Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices

Recorded Future’s Insikt Group has identified a rebuilt, multi‑tier Predator delivery infrastructure made up of numerous domains and IP addresses, with delivery servers observed active in at least eleven countries and first‑time identifications of Predator customers in Botswana and the Philippines. The operators continue to provision domains, VPS instances and dedicated servers, and rely on spearphishing links and client‑side exploitation to deliver Predator to mobile devices. #Predator #RecordedFuture

Key points

  • Insikt Group identified a new multi‑tier Predator delivery network built from numerous domains, VPS instances, and servers mapped to observable IP addresses.
  • The infrastructure supported delivery servers active across at least eleven countries, with first sightings of customers in Botswana and the Philippines.
  • Operators continue to reuse consistent tactics, techniques, and procedures despite prior public disclosures.
  • Delivery domains and IPs were enumerated and paired with first‑seen/last‑seen timestamps, showing ongoing activity from late 2023 into early 2024.
  • Initial access vectors include spearphishing links and exploitation for client execution, used to run the spyware payload on the target’s device.
  • Defensive focus should include blocking/monitoring listed domains and IPs and hunting for spearphishing URLs and exploitation indicators tied to the delivery chain.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – Operators register and deploy domains for the delivery network.
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – VPS instances host delivery and staging services.
  • [T1583.004] Acquire Infrastructure: Server – Operators provision dedicated servers as part of the multi‑tier delivery architecture.
  • [T1566.002] Spearphishing Link – Initial access is achieved via spearphishing links that lead targets to the Predator delivery infrastructure.
  • [T1203] Exploitation for Client Execution – Client‑side exploitation is used to execute the payload on the target device as part of the delivery chain.

Indicators of Compromise

  • [Domains] Predator delivery domains used for staging, delivery and C2 – examples: 06g[.]co and spacsaver[.]info; the report lists 100+ further domains.
  • [IP Addresses] IPs hosting delivery servers and mapped to the delivery domains – examples: 185.130.227[.]29 and 45.148.244[.]5; the report lists 100+ further IPs.

Recorded Future’s analysis describes a deliberate multi‑tier delivery architecture for Predator: operators register numerous domains and provision VPS instances and dedicated servers to host staging, delivery and command infrastructure. Domains are mapped to a broad set of IP addresses and services are rotated across those hosts; Recorded Future provides a table of delivery domains paired with IPs and first‑seen/last‑seen timestamps that demonstrate active use from late 2023 into early 2024. Examples include the delivery domains 06g[.]co (185.130.227[.]29) and spacsaver[.]info (45.148.244[.]5), among many others.

The observed delivery chain combines resource acquisition with social engineering and exploitation: operators acquire infrastructure (T1583.001/.003/.004), distribute spearphishing links to targets (T1566.002) and use client‑side exploitation to execute the spyware payload on mobile devices (T1203). The multi‑tier design separates public‑facing delivery nodes from backend C2, so detection depends on correlating domain and IP artifacts with behavioral indicators and on timeline analysis (first/last seen) to tell currently active components from retired ones.

For operational defenders, the report’s enumerated domains and IPs form immediate blocklists and hunt lists, while telemetry should focus on suspicious inbound URLs, exploitation attempts against mobile clients, and anomalous connections from managed devices to the listed hosts. Correlating proxy and DNS logs with the provided first/last‑seen timestamps helps prioritize infrastructure that is still active for containment and further investigation, and separates those hits from matches on hosts the report last saw months earlier.
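The hunt described above, worked through as an added example (this is not code from the Recorded Future report). The two domain/IP pairs are the ones quoted in this summary; the first‑seen/last‑seen dates, the log format and the log lines are constructed for illustration and are not taken from the report. The script refangs the indicators, builds a blocklist, matches proxy/DNS log lines by domain (including subdomains) or destination IP, and marks each hit as "active" when the observation falls inside the reported window or shortly after the indicator's last‑seen date, and "historical" otherwise.

```python
"""Hunt proxy/DNS logs for Predator delivery-infrastructure indicators.

Added example, not code from Recorded Future. The two indicators below
appear in the summary; the dates and the SAMPLE_LOGS are CONSTRUCTED.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Indicator rows in the report's shape: defanged domain, defanged IP,
# first seen, last seen (UTC dates). The dates are ASSUMED, not reported.
INDICATORS_DEFANGED = [
    ("06g[.]co",         "185.130.227[.]29", "2023-11-02", "2024-02-19"),
    ("spacsaver[.]info", "45.148.244[.]5",   "2023-12-14", "2024-01-08"),
]

# Constructed log lines: "<ts> <src_ip> <dst_host> <dst_ip> <url>".
SAMPLE_LOGS = """\
2024-02-20T09:12:01Z 10.20.0.15 06g.co 185.130.227.29 https://06g.co/a/9f3c
2024-02-20T09:13:44Z 10.20.0.15 www.example.org 93.184.216.34 https://www.example.org/
2024-03-02T17:05:09Z 10.20.0.77 cdn.spacsaver.info 45.148.244.5 https://cdn.spacsaver.info/x
2024-03-03T08:00:00Z 10.20.0.91 mail.example.org 198.51.100.7 https://mail.example.org/inbox
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst_ip>\S+) (?P<url>\S+)$")


def refang(ioc: str) -> str:
    """Turn '06g[.]co' or 'hxxps://...' back into a string logs will contain."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def load_indicators(rows):
    """Build lookups keyed by domain and by IP, each carrying its date window."""
    by_domain, by_ip = {}, {}
    for dom, ip, first, last in rows:
        rec = {
            "domain": refang(dom).lower(),
            "ip": str(ipaddress.ip_address(refang(ip))),  # raises on a malformed IP
            "first_seen": datetime.fromisoformat(first).replace(tzinfo=timezone.utc),
            "last_seen": datetime.fromisoformat(last).replace(tzinfo=timezone.utc),
        }
        by_domain[rec["domain"]] = rec
        by_ip[rec["ip"]] = rec
    return by_domain, by_ip


def to_blocklist(rows):
    """Refanged, deduplicated domains and IPs for a proxy/DNS blocklist."""
    by_domain, by_ip = load_indicators(rows)
    return {"domains": sorted(by_domain), "ips": sorted(by_ip)}


def match_domain(host, by_domain):
    """Exact or subdomain match: cdn.spacsaver.info matches spacsaver.info."""
    host = host.lower().rstrip(".")
    for dom, rec in by_domain.items():
        if host == dom or host.endswith("." + dom):
            return rec
    return None


def hunt(log_text, rows, stale_after_days=30):
    """Return one hit per matching log line, tagged active or historical."""
    by_domain, by_ip = load_indicators(rows)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        host = urlsplit(m["url"]).hostname or m["host"]
        rec = match_domain(host, by_domain)
        matched_on = "domain" if rec else "ip"
        rec = rec or by_ip.get(m["dst_ip"])
        if rec is None:
            continue
        # Inside the reported window, or within stale_after_days after the
        # indicator's last_seen, the host is probably still live: triage first.
        gap = ts - rec["last_seen"]
        in_window = rec["first_seen"] <= ts <= rec["last_seen"]
        recent = timedelta(0) <= gap <= timedelta(days=stale_after_days)
        hits.append({
            "ts": ts.isoformat(),
            "src": m["src"],
            "indicator": rec["domain"],
            "matched_on": matched_on,
            "priority": "active" if (in_window or recent) else "historical",
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS, INDICATORS_DEFANGED):
        print(hit)
```

In practice the indicator rows would be read from the report's table and the log lines from the proxy or resolver, and `stale_after_days` should be tuned to how old the report is when it is applied; a hit tagged "historical" still warrants a look, but an "active" hit on a host the report saw live within the last month is the one to contain first.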

Read more: https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices