Intellexa’s Global Corporate Web

Predator is a modular, stealthy mercenary spyware developed by Cytrox and distributed via an Intellexa-linked corporate web, enabling full access to microphones, cameras, and all device data on Android and iPhone devices. The report maps Intellexa’s fragmented corporate infrastructure, documents delivery methods including “1-click” and ad-based (“Aladdin”) vectors, and details observed deployments across multiple countries alongside mitigations and ongoing investigations. #Predator #Intellexa

Keypoints

  • Predator is a Python-based, modular mercenary spyware (originating with Cytrox) that provides operators full device access and can receive new capabilities remotely.
  • Delivery vectors include social-engineered “1-click” links and proof-of-concept “zero-click”/ad-based methods (e.g., the alleged “Aladdin” ad-injection PoC), though no confirmed fully remote zero-click Predator exploit has been observed.
  • Insikt Group and partners identified suspected Predator operators or deployments in over a dozen countries and specific evidence of abuse against journalists, politicians, and activists (notably the “Predatorgate” cases in Greece).
  • Intellexa and affiliated firms operate through a complex, rapidly changing web of shell/front companies (e.g., PULSE FZCO, Zelus Analytics, Pulse Advertise, MorningStar TEC) to facilitate sales, hosting, and shipments.
  • Export and import records link front companies (e.g., PULSE FZCO) to shipments to state customers in Botswana, Kazakhstan, and the Philippines, correlating with observed Predator infrastructure activity.
  • Observed infrastructure includes multi-tiered servers (Tier 1–Tier 5) and domains/IPs used for targeting and control; mitigation recommendations include monitoring IOCs, applying OS patches, enabling Lockdown Mode, and using ad-blocking.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – Intellexa-linked entities registered and operated numerous domains to support Predator deployments (‘domains associated with the four new entities discussed below became active in close succession between March 8 and 26, 2024.’)
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – Predator-related sites and services were hosted on VPS infrastructure to run command-and-control and front websites (‘was hosted on the IP address 173[.]236[.]243[.]198 (DREAMHOST-AS, US [AS26347])’).
  • [T1583.004] Acquire Infrastructure: Server – The malware ecosystem used multi-tier server infrastructure for customer communications and telemetry (‘several Tier 4 servers in other clusters tied to Predator spyware customers continued to communicate with the Tier 5 infrastructure’).
  • [T1566.002] Phishing: Spearphishing Link – “1-click” initial access relied on social-engineering messages containing malicious links that required user interaction (‘1-click attacks rely on social engineering messages with malicious links that require user interaction’).
  • [T1203] Exploitation for Client Execution – Exploit chains and zero-day RCEs are discussed as mechanisms enabling remote code execution on targeted smartphones (‘zero-day remote code executions (RCEs) against the latest iPhones and Android devices’).

Indicators of Compromise

  • [Domains] Domains linked to Predator infrastructure and front companies – badinigroup[.]com (Iraq-linked Predator domains), pulse-fzco[.]com (front company/shipments), and 2 more domains
  • [IP Addresses] Hosting and C2 infrastructure – 173[.]236[.]243[.]198 (host for multiple Intellexa-linked domains), 169[.]239[.]129[.]23 (observed Tier 1 server receiving suspected victim traffic), and 2 more IPs
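As an added illustration of the "monitoring IOCs" mitigation in the key points, the following Python script is example code written for this summary, not code from the Recorded Future report. It refangs the four indicators listed on this page (the defanged `[.]` notation) and checks them against DNS and outbound-connection log lines. The log format, the sample lines, and the helper names (`refang`, `domain_matches`, `scan_logs`) are assumptions constructed for the example; the domain check also flags subdomains of a watched domain, which goes slightly beyond the literal list above.

```python
import ipaddress
import re

# Indicators copied from this page, in the report's defanged form.
DEFANGED_DOMAINS = ["badinigroup[.]com", "pulse-fzco[.]com"]
DEFANGED_IPS = ["173[.]236[.]243[.]198", "169[.]239[.]129[.]23"]


def refang(indicator: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


WATCH_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
WATCH_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}


def domain_matches(query: str) -> bool:
    """True if the queried name is a watched domain or a subdomain of one."""
    q = query.lower().rstrip(".")  # tolerate a trailing dot from DNS logs
    return any(q == d or q.endswith("." + d) for d in WATCH_DOMAINS)


# Constructed sample log lines for the example; NOT taken from the report.
# 10.0.0.0/8 and 203.0.113.0/24 are private/documentation ranges.
SAMPLE_LOGS = [
    "2024-03-12T10:01:02Z dns client=10.0.0.5 query=www.example.org type=A",
    "2024-03-12T10:01:09Z dns client=10.0.0.5 query=cdn.badinigroup.com type=A",
    "2024-03-12T10:01:10Z conn src=10.0.0.5 dst=173.236.243.198 dport=443",
    "2024-03-12T10:02:44Z conn src=10.0.0.7 dst=203.0.113.10 dport=443",
    "2024-03-12T10:03:15Z dns client=10.0.0.9 query=pulse-fzco.com. type=AAAA",
]

# Assumed line shape: "<timestamp> <dns|conn> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|conn) (?P<fields>.*)$")


def parse_fields(fields: str) -> dict:
    """Split 'key=value key=value' into a dict."""
    return dict(kv.split("=", 1) for kv in fields.split() if "=" in kv)


def scan_logs(lines):
    """Return (timestamp, internal host, matched indicator) for every IOC hit."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        f = parse_fields(m.group("fields"))
        if m.group("kind") == "dns":
            query = f.get("query", "")
            if domain_matches(query):
                hits.append((m.group("ts"), f.get("client"), query.rstrip(".")))
        elif m.group("kind") == "conn":
            try:
                dst = ipaddress.ip_address(f.get("dst", ""))
            except ValueError:
                continue  # malformed or missing destination address
            if dst in WATCH_IPS:
                hits.append((m.group("ts"), f.get("src"), str(dst)))
    return hits


if __name__ == "__main__":
    for ts, host, ioc in scan_logs(SAMPLE_LOGS):
        print(f"{ts} {host} -> {ioc}")
```

Running the script reports three hits from the sample lines: the subdomain lookup of badinigroup.com, the connection to 173.236.243.198, and the AAAA query for pulse-fzco.com. A hit on a domain lookup or a connection to one of these addresses is a trigger for investigation rather than proof of compromise, since the report notes the same hosts also served front-company websites.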


Read more: https://www.recordedfuture.com/research/intellexas-global-corporate-web