A human rights lawyer from Pakistan's Balochistan province received a suspicious link on WhatsApp from an unknown number, marking the first time a civil society member in the country was targeted by Intellexa's Predator spyware, Amnesty International said in a report.
The link, the non-profit organization said, is a "Predator attack attempt based on the technical behaviour of the infection server, and on specific characteristics of the one-time infection link which were consistent with previously observed Predator 1-click links." Pakistan has dismissed the allegations, stating "there is not an iota of truth in it."
The findings come from a new joint investigation published in collaboration with Israeli newspaper Haaretz, Greek news website Inside Story, and Swiss tech website Inside IT. It is based on documents and other materials leaked from the company, including internal documents, sales and marketing material, and training videos.
Intellexa is the maker of a mercenary spyware tool called Predator that, similar to NSO Group's Pegasus, can covertly harvest sensitive data from targets' Android and iOS devices without their knowledge. The leaks show that Predator has also been marketed as Helios, Nova, Green Arrow, and Red Arrow.
Typically, this involves using different initial access vectors, such as messaging platforms, that weaponize previously undisclosed flaws to stealthily install the spyware via either a zero-click or a 1-click approach. The latter, therefore, requires a malicious link to be opened on the target's phone in order to trigger the infection.
Should the victim end up clicking the booby-trapped link, a browser exploit for Google Chrome (on Android) or Apple Safari (on iOS) is loaded to gain initial access to the device and download the main spyware payload. According to data from Google Threat Intelligence Group (GTIG), Intellexa has been linked to the exploitation of the following zero-days, either developed in-house or procured from external entities –
One such iOS zero-day exploit chain, used against targets in Egypt in 2023, involved leveraging CVE-2023-41993 and a framework named JSKit to achieve native code execution. GTIG said it observed the same exploit and framework used in a watering hole attack orchestrated by Russian government-backed hackers against Mongolian government websites, raising the possibility that the exploits are being sourced from a third party.
Marketing brochure presenting the capabilities of Intellexa's spyware product
"The JSKit framework is well maintained, supports a wide range of iOS versions, and is modular enough to support different Pointer Authentication Code (PAC) bypasses and code execution techniques," Google explained. "The framework can parse in-memory Mach-O binaries to resolve custom symbols and can ultimately manually map and execute Mach-O binaries directly from memory."
Screenshot of an example PDS (Predator Delivery Studio) dashboard interface used to manage targets and view collected surveillance data
Following the exploitation of CVE-2023-41993, the attack moved to a second stage to break out of the Safari sandbox and execute an untrusted third-stage payload dubbed PREYHUNTER by taking advantage of CVE-2023-41991 and CVE-2023-41992. PREYHUNTER consists of two modules –
Watcher, which monitors crashes, makes sure that the infected device doesn't exhibit any suspicious behavior, and terminates the exploitation process if such patterns are detected
Helper, which communicates with the other components of the exploit via a Unix socket and deploys hooks to record VoIP conversations, run a keylogger, and capture images from the camera
Intellexa is also said to be using a custom framework that facilitates the exploitation of various V8 flaws in Chrome – i.e., CVE-2021-38003, CVE-2023-2033, CVE-2023-3079, CVE-2023-4762, and CVE-2025-6554 – with the abuse of CVE-2025-6554 observed in June 2025 in Saudi Arabia.
Once the tool is installed, it collects data from messaging apps, calls, emails, device locations, screenshots, passwords, and other on-device information and exfiltrates it to an external server physically located in the customer's country. Predator also comes fitted with the ability to activate the device's microphone to silently capture ambient audio and to leverage the camera to take pictures.
The company, along with some key executives, was subjected to U.S. sanctions last year for developing and distributing the surveillance tool and undermining civil liberties. Despite continued public reporting, Recorded Future's Insikt Group disclosed in June 2025 that it detected Predator-related activity in over a dozen countries, primarily in Africa, suggesting "growing demand for spyware tools."
Perhaps the most significant revelation is that people working at Intellexa allegedly had the ability to remotely access the surveillance systems of at least some of its customers, including those located on the premises of its governmental customers, using TeamViewer.
"The fact that, at least in some cases, Intellexa appears to have retained the ability to remotely access Predator customer logs – allowing company staff to see details of surveillance operations and targeted individuals – raises questions about its own human rights due diligence processes," Jurre van Bergen, technologist at Amnesty International Security Lab, said in a news release.
"If a mercenary spyware company is found to be directly involved in the operation of its product, then by human rights standards, it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused through the use of spyware."
The report has also highlighted the different delivery vectors adopted by Intellexa to trigger the opening of the malicious link without the need for the target to manually click on it. These include tactical vectors like Triton (disclosed in October 2023), Thor, and Oberon (both unknown at this stage), as well as strategic vectors that are delivered remotely via the internet or mobile network.
The three strategic vectors are listed below –
Mars and Jupiter, which are network injection systems that require cooperation between the Predator customer and the victim's mobile operator or internet service provider (ISP) to stage an adversary-in-the-middle (AitM) attack, either by waiting for the target to open an unencrypted HTTP website to trigger the infection or when the target visits a domestic HTTPS website that has already been intercepted using valid TLS certificates.
Aladdin, which exploits the mobile advertising ecosystem to carry out a zero-click attack that is triggered simply upon viewing the specially crafted ad. The system is believed to have been under development since at least 2022.
"The Aladdin system infects the target's phone by forcing a malicious advertisement created by the attacker to be shown on the target's phone," Amnesty said. "This malicious ad can be served on any website which displays ads."
Mapping of Intellexa's corporate web linked to the Czech cluster
Google said the use of malicious ads on third-party platforms is an attempt to abuse the advertising ecosystem for fingerprinting users and redirecting targeted users to Intellexa's exploit delivery servers. It also said it worked with other partners to identify the companies Intellexa set up to create the ads and to shut down those accounts.
In a separate report, Recorded Future said it discovered two companies called Pulse Promote and MorningStar TEC that appear to be operating in the advertising sector and are likely tied to the Aladdin infection vector. Additionally, there is evidence of Intellexa customers based in Saudi Arabia, Kazakhstan, Angola, and Mongolia still communicating with Predator's multi-tiered infrastructure.
"In contrast, customers in Botswana, Trinidad and Tobago, and Egypt ceased communication in June, May, and March 2025, respectively," it added. "This may indicate that these entities discontinued their use of Predator spyware around those times; however, it is also possible that they simply changed or migrated their infrastructure setups."
