Reign

Reign is mercenary spyware developed by the Israeli spyware vendor QuaDream (also written Quadream). It is targeted spyware used against Apple iOS devices and is named alongside Pegasus and Predator as a notable mobile spyware threat. Reign is linked to QuaDream's reseller InReach Technologies Limited, reportedly established in 2017 to market QuaDream products such as Reign outside Israel and to bypass EU dual-use export restrictions. High-confidence details are limited: Reign is associated with QuaDream, is used in targeted intrusions against iOS devices, and is sufficiently established to be covered by forensic detection efforts such as the iShutdown method for identifying signs of spyware on Apple devices. No specific indicators of compromise, exploit chain details, or victim sectors are available here beyond its classification as targeted iOS spyware.


MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1189 Drive-by Compromise (evidence: 1)

These products, often referred to as spyware, range from software and tools that enable remote access to a computer system without the consent of the user, administrator, or owner of the computer system.

Execution

2 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

With system access, intermediaries are able to collect, exploit, extract, intercept, retrieve, alter, delete, or transmit content.

T1203 Exploitation for Client Execution (evidence: 1)

Intermediaries are fundamentally different from other entities that operate within the marketplace for OCC. Intermediaries are largely found as partners within the OCC supply chain, complementing product development through vulnerability research to complete exploit chains or as auxiliary support during technology deployment.

Collection

1 technique
T1213 Data from Information Repositories (evidence: 1)

With system access, intermediaries are able to collect, exploit, extract, intercept, retrieve, alter, delete, or transmit content.

Command and Control

1 technique
T1219 Remote Access Tools (evidence: 1)

These products, often referred to as spyware, range from software and tools that enable remote access to a computer system without the consent of the user, administrator, or owner of the computer system.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

With system access, intermediaries are able to collect, exploit, extract, intercept, retrieve, alter, delete, or transmit content.
