{ "id": "e38ce75b-1376-4a2a-b204-48597fffcaf4", "created_at": "2026-04-06T00:13:05.470744Z", "updated_at": "2026-04-10T03:35:28.838015Z", "deleted_at": null, "sha1_hash": "08adc175ae5f4160b1b4c062079badf5f973ec53", "title": "Global: ‘Predator Files’ spyware scandal reveals brazen targeting of civil society, politicians and officials   - Amnesty International Security Lab", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 56712, "plain_text": "Global: ‘Predator Files’ spyware scandal reveals brazen targeting\r\nof civil society, politicians and officials   - Amnesty International\r\nSecurity Lab\r\nPublished: 2023-10-09 · Archived: 2026-04-02 10:43:44 UTC\r\nShocking spyware attacks have been attempted against civil society, journalists, politicians and academics in the\r\nEuropean Union (EU), USA and Asia, according to a major new investigation by Amnesty International. Among\r\nthe targets of Predator spyware are United Nations (UN) officials, a Senator and Congressman in the USA and\r\neven the Presidents of the European Parliament and Taiwan.  The investigation is part of the ‘Predator Files’\r\nproject, in partnership with the European Investigative Collaborations (EIC) and backed by additional in-depth\r\nreporting by Mediapart and Der Spiegel.\r\nBetween February and June 2023, social media platforms X (formerly Twitter) and Facebook were used to\r\npublicly target at least 50 accounts belonging to 27 individuals and 23 institutions. The cyber-surveillance weapon\r\nused for targeting was an invasive spyware tool called Predator, which was developed and sold by the Intellexa\r\nalliance. This alliance, which has advertised itself as “EU based and regulated”, is a complex and often changing\r\ngroup of companies that develops and sells surveillance products, including Predator spyware.  \r\n  Predator is a type of highly invasive spyware. This means that once it has infiltrated a device it has unfettered\r\naccess to its microphone and camera and all its data such as contacts, messages, photos and videos, while the user\r\nis entirely unaware. Such spyware cannot, at present, be independently audited or limited in its functionality to\r\nonly those functions that are necessary and proportionate to a specific use.  \r\n “Yet again, we have evidence of powerful surveillance tools being used in brazen attacks.  The targets this time\r\naround are journalists in exile, public figures and intergovernmental officials. But let’s make no mistake: the\r\nvictims are all of us, our societies, good governance and everyone’s human rights,” said Agnes Callamard,\r\nSecretary General at Amnesty International. \r\n“The Intellexa alliance, European-based developers of Predator and other surveillance products have done nothing\r\nto limit who is able to use this spyware and for what purpose. Instead, they are lining their pockets and ignoring\r\nthe serious human rights implications at stake. In the wake of this latest scandal, surely the only effective response\r\nis for states to impose an immediate worldwide ban on highly invasive spyware.” \r\nIn a comprehensive report published today by Amnesty International’s Security Lab, those targeted – though not\r\nnecessarily infected – include the President of the European Parliament, Roberta Metsola, the President of Taiwan,\r\nTsai Ing-Wen, U.S. Congressman Michael McCaul, U.S. Senator John Hoeven, the German Ambassador to the\r\nUnited States, Emily Haber and French MEP Pierre Karleskind. Multiple officials, academics and institutions\r\nwere also targeted.  \r\nA brazen barrage of attacks\r\nhttps://securitylab.amnesty.org/latest/2023/10/predator-files-spyware-scandal-reveals-brazen-targeting-of-civil-society-politicians-and-officials/\r\nPage 1 of 4\n\nAmnesty International’s Security Lab has been investigating the use of the powerful and highly invasive Predator\r\nspyware and its link to the Intellexa alliance for some time.  \r\nAn attacker-controlled X (previously Twitter) account, named ‘@Joseph_Gordon16′, shared many of the\r\nidentified attack links which aimed to infect targets with the Predator spyware. One early target of this account\r\nwas Berlin-based journalist Khoa Lê Trung, who is originally from Viet Nam. Khoa is editor-in-chief of\r\nthoibao.de, a news website blocked in Viet Nam. He has faced death threats over his reporting since 2018. Viet\r\nNam has a repressive media landscape where journalists, bloggers and human rights activists are often intimidated\r\ninto silence.