{
	"id": "2d56bf91-5f81-4b5c-9f44-ac7c59d5d028",
	"created_at": "2026-04-06T00:13:16.342393Z",
	"updated_at": "2026-04-10T03:22:00.164527Z",
	"deleted_at": null,
	"sha1_hash": "53f9dff40ef0daaa286485be3cace6fc2ecc90d5",
	"title": "Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79128,
	"plain_text": "Predator Spyware Resurgence: Insikt Group Exposes New Global\r\nInfrastructure\r\nBy Insikt Group®\r\nArchived: 2026-04-05 15:58:10 UTC\r\nExecutive Summary\r\nFollowing major public exposures by Insikt Group and others throughout the last two years, alongside US\r\ngovernment sanctions targeting the Intellexa Consortium — the organizational structure behind the Predator\r\nmobile spyware — Insikt Group observed a significant decline in Predator-related activity. This apparent decline\r\nraised questions about whether the combination of US sanctions, public exposure, and broader international efforts\r\nto curb spyware proliferation, such as the UK and France-led Pall Mall process, had dealt a lasting blow to\r\nIntellexa’s operations. Yet, Predator activity has not stopped, and in recent months, Insikt Group has observed a\r\nresurgence of activity, reflecting the operators’ continued persistence. While much of the identified infrastructure\r\nis tied to known Predator operators in countries previously identified by Insikt Group, a new customer has also\r\nbeen identified in Mozambique — a country not previously publicly linked to the spyware. This aligns with the\r\nbroader observation that Predator is highly active in Africa, with over half of its identified customers located on\r\nthe continent. Additionally, Insikt Group has found a connection between high-tier Predator infrastructure and a\r\nCzech entity previously associated with the Intellexa Consortium.\r\nThe deployment of spyware like Predator beyond legitimate criminal or counterterrorism use poses serious threats\r\nto privacy, legal rights, and the physical safety of both direct targets and associated individuals. While most\r\nknown cases of abuse have targeted civil society and political activists, individuals and organizations in regions\r\nwith a record of spyware misuse should remain vigilant, regardless of sector. 
Given Predator’s expensive licensing\r\nmodel, its use is typically reserved for high-value, strategic targets. This makes politicians, corporate executives,\r\nand others in sensitive positions especially vulnerable due to the intelligence they may possess. The use of\r\nspyware against political opposition figures is currently under investigation in several EU countries, reflecting\r\nwider global efforts to curb the activities of mercenary spyware developers.\r\nAs outlined in Insikt Group’s previous reports on Predator, defenders should follow recommended best practices.\r\nThese include ensuring personal and corporate devices are kept separate, regularly updating phones, encouraging\r\nperiodic device reboots (though this may not always fully eliminate Predator), using lockdown mode, and\r\nimplementing a mobile device management (MDM) system. Additionally, investing in security awareness training\r\nfor employees and fostering a culture of minimal data exposure are essential for reducing the risk of successful\r\nspearphishing attacks and limiting data theft in the event of a breach.\r\nhttps://www.recordedfuture.com/research/predator-still-active-new-links-identified\r\nPage 1 of 5\n\nInsikt Group expects the mercenary spyware market to continue expanding, fueled by sustained demand and\r\ncorporate profitability. This growth will likely be accompanied by ongoing innovation, as rising competition and\r\nstrengthened IT security among targets drive the development of new products and techniques. For instance, as\r\ndefenders work to eliminate entire classes of vulnerabilities, spyware operators may adapt by targeting alternatives\r\nsuch as cloud backups accessed via stolen credentials or by employing new deployment methods. As these tools\r\nproliferate and techniques evolve, the range of victims is likely to extend beyond civil society, influencing\r\npolitical discourse and sparking further legal confrontations. 
Recent court rulings in favor of technology\r\ncompanies against spyware vendors may set a precedent, encouraging more firms to actively challenge the misuse\r\nof their platforms. Insikt Group anticipates that spyware vendors will continue leveraging complex corporate\r\nstructures to evade sanctions or detection, while increasingly tailoring their operations to specific regions, a trend\r\noften described as the balkanization of the ecosystem.\r\nKey Findings\r\nInsikt Group has identified new infrastructure associated with Predator, indicating continued operations\r\ndespite public exposure, international sanctions, and policy interventions.\r\nThe newly identified infrastructure includes both victim-facing Tier 1 servers as well as high-tier\r\ncomponents that likely link back to Predator operators in various countries.\r\nAlthough much of Predator’s infrastructure remains consistent with previous reporting, its operators have\r\nintroduced changes designed to further evade detection — a pattern Insikt Group noted in earlier reporting.\r\nInsikt Group has detected Predator-related activity in several countries throughout the last twelve months\r\nand is the first to report a suspected Predator operator presence in Mozambique.\r\nInsikt Group also connected components of Predator’s infrastructure to a Czech entity previously linked\r\nwith the Intellexa Consortium by a Czech investigative outlet.\r\nBackground\r\nPredator is a sophisticated mercenary spyware targeting both Android and iPhone devices and has been active\r\nsince at least 2019. Originally developed by Cytrox and now operated under the Intellexa alliance, Predator is\r\nengineered for flexibility and stealth, leaving minimal evidence on infected devices and making external\r\ninvestigations into abuse particularly challenging. 
