Rayzone Group is an Israel-based commercial surveillance company. Investigative reporting linked the company to leasing telecom signaling access from operators in Jersey, Guernsey, and other networks worldwide. In related reporting on telecom surveillance activity, Citizen Lab identified two distinct surveillance threat actors, STA1 and STA2, conducting long-term espionage operations by exploiting weaknesses in the global telecommunications signaling ecosystem, including SS7 and Diameter. STA1 conducted a multi-stage location-tracking campaign in November 2024 against a high-profile Middle East subscriber, using sendRoutingInfoForSM, provideSubscriberInfo, anyTimeInterrogation, and Diameter Insert-Subscriber-Data-Request messages, while rotating operator identities across multiple countries and manipulating Diameter Origin-Host, Origin-Realm, and Route-Record fields to evade defenses and influence routing. Historical telemetry linked to STA1 showed more than 500 location-tracking attempts dating back to at least November 2022. STA2, observed in February 2025, combined SS7 probing, a SIMjacker-style zero-click binary SMS exploit using the S@T Browser, and Diameter Authentication-Information-Request and Insert-Subscriber-Data-Request messages to attempt covert location tracking via the SIM card. Historical telemetry attributed more than 15,700 location-tracking attempts to STA2 dating back to October 2022. Citizen Lab assessed that the activity was consistent with centralized, multi-tenant commercial telecom surveillance platforms supporting government intelligence activities, but did not directly attribute the campaigns to a specific government or organization. The provided content directly names Rayzone Group in connection with leased telecom signaling access, but does not directly attribute STA1 or STA2 to Rayzone. Known alias in the provided content: rayzone.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Attributed origin per open-source reporting.
2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.