\r\nThe attack, though unsuccessful, is especially significant as the website and journalist are based in the EU, and all\r\nEU member states have an obligation to control the sale and transfer of surveillance technologies.  \r\n“You can’t just sell them to countries like Viet Nam. This also harms the freedom of the press and freedom of\r\nexpression for the people here in Germany,” Khoa told Amnesty International.   \r\nThe investigation found that the @Joseph_Gordon16 account had close links to Viet Nam and may have been\r\nacting on behalf of Vietnamese authorities or interest groups.\r\nIn April 2023 Amnesty International’s Security Lab began to observe the same ‘@Joseph_Gordon16’ user\r\ntargeting multiple academics and officials working on maritime issues, specifically researchers and officials\r\nresponsible for EU and UN policies on illegal or undocumented fishing. Viet Nam was given a ‘yellow card\r\nwarning’ by the European Commission in 2017 for illegal, unreported, and unregulated fishing.\r\n“We observed dozens of instances in which ‘@Joseph_Gordon16’ pasted a malicious link to Predator in public\r\nsocial media posts. Sometimes the link seemed to be a benign news outlet, such as The South China Morning Post,\r\nto lull the reader into clicking on it,” said Donncha Ó Cearbhaill, Head of Amnesty International’s Security Lab. \r\n“Our analysis demonstrated that clicking the link could lead to the reader’s device being infected with Predator.\r\nWe do not know if any device was infected, and we cannot say with absolute certainty that the perpetrator was\r\nwithin the government of Viet Nam itself, but both the interests of the account and the Viet Nam authorities were\r\nvery closely aligned.”\r\nThe investigation also uncovered evidence that a company within the Intellexa alliance signed a multi-million\r\neuro deal for “infection solutions” with Viet Nam’s Ministry of Public Security (MOPS) in early 2020, codenamed\r\n“Angler Fish”. Documents and export records also confirmed the sale of Predator to MOPS through broker\r\ncompanies.  \r\n“We believe this Predator attack infrastructure is associated with a government actor in Vietnam,” Google’s\r\nsecurity researchers who also independently analysed the malicious links, told Amnesty International.\r\nEU regulated spyware free to run wild across the world\r\nPredator can also be used in zero click attacks, meaning it can infiltrate a device without the user having clicked\r\non a link. This can be done, for example, by so-called “tactical attacks” which can infect nearby devices. Highly\r\nhttps://securitylab.amnesty.org/latest/2023/10/predator-files-spyware-scandal-reveals-brazen-targeting-of-civil-society-politicians-and-officials/\r\nPage 2 of 4\n\ninvasive spyware cannot currently be independently audited or limited in its functionality. It is, therefore,\r\nexceedingly difficult to investigate abuses linked to its use.  \r\nThe investigation found the presence of Intellexa alliance products in at least 25 countries across Europe, Asia, the\r\nMiddle East and Africa, and documents how they have been used to undermine human rights, press freedom, and\r\nsocial movements across the globe.  \r\nThe Intellexa alliance has corporate entities in various states including France, Germany, Greece, Ireland, Czech\r\nRepublic, Cyprus, Hungary, Switzerland, Israel, North Macedonia, and the United Arab Emirates (UAE). Amnesty\r\nInternational is calling on all these states to immediately revoke all marketing and export licences issued to the\r\nIntellexa alliance. These states must also conduct an independent, impartial, transparent investigation to determine\r\nthe extent of unlawful targeting.  \r\n“Intellexa says it is an ‘EU-based and regulated company which is, in itself, a damning indictment of how EU\r\nmember states and institutions have failed to prevent the ever-expanding reach of these surveillance products\r\ndespite a series of investigations such as the ‘Pegasus Project’ in 2021. So much so that, as this investigation\r\nhighlights, even EU officials and institutions themselves were caught in its net,” said Agnès Callamard, Amnesty\r\nInternational’s Secretary General.  \r\nThe Predator Files investigation found Intellexa alliance products had been sold to at least 25 countries including\r\nSwitzerland, Austria and Germany. Other clients include Congo, Jordan, Kenya, Oman, Pakistan, Qatar,\r\nSingapore, the UAE and Viet Nam.  \r\nThe Intellexa alliance should stop the production and sale of Predator and any other similarly invasive spyware\r\nthat does not include technical safeguards allowing for its lawful use under a human rights respecting regulatory\r\nframework. It should also provide adequate compensation or other forms of effective redress to victims of\r\nunlawful surveillance.  \r\nAmnesty International’s analysis of recent technical infrastructure linked to the Predator spyware system indicates\r\nrelated activity, in one form or another, in Angola, Egypt, Mongolia, Kazakhstan, Indonesia, Madagascar, Sudan\r\nand Viet Nam among others.  Amnesty International has published indicators of compromise to help civil society\r\ntechnologists identify and respond to this spyware. \r\nAmnesty International reached out to the entities involved for comment but received no response. However, EIC\r\ndid receive a response from the main shareholders and former executives of Nexa group. In their response they\r\nclaim that the Intellexa alliance has ceased to exist. In relation to Viet Nam, they claim that Nexa Group only\r\nhonoured part of the contract related to cybersecurity. They also claim that the entities of Intellexa alliance\r\n“scrupulously respected export regulations”, while acknowledging that they established “commercial relations”\r\nwith countries that ”were far from perfect in terms of the rule of law,” further stating that it was often a function\r\nof “political choices” from the French government. \r\nAmnesty International wrote to Viet Nam’s Ministry of Public Security for comment but did not receive a\r\nresponse. \r\nClick here for the ‘The Predator Files: Caught in the Net’ full report.  \r\nhttps://securitylab.amnesty.org/latest/2023/10/predator-files-spyware-scandal-reveals-brazen-targeting-of-civil-society-politicians-and-officials/\r\nPage 3 of 4\n\nAmnesty International has also published an in-depth technical analysis of the surveillance products offered by\r\nthe Intellexa Alliance on 6 October as part of the ‘Predator Files’ investigation.\r\nSource: https://securitylab.amnesty.org/latest/2023/10/predator-files-spyware-scandal-reveals-brazen-targeting-of-civil-society-politicians-and-officials/\r\nhttps://securitylab.amnesty.org/latest/2023/10/predator-files-spyware-scandal-reveals-brazen-targeting-of-civil-society-politicians-and-officials/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://securitylab.amnesty.org/latest/2023/10/predator-files-spyware-scandal-reveals-brazen-targeting-of-civil-society-politicians-and-officials/" ], "report_names": [ "predator-files-spyware-scandal-reveals-brazen-targeting-of-civil-society-politicians-and-officials" ], "threat_actors": [ { "id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0", "created_at": "2022-10-25T15:50:23.710403Z", "updated_at": "2026-04-10T02:00:05.281246Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "Whisper Spider" ], "source_name": "MITRE:Silence", "tools": [ "Winexe", "SDelete" ], "source_id": "MITRE", "reports": null }, { "id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7", "created_at": "2025-03-29T02:05:20.764715Z", "updated_at": "2026-04-10T02:00:03.851829Z", "deleted_at": null, "main_name": "GOLD WYMAN", "aliases": [ "Silence " ], "source_name": "Secureworks:GOLD WYMAN", "tools": [ "Silence" ], "source_id": "Secureworks", "reports": null }, { "id": "88e53203-891a-46f8-9ced-81d874a271c4", "created_at": "2022-10-25T16:07:24.191982Z", "updated_at": "2026-04-10T02:00:04.895327Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "ATK 86", "Contract Crew", "G0091", "TAG-CR8", "TEMP.TruthTeller", "Whisper Spider" ], "source_name": "ETDA:Silence", "tools": [ "EDA", "EmpireDNSAgent", "Farse", "Ivoke", "Kikothac", "LOLBAS", "LOLBins", "Living off the Land", "Meterpreter", "ProxyBot", "ReconModule", "Silence.Downloader", "TiniMet", "TinyMet", "TrueBot", "xfs-disp.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434385, "ts_updated_at": 1775792128, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/08adc175ae5f4160b1b4c062079badf5f973ec53.pdf", "text": "https://archive.orkl.eu/08adc175ae5f4160b1b4c062079badf5f973ec53.txt", "img": "https://archive.orkl.eu/08adc175ae5f4160b1b4c062079badf5f973ec53.jpg" } }