{"id":3731,"date":"2025-12-06T03:39:32","date_gmt":"2025-12-06T03:39:32","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/12\/06\/predator-spyware-maker-intellexa-evades-sanctions-new-victims-identified\/"},"modified":"2025-12-06T03:39:32","modified_gmt":"2025-12-06T03:39:32","slug":"predator-spyware-maker-intellexa-evades-sanctions-new-victims-identified","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/12\/06\/predator-spyware-maker-intellexa-evades-sanctions-new-victims-identified\/","title":{"rendered":"Predator Spyware Maker Intellexa Evades Sanctions, New Victims Identified"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-eb4759a5-fc9a-4366-9c40-3060446df7d2\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Spyware products from the surveillance consortium Intellexa are still thriving despite extensive US sanctions.<\/p>\n<p>This comes as a months-long investigation into a set of\u00a0highly sensitive\u00a0documents and other materials leaked from the company has been published by Inside Story, Haaretz and the WAV Research Collective, dubbed \u201cIntellexa\u00a0Leaks\u201d.<\/p>\n<p>Following publication of the investigation, three distinct but coordinated reports into the spyware consortium\u2019s activity have emerged detailing new attack vectors and victim lists.<\/p>\n<p>These include documents by Google Threat Intelligence Group (GTIG), Recorded Future\u2019s Insikt Group and Amnesty International\u2019s Security Lab, which also provided the technical team to the journalists working on Intellexa\u00a0Leaks, which revealed that the spyware maker continues to sell digital weapons to the highest bidders.<\/p>\n<p>Among the key findings, GTIG revealed that Intellexa has solidified its position as one of, if not the most, prolific spyware vendors exploiting zero-day vulnerabilities against mobile browsers.<\/p>\n<p>The spyware vendor, made up of several legal 
entities spanning Greece, Ireland, Hungary, North Macedonia and beyond, is behind at least 15 of the 70 zero-day exploits documented by GTIG and its predecessor, Google\u2019s Threat Analysis Group (TAG), since 2021.<\/p>\n<p>This is despite several waves of sanctions targeting Intellexa\u2019s businesses and individuals linked to the consortium, including sanctions by the US Treasury\u2019s Office of Foreign Assets Control (OFAC) in March and September 2024, targeting seven individuals in total.<\/p>\n<p>Additionally, Intellexa was fined by the Greek Data Protection Authority in 2023 for failing to comply with its investigations into the company.<\/p>\n<h2><strong>New \u2018Zero-Click\u2019 Attack Vectors Revealed<\/strong><\/h2>\n<p>The report from Amnesty\u2019s Security Lab also shed light on how Predator, Intellexa\u2019s flagship product, now sometimes marketed as Helios, Nova, Green Arrow or Red Arrow, infects target devices.<\/p>\n<p>Traditionally, Predator relied almost exclusively on \u2018one-click\u2019 attacks to infect a device, which require a malicious link to be opened on the target\u2019s phone. This is less intrusive than leveraging \u2018zero-click\u2019 attacks typical of other spyware made by competitors like NSO Group\u2019s Pegasus.<\/p>\n<p>However, the Amnesty report revealed that Intellexa has recently developed a new strategic infection vector, \u2018Aladdin,\u2019 which can enable silent zero-click infection of target devices anywhere in the world.<\/p>\n<p>The vector, which was first exposed by Haaretz and Inside Story, exploits the commercial mobile advertising ecosystem to carry out infections.<\/p>\n<p>Amnesty describes the attack chain as \u201ctechnically complex to implement\u201d but \u201cconceptually simple.\u201d<\/p>\n<p>\u201cThe Aladdin system infects the target\u2019s phone by forcing a malicious advertisement created by the attacker to be shown on the target\u2019s phone. 
This malicious ad could be served on any website which displays ads, such as a trusted news website or mobile app, and would appear like any other ad that the target is likely to see. Internal company materials explain that simply viewing the advertisement is enough to trigger the infection on the target\u2019s device, without any need to click on the advertisement itself,\u201d the Amnesty report reads.<\/p>\n<\/p><\/div>\n<figure id=\"layout-5cd2feb2-4607-4416-878d-4d7117598df6\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"1\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/localimages\/d93075ec-3443-4819-9bc2-7e6d06ff9e87.png\" alt=\"Screenshot of leaked document presenting \u2018Aladdin\u2019, a zero-click infection system via malicious ads based on public IP address. Source: Amnesty International\"><figcaption>Screenshot of leaked document presenting \u2018Aladdin\u2019, a zero-click infection system via malicious ads based on public IP address. 
