Predator
Predator is a commercial mobile spyware platform developed by Cytrox (named in the cited material as Cytrox Holdings ZRT) and later associated with the Intellexa consortium, whose Cytrox/Intellexa entities are placed in North Macedonia, Hungary, Greece, Ireland and related jurisdictions. Reporting repeatedly describes it as nation-state-grade spyware comparable to Pegasus and as part of a broader mercenary surveillance ecosystem. Citizen Lab, Meta, Google TAG, Cisco Talos, Amnesty International and multiple media investigations are cited in connection with Predator.
Predator targets both Android and iPhone devices, and the sources state it has been used against fully updated iPhones. Cisco Talos describes the Android suite as at least two components, ALIEN and PREDATOR, with likely additional components named tcore and kmem. Talos stresses that ALIEN is not merely a loader: it establishes the low-level capabilities PREDATOR relies on, and the suite is modular, so new Python-based modules can be delivered to an infected device without re-exploiting it.
Reported infection vectors are one-time malicious links sent by SMS, WhatsApp and public posts on X; spoofed messages impersonating legitimate services; and exploit chains against browser and kernel vulnerabilities. Citizen Lab reported a malicious link delivered over WhatsApp to an iOS 14.6 device in July 2021. Google researchers tied a PAC bypass technique to Cytrox's Predator deployments and noted that baseband 0-days have been used to deploy Predator on smartphones. In Greece, a spoofed SMS containing the target's correct COVID-19 vaccination appointment details carried the Predator link. Some reporting describes Predator as requiring user interaction (opening the link), in contrast to Pegasus, while other sources describe exploit-based deployment that does not.
Across the sources the capability set amounts to full device compromise: reading messages, calls, photos, passwords and private messages; real-time location; interception of communications; exfiltration of stored files and app data; and activation of the microphone and camera, turning the phone into a surveillance device. For Android, Cisco Talos adds arbitrary code execution; recording of microphone, earpiece (call) and VoIP audio; collection from Signal, WhatsApp, Telegram, Chrome, contacts, call logs, SMS, media and Wi-Fi configuration files; installation of attacker-controlled certificates into the user CA store for TLS interception; hiding applications; and preventing selected apps from running after reboot. The certificate trick is user-level: since Android 7, only apps that opt in through their network security configuration trust user-added CAs (Chrome does), so it yields interception of that traffic rather than blanket TLS decryption. Citizen Lab reported that on iPhone, Predator could persist across reboot by abusing Apple Shortcuts automations.
The sources link Predator to widespread government use and abuse. Reported or alleged targets include journalists, opposition politicians, business leaders, civil-society members, policy experts, U.S. officials and senior government figures. Countries and contexts named include Egypt, Greece, Serbia, Armenia, Indonesia, Madagascar, Oman, Saudi Arabia, Vietnam, the Philippines, Germany, Switzerland, Qatar and Congo, plus attempted targeting of U.S. lawmakers and journalists by operators Amnesty assessed may be linked to Vietnamese authorities. Several reports centre on the Greek Predator scandal, including the targeting of Thanasis Koukakis, Nikos Androulakis, Artemis Seaford and other politicians, journalists and public figures. Citizen Lab also reported infections or targeting of Egyptian exiles and of Ahmed Eltantawy.
The malware is firmly tied to the commercial spyware vendors Cytrox and Intellexa. Meta identified Cytrox as a surveillance-for-hire company using infrastructure that included domains mimicking legitimate news sites to target iPhone and Android users. U.S. Treasury sanctions cited in the sources state that Intellexa's Predator spyware was used to surveil U.S. officials, journalists and policy experts; the sanctions named Intellexa consortium entities and executives including Tal Dilian and Sara Hamou, and later designations covered other Intellexa-linked individuals and Aliada Group.
Indicators and artifacts named directly in the sources are the Android paths /data/local/tmp/wd/pred.so and /data/local/tmp/wd/fs.db (fs.db being an encrypted SQLite3 file) and certificate installation into /data/misc/user/0/cacerts-added. Talos also describes execution inside the zygote64, system_server, installd and audioserver processes, binder hooking, and ptrace/mmap-based code injection. Separately, Lockdown Mode on Apple devices reportedly blocked Pegasus and Predator attacks; Apple and independent researchers said they had not observed successful compromises of devices with Lockdown Mode enabled.
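The host artifacts above can be checked directly on a filesystem pulled from a device. The Python below is an added example, not code from the cited reports or from Cytrox/Intellexa: it takes the directory an Android image was extracted to, reports the Talos-named paths, checks whether fs.db carries the plaintext SQLite header (an encrypted database will not), and lists user-installed CA certificates under cacerts-added. The sample tree is built in a temporary folder from constructed placeholder bytes, not real samples; the file contents, sizes and the certificate file name are assumptions.

```python
"""Triage a pulled Android filesystem for the Predator artifacts named by Cisco Talos."""
import tempfile
from pathlib import Path

# Paths reported by Talos, relative to the device root.
PRED_SO = "data/local/tmp/wd/pred.so"
FS_DB = "data/local/tmp/wd/fs.db"
CACERTS_ADDED = "data/misc/user/0/cacerts-added"

# First 16 bytes of every plaintext SQLite 3 database file.
SQLITE_MAGIC = b"SQLite format 3\x00"


def triage_android_root(root):
    """Return a dict of findings for the tree under `root`; {} means none of the
    artifacts are present. `root` is the directory a device image was extracted to."""
    root = Path(root)
    findings = {}

    so = root / PRED_SO
    if so.is_file():
        findings["pred.so"] = {"path": str(so), "size": so.stat().st_size}

    db = root / FS_DB
    if db.is_file():
        header = db.read_bytes()[:16]
        # Talos describes fs.db as an encrypted SQLite file, so a missing magic
        # header is consistent with the implant rather than with a normal database.
        findings["fs.db"] = {"path": str(db), "plaintext_sqlite": header == SQLITE_MAGIC}

    ca_dir = root / CACERTS_ADDED
    if ca_dir.is_dir():
        # Android stores user-added CAs here as <subject-hash>.<n>; any entry on a
        # device whose owner never installed a certificate deserves a look.
        certs = sorted(p.name for p in ca_dir.iterdir() if p.is_file())
        if certs:
            findings["user_ca_certs"] = certs

    return findings


def build_sample_tree():
    """Create a constructed tree with the artifact layout (placeholder bytes,
    not real samples) so the triage can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="predator-triage-"))
    (root / PRED_SO).parent.mkdir(parents=True)
    (root / PRED_SO).write_bytes(b"\x7fELF" + bytes(60))      # placeholder: ELF magic only
    (root / FS_DB).write_bytes(bytes(range(64)))               # no SQLite header: "encrypted"
    (root / CACERTS_ADDED).mkdir(parents=True)
    # Hypothetical subject-hash file name; the content is a placeholder, not a real cert.
    (root / CACERTS_ADDED / "0a1b2c3d.0").write_bytes(b"-----BEGIN CERTIFICATE-----\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for key, value in triage_android_root(sample).items():
        print(f"{key}: {value}")
```

On a live device the same three checks map to `adb shell ls -l` on the paths with a root shell. Absence of the artifacts is not evidence of a clean device: the cited Talos analysis notes the loader wipes fs.db when tcore fails to load, and later builds need not keep the same paths.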
Vulnerabilities exploited
Mallory has correlated 6 CVEs with this family across public research and vendor advisories. The evidence excerpts below, from Cisco Talos, name five of them: four Google Chrome vulnerabilities (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003) and one Linux kernel vulnerability affecting Android (CVE-2021-1048).
The report describes how adversaries exploited five different zero-day vulnerabilities to deliver ALIEN... The vulnerabilities, which were discovered in 2021, are CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003 — all of which affect Google Chrome, and CVE-2021-1048 in Linux and Android.
We assess that QUAILEGGS likely exploits the aforementioned zero-day vulnerability CVE-2021-1048. Based on Google’s root cause analysis, this vulnerability allows code injection into privileged processes... According to the Linux kernel development git logs, the vulnerability was public since August 2020 and patched in September. However, some Google Pixel phones remained vulnerable until March 2021 and Samsung devices until at least October 2021.
Our research specifically looks at two components of this mobile spyware suite known as “ALIEN” and “PREDATOR,” which compose the backbone of the spyware implant.
"Intellexa’s Predator spyware can suppress Apple’s built-in camera and microphone indicators on compromised devices."
Groups observed using it
3 distinct threat actors attributed by public researchers.
… Google researchers say is the exact technique used by North Macedonian spyware developer Cytrox to install its Predator spyware. Citizen Lab previously released a report highlighting widespread government use of the Predator spyware.
… Intellexa’s phone spyware, dubbed Predator, to authoritarian governments. Predator can be used to hack into fully patched phones nearly invisibly, allowing the organization that deployed the spyware to obtain complete access to the target’s device, including their private messages and real-time location.
The development comes a little over a month after a Greek court sentenced Tal Dilian, the founder of the Intellexa Consortium, and three associates ... for their role in the illegal use of the vendor's Predator spyware to target politicians, business leaders, and journalists in the country.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
The details for the vaccination appointment in the infected text message were correct, indicating that someone had reviewed the authentic earlier confirmation and drafted the infected message accordingly.
Resource Development (1 technique)
there had been an attempt to infect his phone with Predator, a piece of surveillance software developed by Cytrox, now part of Greek company Intellexa.
Initial Access (4 techniques)
If a target clicked on the malicious web links, they would have been directed to a landing page “identical to the one TAG examined in the Heliconia framework developed by commercial spyware vendor Variston.”
The hackers used a set of vulnerabilities chained together and delivered via one-time web links sent to the targets by text message.
A 2023 investigation by news outlets working with the European Investigative Collaborations group found that Vietnamese officials tried to hack U.S. politicians and journalists using Predator spyware.
Citizen Lab said Nour was sent a malicious link over WhatsApp. When opened, the spyware can access a phone’s cameras and microphone and can exfiltrate the phone’s data.
Execution (3 techniques)
From a technical perspective, such spyware campaigns often rely on zero-click exploits, baseband vulnerabilities, or malicious configuration profiles to gain persistent access to mobile systems.
Persistence (1 technique)
Privilege Escalation (4 techniques)
For example, the implant can inject code that was read earlier from “/system/fonts/NotoColorEmoji.ttf” into the system_server process memory for execution... The overall injection process is achieved using ptrace() and mmap() to inject the code into the target process.
For privilege escalation, the spyware is configured to use a method called QUAILEGGS, or, if QUAILEGGS is not present, it will use a different method called “kmem.” ... We assess that QUAILEGGS likely exploits the aforementioned zero-day vulnerability CVE-2021-1048.
Citizen Lab said the spyware can survive a reboot of an iPhone — typically clearing any spyware lurking in its memory — by creating an automation using the Shortcuts feature built into iOS.
Each of these call chains sets up a process structure used to intercept specific ioctl commands, where the spyware uses the functionality of that process to abuse the SELinux context to grant different functionality to the other processes.
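The injection described above (code from a font file mapped into system_server with ptrace() and mmap()) leaves memory regions that do not look like normally loaded code. As an added example, not from the Talos report, the Python below parses /proc/<pid>/maps text and flags executable regions that are anonymous, writable, or backed by a file that is not a library or binary. The sample maps excerpt is constructed; the allowlist of known-good regions (the ART JIT cache, vdso) and of code-file locations is an assumption to tune against a clean image of the same device.

```python
"""Flag executable regions in /proc/<pid>/maps that do not look like loaded code."""
import re

# Kernel maps format: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Assumed allowlist: where legitimately executable code lives on an Android device.
CODE_SUFFIXES = (".so", ".oat", ".odex")
CODE_PREFIXES = ("/system/bin/", "/system/xbin/", "/vendor/bin/", "/apex/", "/memfd:jit-cache")
KNOWN_GOOD_ANON = ("[anon:dalvik-jit-code-cache]", "[vdso]", "[vsyscall]")


def parse_maps(text):
    """Parse maps text into a list of region dicts; raises on a malformed line."""
    regions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        r = m.groupdict()
        r["inode"] = int(r["inode"])
        r["size"] = int(r["end"], 16) - int(r["start"], 16)
        regions.append(r)
    return regions


def suspicious_exec_regions(text):
    """Return (reason, region) pairs for executable regions worth inspecting."""
    hits = []
    for r in parse_maps(text):
        perms, path = r["perms"], r["path"]
        if "x" not in perms or path in KNOWN_GOOD_ANON:
            continue
        if "w" in perms:
            reason = "writable+executable"          # self-modifying or staged shellcode
        elif r["inode"] == 0:
            # Code the kernel never loaded from a file: what mmap(PROT_EXEC) by an
            # injector leaves behind (the named ART JIT cache is excluded above).
            reason = "anonymous executable"
        elif path.endswith(CODE_SUFFIXES) or path.startswith(CODE_PREFIXES):
            continue
        else:
            # A data file such as a font mapped executable is a strong signal.
            reason = "executable mapping of non-code file"
        hits.append((reason, r))
    return hits


# Constructed maps excerpt (not captured from a real device).
SAMPLE_MAPS = """\
7b3e1f5000-7b3e1f6000 r--p 00000000 fd:02 3021   /system/lib64/libbinder.so
7b3e1f6000-7b3e21a000 r-xp 00001000 fd:02 3021   /system/lib64/libbinder.so
7b3e4a0000-7b3e4a3000 rw-p 00000000 00:00 0      [anon:.bss]
7b3e500000-7b3e520000 r-xp 00000000 00:00 0      [anon:dalvik-jit-code-cache]
7b3e600000-7b3e604000 r-xp 00000000 00:00 0
7b3e700000-7b3e701000 rwxp 00000000 00:00 0
7b3e800000-7b3e9a0000 r-xp 00000000 fd:02 4410   /system/fonts/NotoColorEmoji.ttf
7ffc2f000000-7ffc2f021000 rw-p 00000000 00:00 0  [stack]
"""

if __name__ == "__main__":
    for reason, r in suspicious_exec_regions(SAMPLE_MAPS):
        print(f"{reason}: {r['start']}-{r['end']} {r['perms']} {r['path'] or '<anonymous>'}")
```

Run it against `adb shell cat /proc/$(pidof system_server)/maps` from a root shell; treat any hit as a lead to dump and disassemble, not as proof, since vendor builds add their own named anonymous regions.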
Stealth (7 techniques)
Most of the posts on X ... 'often included links that mimicked news sites.'
For example, the implant can inject code that was read earlier from “/system/fonts/NotoColorEmoji.ttf” into the system_server process memory for execution... The overall injection process is achieved using ptrace() and mmap() to inject the code into the target process.
If tcore fails to load, the loader deletes the downloaded encrypted SQLite3 file. It first tries to delete the file, and if that fails, attempts to open the file for write operations and write zero bytes to it to wipe it clean.
The DEX file thus uses these hooks for two key purposes: Hiding Applications/packages : The plugin in the DEX can hook and filter out a specific package/application name from the list of installed packages and applications.
From a technical perspective, such spyware campaigns often rely on zero-click exploits, baseband vulnerabilities, or malicious configuration profiles to gain persistent access to mobile systems.
Hooking the ioctl() API in the libbinder.so using an open-source library called xHook is one of the means it uses to communicate with PREDATOR... ALIEN attempts to hook the following APIs in the audio libraries being used by a process.
During the initialization, it starts the download and calls its main_exec() function by importing it using dlsym(), thus initializing the main component of the spyware.
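The package-hiding hook above filters what PackageManager returns; it does not remove the install directory under /data/app. As an added example, not from the Talos report, the Python below diffs the two views, assuming the analyst has captured `pm list packages` output and the names of the install directories (via a root shell or from a pulled image). The sample inputs are constructed and the random install-directory suffixes are placeholders.

```python
"""Cross-check the PackageManager view against /data/app for hidden packages."""


def parse_pm_packages(pm_output):
    """Names from `pm list packages` output, one 'package:<name>' per line."""
    names = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.add(line[len("package:"):])
    return names


def packages_on_disk(install_dir_names):
    """Package names from /data/app install directories named '<pkg>-<random>=='.
    Package names cannot contain '-', so the first '-' ends the name. On Android 11+
    these sit under a '~~<random>==/' parent; the caller is assumed to have collected
    the inner names, and any '~~' parent that slips through is ignored."""
    return {n.split("-", 1)[0] for n in install_dir_names if not n.startswith("~~")}


def hidden_packages(pm_output, install_dir_names):
    """Packages with an install directory on disk that PackageManager does not report.
    A hooked package list changes only the first view, so the difference is the lead."""
    return sorted(packages_on_disk(install_dir_names) - parse_pm_packages(pm_output))


# Constructed sample: one install directory with no matching pm entry.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:org.thoughtcrime.securesms
package:com.example.notes
"""
SAMPLE_INSTALL_DIRS = [
    "com.android.chrome-Qx3k9dLm2wZ8a1b2c3d4eQ==",
    "org.thoughtcrime.securesms-7Hf2nP9sKq1m3n4o5p6q7A==",
    "com.example.notes-Zz0y1x2w3v4u5t6s7r8q9p==",
    "com.example.hidden-Ab1cD2eF3gH4iJ5kL6mN7o==",   # hypothetical hidden package
]

if __name__ == "__main__":
    print(hidden_packages(SAMPLE_PM_OUTPUT, SAMPLE_INSTALL_DIRS))
```

Collect the disk listing without going through the hooked process: `ls` over adb as root reads the filesystem directly, whereas anything that asks PackageManager (including `pm path`) can be filtered by the same hook.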
Credential Access (3 techniques)
Once deployed, the spyware can access encrypted messaging apps, capture keystrokes, activate microphones and cameras, and exfiltrate stored files.
The Predator malware has the ability to access every message, call, photo, and password on a mobile phone, as well as the ability to open the phone’s camera and microphone – turning any device into a mobile surveillance bug.
From a technical perspective, such spyware campaigns often rely on zero-click exploits, baseband vulnerabilities, or malicious configuration profiles to gain persistent access to mobile systems.
Discovery (1 technique)
The spyware uses a variety of sources to gather information about the system. It will enumerate various directories on the file system and read multiple files to extract as much statically available data from the infected device.
Collection (5 techniques)
Once deployed, the spyware can access encrypted messaging apps, capture keystrokes, activate microphones and cameras, and exfiltrate stored files.
The operation involved the implantation and activation of malicious software capable of extracting sensitive data, intercepting communications, and conducting unauthorized audio and video recordings.
Command and Control (1 technique)
The ALIEN component configuration contains the URL to download the PREDATOR component... If needed, it will download the PREDATOR component from a hosting site defined in the configuration.
Exfiltration (1 technique)
The agency stated that the campaign was orchestrated by unidentified foreign intelligence services and aimed at covert surveillance and data exfiltration.
IOCs tracked for this family
742 indicators attributed across vendor reports, sandbox runs, and researcher write-ups; the indicator values themselves are not reproduced on this page. The host artifacts named in public reporting (pred.so, fs.db and the cacerts-added directory) appear in the summary above.
Recent activity
100 sources tracked across advisories, community write-ups, and news; the entries below summarise individual sources.
Advanced mobile spyware used in targeted surveillance operations and known for stealth and modular architecture, enabling covert monitoring and data exfiltration from mobile devices.
Commercial mobile spyware referenced as active against journalists and senior officials.
Spyware used to target mobile devices, with capabilities implied in the report context to support surveillance and data exfiltration.
Spyware from the Intellexa Consortium used illegally to surveil politicians, business leaders, and journalists in Greece.