The report explains how AdTech mechanisms such as RTB and SDKs have evolved into advertisement-based intelligence (ADINT) tools for passive profiling, active geolocation, and offensive zero-click intrusion. It also documents commercial surveillance vendors and products including NSO Group, Pegasus, Intellexa, Predator, Rayzone, Patternz, Babel Street, Locate X, and Insanet as examples of this expanding ecosystem. #NSOGroup #Pegasus #Intellexa #Predator #Rayzone #Patternz #BabelStreet #LocateX #Insanet
Keypoints
- ADINT uses legitimate advertising infrastructure to collect, correlate, and operationalize user data for intelligence purposes.
- RTB broadcasts user data such as IP address, geolocation, device identifiers, and behavioral attributes to many third parties during ad auctions.
- Third-party SDKs can continuously harvest data from apps and inherit permissions such as location, microphone, camera, and contacts.
- Passive ADINT profiles groups and individuals by correlating MAIDs, location patterns, and ad taxonomy interests, including sensitive sectors.
- Active ADINT enables near real-time tracking of known targets using MAIDs and geofenced locations through products like Locate X and SDK-based collection.
- Offensive ADINT weaponizes ad delivery to silently deploy spyware, with examples including Intellexa’s Aladdin and Insanet’s Sherlock.
- The report shows ADINT’s growth across US, Israeli, Asian, and African markets, alongside legal and export-control pressures.
MITRE Techniques
- [T1210 ] Exploitation of Remote Services – Used to remotely compromise targets through messaging-app and advertising delivery vectors, including zero-click intrusion and spyware deployment (‘used as a zero-click intrusion vector to install the spyware Pegasus’; ‘weaponises the ad delivery process itself to achieve zero-click device infection’).
- [T1221 ] Template Injection – Abused in the sense of inserting malicious content into legitimate ad delivery streams to trigger infection (‘leverages RTB processes to deliver a malicious ad to a target’).
- [T1105 ] Ingress Tool Transfer – Malicious payloads were delivered through ad infrastructure to install spyware on target devices (‘deliver malicious payloads to targeted devices’; ‘deploy spyware’).
- [T1071.001 ] Web Protocols – The attack chain relies on web-based advertising protocols and ad exchanges to move data and content (‘Real-Time Bidding (RTB) is a programmatic advertising mechanism’; ‘using AdTech mechanisms for intelligence purposes’).
- [T1016 ] System Network Configuration Discovery – Devices and profiles are characterized using IP address, geolocation, and device identifiers for tracking (‘transmitting user-level data, including IP address, geolocation, and device identifiers’).
- [T1636 ] Steal Application Access Token – SDK-based and adtech collection leveraged application-granted permissions to expand data access (‘inherits those permissions by extension’; ‘access their geolocation, contact list, microphone, or camera’).
Indicators of Compromise
- [Malware / spyware names] offensive ADINT and commercial spyware referenced in the report – Pegasus, Predator, DevilsTongue, and other 1 item
- [Product / platform names] adtech surveillance and tracking platforms – Locate X, AdHoc, and other 3 items
- [Company / actor names] vendors and data brokers tied to ADINT activity – NSO Group, Intellexa, and other 6 items
- [Geographic / location references] regions and places used in targeting or market expansion context – Aleppo, Hong Kong, and other 5 items
- [Protocol / technology names] collection infrastructure referenced for surveillance operations – RTB, SDK, and other 2 items
- [Legal / regulatory references] enforcement and legal actions tied to collection practices – FTC, GDPR, and other 4 items