{
	"id": "db5259d8-3562-4b47-8a01-ca2189d3f55d",
	"created_at": "2026-04-06T01:29:43.898203Z",
	"updated_at": "2026-04-10T03:33:20.554163Z",
	"deleted_at": null,
	"sha1_hash": "bd9efc9ae8dc0a6d0f8ce9de4335821c746ba040",
	"title": "Pegasus vs. Predator: Dissident's Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4099468,
	"plain_text": "Pegasus vs. Predator: Dissident's Doubly-Infected iPhone Reveals\r\nCytrox Mercenary Spyware - The Citizen Lab\r\nArchived: 2026-04-06 00:46:36 UTC\r\nKey Findings\r\nTwo Egyptians—exiled politician Ayman Nour and the host of a popular news program (who wishes to\r\nremain anonymous)—were hacked with Predator spyware, built and sold by the previously little-known\r\nmercenary spyware developer Cytrox.\r\nThe phone of Ayman Nour was simultaneously infected with both Cytrox’s Predator and NSO Group’s\r\nPegasus spyware, operated by two different government clients.\r\nBoth targets were hacked with Predator in June 2021, and the spyware was able to infect the then-latest\r\nversion (14.6) of Apple’s iOS operating system using single-click links sent via WhatsApp.\r\nWe obtained samples of Predator’s “loader,” the first phase of the spyware, and analyzed their\r\nfunctionality. We found that Predator persists after reboot using the iOS automations feature.\r\nWe conducted Internet scanning for Predator spyware servers and found likely Predator customers in\r\nArmenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.\r\nCytrox was reported to be part of Intellexa, the so-called “Star Alliance of spyware,” which was formed to\r\ncompete with NSO Group, and which describes itself as “EU-based and regulated, with six sites and R\u0026D\r\nlabs throughout Europe.”\r\n1. 
Background\r\nWe confirmed the hacking of the devices of two individuals with Cytrox’s Predator spyware: Ayman Nour, a\r\nmember of the Egyptian political opposition living in exile in Turkey, and an Egyptian exiled journalist who hosts\r\na popular news program and wishes to remain anonymous.\r\nAyman Nour is the president of the Egyptian political opposition group Union of the Egyptian National Forces.\r\nNour is also a former Egyptian presidential candidate and founder and chairperson of the Ghad al-Thawra party.1\r\nIn 2005, Nour ran against former Egyptian President Hosni Mubarak. After the election, Nour was convicted of\r\n“forging signatures on petitions” filed to create his political party—a charge which was widely considered to be\r\n“politically inspired”—and imprisoned for more than four years. Nour was finally released from prison in 2009 on\r\nhealth grounds and after international pressure.\r\nNour was a candidate of the Ghad Al-Thawra party in the 2012 Egyptian presidential elections. He was excluded\r\nfrom the elections along with a number of other opposition candidates. In 2013, after opposing President Abdel\r\nFattah El-Sisi’s military coup, Nour fled Egypt for Lebanon. In 2015, the Egyptian embassy in Lebanon declined\r\nto renew his passport and Nour departed Lebanon for Turkey, where he has resided since 2015. He remains a\r\nvocal critic of Sisi’s regime, describing his government as an “oppressive military regime.” He has also accused\r\nSisi’s government of “extreme human rights violations” and of turning the country into a “fully autocratic state.”\r\nhttps://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/\r\nPage 1 of 23\n\nThe second target whose phone we confirmed was hacked with Cytrox’s Predator spyware is an Egyptian exiled\r\njournalist and an outspoken critic of the Sisi regime. This target has chosen to remain anonymous.\r\n1.1. 
Enter: Cytrox\r\nCytrox was founded in 2017. Its business activity is blandly described in Crunchbase as providing governments with an\r\n“operational cyber solution” that includes gathering information from devices and cloud services. In Pitchbook,\r\ntheir technology is defined as “cyber intelligence systems designed to offer security” to governments and assist\r\nwith “designing, managing and implementing cyber intelligence gathering in the network, enabling businesses to\r\ngather intelligence from both end devices as well as from cloud services.”\r\nCytrox reportedly began life as a North Macedonian start-up.2 A review of corporate registry documents shows\r\nthat Cytrox appears to have a corporate presence in Israel and Hungary.\r\nCytrox’s Israeli companies were founded in 2017 as Cytrox EMEA Ltd. and Cytrox Software Ltd. Perhaps taking\r\na page from Candiru’s corporate obfuscation playbook, both of those companies were renamed in 2019 to\r\nBalinese Ltd. and Peterbald Ltd., respectively. We also observed one entity in Hungary, Cytrox Holdings Zrt,\r\nwhich was also formed in 2017.\r\nAt the time of writing, we believe that Cytrox’s CEO is Ivo Malinkovski, as stated on his LinkedIn page. Notably,\r\nMalinkovski’s now-private Instagram account includes a 2019 image of him in front of the Pyramids of Giza in\r\nEgypt.\r\nA 2019 report in Forbes states that Cytrox was “rescued” by Tal Dilian, a former Israel Defence Forces (IDF) Unit\r\n81 commander, whose company WiSpear (which appears to have been renamed Passitora Ltd.) is based in\r\nLimassol, Cyprus and reportedly acquired Cytrox in 2018 according to the Atooro Fund. Dilian is also known as\r\nthe founder of Circles, a prominent cellular network surveillance company. In December 2020, the Citizen Lab\r\npublished an investigation into Circles’ government clients. 
Dilian is also the founder and CEO of Intellexa.\r\n1.2. Cytrox, a Part of the “Intellexa Alliance”\r\nThe following section is not a complete accounting of the relationship between Cytrox and other entities. It is\r\nbased on a review of a mix of media reports and a non-exhaustive review of company registries across various\r\njurisdictions. Additional research into Intellexa and the companies that form this marketing alliance could\r\npotentially provide useful insight into how commercial surveillance companies employ complex business\r\nstructures and use measures that obfuscate their operations.\r\nThe Link Between Cytrox and Intellexa\r\nCytrox is part of the so-called “Intellexa alliance,” a marketing label for a range of mercenary surveillance\r\nvendors that emerged in 2019. The consortium of companies includes Nexa Technologies (formerly Amesys),\r\nWiSpear/Passitora Ltd., Cytrox, and Senpai, along with other unnamed entities, purportedly seeking to compete\r\nagainst other players in the cyber surveillance market such as NSO Group and Verint.\r\nIntellexa was originally based in Cyprus; a recent report indicates that it now operates from Greece, which is also listed\r\nas the LinkedIn location of its founder, Dilian. A preliminary review of corporate registry documentation suggests\r\nthat the alliance has a corporate presence in not only Greece (Intellexa S.A.), but also in Ireland (Intellexa\r\nLimited).3 The Dun \u0026 Bradstreet entries for Intellexa S.A. and Intellexa Limited note Sara-Aleksandra Fayssal\r\nHamou (or Sara Hamou) as a key principal in both companies. Hamou is reportedly Dilian’s second wife.\r\nIn our preliminary research, the specific link between Cytrox and Intellexa, as well as other companies in the\r\n“alliance,” remains murky at best. In reviewing filings in the Israeli business registry, we observed a 2020 transfer\r\nof all shares held by Cytrox Holdings Zrt (Hungary) in Cytrox EMEA Ltd./Balinese Ltd. 
(Israel) to Aliada Group\r\nInc., an entity registered in the British Virgin Islands (registration no. 1926732). Prior to this share transfer, Cytrox\r\nHoldings Zrt appears to have been the sole shareholder in Cytrox EMEA Ltd./Balinese, and after this\r\nshare transfer it seems to remain the sole shareholder in Cytrox Software Ltd./Peterbald. Further, an article from\r\nIntelligence Online in 2017 notes that WiSpear Systems is “owned by Aliada Group Inc.”\r\nInformation on Aliada Group Inc. is relatively scant. The same 2017 article from Intelligence Online notes that\r\nAliada Group Inc. is “backed by the private equity firm Mivtach-Shamir, which spent $3.5 million to acquire a\r\n32% stake in Aliada in December 2016, along with an option to acquire an additional 5%.” Mivtach-Shamir is “a\r\npublicly-traded Israeli investment company” founded by Meir Shamir. In reviewing entries for WiSpear/Passitora\r\nLtd. in Cyprus’ business registry, we noted that “Mivtah Shamir Technologies (2000) Ltd.” is listed as a director of\r\nPassitora Ltd., along with Dilian. We also found an entry in the Israeli business registry for a “Mivtach Shamir\r\nTechnologies (2000) Ltd.,” which was apparently incorporated in 2000.\r\nFurther, a 2020 Haaretz article noted that Avi Rubinstein, a “high-tech entrepreneur, filed a lawsuit against Dilian\r\nin Tel Aviv District Court.”4 According to Haaretz, Aliada Group Inc. is described in the litigation as “a group of\r\ncyberweapon companies whose products are branded under the name Intellexa.” Two other individuals, Oz Liv,\r\nwho was also a commander in Unit 81, and Meir Shamir, are also named as defendants. 
According to Haaretz,\r\nthese two individuals, along with Rubinstein, who filed the suit, and Dilian, are all shareholders in Aliada Group\r\nInc.\r\nHaaretz further notes that Rubinstein is accusing Dilian, Liv, and Shamir of acting “illegally to dilute\r\n[Rubinstein’s] own shares through a pyramid of companies set up overseas. Some of those companies were\r\nestablished via front men connected to Dilian, including his second wife, Sara Hamou” (as noted above, Hamou’s\r\nname appears in corporate registry listings in the Dun \u0026 Bradstreet database for Intellexa entities in Ireland and\r\nGreece). The lawsuit also reportedly claimed that “this transfer of Aliada’s activities out of Israel via shell\r\ncompanies, first to the British Virgin Islands and later Ireland, violated both Israeli and foreign defense export\r\ncontrol laws.”\r\nAccording to the BVI Registrar of Corporate Affairs, as of the date of publication of this report, Aliada Group\r\nInc.’s legal status is “in penalty” due to nonpayment of annual fees. In addition, the registered agent filed an intent\r\nto resign on November 12, 2021. The reason for the resignation is as yet unclear.\r\nIntellexa’s Products\r\nA prior version of the Intellexa website markets “intelligence solutions” including “tactical interception.” The\r\nmarketing of interception was also underscored in Dilian’s 2019 Forbes interview. However, at the time of\r\nwriting, the website is considerably more vague about the company’s activities. 
In its current form, Intellexa’s\r\nwebsite and associated videos pitch a product called “Nebula” which is described as a ‘holistic’ intelligence\r\ngathering and analysis platform.\r\nThe company’s website prominently features the claim that it is “EU-based and regulated.” This claim is\r\ninteresting given the track record of some of Intellexa’s participating corporate entities, which have been riddled\r\nwith legal issues and other controversy. For example, in June 2021, executives of Amesys and Nexa Technologies\r\nwere indicted by investigating judges with the crimes against humanity and war crimes unit of the Paris Judicial\r\nCourt for complicity in torture in relation to product sales to the Libyan government and complicity in torture and\r\nforced disappearance in relation to product sales to the Egyptian government.\r\nDilian has also been followed by reports of legal and other irregularities, both during his time in the Israeli\r\nmilitary and in his new career as a mercenary surveillance tech vendor. In 2019, after courting publicity with a\r\ndemonstration to Forbes of a “$9 million signals intelligence van” with communications hacking capabilities in\r\nCyprus, WiSpear and Tal Dilian attracted police interest. The van was confiscated by Cypriot authorities, several\r\nWiSpear/Passitora Ltd. employees were arrested and briefly detained, and Dilian was wanted for questioning.\r\nAccording to a 2020 Reuters article, Dilian—who characterized the Cypriot investigation as a “witch hunt” against\r\nhim—fled Cyprus after an arrest warrant was issued in his name. An article in CyprusMail from November 2021\r\nnotes that the Attorney-General’s office decided to “drop all charges” against all three individuals involved in the\r\n“spy van” case (the case against WiSpear/Passitora Ltd. was not dropped). 
Reporting from the same month notes\r\nthat WiSpear was fined almost 1 million Euros for privacy violations.\r\n2. Attacks Against the Two Targets\r\nNour first became suspicious after observing that his iPhone was “running hot.” We learned of Nour’s case and\r\nreviewed logs from his phone. Ultimately, we determined that his device had been exploited and infected with two\r\nseparate mercenary spyware tools: Pegasus spyware, made by NSO Group, and Predator, which is developed by\r\nCytrox.\r\nWe attribute the attacks on the two targets to the Egyptian Government with medium-high confidence. We\r\nconducted scanning (Section 4) that identified the Egyptian Government as a Cytrox Predator customer, websites\r\nused in the hacks of the two targets bore Egyptian themes, and the messages that initiated the hack were sent from\r\nEgyptian WhatsApp numbers (Section 2.5, Section 2.7).\r\n2.1. Confirming NSO Pegasus Infection of Ayman Nour\r\nThe logs showed that Nour’s phone had been repeatedly compromised with NSO Group’s Pegasus spyware since\r\nMarch 3, 2021. 
For example, evidence of execution of the following processes was identified on Nour’s phone,\r\ndating back to March 3, 2021:\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/tisppd\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/bfr\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/xpccfd\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/comsercvd\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/rlaccountd\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/launchrexd\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/ckeblld\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/comnetd\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/accountpfd\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/jlmvskrd\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/msgacntd\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/brstaged\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/fdlibframed\r\nThese process names all appear on a list of Pegasus indicators published by Amnesty Tech, and we have\r\nindependently linked them to Pegasus. Crash logs also showed that on June 30, 2021, NSO Group’s\r\nFORCEDENTRY exploit (CVE-2021-30860) was fired at the phone. The exploit did not result in installation of\r\nthe Pegasus spyware at this time.\r\nBased on the traces of FORCEDENTRY, the presence of process names linked to Pegasus, and additional factors,\r\nwe conclude with high confidence that the phone was repeatedly hacked with NSO Group’s Pegasus spyware\r\nstarting on March 3, 2021.\r\n2.2. Confirming Cytrox Predator Infection of Ayman Nour\r\nAfter confirming forensic traces of Pegasus on Nour’s iPhone, we identified the presence of additional spyware,\r\nwhich we attribute with high confidence to Cytrox. 
We further conclude with high confidence that it is unrelated\r\nto Pegasus spyware.\r\nWhile examining the iPhone logs we determined that, on June 30, 2021, two commands “/Payload2” were\r\nrunning on the phone (PIDs 339 and 1272), and that these commands had been launched with a single argument, a\r\nURL on distedc[.]com. The commands were running as root.\r\niPhone logs indicated that the process names of the commands were UserEventAgent and\r\ncom.apple.WebKit.Networking, that their binaries were resident on disk in the /private/var/tmp/ folder, and\r\nthat the responsible process for both was siriactionsd, which is a legitimate iOS process that manages iOS\r\nshortcuts and automations.\r\nWhile iOS has legitimate binaries with the names “com.apple.WebKit.Networking” and “UserEventAgent”, the\r\nbinaries in Figure 5 do not match any known legitimate Apple version. Moreover, the legitimate iOS binaries\r\nwith these names are not stored in /private/var/tmp/. The two suspicious processes were running as part of the\r\n“com.apple.WorkflowKit.BackgroundShortcutRunner” launchd coalition. We found two additional suspicious\r\nprocesses that had recently run in this same coalition, named “hooker” and “takePhoto”.\r\n2.3. Attribution to Cytrox\r\nWe looked up the IP address for distedc[.]com on Internet scanning service Censys and found that, as of October\r\n2021, it returned an HTTP 302 redirect to https://duckduckgo.com. 
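The host-level indicators described in Sections 2.1 and 2.2 (Pegasus binaries executing out of the roleaccountd staging directory; Predator binaries in /private/var/tmp/ that borrow the names of real Apple processes and are spawned in the shortcut-runner coalition on behalf of siriactionsd) can be checked mechanically against process records pulled from a sysdiagnose. The Python below is an added example written for this edited copy, not code from the Citizen Lab report or from any of the tooling it used. The pipe-separated record format and the sample records are constructed for illustration (modelled on the processes named in Sections 2.2 and 2.6), and the /usr/libexec/UserEventAgent path used for the legitimate contrast record is an assumption.

```python
# Added example (editor's, not from the Citizen Lab report): triage of process
# records against the host indicators described in Sections 2.1, 2.2 and 2.6.
# Record format and sample records are constructed for illustration; real
# evidence lives in sysdiagnose / unified-log output, whose layout this does
# not reproduce.
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Pegasus: process binaries staged under this directory (Section 2.1).
PEGASUS_STAGING_DIR = '/private/var/db/com.apple.xpc.roleaccountd.staging/'
# Predator: binaries in /private/var/tmp/ named after real Apple processes,
# launched by the shortcut runner on behalf of siriactionsd (Section 2.2).
SUSPICIOUS_TMP_DIR = '/private/var/tmp/'
APPLE_NAMES_ABUSED = {'UserEventAgent', 'com.apple.WebKit.Networking'}
PREDATOR_HELPERS = {'hooker', 'takePhoto'}
SHORTCUT_RESPONSIBLE = 'siriactionsd'
SHORTCUT_RUNNER_COALITION = 'com.apple.WorkflowKit.BackgroundShortcutRunner'
SYSTEM_PREFIXES = ('/usr/', '/System/', '/Applications/')


@dataclass
class ProcRecord:
    pid: int
    path: str
    uid: int
    responsible: str
    coalition: str
    args: List[str] = field(default_factory=list)


def parse_records(text: str) -> List[ProcRecord]:
    '''Parse the constructed format: pid|path|uid|responsible|coalition|args.'''
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split('|')
        pid, path, uid, responsible, coalition = parts[:5]
        args = parts[5].split() if len(parts) == 6 else []
        records.append(ProcRecord(int(pid), path, int(uid), responsible, coalition, args))
    return records


def classify(rec: ProcRecord) -> List[str]:
    '''Return the indicator names this record matches (empty list if none).'''
    hits = []
    if rec.path.startswith(PEGASUS_STAGING_DIR):
        # Nothing legitimate executes out of the roleaccountd staging directory.
        hits.append('pegasus:roleaccountd_staging_path')
    if rec.path.startswith(SUSPICIOUS_TMP_DIR):
        name = rec.path.rsplit('/', 1)[-1]
        if name in APPLE_NAMES_ABUSED:
            # The real UserEventAgent / WebKit.Networking are never stored in tmp.
            hits.append('predator:apple_name_in_tmp')
        if name in PREDATOR_HELPERS:
            hits.append('predator:known_helper_name')
        if rec.uid == 0:
            hits.append('predator:tmp_binary_as_root')
    if (rec.responsible == SHORTCUT_RESPONSIBLE
            and rec.coalition == SHORTCUT_RUNNER_COALITION
            and not rec.path.startswith(SYSTEM_PREFIXES)):
        # An automation spawning a binary that lives outside the system volume.
        hits.append('predator:automation_spawned_binary')
    if hits and any(a.startswith('http') for a in rec.args):
        # Only meaningful once the binary itself is suspect: the Predator
        # loader took a single URL argument (Section 2.2).
        hits.append('url_argument')
    return hits


def triage(text: str) -> Dict[int, List[str]]:
    '''Map pid to matched indicators for every record that matched anything.'''
    out = {}
    for rec in parse_records(text):
        hits = classify(rec)
        if hits:
            out[rec.pid] = hits
    return out


def families_present(text: str) -> Set[str]:
    '''Spyware families (indicator prefixes) seen in one log excerpt: the
    check that showed Pegasus and Predator coexisting in Section 2.6.'''
    return {h.split(':', 1)[0] for hits in triage(text).values()
            for h in hits if ':' in h}


# Constructed sample modelled on Section 2.2 and Table 2; not real log output.
# The /usr/libexec/UserEventAgent record is an assumed legitimate path, kept
# here so the name collision with the Predator binary is visible.
SAMPLE_LOG = '''
# pid|path|uid|responsible|coalition|args
123|/usr/libexec/UserEventAgent|0|launchd|com.apple.launchd|
4219|/private/var/db/com.apple.xpc.roleaccountd.staging/launchrexd|0|launchd|com.apple.launchd|
4257|/private/var/db/com.apple.xpc.roleaccountd.staging/fdlibframed|0|launchd|com.apple.launchd|
4265|/private/var/tmp/UserEventAgent|0|siriactionsd|com.apple.WorkflowKit.BackgroundShortcutRunner|https://distedc[.]com/
4412|/private/var/tmp/com.apple.WebKit.Networking|0|siriactionsd|com.apple.WorkflowKit.BackgroundShortcutRunner|https://distedc[.]com/
4420|/private/var/tmp/hooker|0|siriactionsd|com.apple.WorkflowKit.BackgroundShortcutRunner|
'''

if __name__ == '__main__':
    for pid, hits in sorted(triage(SAMPLE_LOG).items()):
        print(pid, ', '.join(hits))
    print('families:', sorted(families_present(SAMPLE_LOG)))
```

Run stand-alone, it prints the matched PIDs and the set of families present; on the constructed sample that set is {pegasus, predator}, the coexistence observed in Section 2.6. The path checks are exact-prefix matches on purpose: a legitimate UserEventAgent is identified by where it lives, not by its name, which is exactly the distinction the Predator loader relied on.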
Concluding that this might be an identifying\r\nbehavior, we built a Censys fingerprint for the redirect.\r\nWe found 28 hosts on Censys matching this fingerprint in October 2021, including an IP in North Macedonia,\r\n62.162.5[.]58, which was pointed to by dev-bh.cytrox[.]com in August 2020, and which also returned a\r\nredirect with dev-bh.cytrox[.]com in its Location header on port 80 during this period.\r\nAdditionally, passive DNS tool RiskIQ shows that the IP 62.162.5[.]58 returned a certificate\r\n(0fb1b8da5f2e63da70b0ab3bba8438f30708282f) for teslal[.]xyz between July 2020 and September 2020. Since\r\n62.162.5[.]58 currently returns a teslal[.]xyz certificate, we assume that the IP has not changed ownership\r\nsince August 2020 and is thus still related to cytrox[.]com.\r\nThe cytrox.com domain previously returned a WordPress page containing an email address (ivo@cytrox.com),\r\nwhich appears to be the email of Ivo Malinkovski, CEO of Cytrox. The WordPress page appears to be\r\nunmaintained and to have been hacked to include spam links to an online casino (Figure 6).\r\nWe analyzed binaries associated with the spyware (Section 3), which revealed that the spyware is named\r\n“Predator.” We performed additional fingerprinting and scanning (Section 4) that allowed us to identify additional\r\ncomponents of Cytrox client infrastructure.\r\n2.4. 
Observation of Additional Domains\r\nIn addition to distedc[.]com, we observed additional domains associated with the Predator installation on the two\r\nvictim phones.\r\nDomain                  Where Seen\r\ndistedc[.]com           As argument to running Predator process in system logs; in iOS automation for\r\n                        Predator persistence\r\ngosokm[.]com            iOS system logs for running Predator processes showed data exfiltration here\r\nyoutubesyncapi[.]com    Predator configuration echoed to system logs\r\nbity[.]ws\r\negyqaz[.]com            Within Android Predator sample downloaded from distedc[.]com; Safari history of\r\n                        compromised device\r\nalmasryelyuom[.]com     Safari history of compromised device timestamped ~1ms before egyqaz[.]com\r\nqwxzyl[.]com\r\nTable 1\r\nDomains observed in Predator spyware used to hack Egyptian targets.\r\n2.5. How Ayman Nour was Hacked with Predator\r\nWe searched Nour’s phone for these domains and found that an Egyptian number on WhatsApp\r\n(+201201407978), purporting to be a “Dr. Rania Shhab,” sent four distinct links to almasryelyuom[.]com and\r\nqwxzyl[.]com to Nour’s device. The links were sent as images containing URLs. The same WhatsApp account\r\nsent a link to youtu-be[.]net, which we assess is also related, because the server response for youtu-be[.]net\r\nmatches that of almasryelyuom[.]com and qwxzyl[.]com.\r\nThe following are examples of images accompanying the links sent by the attacker, extracted from Nour’s phone:\r\n2.6. 
Evidence of Predator and Pegasus Running Simultaneously\r\nPhone logs indicate that on June 22, 2021, Pegasus and Predator were running simultaneously on Nour’s phone, as\r\nthese four processes were observed running at the same time:\r\nPID    Process                                                          Spyware\r\n4219   /private/var/db/com.apple.xpc.roleaccountd.staging/launchrexd    Pegasus\r\n4257   /private/var/db/com.apple.xpc.roleaccountd.staging/fdlibframed   Pegasus\r\n4265   /private/var/tmp/UserEventAgent                                  Predator\r\n4412   /private/var/tmp/com.apple.WebKit.Networking                     Predator\r\nTable 2\r\nPegasus and Predator processes running simultaneously on Nour’s phone on June 22, 2021.\r\nThe phone logs indicate that the device was infected with Pegasus on June 22 at 13:26 GMT. A number of\r\nLibrary/SMS/Attachments folders were created between 13:17 and 13:21, and there were no entries whatsoever in\r\nthe Attachments table of the sms.db file for June 22, suggesting that a zero-click exploit may have been the vector\r\nfor Pegasus installation. Approximately an hour later, a Predator link sent to Nour on WhatsApp was opened in\r\nSafari at 14:33 GMT on the same day and Predator was installed on the device two minutes later at 14:35 GMT.\r\n2.7. How the Second Target was Hacked with Predator\r\nThe second target, an Egyptian journalist in exile who is the host of a popular news program, received one\r\nmessage on WhatsApp from an unknown number (+201201407595) with a link to the same almasryelyuom[.]com\r\nwebsite.\r\nThe individual who sent the link claimed that they were an Assistant Editor at the Al Masry Al Youm newspaper.\r\n3. Analysis of Cytrox’s Predator Spyware\r\nWe obtained Android and iOS payloads from distedc[.]com and found them to be copies of a loader for a spyware\r\nproduct called Predator. 
We believe that these payloads are invoked by a previous exploit phase that we do not\r\nhave.\r\n3.1. Initialization\r\nThe iPhone executable is a 64-bit Mach-O binary which, like its Android counterpart, expects two arguments\r\nwhen the binary’s main function is called, which appear to be a kernel process task port and a pid value. The\r\nmain function then calls kmem_init with these values, which proceeds to enable Predator stage 1 for continued\r\nexecution. The Android sample passes its arguments to shared constants SHMEMFD_VSS and SHMEMFD_VSS .\r\nBoth the iOS and Android samples then call a startPy function to load a bundled Python 2.7 runtime. In the iOS\r\nsample, two additional built-in objects are added to the runtime: predutils and predconfig. The Android sample\r\ncontains further additional built-in objects: injector, pc2, recorder, and voip_recorder. Upon initialization, startPy\r\nloads a frozen Python module named loader which begins by importing the Predator config from the interpreter’s\r\npredconfig module.\r\nThe iOS and Android configurations are slightly different. The complete configurations are available in Appendix\r\n1. Once Predator iOS loads its configuration, it loads another frozen Python module named km_ios, a utility\r\nmodule that provides kernel memory management helper functions enabling additional Predator module\r\ncapabilities.\r\nThe iOS payload also contains a _check function, which queries the phone number and the phone’s current locale\r\ncountry code. If the locale country code is equal to “IL” (the country code for Israel), or the phone number begins\r\nwith “+972” (the telephone country code for Israel) then the spyware terminates. However, the method that\r\nPredator uses to query the phone number, CTSettingCopyMyPhoneNumber, may not work in recent versions of\r\niOS. 
We could not determine how (or if) the _check function is called.\r\n3.2. Python Loader\r\nIn addition to the frozen loader module, “src/loader.py” (“frozenpyc/src/loader.py” in the Android sample), we\r\nalso found copies of what appear to be older versions of the module that do not appear to be invoked by Predator:\r\n“src/loader2.py”, “src/loader_real.py” and “src/loaderBackup03”. All of the loader versions contain multiple\r\nreferences to “Predator.”\r\nAfter loading the Predator configuration, the iOS loader then wipes the device’s crash logs by removing all files in\r\n“/private/var/mobile/Library/Logs/CrashReporter/”. Then, it downloads a configuration file and additional stages\r\nof the spyware from the server (specified by predconfig’s INS_URL parameter, which is set to https://bity[.]ws).\r\nOn Android, the loader module also downloads additional files from the server (specified by predconfig’s\r\nINS_URL parameter, which is set to https://egyqaz[.]com).\r\n3.3. Persistence on iOS\r\nOn iOS, the loader calls a get_configuration_persistency function, which downloads an iOS shortcuts automation\r\nfrom the spyware server to ensure persistence. The persistent payload is referred to as “Nahum,” which is the\r\nname of a minor biblical prophet. Nahum’s prophecy appears in the Hebrew Tanakh and the Christian Old\r\nTestament, and foretells the total destruction of Nineveh, a powerful fortress city.\r\nNineveh is destroyed, deserted, desolate! Hearts melt with fear; knees tremble, strength is gone; faces\r\ngrow pale. 
Where now is the city that was like a den of lions, the place where young lions were fed,\r\nwhere the lion and the lioness would go and their cubs would be safe?\r\nNahum 2:10-11 GNB\r\nThe iOS automation is triggered when certain apps are opened, including a number of built-in Apple apps, such as\r\nthe App Store, Camera, Mail, Maps, Safari, as well as third-party apps including Twitter, Instagram, Facebook\r\nMessenger, LinkedIn, Skype, SnapChat, Viber, Wire, TikTok, Line, OpenVPN, WhatsApp, Signal, and Telegram.\r\nThe automation first checks if the phone’s battery level is greater than 9% (i.e., if the phone is not in a low-battery\r\nsituation). If the phone’s battery level is adequate, then the automation downloads JavaScript code from the\r\nspyware server and substitutes this code into a block of HTML contained in the shortcut. We were unable to obtain\r\nthis JavaScript code. The HTML in the shortcut also contains a JavaScript function “make_bogus_transform”\r\nwhich appears to create an XSLT transformation that may be invoked by the downloaded JavaScript code. The\r\nHTML code with the substituted JavaScript is then Base64-encoded, its contents are prepended with\r\n“data:text/html,” and then the automation passes this URL to WebKit to render. 
This presumably triggers the\r\nexploit and results in the installation of the Predator spyware.\r\nWhile automations normally trigger visible notifications when they are run, the Predator shortcut runs entirely in\r\nthe background, invisible to the user, because Predator also changes an option to disable automations from\r\ntriggering notifications.\r\nThe get_configuration_persistency function also downloads an iOS profile named “com.[name redacted].disable-shortcuts-notifications”, from the spyware server.\r\nWe located a profile with the same name publicly released by [name redacted], a software engineering student. We\r\nare redacting the name of the student here because we do not believe they are involved in Cytrox Predator\r\ndevelopment. The profile’s sole function is to prevent iOS from displaying notifications when an automation is\r\nrun. Thus, users who have been hacked with Predator do not see notifications when the spyware is launched.\r\nThere is nothing particularly special or complex about this specific profile, and Predator’s developers could have\r\neasily crafted their own similar profile that duplicated this functionality without mentioning the software\r\nengineering student by name.\r\nThe get_configuration_persistency function also downloads binaries called “takePhoto,” “agent.dylib,” “inject,”\r\nand “hooker” on iOS 14, but does not download these files on iOS 13, instead logging the message “iOS 13, don’t\r\nneed hooker.” We did not obtain these files, but we believe that “hooker” and “takePhoto” are the same binaries\r\nwe saw running in Section 2.2.\r\n3.4. Additional Android Details\r\nWe did not find a mechanism for persistence on Android, nor values in the Android configuration file that indicate\r\npersistence support. 
However, we found some additional code in the Android sample, including code to disable\r\nSELinux and code for an audio recording component.\r\nPredator stores additional Python modules and native ELF binaries in the fs.db SQLite file which is located at the\r\npath set in DB_FILE. The Python interpreter has a frozen module called sqlimper which is responsible for\r\ninteracting with this database. The database contains a table called files which has a column called file_hash and a\r\ncolumn called file_data. The file_hash is used in place of a file name and is computed using the following routine,\r\nwhere n is the name:\r\nThe injector module declares one function, inject, which can inject a shared object into a running process.\r\nInterestingly, there is a function called prior to injection which attempts to disable SELinux enforcement via the\r\nSELinuxFS.\r\nIt should be noted that this approach likely will not succeed on devices that have additional checks and protections\r\naround SELinux enforcement—for example, Samsung RKP. However, there are artifacts associated with Predator\r\nthat suggest approaches like RKP can be defeated by stomping on the SELinux access vector cache entries to\r\ngrant the needed permissions.\r\nThe pc2 module contains a single function, pc2_send_command, that is used as an IPC mechanism to send\r\ncommands to Predator’s audio recording component. The supported commands are START_VOIP, STOP_VOIP,\r\nSTART_MICRORECORDER, STOP_MICRORECORDER, and POLL_VOIP. This module works in conjunction\r\nwith the recorder and voip_recorder modules. Each of the recorder modules has a start and stop function which\r\nare used to start/stop Predator’s hot mic (recorder) and call recording (voip_recorder) capabilities. Recordings are\r\nstored in /data/local/tmp/wd/r/ in MP3 format.\r\n4. 
Scanning to Find Cytrox Customers\r\nWe fingerprinted the behavior of the domains from Table 1 and found additional domains via Shodan and Censys.\r\nDomains                   Fingerprint\r\nalmasryelyuom[.]com       [Shodan, Censys]\r\nqwxzyl[.]com\r\nyoutu-be[.]net\r\negyqaz[.]com              [Shodan, Censys]\r\ndistedc[.]com             [Shodan, Censys]\r\ngosokm[.]com              [Shodan, Censys]\r\nyoutubesyncapi[.]com      [Shodan, Censys]\r\nbity[.]ws\r\nTable 3\r\nShodan and Censys fingerprints for Cytrox domains.\r\nOf the Shodan and Censys results, we identified several servers that returned HTTP Server headers with the value\r\n“Server,” rather than “nginx.” These servers were typically hosted on consumer broadband connections available\r\nto local subscribers only, rather than cloud-hosting services that can be procured internationally. We believe that\r\nthe “Server: Server” IPs on consumer broadband connections are endpoint IPs that indicate locations of\r\ncustomers. We found endpoint IPs in the following countries, so we conclude that these governments are likely\r\namong Cytrox’s customers: Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.\r\nScanning also reveals a range of domains used by Cytrox that have country-specific themes, which leads us to\r\nsuspect that they may be specifically targeted in relation to these countries. 
We list a subset of these in Table 4.\r\nCountry Theme | Cytrox Domain\r\nEgypt | aramexegypt[.]com, almasryelyuom[.]com, alraeesnews[.]net, bank-alahly.com, carrefourmisr[.]com, eg-gov[.]org, egyqaz[.]com, etisalategypt.tech, ikea-egypt[.]net, orangegypt[.]co, sinai-new[.]com, uberegypt.cn[.]com, vodafoneegypt[.]tech, yallakora-egy.com, yuom7[.]net\r\nIvory Coast | adibjan[.]net, politique-koaci[.]info\r\nMadagascar | tribune-mg[.]xyz\r\nMali | actumali[.]org\r\nSaudi Arabia | niceonase[.]com, niceonesa[.]net\r\nSerbia | novosti[.]bid, politika[.]bid\r\nTrinidad \u0026 Tobago | forwardeshoptt[.]com, guardian-tt[.]me\r\nTable 4: Some Cytrox Predator domains indicating country themes.\r\nWe additionally identified further domains impersonating popular companies and online sites (Table 5).\r\nLegitimate Service | Cytrox Domain\r\nApple | applepps[.]com\r\nFox News | ffoxnewz[.]com\r\nGoogle Play Store | playestore[.]net\r\nInstagram | instegram[.]co\r\nLinkedIn | lnkedin[.]org\r\nSephora | sephoragroup[.]com\r\nTesla Motors | teslal[.]shop, teslal[.]xyz\r\nTwitter | twtter[.]net, tw.itter[.]me\r\nWhatsApp | wha.tsapp[.]me\r\nXNXX | xnxx-hub[.]com\r\nYouTube | youtu-be[.]net, youtub[.]app, youtubewatch[.]co\r\nTable 5: Some Cytrox Predator domains impersonating legitimate companies or websites.\r\nSpecial Note: Predator After Pegasus for Saudi Arabia?\r\nAn IP address in Saudi Arabia appears to have begun matching our Cytrox Predator fingerprints at the end of July\r\n2021, and we classify this IP address as that of a likely Predator customer. 
NSO Group’s June 30, 2021\r\ntransparency report mentions that NSO cut off a client, later reported to be Saudi Arabia by The New York Times,\r\napparently in response to the revelations of spying on Al Jazeera journalists. This may be an indication that Saudi\r\nArabia has switched from Pegasus to Predator.\r\n5. Disclosure \u0026 Enforcement\r\nIn accordance with the Citizen Lab’s vulnerability disclosure policy, we shared copies of Cytrox Predator forensic\r\nartifacts with Apple, which has confirmed to the Citizen Lab that they are investigating. In addition, given the\r\nabuse of WhatsApp for Predator targeting, the Citizen Lab shared forensic artifacts with Meta’s security team.\r\nToday, Thursday, December 16, Meta is taking an enforcement action against Cytrox, which includes removing\r\napproximately 300 Facebook and Instagram accounts linked to Cytrox. Their investigation also reveals an\r\nextensive list of lookalike domains used as part of social engineering and malware attacks, which are included in\r\nAppendix A of their report.\r\nThe Meta report states that they believe Cytrox customers include entities in Egypt, Armenia, Greece, Saudi\r\nArabia, Oman, Colombia, Côte d’Ivoire, Vietnam, Philippines, and Germany, and that they identified additional\r\nabusive targeting initiated by Cytrox customers around the world.\r\n6. Conclusion\r\nThis report is the first investigation to discover Cytrox’s mercenary spyware being abused to target civil society.\r\nRemarkably, one of the victims was simultaneously infected with NSO Group’s Pegasus spyware. NSO Group has\r\nreceived outsized publicity in recent years, thanks to a growing customer list, spiraling abuse problems, and\r\ngroundbreaking investigative work by civil society. 
Cytrox and its Predator spyware, meanwhile, are relatively\r\nunknown.\r\nThe targeting of a single individual with both Pegasus and Predator underscores that the practice of hacking civil\r\nsociety transcends any specific mercenary spyware company. Instead, it is a pattern that we expect will persist as\r\nlong as autocratic governments are able to obtain sophisticated hacking technology. Absent international and\r\ndomestic regulations and safeguards, journalists, human rights defenders, and opposition groups will continue to\r\nbe hacked into the foreseeable future.\r\nThe Mercenary Spyware Ecosystem\r\nBoth the Citizen Lab and Amnesty International’s Security Lab have produced extensive technical reports on NSO\r\nGroup. While prominent, the mercenary spyware firm was not the first nor is it the only spyware firm of its kind\r\nwhose technology has been linked to abuse problems. In fact, the market for offensive intrusion capabilities is\r\nlarge, varied, and proliferating internationally.\r\nFor example, prior to the Citizen Lab’s first report on NSO Group in 2016, we documented extensive abuses of\r\nHacking Team and FinFisher mercenary spyware. (Hacking Team was subsequently rebranded Memento Labs in\r\n2019.) In 2017, we published a report on the spyware firm, Cyberbit, whose technology was used by Ethiopia to\r\nmount a global cyber espionage campaign. We also discovered evidence that Cyberbit was marketing its spyware\r\nto known human rights abusers, including the Royal Thai Army, the Uzbek secret services, Vietnam, Kazakhstan,\r\nRwanda, Serbia, and Nigeria. Earlier this year, we published a report on yet another spyware firm, Candiru, with\r\nour findings independently corroborated by Microsoft, Google, and the threat intelligence team at ESET. Candiru\r\nwas subsequently designated alongside NSO Group on the U.S. 
Commerce Department’s “entity list” in\r\nNovember 2021 for “malicious cyber activities.”\r\nAs evidence continues to surface of new players in the spyware space, the same patterns of abuse will almost\r\ncertainly persist until the international regulatory environment changes.\r\nStructures to Avoid Accountability\r\nThe private intelligence and mercenary surveillance marketplace is marked by complex ownership structures,\r\ncorporate alliances, and regular rebranding. These practices frustrate investigation, regulation, and accountability.\r\nMercenary spyware companies further evade outside scrutiny by employing complex accounting and\r\nincorporation techniques similar to those used by arms traffickers, money launderers, kleptocrats, and corrupt\r\nofficials.\r\nAs investigative journalists and public interest researchers continue to put a spotlight on mercenary spyware\r\ncompanies, we expect they will continue their efforts to evade scrutiny and accountability.\r\nAcknowledgements\r\nThanks to M.S. and Ayman Nour. 
Citizen Lab investigations depend on victims and targets graciously sharing\r\nevidence with us.\r\nThanks to Meta for investigating this case following our notification and taking enforcement actions, and to\r\nApple.\r\nThanks to TNG.\r\nThanks to Amnesty Tech for sharing additional WHOIS details pointing to Intellexa.\r\nThanks to Team Cymru.\r\nAppendix 1: Predator Configurations\r\nAndroid Configuration:\r\nConfig Key | Config Value | Notes\r\nFS_ENDPOINT | heh | URL component when downloading additional resources\r\nINS_URL | https[:]//egyqaz[.]com/ | Base URL when downloading additional resources\r\nFIN_URL | https[:]//egyqaz[.]com/{}/vmq |\r\nDB_STAGE | 9 |\r\nRSA_PKEY | \u003can RSA public key\u003e |\r\nWAIT_TIME | 2 |\r\nP_DIR | /data/local/tmp/wd/ | Path to Predator working directory\r\nDB_FILE | /data/local/tmp/wd/fs.db | Path to SQLite database that contains additional tools and Python modules\r\nPE_METHOD | QUAILEGGS | The privilege escalation method to use\r\nINS_CERT | \u003can x509 cert\u003e |\r\nLIBPYTHON_GIT_COMMIT | 2b2f6c3 | Git commit hash of the project\r\nFS_KEY | \u003credacted\u003e | Key used to encrypt SQLite database\r\niOS Configuration:\r\nConfig Key | Config Value | Notes\r\nPERSIST_FLAG | persistflag | Persistence boolean toggle\r\nPERSIST | https[:]//youtubesyncapi[.]com/ | Persistence domain endpoint\r\nPERSIST_ID | PI112233445566778899EEEEEEDDEEFF | Persistence identifier\r\nINS_URL | https[:]//bity[.]ws | Base URL when downloading additional resources\r\nINP_URL | http[:]//192.168.2[.]1[:]8080 |\r\nFIN_URL | https[:]//bity[.]ws/{}/finish |\r\nDB_STAGE | 9 |\r\nRSA_PKEY | \u003can RSA public key\u003e |\r\nWAIT_TIME | 2 |\r\nP_DIR 
| /private/var/logs/keybagd/ | Path to Predator working directory\r\nDB_FILE | /private/var/logs/keybagd/fs.db | Path to SQLite database that contains additional tools and Python modules\r\nENC_FILE | /private/var/logs/keybagd/arm64e.encrypted |\r\nSHORT_FILE | /private/var/logs/keybagd/Shortcuts.realm | Shortcuts persistence file\r\nSHORT_FILE_LOCK | /private/var/logs/keybagd/Shortcuts.realm.lock |\r\nJS_FILE | /private/var/logs/keybagd/jsPayload.js.encrypted |\r\nJS_KEY_FILE | /private/var/logs/keybagd/jskey.txt |\r\nPRED_KEY_FILE | /private/var/logs/keybagd/predkey.txt |\r\nPE_METHOD | NWIOS | The privilege escalation method to use\r\nINS_CERT | \u003can x509 cert\u003e |\r\nLIBPYTHON_GIT_COMMIT | unknown | Git commit hash of the project\r\nFS_KEY | TEST | Key used to encrypt SQLite database\r\nSource: https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/\r\n\r\nInformation on Aliada Group Inc. is relatively scant. The same 2017 article from Intelligence Online notes that Aliada Group Inc. is “backed by the private equity firm Mivtach-Shamir, which spent $3.5 million to acquire a 32% stake in Aliada in December 2016, along with an option to acquire an additional 5%.” Mivtach-Shamir is “a publicly-traded Israeli investment company” founded by Meir Shamir. In reviewing entries for WiSpear/Passitora Ltd. in Cyprus’ business registry, we noted that “Mivtah Shamir Technologies (2000) Ltd.” is listed as a director of Passitora Ltd., along with Dilian. We also found an entry in the Israeli business registry for a “Mivtach Shamir Technologies (2000) Ltd.,” which was apparently incorporated in 2000.\r\n\r\nredirect with dev-bh.cytrox[.]com in its Location header on port 80 during this period. Additionally, passive DNS tool RiskIQ shows that the IP 62.162.5[.]58 returned a certificate (0fb1b8da5f2e63da70b0ab3bba8438f30708282f) for teslal[.]xyz between July 2020 and September 2020. Since 62.162.5[.]58 currently returns a teslal[.]xyz certificate, we assume that the IP has not changed ownership since August 2020 and is thus still related to cytrox[.]com.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/"
	],
	"report_names": [
		"pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "38f8da87-b4ba-474b-83e6-5b04d8fb384b",
			"created_at": "2024-02-02T02:00:04.032871Z",
			"updated_at": "2026-04-10T02:00:03.532955Z",
			"deleted_at": null,
			"main_name": "Caramel Tsunami",
			"aliases": [
				"SOURGUM",
				"Candiru"
			],
			"source_name": "MISPGALAXY:Caramel Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438983,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd9efc9ae8dc0a6d0f8ce9de4335821c746ba040.pdf",
		"text": "https://archive.orkl.eu/bd9efc9ae8dc0a6d0f8ce9de4335821c746ba040.txt",
		"img": "https://archive.orkl.eu/bd9efc9ae8dc0a6d0f8ce9de4335821c746ba040.jpg"
	}
}