Once deployed, Predator provides complete access to a device’s\r\nmicrophone, camera, and all data — such as contacts, messages, photos, and videos — without the victim’s\r\nawareness. The spyware’s modular design, based on Python, allows operators to introduce new features remotely,\r\nwithout the need to re-exploit the device.\r\nPredator can be delivered through both \"1-click\" and \"zero-click\" attack vectors. \"1-click\" attacks rely on social\r\nengineering messages with malicious links that require user interaction (1, 2, 3), while \"zero-click\" attacks,\r\ndescribed in the \"Predator Files,\" involve techniques that do not require any action from the target, such as\r\nnetwork injection or proximity-based methods. However, there have been no confirmed cases of Predator using\r\nfully remote \"zero-click\" exploits like those seen with NSO Group Pegasus, which can compromise devices\r\nthrough messaging apps without any user interaction (for example, FORCEDENTRY or BLASTPASS).\r\nOver the past two years, Insikt Group has identified suspected Predator operators in more than a dozen countries,\r\nincluding in Angola, Armenia, Botswana, the Democratic Republic of the Congo, Egypt, Indonesia, Kazakhstan,\r\nMongolia, Mozambique, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago (1, 2). Notably, this is the\r\nfirst public report to identify Mozambique as a suspected customer. While Predator is ostensibly marketed for\r\ncounterterrorism and law enforcement purposes, previous reporting has documented a clear pattern of its\r\ndeployment against civil society actors, including journalists and activists, and politicians (1, 2, 3, 4). 
These\r\ninstances described in earlier reports likely represent only a small portion of the overall abuses, given the\r\nwidespread use of mercenary spyware like Predator, the difficulty of detection, and limited victim support. It is\r\nimportant to emphasize the risk of cross-border targeting, which has been observed not only with Predator, where\r\nan operator linked to Vietnam has targeted EU officials and members of the European Parliament, but also with\r\nother mercenary spyware, such as Pegasus.\r\nDespite increased public reporting on Predator’s infrastructure and techniques, as well as growing attention to\r\nIntellexa’s corporate structure, Predator operations remain active. This persistence continues even after measures\r\nsuch as US sanctions, an EU resolution, a US visa ban on Intellexa affiliates, and the launch of the Pall Mall\r\nProcess, alongside likely rising exploit costs, particularly for iPhones. This likely reflects growing demand for\r\nspyware tools, especially in countries facing export restrictions, ongoing technical innovation in response to\r\npublic reporting and security enhancements, and increasingly complex corporate structures designed to impede\r\nsanctions and attribution. One such example, involving a Czech entity likely linked to Predator operations, is\r\ndiscussed later in this report.\r\nThreat Analysis\r\nTier 1 (C2) Servers\r\nInsikt Group has identified new victim-facing Tier 1 (C2) infrastructure that is highly likely associated with\r\nPredator, including domains and IP addresses. Although the specific functions of these domains and IP addresses\r\nhave not yet been confirmed, they are probably involved in payload delivery and the exploitation process,\r\nconsistent with previous infrastructure linked to Predator. 
