1 malware family

Cytrox

Also known asCytrox

Cytrox is a surveillance group/vendor associated with the Predator spyware. MISP Galaxy added Cytrox as a new surveillance group. The provided content identifies Predator as Cytrox's spyware and describes it as sophisticated commercial spyware used to monitor politicians, journalists, activists, and other targets globally, including in the US and UK. Google researchers detailed an exploit chain used to install Predator surreptitiously on a device, and the content states that Predator can be used in zero-click attacks. The broader reporting in the provided content links spyware such as Predator to targeting of dissidents, journalists, activists, business leaders, government officials, and IT workers, and notes that such tools can provide access to encrypted messaging apps, keystrokes, screenshots, notifications, banking apps, emails, texts, credentials, and cloud logins. No additional aliases or sub-groups for Cytrox are directly provided beyond the name Cytrox.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

27 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics34 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

1 technique

T1587

Develop Capabilities

T1587.001

Malware

TA0001

Initial Access

4 techniques

T1078

Valid Accounts

T1189×2

Drive-by Compromise

T1190×5

Exploit Public-Facing Application

T1566

Phishing

T1566.002

Spearphishing Link

TA0002

Execution

2 techniques

T1203×3

Exploitation for Client Execution

T1574

Hijack Execution Flow

T1574.006

Dynamic Linker Hijacking

TA0003

Persistence

2 techniques

T1078

Valid Accounts

T1546

Event Triggered Execution

TA0004

Privilege Escalation

5 techniques

T1055×2

Process Injection

T1068×2

Exploitation for Privilege Escalation

T1078

Valid Accounts

T1546

Event Triggered Execution

T1548

Abuse Elevation Control Mechanism

TA0005

Stealth

7 techniques

T1055×2

Process Injection

T1070

Indicator Removal

T1078

Valid Accounts

T1211

Exploitation for Stealth

T1564

Hide Artifacts

T1574

Hijack Execution Flow

T1574.006

Dynamic Linker Hijacking

T1620

Reflective Code Loading

TA0006

Credential Access

1 technique

T1649

Steal or Forge Authentication Certificates

TA0007

Discovery

2 techniques

T1082

System Information Discovery

T1083

File and Directory Discovery

TA0009

Collection

3 techniques

T1005×2

Data from Local System

T1123×3

Audio Capture

T1125

Video Capture

TA0011

Command and Control

2 techniques

T1071

Application Layer Protocol

T1105

Ingress Tool Transfer

TA0010

Exfiltration

1 technique

T1041

Exfiltration Over C2 Channel

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

PredatorGoogle researchers say is the exact technique used by North Macedonian spyware developer Cytrox to install its Predator spyware. Citizen Lab previously released a report highlighting widespread government use of the Predator spyware.3May 26, 2026

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

wired com securityNews

Jan 3, 2026

How to Protect Your iPhone or Android Device From Spyware

Cytrox is known for developing Predator spyware, which is deployed via sophisticated exploit chains to compromise mobile devices. Predator has been used in targeted surveillance campaigns, often attributed to nation-state customers, against high-profile individuals.

Nov 8, 2025

Who's watching the watchers? This Mozilla fellow, and her Surveillance Watch map

Cytrox is known for developing Predator spyware, used to monitor politicians, journalists, and activists globally.

misp projectNews

Feb 4, 2022

MISP 2.4.153 released with improvements and bugs fixes

Named as a newly added surveillance group in MISP Galaxy.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping27

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.