
Predator Spyware Resurfaces: New Infrastructure and Activity Detected in Mozambique

TL;DR

Predator spyware has resurfaced with new infrastructure and activity detected in Mozambique despite U.S. sanctions. The spyware continues to evolve, posing significant risks to global cybersecurity.

New Predator Spyware Infrastructure Revealed with Activity in Mozambique

Insikt Group has uncovered a resurgence in Predator spyware activity, showing that the tool remains in use despite U.S. sanctions imposed since July 2023. The analysis reveals renewed infrastructure linked to the commercial spyware vendor and a newly identified customer in Mozambique. The finding underscores the persistent use of such surveillance tools, particularly in Africa, where over half of Predator’s known customers are located. Connections to a Czech entity further suggest that the Intellexa Consortium remains active behind the scenes.

U.S. Sanctions and Ongoing Threats

In March 2024, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced actions against two individuals and five entities associated with the Intellexa Consortium. These entities were involved in the development and distribution of Predator spyware, which was used to target Americans, including government officials, journalists, and policy experts. The Treasury Department warned that the proliferation of commercial spyware poses growing risks to the United States, as it has been misused by foreign actors to target dissidents and journalists worldwide.

The Intellexa Consortium and Predator Spyware

Established in 2019, the Intellexa Consortium acts as a marketing umbrella for several offensive cyber companies that sell commercial spyware and surveillance tools for targeted and mass surveillance. Predator spyware, known for its extensive data-theft and surveillance capabilities, compromises victims’ devices through both one-click (malicious link) and zero-click attacks.

Evolution of Predator Spyware Infrastructure

Insikt Group’s recent findings reveal new Predator infrastructure, including evasive updates and additional high-tier components. It features domains likely used for payload delivery and exploitation. Whereas earlier domains mimicked legitimate sites, recent ones use random English or Portuguese words, some hinting at intended target regions such as the Badinan area of Iraqi Kurdistan. The domains are registered through PublicDomainRegistry and hosted across a wider range of networks than before, which complicates detection and clustering.

The infrastructure has grown into a more complex five-tier design. The first four tiers route traffic through successive layers to hide the spyware’s origin, with Tier 4 typically pointing to in-country IPs attributable to customers. Tier 5, whose exact role remains unclear, is linked to a Czech company, FoxITech s.r.o., itself tied to the Intellexa Consortium.

Deception Tactics and Adaptations

Predator operators now front their infrastructure with fake websites, generic 404 pages, login screens, or mock event sites, so that casual visitors and scanners see nothing suspicious. These adaptations show that Predator remains a persistent and adaptable threat.
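The naming, registration, hosting and decoy-page traits described in this and the preceding section can be turned into a simple triage heuristic for candidate infrastructure. The Python below is an added example, not Recorded Future's or Insikt Group's tooling; the domain records, ASNs, word lists and decoy regexes are constructed for illustration and carry no real indicators, and a real implementation would swap in full dictionaries and a proper content classifier.

```python
"""Triage heuristic for Predator-style infrastructure candidates.

Added example; not Recorded Future's tooling and not derived from any real
indicator in the report. It scores constructed domain records against the
traits the report describes: dictionary-word names (English or Portuguese)
rather than brand look-alikes, registration via PublicDomainRegistry, decoy
content (generic 404, login form, mock event page), and hosting spread
across many networks. Word lists are a tiny stand-in for real dictionaries.
"""
from dataclasses import dataclass, field
import re

# Constructed word lists; real tooling would load full dictionaries.
ENGLISH = {"river", "market", "stone", "cloud", "daily", "notes", "travel", "garden"}
PORTUGUESE = {"rio", "mercado", "pedra", "nuvem", "noticias", "vida", "viagem", "jardim"}
DICTIONARY = ENGLISH | PORTUGUESE

# Decoy page fingerprints for the deception tactics the report lists (assumed regexes).
DECOY_PATTERNS = {
    "generic 404 page": re.compile(r"<title>\s*404", re.I),
    "login screen": re.compile(r'<input[^>]+type="password"', re.I),
    "mock event site": re.compile(r"register now|keynote|agenda", re.I),
}


@dataclass
class DomainRecord:
    domain: str      # registered domain
    registrar: str   # registrar name as it appears in WHOIS/RDAP
    asn: str         # hosting network of the current A record
    body: str        # HTTP response body fetched from the root path


@dataclass
class Verdict:
    domain: str
    score: int = 0
    reasons: list = field(default_factory=list)


def segment(label: str):
    """Split a bare label into dictionary words covering it exactly, or None.
    Dynamic programming over prefixes; e.g. 'rivermarket' -> ['river', 'market']."""
    label = re.sub(r"[^a-z]", "", label.lower())
    best = [None] * (len(label) + 1)
    best[0] = []
    for end in range(1, len(label) + 1):
        for start in range(end):
            if best[start] is not None and label[start:end] in DICTIONARY:
                best[end] = best[start] + [label[start:end]]
                break
    return best[len(label)] if label else None


def score_record(rec: DomainRecord) -> Verdict:
    """Score one record; each reason is a trait from the report, not proof of Predator."""
    v = Verdict(rec.domain)
    words = segment(rec.domain.split(".")[0])
    if words:
        v.score += 2
        v.reasons.append("dictionary-word name: " + "+".join(words))
    if rec.registrar == "PublicDomainRegistry":
        v.score += 1
        v.reasons.append("registrar matches reported pattern")
    for name, pattern in DECOY_PATTERNS.items():
        if pattern.search(rec.body):
            v.score += 2
            v.reasons.append("decoy content: " + name)
            break  # one decoy type per page is enough
    return v


def triage(records, threshold=3):
    """Return verdicts at or above threshold, highest score first."""
    verdicts = [score_record(r) for r in records]
    hits = [v for v in verdicts if v.score >= threshold]
    return sorted(hits, key=lambda v: (-v.score, v.domain))


def network_spread(records, verdicts):
    """Distinct hosting networks among flagged domains; a high count on a small
    cluster matches the 'wider range of networks' trait."""
    flagged = {v.domain for v in verdicts}
    return len({r.asn for r in records if r.domain in flagged})


# Constructed sample records; none of these are real indicators.
SAMPLE_RECORDS = [
    DomainRecord("rivermarket.com", "PublicDomainRegistry", "AS64500",
                 "<html><head><title>404 Not Found</title></head></html>"),
    DomainRecord("noticiasvida.net", "PublicDomainRegistry", "AS64501",
                 '<form><input type="text"><input type="password"></form>'),
    DomainRecord("secure-paypa1-login.com", "OtherRegistrar", "AS64502",
                 '<form><input type="password"></form>'),  # brand look-alike, older tradecraft
    DomainRecord("exampleshop.org", "OtherRegistrar", "AS64500",
                 "<html><title>Welcome</title></html>"),
]

if __name__ == "__main__":
    hits = triage(SAMPLE_RECORDS)
    for v in hits:
        print(v.domain, v.score, "; ".join(v.reasons))
    print("distinct hosting networks among hits:", network_spread(SAMPLE_RECORDS, hits))
```

The scoring is deliberately additive and low-stakes: a dictionary-word domain with a decoy 404 on a PublicDomainRegistry registration is a pivot worth a human look, not an attribution. Running it over the constructed set flags the two dictionary-word domains and leaves the brand look-alike below threshold, which is the distinction the report draws between older and newer tradecraft.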

Figure: Connections between Predator infrastructure and FoxITech s.r.o. (Source: Investigace.cz, Recorded Future)

Global Activity and Operational Costs

Since March 2024, Insikt Group has tracked Predator activity in more than a dozen countries. In some, activity ceased after public exposure, but Mozambique emerged as a new customer, with several linked domains and IPs tied to a still-active operator using fake news and lifestyle sites as decoys. Another short-lived cluster, likely associated with Eastern Europe, suggests testing or a reaction to the new sanctions.

Despite the continued activity, the reduced number of suspected operators compared to earlier reports suggests that public exposure, sanctions, and related measures have likely imposed operational costs on Intellexa. Moreover, while Predator operators historically maintained a consistent modus operandi, the latest findings reveal the adoption of new tactics to evade detection.

Conclusion

The resurgence of Predator spyware, despite widespread media attention and sanctions, highlights the persistent threat posed by commercial spyware. As the infrastructure evolves and new tactics are employed, it is crucial for cybersecurity professionals to remain vigilant and adapt their defense strategies accordingly.

This post is licensed under CC BY 4.0 by the author.