The Predator spyware ecosystem is not dead

Sekoia.io reports that Predator spyware infrastructure remained active after the Predator Files disclosures, with new domains and command-and-control clusters created post-publication. The investigation links these clusters to Intellexa customers tracked as Lycantrox and notes operational-security changes such as generic domains and typosquatting to avoid attribution. #Predator #Intellexa

Keypoints

  • Researchers observed new Predator-related infrastructure created after the Predator Files disclosures, proving ongoing use.
  • Exposed clusters included both exploits-related resources and command-and-control infrastructure tied to Intellexa customers (Lycantrox).
  • Adversaries increased use of generic, non-descriptive domains to improve plausible deniability and reduce attribution signals.
  • Typosquatting domains mimicking media and local services were used as lures, with examples linked to Madagascar, Indonesia, Kazakhstan, Egypt, Botswana, Mongolia, and Sudan.
  • One IP (169.239.129[.]76) resolved to multiple Lycantrox-related domains, linking new domains to previously observed infrastructure.
  • Sekoia mapped country-specific clusters (e.g., Angola, Madagascar, Indonesia, Kazakhstan, Egypt) and identified three newly observed country-related domains (Botswana, Mongolia, Sudan).
  • Analysts recommend continued monitoring and sharing of indicators with NGOs and partners to mitigate misuse of commercial intrusion capabilities.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Use of exploit-related infrastructure to achieve client execution, as described (‘exposes exploits-related and command-and-control infrastructure clusters employed by Intellexa customers.’)
  • [T1071] Application Layer Protocol – Command-and-control communications hosted on web-accessible infrastructure to manage deployed spyware (‘command-and-control infrastructure clusters’).
  • [T1583] Acquire Infrastructure – Adversaries created new domains and hosting after disclosure to replace shut-down resources (‘we found new infrastructure built after the Predator Files publications’).
  • [T1566.002] Phishing: Spearphishing Link – Typosquatting and lookalike domains used as lures to target journalists and local entities (‘typosquatting can be related to the French newspaper Le Monde (fr-monde[.]com)’).
  • [T1036] Masquerading – Use of generic, non-descriptive malicious domains to provide plausible deniability and reduce attribution (‘significant increase in the number of generic malicious domains which do not give indications on targeted entities’).

Indicators of Compromise

  • [Domain] typosquat and lure domains – fr-monde[.]com, kejoranews[.]net, and 11 more domains (e.g., bni-madagascar[.]com, suarapapua[.]co, vlast-news[.]com, mmegi[.]co, ulstur[.]co, sdntribune[.]co)
  • [IP address] infrastructure linkage – 169.239.129[.]76 (resolved for fr-monde[.]com and bni-madagascar[.]com)

Sekoia’s technical analysis focused on infrastructure discovery and correlation: researchers scanned for newly registered and previously observed domains, resolved DNS records to identify shared hosting and IP addresses (e.g., 169.239.129[.]76), and compared those results to last year’s Lycantrox-related domains to link new resources to known Predator clusters. They flagged typosquatting domains that mimic media and local services and cataloged country-specific domain patterns (Portuguese-language domains for Angola, Le Monde typosquat linked to Madagascar, West Papua media typosquats for Indonesia, .kz TLDs for Kazakhstan, and multiple Egypt-related lures), using DNS resolution and registration metadata to strengthen attribution hypotheses.

On the operational side, analysts observed a shift toward generic, non-descriptive domain registrations and reuse of hosting infrastructure to reduce obvious ties to targeted organizations; this included acquiring fresh domains after prior infrastructure was taken down and using lookalike domains for plausible deniability. The technical indicators emphasized in detection include domain name patterns (typosquatting and local-language variants), shared resolving IPs across suspected domains, and temporal correlation of domain creation dates following public disclosures.

For defenders, the recommended technical procedure is to monitor newly registered domains that mimic local media or government services, perform regular passive and active DNS correlation to detect shared IPs and hosting, track domain creation timelines relative to public disclosures, and share IOC lists with partners to enable rapid takedown and containment of C2 and exploit-related infrastructure.
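The three correlation checks described above (shared resolving IPs, domain creation after a public disclosure, and lookalike labels) can be scripted against passive-DNS exports. The following is an added example written for this summary, not Sekoia's tooling: it works on constructed records in the defanged notation used in reports, where only the fr-monde[.]com / bni-madagascar[.]com link to 169.239.129[.]76 comes from the article; the registration dates, the other resolutions, the cut-off date and the watchlist of protected media names are assumptions for the example.

```python
"""Passive-DNS correlation triage for suspected spyware lure domains.

Added example, not Sekoia's code. Records are (domain, resolved IP, registration
date); each domain is scored on the three signals the summary names.
"""
from collections import defaultdict
from datetime import date

# Constructed sample records in defanged notation. Only the
# fr-monde / bni-madagascar -> 169.239.129[.]76 link is from the article;
# the dates and the remaining resolutions are made up for the example.
SAMPLE_RECORDS = [
    ("fr-monde[.]com",       "169.239.129[.]76", "2023-11-20"),
    ("bni-madagascar[.]com", "169.239.129[.]76", "2023-12-04"),
    ("kejoranews[.]net",     "203.0.113[.]10",   "2023-10-15"),
    ("vlast-news[.]com",     "203.0.113[.]10",   "2023-11-02"),
    ("example-bakery[.]net", "198.51.100[.]5",   "2022-03-09"),
]

# Cut-off for "created after disclosure". Assumption for the example: the
# early-October 2023 Predator Files publications; set it to the event you track.
DISCLOSURE_DATE = date(2023, 10, 5)

# Constructed watchlist: name tokens of media outlets / local services whose
# lookalikes the defender wants to catch (Le Monde is the one named in the article).
WATCHLIST = ["monde", "suarapapua", "vlast", "mmegi"]


def refang(indicator: str) -> str:
    """Turn the report-safe form 'a[.]b' back into 'a.b' for lookups."""
    return indicator.replace("[.]", ".")


def cluster_by_ip(records):
    """Map each resolved IP to the sorted list of domains that resolved to it."""
    clusters = defaultdict(set)
    for domain, ip, _created in records:
        clusters[refang(ip)].add(refang(domain))
    return {ip: sorted(domains) for ip, domains in clusters.items()}


def shared_ip_links(records):
    """Keep only IPs shared by two or more domains: the linkage used for attribution."""
    return {ip: doms for ip, doms in cluster_by_ip(records).items() if len(doms) > 1}


def created_after(records, cutoff: date):
    """Domains whose registration date falls after the disclosure cut-off."""
    return sorted(refang(d) for d, _ip, created in records
                  if date.fromisoformat(created) > cutoff)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, watchlist):
    """Return the watchlist token the domain's first label imitates, else None.

    The first label is split on '-' so 'fr-monde' and 'vlast-news' are matched
    on their brand-bearing token; a token counts if it is within one edit.
    """
    label = refang(domain).split(".")[0].lower()
    for token in label.split("-"):
        if len(token) < 4:          # skip short prefixes such as 'fr' or 'bni'
            continue
        for name in watchlist:
            if edit_distance(token, name) <= 1:
                return name
    return None


def triage(records, cutoff: date, watchlist):
    """Score each domain by how many of the three signals it trips, highest first."""
    shared = {d: ip for ip, doms in shared_ip_links(records).items() for d in doms}
    recent = set(created_after(records, cutoff))
    findings = []
    for domain, _ip, _created in records:
        d = refang(domain)
        hit = {
            "domain": d,
            "shared_ip": shared.get(d),
            "post_disclosure": d in recent,
            "lookalike_of": lookalike_of(d, watchlist),
        }
        hit["score"] = sum(bool(hit[k]) for k in ("shared_ip", "post_disclosure", "lookalike_of"))
        findings.append(hit)
    return sorted(findings, key=lambda h: (-h["score"], h["domain"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, DISCLOSURE_DATE, WATCHLIST):
        print(f"{f['score']} {f['domain']:22} shared_ip={f['shared_ip']} "
              f"post_disclosure={f['post_disclosure']} lookalike_of={f['lookalike_of']}")
```

On the constructed records, fr-monde.com and vlast-news.com trip all three signals, the two domains sharing an IP with them trip two, and the pre-disclosure bakery domain trips none; in practice the shared-IP check needs a hosting-provider allowlist so that large shared hosts do not link unrelated domains, and the score is a prioritisation aid for analyst review rather than a verdict.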

Read more: https://blog.sekoia.io/the-predator-spyware-ecosystem-is-not-dead/