetooth/Wi‑Fi attack surfaces and IMSI-catcher use: exploitation of the cellular baseband, Bluetooth or Wi‑Fi stacks, and use of IMSI catchers for proximity attacks (“commercial surveillance vendors have reportedly explored alternative zero click attack surfaces such as on the baseband, Bluetooth, and Wi-Fi stacks…”).
- [T1583] Acquire Infrastructure / [T1584] Compromise Infrastructure – Multi-tier C2 and anonymisation layers: operators use layered VPS instances, typosquatted delivery domains and attacker-registered or compromised servers to host delivery and C2 services (“Predator operators rely on a multi-tier infrastructure… typosquatted delivery servers… C2 servers…”).
- [T1588.002] Obtain Capabilities: Tool – Procurement through intermediaries and brokers: third-party companies purchase or operate the spyware on behalf of the end customer, obscuring who is actually running the operation (“intermediaries constitute a ‘grey zone’ … Toru Group served as an intermediary…”).
- [T1583.001] Acquire Infrastructure: Domains – Typosquatted delivery domains for lures: registered domains mimicking legitimate sites lure victims into connecting to the delivery servers (“typosquatted delivery servers… mimicking legitimate websites from their countries”).
Indicators of Compromise
- [File/Tool Names] spyware and forensic tools – examples: Predator (Cytrox/Intellexa), Pegasus (NSO Group), Graphite (Paragon), and NoviSpy (found on devices after Cellebrite-assisted unlocking) (context: named commercial spyware and forensic products discussed throughout the report).
- [Domains] typosquatted delivery domains – example: typosquatted sites mimicking local news or interest sites (context: used as delivery servers for lure/payload), and generic malicious domains observed in Predator campaigns.
- [Email Addresses] threat notification senders – example: [email protected], [email protected] (context: vendor-issued device compromise alerts that can appear in victim email or logs).
- [C2 Infrastructure] VPS/hosting patterns – example: per-customer VPS instances with SSH and HTTPS (context: Predator customers running individual VPS instances often exposing SSH and port 443 managed by Nginx), and involvement of FoxItech s.r.o. servers.
- [Vulnerabilities/CVEs] exploited 0-day chains – example: CVE-2016-4657 / CVE-2016-4655 / CVE-2016-4656 (Trident) (context: the 1-click Pegasus chain used against Ahmed Mansoor: a WebKit bug followed by a kernel information leak and a kernel memory-corruption bug), plus the undisclosed zero-day exploited in the Paragon Graphite WhatsApp PDF case.
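The two network-side signals the report points at, regular beaconing to a per-customer C2 host and delivery domains that typosquat sites the target normally reads, can be triaged from a plain connection log before any full forensic pass. The script below is an added example written for this summary, not code from the Sekoia report or from MVT/SpyGuard. The log format (`timestamp host port`), the `.example` hostnames and the allow-list of "known good" domains are all constructed for illustration; the thresholds (four hits, coefficient of variation of inter-connection gaps at or below 0.10, at most two edits from a legitimate registrable domain) are assumptions a triager would tune.

```python
"""Triage helper: flag beaconing hosts and typosquatted domains in an outbound connection log.

Added example for this summary; not code from the Sekoia report. The log lines,
hostnames and allow-list below are constructed, and every threshold is an assumption.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: outbound connections from one phone as "timestamp host port".
# news-t0day.example (digit zero) is the planted lookalike, contacted every ~5 minutes.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z news-today.example 443
2025-03-01T10:00:00Z cdn.example-messenger.example 443
2025-03-01T10:05:01Z news-t0day.example 443
2025-03-01T10:09:59Z news-t0day.example 443
2025-03-01T10:15:00Z news-t0day.example 443
2025-03-01T10:20:02Z news-t0day.example 443
2025-03-01T10:24:58Z news-t0day.example 443
2025-03-01T10:07:13Z cdn.example-messenger.example 443
2025-03-01T10:31:40Z cdn.example-messenger.example 443
2025-03-01T10:52:05Z cdn.example-messenger.example 443
"""

# Constructed allow-list: domains the user is known to visit legitimately.
KNOWN_GOOD = ["news-today.example", "example-messenger.example"]


def parse_log(text: str) -> list[tuple[datetime, str, int]]:
    """Parse 'timestamp host port' lines into (datetime, host, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, port = line.split()
        # Accept a trailing 'Z' on Python versions whose fromisoformat does not.
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), host.lower(), int(port)))
    return events


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short hostnames, so the O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels (no public-suffix list here)."""
    return ".".join(host.split(".")[-2:])


def typosquat_candidates(hosts, known_good, max_distance: int = 2) -> dict[str, str]:
    """Map each host whose registrable domain is a near-miss of a known-good domain to that domain."""
    good = {registrable(g) for g in known_good}
    flagged = {}
    for host in sorted(set(hosts)):
        reg = registrable(host)
        if reg in good:
            continue  # exact match on the registrable domain is a legitimate subdomain, not a lookalike
        best = min(good, key=lambda g: levenshtein(reg, g))
        if levenshtein(reg, best) <= max_distance:
            flagged[host] = best
    return flagged


def beaconing_candidates(events, min_hits: int = 4, max_cv: float = 0.10) -> list[dict]:
    """Flag hosts contacted at near-constant intervals: coefficient of variation of gaps <= max_cv."""
    by_host = defaultdict(list)
    for ts, host, _port in events:
        by_host[host].append(ts)
    flagged = []
    for host, stamps in by_host.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            flagged.append({"host": host, "hits": len(stamps), "mean_interval_s": mean, "cv": cv})
    return flagged


def triage(log_text: str, known_good) -> dict:
    """Run both heuristics over a log and return the candidates for manual review."""
    events = parse_log(log_text)
    return {
        "beaconing": beaconing_candidates(events),
        "typosquat": typosquat_candidates([h for _, h, _ in events], known_good),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG, KNOWN_GOOD).items():
        print(kind, hits)
```

On the constructed log this flags `news-t0day.example` twice: once as a lookalike of `news-today.example` (one edit apart) and once as a beacon (five hits roughly 299 s apart), while the messenger CDN, which is contacted at irregular intervals and is a genuine subdomain of an allow-listed domain, passes both checks. Real push and telemetry services also beacon regularly, so the allow-list and the hit threshold carry the false-positive load; the output is a review queue for sysdiagnose or MVT analysis, not a verdict.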
Read more: https://blog.sekoia.io/predators-for-hire-a-global-overview-of-commercial-surveillance-vendors/