A table in Appendix B presents the domains and IP\r\naddresses observed over the past twelve months.\r\nPreviously, domains linked to Predator often impersonated specific organizations, such as frequently visited local\r\nnews outlets, as Insikt Group has reported in the past (1, 2). However, this pattern began to gradually shift\r\nfollowing increased media attention and public reporting from the end of 2023 onward. More recent domains now\r\ntypically consist of two or more seemingly random English words. Insikt Group has observed that some of these\r\ndomains reuse particular keywords; for instance, both boundbreeze[.]com and branchbreeze[.]com share the word\r\n\"breeze\". In a few recent cases, domains feature Portuguese-language words, which likely reflect the language of\r\nintended targets. Additionally, certain domains contain keywords that could provide clues to their targeting, such\r\nas keep-badinigroups[.]com, which may refer to communities or groups associated with the Badini dialect spoken\r\nin the Badinan region of Iraqi Kurdistan.\r\nThe majority of identified domains have been registered through the registrar PDR Ltd. d/b/a\r\nPublicDomainRegistry.com and typically use name servers associated with orderbox-dns[.]com, among others.\r\nWhile Predator infrastructure has historically favored certain autonomous system numbers (ASNs) such as\r\nAS62005, AS61138, and AS44066, Insikt Group has observed that more recent Predator-linked domains are being\r\nhosted on a broader range of ASNs — including AS42708, AS20473, and AS44477 — which have not previously\r\n
Notably, Insikt Group also identified at least one instance where a server tied\r\nto higher-tier Predator infrastructure was hosted with Stark Industries.\r\nSuspected Infrastructure Detection Evasion Strategies\r\nIn response to ongoing public exposure, the operators behind Predator have adopted various tactics to evade\r\ndetection. These involve using more varied server configurations than previously reported, expanding the diversity\r\nof ASNs, and introducing additional layers to their multi-tiered infrastructure, among other approaches. One\r\nnotable strategy involves the use of fake websites, which generally fall into four main categories: fake 404 error\r\npages, counterfeit login or registration pages, sites indicating that they are under construction, and websites\r\npurporting to be associated with specific entities, such as a conference (see Figures 1-4).\r\nMulti-Tiered Infrastructure\r\nAs previously reported by Insikt Group, Predator customers continue to use a multi-tiered infrastructure network,\r\nwhich is likely designed to enable the targeting of specific individuals or entities (see Figure 5). This network\r\nclosely resembles the high-level architecture outlined in Amnesty’s October 2023 report, but it has continued to\r\nevolve since then. Earlier versions of Predator’s multi-tiered infrastructure, reported by Insikt Group in March\r\n2024, featured only three layers. The addition of a fourth layer in the current design is likely intended to further\r\nobscure the identification of countries suspected of deploying Predator.\r\nLeveraging Recorded Future® Network Intelligence, Insikt Group has observed that Tier 1 servers consistently\r\ncommunicate with a dedicated Tier 2 upstream virtual private server (VPS) IP address using Transmission Control\r\nProtocol (TCP) port 10514. 
These upstream servers likely function as anonymization hop points, making it more\r\ndifficult to associate Tier 1 servers directly with individual Predator customers. Communication over TCP port\r\n10514 is also consistently observed between Tier 2 and Tier 3 servers. Subsequently, Tier 3 servers relay traffic to\r\nthe Tier 4 layer, which appears to correspond to static, in-country ISP IP addresses suspected to be under the\r\ncontrol of Predator customers. In every instance analyzed, both the Tier 1 servers and their corresponding\r\nupstream servers appeared to be dedicated exclusively to a single customer.\r\nWhile only Tiers 1 through 4 appear directly connected to the operational infrastructure of Predator customers,\r\nInsikt Group has also been monitoring an additional layer, tracked as Tier 5, that seems to play a central, though\r\nstill unclear, role in Predator-related operations. Tier 5 servers have been linked to an entity in the Czech Republic,\r\nFoxITech s.r.o., which has previously been publicly associated with Intellexa and is discussed further in the\r\nConnection to Czech Entity section.\r\nSuspected Predator Usage Within Specific Countries\r\nSince Insikt Group began reporting on Predator in March 2024, suspected operators of the spyware have been\r\nidentified in over a dozen countries worldwide. While several of these operators have remained active in the past\r\ntwelve months, activity appears to have ceased in some locations, likely due to public reporting, leading to an\r\noverall lower number of current Predator operators. For example, in the Democratic Republic of the Congo\r\n(DRC), operations seem to have stopped about two weeks after Insikt Group published its findings on DRC-linked\r\nactivity in September 2024. 
Similarly, the suspected operator in Angola became inactive around the same period,\r\nonly to resume activity in early 2025, based on Recorded Future Network Intelligence. Additionally, Insikt Group\r\nhas uncovered evidence of Predator use in Mozambique — a country where no Predator operators had been\r\nidentified before this report.\r\nMozambique\r\nDrawing on Recorded Future Network Intelligence and other artifacts, Insikt Group attributes the domains listed\r\nin Table 1 with high confidence to a suspected Predator operator based in Mozambique. Additionally, several\r\nother domains, including mdundobeats[.]com, noticiafamosos[.]com, and onelifestyle24[.]com, as well as others\r\nfrom Appendix B, are likely linked to the same customer based on various technical indicators in Recorded\r\nFuture sources. Notably, all IP addresses associated with these domains, except for the one hosting\r\nonelifestyle24[.]com, fall within the same two /24 CIDR ranges. Insikt Group further assesses, using both\r\nRecorded Future Network Intelligence and passive DNS data, that the suspected Predator operator in Mozambique\r\nbecame active during the first half of 2024 and still appears to be active at the time of writing.\r\nSource: https://www.recordedfuture.com/research/predator-still-active-new-links-identified",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.recordedfuture.com/research/predator-still-active-new-links-identified"
	],
	"report_names": [
		"predator-still-active-new-links-identified"
	],
	"threat_actors": [],
	"ts_created_at": 1775434396,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53f9dff40ef0daaa286485be3cace6fc2ecc90d5.pdf",
		"text": "https://archive.orkl.eu/53f9dff40ef0daaa286485be3cace6fc2ecc90d5.txt",
		"img": "https://archive.orkl.eu/53f9dff40ef0daaa286485be3cace6fc2ecc90d5.jpg"
	}
}