Source: Amnesty International<\/figcaption><\/figure>\n<div id=\"layout-9a6bc7e0-bbe8-4448-99fa-22a45d3841c9\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"2\">\n<p>The Recorded Future report also revealed that two newly identified entities appearing to operate in the advertising sector may be connected to Aladdin.<\/p>\n<p>Amnesty\u2019s Security Lab shared the findings of leaked documents and footage showing Intellexa\u2019s deep visibility into live surveillance operations, indicating that the spyware maker retains direct access to live customer spyware systems.<\/p>\n<h2><strong>New Entities Linked to Intellexa Discovered<\/strong><\/h2>\n<p>Another key finding in Amnesty\u2019s report confirmed the previous attribution of suspected infection domains, which imitate legitimate Kazakhstani news websites, and infrastructure to\u00a0Predator.<\/p>\n<p>\u201cWhile no victims of Predator spyware targeting have been identified in Kazakhstan, previous investigations by the Security Lab have documented the unlawful hacking of at least four Kazakhstani youth activists with Pegasus spyware in 2021,\u201d the Amnesty report said.<\/p>\n<p>Based on infrastructure analysis, Recorded Future\u2019s Insikt Group assessed that Kazakhstan has, at least until August 2025, continued to use Predator spyware.<\/p>\n<p>The report also uncovered several newly identified Intellexa nexus entities, including some linked to the consortium\u2019s Czech cluster and one in the Philippines.<\/p>\n<\/p><\/div>\n<figure id=\"layout-1fb07aa4-4807-4646-af5e-56d9a2475d75\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"3\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/localimages\/429f2d1f-6739-4feb-936a-a429db73a2f8.png\" alt=\"Top: Locations of companies linked to Intellexa. Bottom: Countries where there is evidence of Predator deployments and operator activity. 
Source: Recorded Future, Amnesty International\"><figcaption>Top: Locations of companies linked to Intellexa. Bottom: Countries where there is evidence of Predator deployments and operator activity. Source: Recorded Future, Amnesty International<\/figcaption><\/figure>\n<div id=\"layout-535d092e-a544-46a1-8509-82fe8b0ba511\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"4\">\n<p>The Intellexa data examined during the investigations also showed potential new victims in Greece and Egypt and evidence that Egypt- and Saudi-based clients are still active.<\/p>\n<p>Over the past two years, Recorded Future\u2019s Insikt Group has identified suspected Predator operators in more than a dozen countries, including in Angola, Armenia, Botswana, the Democratic Republic of the Congo, Egypt, Greece, Indonesia, Kazakhstan, Mongolia, Mozambique, Oman, the Philippines, Saudi Arabia, Sudan, Trinidad and Tobago, and Vietnam.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Spyware products from the surveillance consortium Intellexa are still thriving despite extensive US sanctions. This comes as a months-long investigation into a set of\u00a0highly sensitive\u00a0documents and other materials leaked from the company has been published by Inside Story, Haaretz and the WAV Research Collective, dubbed \u201cIntellexa\u00a0Leaks\u201d. 
Following publication of the investigation, three distinct but coordinated<\/p>\n","protected":false},"author":2,"featured_media":3732,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3731","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3731-a7b45cf3-b433-4e51-a129-670000d89bb2.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3731-a7b45cf3-b433-4e51-a129-670000d89bb2-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3731-a7b45cf3-b433-4e51-a129-670000d89bb2.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3731-a7b45cf3-b433-4e51-a129-670000d89bb2.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3731-a7b45cf3-b433-4e51-a129-670000d89bb2.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3731-a7b45cf3-b433-4e51-a129-670000d89bb2.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3731-a7b45cf3-b433-4e51-a129-670000d89bb2.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3731-a7b45cf3-b433-4e51-a129-670000d89bb2.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3731-a7b45cf3-b433-4e51-a129-670000d89bb2.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3731-a7b45cf3-b433-4e51-a129-670000d89bb2.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3731-a7b45cf3-b433-4e51-a129-670000d89bb2-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3731","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3731"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3731\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3732"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3731"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3731"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3731"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}