Circles is a commercial telecom surveillance vendor referenced alongside Cognyte, Rayzone, and Defentek in a February 2024 letter from U.S. Senator Ron Wyden calling for sanctions against multiple telecom surveillance vendors capable of location tracking and interception. The provided content links Circles to the broader ecosystem of commercial mobile surveillance enabled through abuse of the global telecommunications signalling system. Citizen Lab described two surveillance threat actors, STA1 and STA2, conducting long-term espionage operations via SS7 and Diameter signalling abuse, including multi-stage location tracking, operator identity rotation across multiple countries, routing-path manipulation to evade signalling firewalls, and in STA2’s case a SIMjacker-style zero-click binary SMS exploit using the S@T Browser to turn a device into a covert location beacon. Citizen Lab assessed this activity as consistent with centralized, multi-tenant commercial telecom surveillance platforms supporting government intelligence customers, but did not directly attribute the campaigns to Circles or any specific government or organization. No additional high-confidence aliases or sub-groups for Circles are provided in the content.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.