{
	"id": "4b82c91e-7cf8-4a89-b10a-b6566f9ee2df",
	"created_at": "2026-04-06T00:10:05.223067Z",
	"updated_at": "2026-04-10T03:30:46.162372Z",
	"deleted_at": null,
	"sha1_hash": "26977250193b4e7d3fa9f4bcb81da66cd88f6541",
	"title": "Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 788346,
	"plain_text": "Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s\r\nExploits, Victims, and Customers - The Citizen Lab\r\nArchived: 2026-04-05 16:44:08 UTC\r\nKey Findings\r\nBased on an analysis of samples shared with us by Microsoft Threat Intelligence, we developed indicators\r\nthat enabled us to identify at least five civil society victims of QuaDream’s spyware and exploits in North\r\nAmerica, Central Asia, Southeast Asia, Europe, and the Middle East. Victims include journalists, political\r\nopposition figures, and an NGO worker. We are not naming the victims at this time.\r\nWe also identify traces of a suspected iOS 14 zero-click exploit used to deploy QuaDream’s spyware. The\r\nexploit was deployed as a zero-day against iOS versions 14.4 and 14.4.2, and possibly other versions. The\r\nsuspected exploit, which we call ENDOFDAYS, appears to make use of invisible iCloud calendar\r\ninvitations sent from the spyware’s operator to victims.\r\nWe performed Internet scanning to identify QuaDream servers, and in some cases were able to identify\r\noperator locations for QuaDream systems. We detected systems operated from Bulgaria, Czech Republic,\r\nHungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE), and Uzbekistan.\r\nQuaDream has had a partnership with a Cypriot company called InReach, with whom it is currently\r\nembroiled in a legal dispute. Numerous key individuals associated with both companies have prior\r\nconnections with another surveillance vendor, Verint, as well as Israeli intelligence agencies.\r\n1. Background: QuaDream and InReach\r\nQuaDream\r\nQuaDream Ltd (קוודרים בע״מ) is an Israeli company that specialises in the development and sale of advanced\r\ndigital offensive technology to government clients. 
The company is known for its spyware marketed under the\r\nname “Reign”, which, like NSO Group’s Pegasus spyware, reportedly utilises zero-click exploits to hack into\r\ntarget devices.\r\nRecent media reports indicate that QuaDream has sold its products to a range of government clients including\r\nSingapore, Saudi Arabia, Mexico, and Ghana, and has pitched its services to Indonesia and Morocco. Additionally,\r\nin their December 2022 Threat Report on the Surveillance-for-Hire Industry, Meta mentions that they detected\r\nactivity on their platforms that they attributed to QuaDream. The activity included the use of “about 250\r\naccounts”, which Meta assessed were being used to test the capabilities of QuaDream’s iOS and Android spyware.\r\nQuaDream operates with a minimal public presence, lacking a website, extensive media coverage, or social media\r\npresence. QuaDream employees have reportedly been instructed to refrain from mentioning their employer on\r\nsocial media. However, we have been able to identify several key figures associated with the company, including\r\nits three founders (Ilan Dabelstein, Guy Geva, and Nimrod Rinsky), through a review of corporate documentation,\r\nnewspaper articles, and databases. We list these key individuals in Appendix A.\r\nhttps://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/\r\nPage 1 of 14\n\nQuaDream is enmeshed in a legal dispute with InReach, a Cyprus-registered company. This dispute has resulted in\r\nthe exposure of interesting details about the companies’ business. According to court documents obtained from the\r\nDistrict Court of Limassol in Cyprus (the Cypriot Case File), QuaDream sold its products outside of Israel\r\nthrough InReach, a company registered in Cyprus. 
While the open-source information and court documents we\r\nreviewed strongly suggest that QuaDream sold its products outside of Israel through InReach, it is essential to\r\nnote that this does not necessarily indicate that InReach was the exclusive or primary distributor for QuaDream.\r\nInReach\r\nInReach was incorporated in Cyprus in September 2017. According to assertions made by QuaDream in the\r\nCypriot Case File, InReach was set up for the sole purpose of promoting QuaDream’s products outside of Israel.\r\nAccording to the file, a “Consortium Agreement” was signed between QuaDream and InReach on 5 July 2017,\r\nand that QuaDream took the initiative to establish the consortium in order to sell their products outside Israel. The\r\nagreement stipulated that QuaDream would receive 92% of the revenues from the sales of QuaDream’s products,\r\nwith InReach keeping the remaining 8%.\r\nWe identify key individuals associated with InReach in Appendix A, through a review of corporate documents,\r\nnewspaper articles, and various databases.\r\nThe Dispute Between QuaDream and InReach\r\nOne helpful source of information about QuaDream’s activities is an ongoing legal dispute between QuaDream\r\nand InReach. The dispute has resulted in revelations regarding QuaDream’s business practices.\r\nThe relationship between QuaDream and InReach appears to be a combination of both personal and mutual\r\ninterest connections. There are notable intersections (Appendix A) between the two corporations and many of the\r\nkey individuals from both companies seem to have former connections to Verint as well as Israeli intelligence\r\nagencies.\r\nAccording to the Cypriot Case File, a dispute arose between the companies when InReach failed to transfer to\r\nQuaDream 92% of the revenues arising from sales of QuaDream’s products, starting with an invoice dated 26\r\nJune 2019. 
On 7 May 2020, QuaDream applied to the court in Cyprus to freeze InReach’s assets, pending\r\npotential arbitration in the Court of Arbitration in Amsterdam. To support their claim for a freezing order,\r\nQuaDream presented an English legal opinion which states that QuaDream is entitled to receive the sum of\r\nUS$6,079,814 from InReach (this amount presumably reflecting 92% of sales of QuaDream’s products that\r\nInReach had failed to transfer, starting with the June 2019 invoice).\r\nIn the application for a freezing order, QuaDream claimed that InReach attempted to conceal and divest the assets\r\nof the consortium through fraudulent means, including by opening up a secret bank account in Switzerland and\r\nthen attempting to funnel payments from customers into this new bank account, without QuaDream’s knowledge.\r\nQuaDream claimed that InReach fired Lora Plotkin (Appendix A), a QuaDream shareholder who had signing and\r\nsupervisory rights on the InReach bank account which received payments from customers, on April 17, 2020, so\r\nthat InReach could funnel payments into the secret account without QuaDream’s authorisation. The District Court\r\nof Limassol granted the freezing order to QuaDream and the dispute is ongoing.\r\n2. Analysis of a Software Component Attributable to QuaDream\r\nMicrosoft Threat Intelligence shared with the Citizen Lab two samples of iOS spyware that they call KingsPawn,\r\nand attribute to QuaDream with high confidence. (Read the Microsoft Threat Intelligence analysis of the spyware\r\nhere).\r\nWe subsequently analysed these binaries, seeking to develop indicators that could be used to identify a device\r\ncompromised with QuaDream spyware. 
The following section describes elements of our analysis of the spyware.\r\nSample 1 appeared to be a downloader designed to exfiltrate basic device information, and download and execute\r\nan additional payload. Sample 2 appeared to be a full featured spyware payload. Nevertheless, both Sample 1 and\r\nSample 2 shared highly distinctive commonalities, including largely identical functions for spawning processes.\r\nThe functions create (and later remove) a distinctive subfolder within the com.apple.xpc.roleaccountd.staging\r\nfolder on the phone:\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/PlugIns/fud.appex/\r\nAdditionally, both Sample 1 and Sample 2 parse the same distinctive JSON encoding of 40 kernel memory\r\noffsets that provide the location of various iOS kernel structures presumably important for the spyware’s\r\noperation. We suspect that this encoding is generated by an earlier stage in the exploit chain, and passed to\r\nSamples 1 and 2.\r\nIn addition to the high-confidence attribution by Microsoft Threat Intelligence to QuaDream, we found several\r\nreferences linkable to QuaDream in Sample 1. The second sample, Sample 2, did not contain these references.\r\nFunctionality\r\nSample 1 appeared to be an initial payload whose purpose was to download another payload. Sample 2, however,\r\nappeared to be the final spyware payload. Our analysis of Sample 2 allowed us to identify a range of functionality\r\nthat helps the implant perform its core surveillance capabilities. 
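One entry in the capability list that follows, generating iCloud TOTP login codes for arbitrary dates by hooking gettimeofday, rests on a property of TOTP itself: RFC 6238 codes are a deterministic function of the shared seed and the current time step, so whoever controls the clock value the generator reads can produce the code for any moment, past or future, and a stolen seed is therefore a standing second-factor bypass rather than a one-shot one. The following Python example is added here and is not code from the Citizen Lab report or from Microsoft's analysis; it implements RFC 4226/6238 with the time passed in as an argument (standing in for the hooked clock) and precomputes a window of future codes. The seed is the RFC 6238 test-vector secret, not an Apple credential, and nothing here touches Anisette or iCloud.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# Constructed seed for illustration only: the RFC 6238 reference secret
# (ASCII 12345678901234567890), not a real iCloud or Anisette credential.
RFC6238_SHA1_SEED = b'12345678901234567890'
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    '''RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer and the last `digits` decimal digits.'''
    mac = hmac.new(secret, struct.pack('>Q', counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack('>I', mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    '''RFC 6238 TOTP for an explicit time. Taking the time as a parameter is the
    software analogue of hooking gettimeofday: the caller, not the clock,
    decides which time step (and therefore which code) is produced.'''
    return hotp(secret, unix_time // step, digits)


def future_codes(secret: bytes, start_unix: int, count: int, step: int = STEP_SECONDS):
    '''Precompute the codes valid for `count` consecutive time steps starting at
    the step containing `start_unix`; returns (valid_from_unix, code) pairs.'''
    first = (start_unix // step) * step
    return [(first + i * step, totp_at(secret, first + i * step, step=step)) for i in range(count)]


if __name__ == '__main__':
    # Constructed future date: the code computed now for this instant is the
    # code a verifier will accept once its own clock reaches it.
    a_future_instant = int(datetime(2030, 1, 1, tzinfo=timezone.utc).timestamp())
    for valid_from, code in future_codes(RFC6238_SHA1_SEED, a_future_instant, 3):
        print(datetime.fromtimestamp(valid_from, timezone.utc).isoformat(), code)
```

The defensive corollary is the one the report's bullet implies: once the seed has left the device, expiring or rotating the clock is meaningless, and only revoking the enrolled factor (and the sessions it minted) ends the access.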
Like other, similar mercenary spyware, the\r\nimplant has a range of capabilities, from hot-mic audio recording of calls and the environment to more advanced\r\ncapabilities to search through the phone.\r\nSample 2 appears to have functionality for:\r\nRecording audio from phone calls\r\nRecording audio from the microphone\r\nTaking pictures through the device’s front or back camera\r\nExfiltrating and removing items from the device’s keychain\r\nHijacking the phone’s Anisette framework and hooking the gettimeofday syscall to generate iCloud time-based one-time password (TOTP) login codes for arbitrary dates. We suspect that this is used to generate\r\ntwo-factor authentication codes valid for future dates, in order to facilitate persistent exfiltration of the\r\nuser’s data directly from iCloud\r\nRunning queries in SQL databases on the phone\r\nCleaning remnants that might be left behind by zero-click exploits\r\nTracking the device’s location\r\nPerforming various filesystem operations including searching for files matching specified characteristics\r\nWe found that the spyware also contains a self-destruct feature that cleans up various traces left behind by the\r\nspyware itself. Our analysis of the self-destruct feature revealed a process name used by the spyware, which we\r\ndiscovered on victim devices.\r\nQuaDream Spyware Process Name Emerges\r\nA function in Sample 2 hard-codes the path to the main spyware payload (in a XOR-obfuscated string) as\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/subridged. While subridged is the name of a legitimate iOS\r\nexecutable, the legitimate subridged would not be launched from the\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/ directory. 
This process name has never been observed used\r\nby NSO Group’s Pegasus spyware (which also uses the /private/var/db/com.apple.xpc.roleaccountd.staging/\r\ndirectory), nor any other type of spyware of which we are aware.\r\nAnother function in Sample 2 removes entries from the /private/var/root/Library/Caches/locationd/clients.plist\r\nfile, which is a well-publicised forensic source where spyware indicators may persist. The function attempts to\r\nremove entries ending in the string “subridged” from this file.\r\nCleanup Code Highlights Suspected Zero-Click Exploits\r\nWe identified functionality within Sample 2 that deletes events from the iOS calendar. The functionality is located\r\nin two “Calendar Cleanup Functions”, which we refer to as CCF1 and CCF2. The functions appear to be executed\r\nwhen a special cleanup command is received from the spyware’s command-and-control server. The cleanup\r\ncommand includes an email address that specifies the scope of the cleanup.\r\nCCF1 enumerates (via EventKit) all calendar events in all calendars whose start date is after 728 days ago, and\r\nchecks whether the email address of the event’s organiser is equal to the supplied email address. 
If so, then the\r\nevent is removed via the -[EKEventStore removeEvent:span:commit:error:] function.\r\nCCF2 opens the SQLite database that stores calendar information on the phone, located at\r\n/var/mobile/Library/Calendar/Calendar.sqlitedb, using the following parameters:\r\nfile:%s?cache=shared\u0026mode=rwc\u0026_journal_mode=WAL\u0026_timeout=10000\r\nCCF2 then checks to see if the supplied email address is present in the ‘Participant’ table in the database:\r\nSELECT DISTINCT identity_id FROM Participant WHERE email = \"%s\"\r\nIf present, then these deletion queries are run:\r\nDELETE FROM Identity WHERE ROWID = %d;\r\nDELETE FROM CalendarItemChanges WHERE record IN ( SELECT owner_id FROM ParticipantChanges WHERE email\r\nDELETE FROM ParticipantChanges WHERE email = \"%[2]s\";\r\nFinally, CCF2 vacuums the database:\r\nVACUUM;\r\nPRAGMA wal_checkpoint(TRUNCATE);\r\nThe same cleanup command that triggers deletion of calendar events associated with a specific email address also\r\ncauses that same email address to be removed from the com.apple.identityservices.idstatuscache.plist file (in\r\n/private/var/mobile/Library/Preferences/). In iOS versions 14.6 and prior, this file contained a record of iCloud\r\naccounts that the device had interacted with using certain Apple services (e.g., iMessage). This file appears to\r\nhave been deprecated since iOS version 14.7, and no longer stores any information.\r\nThe Ectoplasm Factor\r\nWe noted functionality within Sample 2 that sometimes leaves traces behind on infected devices after the spyware\r\nis removed. We refer to these traces as the Ectoplasm Factor. We omit discussion of the Ectoplasm Factor from\r\nour report, as we believe this may be useful for tracking QuaDream’s spyware going forward.\r\nExfiltration\r\nThe spyware exfiltrates data via HTTPS POST requests. 
The spyware’s exfiltration module appears to have the\r\ncapability to use a custom root certificate for this HTTPS connection, indicating that exfiltration may involve self-signed certificates.  Separately, we observed suspected QuaDream exfiltration to servers returning self-signed\r\nKubernetes certificates.\r\n3. Target Forensics\r\nWe uncovered clues that we believe are linked to QuaDream’s iOS 14 zero-click exploit. While NSO Group was\r\ndeploying FORCEDENTRY as a zero-click, zero-day exploit against iOS 14 devices, QuaDream appears to have\r\nbeen deploying a separate zero-click, zero-day exploit against iOS 14 devices that we refer to as ENDOFDAYS.\r\nApple reportedly notified targets of both Pegasus and QuaDream hacking in a round of notifications issued on 23\r\nNovember 2021.\r\nWe shared our analysis of this attack with Apple Inc. at multiple points during our investigation.\r\nENDOFDAYS, a Possible Zero-Click Exploit\r\nWe identified two 2021 cases where targets in North America and Central Asia showed evidence that a process\r\nnamed /private/var/db/com.apple.xpc.roleaccountd.staging/subridged had run on the phone on iOS versions 14.4\r\nand 14.4.2, while these were the latest iOS versions.\r\nIn one case, we were able to examine the user’s Calendar.sqlitedb file, and also connect (via CalDAV) to their\r\niCloud calendar. The user’s Calendar.sqlitedb file showed a suspicious event added to the calendar in 2021\r\norganised by a user [REDACTED1]@icloud.com. The summary of the event was “Meeting”, and the description\r\nof the event was “Notes”. We obtained an .ics file for this event from their iCloud calendar via CalDAV. 
The event\r\ncontained remnants of a possible XML escape, where the CDATA opening and closing tags were embedded in\r\nkeys in the .ics file (shown below).\r\nDESCRIPTION]]\u003e:x\r\nATTENDEE;EMAIL=[redacted victim]...\r\nATTENDEE\u003c![CDATA[:Notes\r\nWe located a second .ics file for an event added in 2021 containing the same summary and description, and the\r\nsame possible XML injection, but organised by a different user [REDACTED2]@icloud.com. Details of this\r\nevent and organiser did not appear in the user’s Calendar.sqlitedb file, and may have been deleted by the spyware.\r\nWe suspect that the attacker’s use of closing and opening CDATA tags in the .ics could potentially facilitate the\r\ninclusion of additional XML data that would be processed by the user’s phone, in order to trigger some behaviour\r\ndesired by the attacker. When a user is invited to an iCloud calendar event, APNs (the Apple Push Notification\r\nService) delivers a message with topic com.me.cal to the user’s devices. The message comprises the user’s DSID\r\n(Directory Services Identifier). This message is routed to the iPhone’s dataaccessd process, causing it to perform\r\na WebDAV sync (RFC 6578) with the iCloud calendar server to obtain a list of URLs of new calendar events to\r\nfetch. 
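To make the suspected escape concrete: an iCalendar body delivered inside an XML CDATA section is inert text only for as long as it contains no ]]> sequence, because that sequence ends the section wherever it appears in the .ics, and whatever follows is parsed as markup. The following Python example is added here and is not part of the Citizen Lab report; it constructs a simplified multistatus response that wraps an .ics body in a CDATA section, once verbatim and once with ]]> split across two sections as the XML specification requires, and parses both to show what a client would see. The response skeleton, the attacker namespace and the injected element are constructed for the example and say nothing about what Apple's servers actually do; the page establishes only that the tags were present in the .ics.

```python
import xml.etree.ElementTree as ET

CALDAV_NS = '{urn:ietf:params:xml:ns:caldav}'

# Constructed .ics body modelled on the fragment above. The DESCRIPTION value is
# attacker-controlled text: it closes the server's CDATA section, drops in an
# element of the attacker's choosing, then reopens CDATA so the rest of the
# .ics stays inert. The namespace and element name are invented for the example.
INJECTED_ICS = '''BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Meeting
DESCRIPTION]]><injected xmlns=\"urn:example:attacker\">payload</injected><![CDATA[:Notes
END:VEVENT
END:VCALENDAR
'''


def wrap_naive(ics_text: str) -> str:
    '''Simplified stand-in for a calendar-multiget response that pastes the
    .ics body into a CDATA section verbatim: the unsafe pattern.'''
    return (
        '<multistatus xmlns=\"DAV:\"><response><href>/path/to/event.ics</href>'
        '<propstat><prop><calendar-data xmlns=\"urn:ietf:params:xml:ns:caldav\">'
        '<![CDATA[' + ics_text + ']]>'
        '</calendar-data></prop></propstat></response></multistatus>'
    )


def cdata_safe(text: str) -> str:
    '''Correct CDATA encoding: ]]> cannot occur inside a section, so split it so
    that ]] ends one section and > begins the next. The reassembled text is
    byte-for-byte the original, but no part of it is ever parsed as markup.'''
    return text.replace(']]>', ']]]]><![CDATA[>')


def wrap_safe(ics_text: str) -> str:
    return wrap_naive(cdata_safe(ics_text))


def calendar_data_node(xml_doc: str):
    return ET.fromstring(xml_doc).find('.//' + CALDAV_NS + 'calendar-data')


def calendar_data_children(xml_doc: str):
    '''Tag names of any element that ended up inside calendar-data. A correct
    response has none: the .ics is supposed to be character data only.'''
    node = calendar_data_node(xml_doc)
    return [] if node is None else [child.tag for child in node]


def calendar_data_text(xml_doc: str) -> str:
    '''The character data a client would hand to its iCalendar parser.'''
    node = calendar_data_node(xml_doc)
    return '' if node is None else ''.join(node.itertext())


if __name__ == '__main__':
    print('naive  ->', calendar_data_children(wrap_naive(INJECTED_ICS)))
    print('safe   ->', calendar_data_children(wrap_safe(INJECTED_ICS)))
    print('safe text round-trips:', calendar_data_text(wrap_safe(INJECTED_ICS)) == INJECTED_ICS)
```

The naive wrapper yields a calendar-data element with a child element the server never intended to send, while the split encoding yields only text and returns the .ics unchanged; a client-side check that calendar-data has no child elements is a cheap guard against the same class of confusion.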
The dataaccessd process then supplies these URLs back to the iCloud calendar server in a\r\nCALDAV:calendar-multiget REPORT (RFC 4791), and the server responds with each file’s iCalendar data\r\nembedded within CDATA tags in a calendar-data XML element.\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e\r\n\u003cmultistatus xmlns=\"DAV:\"\u003e\r\n\u003cresponse xmlns=\"DAV:\"\u003e\r\n \u003chref\u003e/path/to/event.ics\u003c/href\u003e\r\n \u003cpropstat\u003e\r\n \u003cprop\u003e\r\n \u003cgetetag xmlns=\"DAV:\"\u003e\"...\"\u003c/getetag\u003e\r\n \u003ccalendar-data xmlns=\"urn:ietf:params:xml:ns:caldav\"\u003e\r\n \u003c![CDATA[BEGIN:VCALENDAR\r\n ...\r\nThus, the attacker’s use of closing and opening CDATA tags in the .ics could potentially allow them to inject XML\r\ndata that would be processed by the user’s phone into the response. While we were not able to recover any XML\r\ndata from the .ics files, these files appear to have been updated once, judging by the SEQUENCE and LAST-MODIFIED fields.\r\nA Signature for ENDOFDAYS\r\nAll of the calendar events we identified used as part of the ENDOFDAYS attack can be detected by running the\r\nfollowing query on a phone’s Calendar.sqlitedb file.\r\nSELECT * FROM calendaritem WHERE summary=\"Meeting\" AND description=\"Notes\";\r\nThe malicious calendar events have additional distinctive characteristics that appear to always be the same. The\r\n.ics file contains invitations to two overlapping events that are backdated. On iOS 14, any iCloud calendar\r\ninvitation with a backdated time received by the phone is automatically processed and added to the user’s calendar\r\nwith no user-facing prompt or notification. 
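To run the signature above against an extracted copy of Calendar.sqlitedb rather than by hand, the following Python example, added here and not part of the Citizen Lab report, builds a constructed, minimal stand-in for the database, runs the report's Meeting/Notes query parameterised, and then tightens it with the two further characteristics described above: the events were backdated when added, and two signature events overlap each other. The table layout (a few CalendarItem columns plus a Participant table with the email and identity_id columns the spyware's cleanup queries use), the Cocoa-epoch timestamp convention and the sample rows are assumptions of the example; against a real device image the query text is the part to keep and the schema must be checked against the actual file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Apple's data stores keep timestamps as seconds since 2001-01-01 UTC (the Core
# Data convention); the example assumes Calendar.sqlitedb does the same.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# The report's signature, parameterised instead of inlined; column list is the
# constructed schema below, not the real file's.
SIGNATURE_SQL = ('SELECT ROWID, start_date, end_date, created_date FROM CalendarItem '
                 'WHERE summary = ? AND description = ?')


def cocoa(dt: datetime) -> float:
    return (dt - COCOA_EPOCH).total_seconds()


def build_sample_db() -> sqlite3.Connection:
    '''Constructed, minimal stand-in for Calendar.sqlitedb. Rows 2 and 3 are a
    pair modelled on the report's description (signature words, backdated,
    overlapping); row 4 shares the words but is an ordinary future event.'''
    con = sqlite3.connect(':memory:')
    con.executescript('''
        CREATE TABLE CalendarItem (summary TEXT, description TEXT,
                                   start_date REAL, end_date REAL, created_date REAL);
        CREATE TABLE Participant (owner_id INTEGER, email TEXT, identity_id INTEGER);
    ''')
    received = datetime(2021, 3, 2, 9, 15, tzinfo=timezone.utc)  # constructed arrival time
    backdated = received - timedelta(days=400)
    rows = [  # (summary, description, start, duration, organiser); all constructed
        ('Dentist', 'Bring insurance card', received + timedelta(days=3), timedelta(hours=1), 'friend@example.net'),
        ('Meeting', 'Notes', backdated, timedelta(hours=2), 'redacted1@icloud.com'),
        ('Meeting', 'Notes', backdated + timedelta(hours=1), timedelta(hours=2), 'redacted1@icloud.com'),
        ('Meeting', 'Notes', received + timedelta(days=7), timedelta(hours=1), 'colleague@example.org'),
    ]
    for rowid, (summary, description, start, duration, organiser) in enumerate(rows, start=1):
        con.execute('INSERT INTO CalendarItem (ROWID, summary, description, start_date, end_date, created_date) '
                    'VALUES (?,?,?,?,?,?)',
                    (rowid, summary, description, cocoa(start), cocoa(start + duration), cocoa(received)))
        con.execute('INSERT INTO Participant (owner_id, email, identity_id) VALUES (?,?,?)',
                    (rowid, organiser, rowid))
    return con


def signature_hits(con):
    '''Row ids matching the report's ENDOFDAYS signature (summary Meeting, description Notes).'''
    return [r[0] for r in con.execute(SIGNATURE_SQL, ('Meeting', 'Notes'))]


def backdated_overlapping_hits(con):
    '''Tighter check: two signature events that were backdated when added (start
    earlier than the row's creation time) and whose time ranges overlap.'''
    rows = con.execute(SIGNATURE_SQL, ('Meeting', 'Notes')).fetchall()
    flagged = set()
    for a in rows:
        for b in rows:
            if a[0] >= b[0]:
                continue  # each unordered pair once
            both_backdated = a[1] < a[3] and b[1] < b[3]
            overlap = a[1] < b[2] and b[1] < a[2]
            if both_backdated and overlap:
                flagged.update((a[0], b[0]))
    return sorted(flagged)


def organisers_for(con, rowids):
    '''Organiser addresses of flagged events: the value the spyware's cleanup
    command is scoped on, so it is worth recording before anything else.'''
    if not rowids:
        return []
    marks = ','.join('?' * len(rowids))
    sql = 'SELECT DISTINCT email FROM Participant WHERE owner_id IN (' + marks + ') ORDER BY email'
    return [r[0] for r in con.execute(sql, list(rowids))]


if __name__ == '__main__':
    db = build_sample_db()
    print('signature hits:', signature_hits(db))
    print('backdated + overlapping:', backdated_overlapping_hits(db))
    print('organisers:', organisers_for(db, backdated_overlapping_hits(db)))
```

Run against a real image, the signature query alone is the report's indicator and should be reported as such; the overlap and backdating checks are the report's stated characteristics turned into code, useful for ranking hits rather than for excluding them, since a cleaned database may retain only one half of a pair.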
We are unsure why the events are overlapping, though there may be a\r\nspecific behaviour triggered by overlapping events.\r\nWe examined Calendar.sqlitedb files from two phones which showed the\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/subridged process name in 2019 and 2020. Overall, we have\r\nnot observed any ENDOFDAYS calendar events generated prior to January 2021, leading us to believe that\r\nENDOFDAYS was targeted at iOS 14.\r\nOther Observations about ENDOFDAYS\r\nAt least one target who was notified by Apple tested positive for QuaDream’s spyware and was negative for\r\nPegasus.\r\nWe have not observed any cases of individuals targeted with ENDOFDAYS prior to January 2021 or after\r\nNovember 2021.\r\nWe have also observed evidence of infections where the QuaDream spyware payload was customised.  In one\r\ncase, we found indications that the phone’s duetexpertd process was somehow coaxed to launch a WebKit\r\ninstance, which may have been induced to navigate to a malicious URL, leading to further exploitation, and the\r\nexecution of the spyware.\r\nSummary of Target Forensics\r\nOverall, we identified at least five targets showing indicators of infection or targeting with QuaDream’s spyware\r\nor exploits. 
We attribute two cases to QuaDream’s spyware or exploits with high confidence, as they match\r\nmultiple QuaDream indicators, and three with medium confidence, as they only match a single indicator.\r\nCase | Evidence that Supports QuaDream Infection | Timeframe | Confidence\r\nC1 | subridged run from com.apple.xpc.roleaccountd.staging | Unknown | Medium\r\nC2 | subridged run from com.apple.xpc.roleaccountd.staging | 2019 | Medium\r\nC3 | subridged run from com.apple.xpc.roleaccountd.staging | 2019, 2020 | Medium\r\nC4 | ENDOFDAYS calendar events; subridged run from com.apple.xpc.roleaccountd.staging; Ectoplasm Factor | 2021 | High\r\nC5 | subridged run from com.apple.xpc.roleaccountd.staging; Ectoplasm Factor | 2021 | High\r\n4. Internet Scanning for QuaDream Servers\r\nPartners in the threat intelligence community shared a network indicator linked to QuaDream’s spyware with us.\r\nPivoting off of this indicator, we were able to devise fingerprints and identify more than 600 servers and 200\r\ndomain names that we conclude with high confidence were linked to QuaDream’s spyware between late 2021 and\r\nearly 2023, including servers that we believe are used to receive data exfiltrated from QuaDream victims, and\r\nservers used for QuaDream’s one-click browser exploits.\r\nIn several cases, we were able to trace these servers back to their operators. We believe that there are QuaDream\r\nsystems operated from the following countries:\r\nBulgaria\r\nCzech Republic\r\nHungary\r\nGhana\r\nIsrael\r\nMexico\r\nRomania\r\nSingapore\r\nUnited Arab Emirates (UAE)\r\nUzbekistan\r\nWe shared our results with Microsoft Threat Intelligence, who conducted additional scanning to identify\r\nQuaDream-linked domain names. 
Microsoft Threat Intelligence are publishing the results of their scanning in their\r\nreport.\r\nCountries of Concern\r\nHungary, Mexico, and the United Arab Emirates are known to abuse spyware to target human rights defenders\r\n(HRDs), journalists, and other members of civil society. The Citizen Lab has reported extensively on spyware\r\nabuse in Mexico. A report published in March 2023 by Mexican digital rights organisation R3D uncovered\r\nevidence that Mexico’s Army was behind some of this surveillance abuse. The Citizen Lab has also reported\r\nextensively on the UAE Government’s abuse of spyware to target HRDs, intellectuals and activists. The Pegasus\r\nProject uncovered evidence suggesting that Hungary’s government was behind the abusive use of spyware to\r\ntarget Hungarian journalists, and the Citizen Lab verified that Hungarian photojournalist Dániel Németh’s phone\r\nwas infected with Pegasus.\r\nWe cannot determine if the systems operated from Israel are operated by the Israeli government or QuaDream\r\nitself. Nevertheless, the Israeli government is also suspected to have abused mercenary spyware to target\r\nPalestinian HRDs, as well as domestic political activists.\r\nAdditionally, several other countries are known to have deficiencies in surveillance oversight, or otherwise poor\r\nhuman rights records. Uzbekistan has a long record of serious human rights violations, and the regime imposes\r\nsignificant restrictions on basic human rights, including freedom of expression, association, and peaceful\r\nassembly. Singapore’s constitution does not recognize the right to privacy, and state authorities have broad\r\nsurveillance powers that bypass standard judicial mechanisms.\r\n5. Request for Comment\r\nOn April 7, 2022, the Citizen Lab sent an email to Vibeke Dank, who is listed as QuaDream’s legal counsel,\r\nasking questions about how QuaDream’s business practices take into account human rights and the potential for\r\nspyware abuse, and inviting comment on the locations of suspected operators we identify in our report. We\r\nreceived no response as of the date of publication of this report.\r\n6. Conclusion\r\nQuaDream’s obscurity reflects an effort to avoid media scrutiny that was successful, for a time. Yet once\r\nQuaDream infections became discoverable through technical methods, a predictable cast of victims emerged: civil\r\nsociety and journalists. This pattern is a repetition of the abuses found with more notorious players, like NSO\r\nGroup’s Pegasus spyware, Cytrox’s Predator spyware, and before them Hacking Team and FinFisher.\r\nQuaDream has been in business for several years, has developed sophisticated spyware products, and appears to\r\nhave dealings with numerous government clients around the world. The firm has common roots with NSO Group,\r\nas well as other companies in the Israeli commercial spyware industry, and the Israeli government’s own\r\nintelligence agencies.\r\nLike NSO Group, Intellexa, and other commercial spyware firms we have studied, QuaDream employs\r\ncomplicated and opaque corporate practices that may be designed to evade public scrutiny and accountability. For\r\nexample, it appears that its troubled partnership with InReach may have been designed as a way to evade export\r\ncontrols and government oversight. 
Such convoluted corporate structures impair accountability by impeding\r\ninvestigations and making it difficult to ensure that companies are operating in compliance with applicable laws\r\nand regulations.\r\nUltimately, this report is a reminder that the industry for mercenary spyware is larger than any one company, and\r\nthat continued vigilance is required by researchers and potential targets alike.  Until the out-of-control\r\nproliferation of commercial spyware is successfully curtailed through systemic government regulations, the\r\nnumber of abuse cases is likely to continue to grow, fueled both by companies with recognizable names, as well as\r\nothers still operating in the shadows.\r\nAppendix A: Key Individuals at QuaDream and InReach\r\nWe have identified key individuals associated with QuaDream and InReach through a review of corporate\r\ndocuments, newspaper articles, and various databases.\r\nKey Individuals at QuaDream\r\nIlan Dabelstein: Dabelstein is a former Israeli military official who holds a significant position in\r\nQuaDream as a co-founder, major shareholder, and board member. Corporate registration documents in\r\nIsrael dated February 17, 2021 indicated that he held the position of CEO. According to a June 22, 2022,\r\nreport by Intelligence Online, Ilan Dabelstein is the only founding member still holding shares in\r\nQuaDream.\r\nGuy Geva and Nimrod Rinsky: According to documents obtained from Israel’s corporate register, Geva\r\nand Rinsky are co-founders and significant shareholders in QuaDream who, according to Reuters, both\r\npreviously worked for NSO Group. 
Although the latest documents we obtained from Israel’s corporate\r\nregister show Geva and Rinsky are shareholders in QuaDream, Intelligence Online reported that both men\r\nsold their shares in the company in early 2022.\r\nVibeke Dank: According to Israeli corporate registration documents, Dank is a lawyer who has been\r\ngranted authority to sign legal documents on behalf of QuaDream. Reuters noted that Dank’s email address\r\nwas listed on QuaDream’s corporate registration form. A recent Intelligence Online report pointed to Dank’s\r\nrole in providing legal assistance to mercenary spyware vendors, such as NSO Group, QuaDream, and\r\nNFV Systems, which were sanctioned by the Israeli Defense Ministry in March 2023.\r\nAvi Rabinowitz/Avi Rabinovitch: Rabinowitz (or Rabinovitch) is a key principal and CEO at QuaDream\r\naccording to DNB and Haaretz. He was also described by QuaDream in the Cypriot Case File as\r\nQuaDream’s “sales manager.” According to his LinkedIn profile, he served as an Executive VP of sales of a\r\n“Cyber Startup” from November 2018 to May 2021, “CEO” from June 2021 to January 2023, and as of\r\nJanuary 2023, he has been “Cooking New Things.” Prior to working at QuaDream, Rabinovitch co-founded a company called Mabaya which was later sold to the NASDAQ listed company, Criteo. Prior to\r\nthis, he worked for Verint in a sales role for over 8 years.\r\nZvi Fischler: In November 2019, Intelligence Online reported that Fischler “was QuaDream’s head of\r\nsales for a long time.” According to his LinkedIn, Fischler was an officer in the elite intelligence unit in the\r\nIsraeli military for 16 years (1973-1989). Following that period, he spent 22 years at Verint (1993-2015) in\r\nsales and marketing for the EMEA region. 
In January 2019, he listed himself as a self-employed “sales\r\nspecialist.” Fischler and Rabinovitch are connected on LinkedIn, with the latter having “endorsed” the\r\nformer in “telecommunication” skills.\r\nLora Plotkin: Plotkin is a former shareholder of QuaDream and a former finance manager at InReach.\r\nUri Ashkenazi: Intelligence Online reported in July 2022 that Ashkenazi was building up his interests in\r\nIsraeli cyber intelligence and acquired shares in QuaDream. He is also one of the main shareholders of\r\nD\u0026W Ventures which holds a substantial stake in QuaDream. Ashkenazi, as reports describe him, is an\r\nIsraeli financier who is increasingly investing in Israel’s cyber intelligence sector. His LinkedIn profile\r\nstates that he is the Managing Partner of Titan Ventures, a venture capital fund that invests in early stage\r\nstartups, with a focus on disruptive software solutions for the cyber intelligence and defence industries. He\r\nis also an investor in other companies such as Cobwebs and Falkor.\r\nKey Individuals at InReach\r\nRoy Glasberg Keller: The articles of incorporation of InReach identify Cycotech Ltd. as the sole owner of\r\nInReach with 1000 shares. Cycotech was incorporated in Cyprus on August 31, 2017. It was originally\r\nregistered under the name “Zovisel” but then changed its name to Cycotech shortly after. Cycotech’s\r\narticles of incorporation indicate that Roy Glasberg Keller, an Israeli businessman living in America, is the\r\nsole shareholder with 1000 shares. This makes Keller the sole shareholder of InReach.\r\nAccording to his LinkedIn profile, Keller is based in Los Angeles, California. He is the CTO of Prelude Communications and\r\ndescribes himself on LinkedIn as having:\r\nspent his carrier [sic] advancing cyber and information security from service in the Israeli Air\r\nForce to a US vice president and a senior strategic advisor at Verint (NASDAQ:VRNT) a world\r\nleader in actionable intelligence. 
Roy lead [sic] teams in support of US and NATO forces in the\r\nwar on terror in operational assessment and in the field. Roy also supports the correction\r\nindustry ongoing effort to defeat the cell phones in correction facilities both in the US and\r\ninternationally [sic].\r\nHe appears to have served in the Israeli Air Force between 1992 and 1999 and held the position of CEO of\r\nU-TX between 2007 and 2014. After U-TX was acquired by Verint, he became the CEO of U-TX for a year\r\nand then served for one more year as a VP senior strategic advisor at Verint. His time at Verint overlapped\r\nwith Fischler.\r\nDoron Breiter, Christos Shiakallis, and Nenad Grozdanic: Breiter, Shiakallis, and Grozdanic are the three\r\nfounders of InReach. Grozdanic is the company’s chief information officer (CIO). The three founders were\r\npreviously with U-TX Technologies. U-TX was acquired by Verint in 2014 for $83 million. While media\r\nreports suggest that Shiakallis and Grozdanic are the owners of InReach, the corporate documents we\r\nobtained from the Cypriot company register show that Cycotech Ltd. is the sole owner.\r\nDoron Breiter: Reports from Intelligence Online identify him as one of the founders of InReach. His\r\nLinkedIn profile indicates that he is currently residing in Cyprus and holds two current roles, one as a\r\n“consultant at a startup in stealth mode” and the other as a “Co-Founder of Confidential.” He also appears\r\nto have professional connections with Verint. He filed four patent applications related to IMSI products\r\nwith Verint in 2015, 2017, and 2019. Moreover, a recent patent application filed in the US in 2020 suggests\r\nthat he may also have ties to the Israeli company Cognyte.\r\nChristos Shiakallis: Shiakallis is one of the founders of InReach. 
He completed his MBA at the Kellogg\r\nSchool of Management in Illinois, like Breiter and Keller. According to his LinkedIn profile, he is based in\r\nDubai, UAE, and similar to Breiter, since July 2018 to date, he has been a consultant at “start-up in stealth\r\nmode” and a “co-founder in confidential.”\r\nNenad Grozdanic: According to Intelligence Online, Nenad is one of the founders of InReach. The Cypriot\r\nCase File describes him as the company’s General Manager and Chief Information Officer. According to\r\nhis LinkedIn page, Nenad is based in Dubai and is a “senior systems architect at confidential.”\r\nLora Plotkin: Along with being a former shareholder of QuaDream, according to the Cypriot Case File,\r\nPlotkin is also the former finance manager at InReach. QuaDream claims in the Cyprus proceedings that\r\nshe was the method by which QuaDream exercised oversight of InReach’s finances. Plotkin is a member of\r\na Facebook group called “Questions and Answers – Help for startups.” In July 2017, three months before\r\nthe agreement with InReach was signed, she posted a message on the group asking to consult with an\r\nexpert on “indirect” exporting.\r\nSavvas Angelides and Christos Ioannides: A.I.L Nominee Services Ltd (A.I.L) are listed as InReach’s\r\ndirector and secretary in corporate filings obtained from Cyprus (the company is also the director and\r\nsecretary of Cycotech). A.I.L was registered in Cyprus on 27 July 2010 and states its principal activities as\r\n“business, management and consultancy services.” Savvas Angelides was a founding shareholder in A.I.L.\r\nAngelides is the current Deputy Attorney General and former Minister of Defence of Cyprus. He\r\ntransferred his shares in A.I.L. to Christos Ioannides on 16 February 2018 and was appointed Minister of\r\nDefence on 1 March 2018. On 29 June 2020, he was appointed Deputy Attorney General. 
Ioannides\r\nremains the only shareholder of A.I.L.\r\nAcknowledgements\r\nhttps://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/\r\nPage 13 of 14\n\nWe are especially grateful to the victims and suspected targets in this investigation. Although they are not named\r\nin this initial report, without their willingness to share materials for analysis, this report would not have been\r\npossible.\r\nWe are grateful to Adam Senft and Snigdha Basu for editorial assistance, and Mari Zhou for graphical work on\r\nthis report.\r\nSpecial thanks to Access Now, especially the Digital Security Helpline.\r\nSpecial thanks to Microsoft Threat Intelligence for sharing samples, and Censys.\r\nSpecial thanks to TNG and CQ.\r\nSource: https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/\r\nhttps://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/\r\nPage 14 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/"
	],
	"report_names": [
		"spyware-vendor-quadream-exploits-victims-customers"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b8c7c542-43ed-498c-af6b-b4b5f0c75724",
			"created_at": "2024-02-02T02:00:04.026045Z",
			"updated_at": "2026-04-10T02:00:03.529714Z",
			"deleted_at": null,
			"main_name": "Carmine Tsunami",
			"aliases": [
				"DEV-0196",
				"QuaDream"
			],
			"source_name": "MISPGALAXY:Carmine Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434205,
	"ts_updated_at": 1775791846,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26977250193b4e7d3fa9f4bcb81da66cd88f6541.pdf",
		"text": "https://archive.orkl.eu/26977250193b4e7d3fa9f4bcb81da66cd88f6541.txt",
		"img": "https://archive.orkl.eu/26977250193b4e7d3fa9f4bcb81da66cd88f6541.jpg"
	}
}