{
	"id": "8bdefb7b-3559-4dea-bfc2-22b1a5f778d2",
	"created_at": "2026-04-06T03:37:37.645593Z",
	"updated_at": "2026-04-10T03:19:56.191619Z",
	"deleted_at": null,
	"sha1_hash": "c2f5217fbf8dfba5236b22f891390d86fbb1f2fe",
	"title": "The Predator spyware ecosystem is not dead",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 320803,
	"plain_text": "The Predator spyware ecosystem is not dead\r\nBy Sekoia TDR, Felix Aimé and Maxime A.\r\nPublished: 2024-02-28 · Archived: 2026-04-06 03:17:21 UTC\r\nContext\r\nIn September and October 2023, several open source publications, part of the Predator Files project coordinated by the European Investigative Collaborations, exposed the use of the Predator spyware by customers of Intellexa surveillance solutions. The intrusion set related to these customers is tracked by Sekoia under the code name Lycantrox.\r\nAlongside Amnesty International, CitizenLab and MediaPart, Sekoia.io published the blogpost Active Lycantrox infrastructure illumination, exposing exploit-related and command-and-control infrastructure clusters employed by Intellexa customers. The publications forced the shutdown of the exposed infrastructure, hindering the reported use of the spyware against civil society, journalists, politicians and academic targets.\r\nAs all Predator Files publications exposed users, technical infrastructure and alleged targets, we assumed the use of the spyware would at least temporarily decrease, or simply end. But no, the Predator ecosystem isn’t dead: we found new infrastructure built after the Predator Files publications, proving that Predator is still in use today.\r\nAs Sekoia.io officially supported the Pall Mall Process in February 2024 – an initiative tackling the proliferation and irresponsible use of commercial cyber intrusion capabilities – we have decided to share the related infrastructure with our partners and, once again, to expose a few domains together with their possible customers in this blogpost.\r\nAlleged customers analysis\r\nhttps://blog.sekoia.io/the-predator-spyware-ecosystem-is-not-dead/\r\nPage 1 of 4\n\nOperational security changes for plausible deniability\r\nIn a general overview of the newly exposed infrastructure, we noticed a significant increase in the number of generic malicious domains that give no indication of the targeted entities or of the possible customers of Intellexa surveillance solutions.\r\nWe assess that some government services using Intellexa surveillance solutions have taken notice of publications like ours and adapted their processes to keep using the solution without giving hints about their targets.\r\nAngola\r\nIn our previous paper, we exposed several domains associated with Angolan entities: some of them mimicked online media, while others were related to national entities (telecom operators, the national oil company, the national postal service). Such targets led us to assess that Angolan government services were probably customers of Intellexa surveillance solutions, a hypothesis corroborated by fellow researchers such as Amnesty International.\r\nIn the new infrastructure, we found Portuguese-language malicious domains that are not directly related to Angolan entities. As no other Portuguese-speaking country has been reported as using Predator, we assess with medium confidence that Angolan services are still using Predator as of mid-February 2024, but have increased their operational security in search of more plausible deniability.\r\nMadagascar\r\nIn our previous paper, we assessed that Madagascar government services probably purchased and leveraged the Predator spyware to conduct domestic political surveillance, especially in the month before the 9 November 2023 presidential election.\r\nAs other media also raised this hypothesis, President Rajoelina acknowledged the use of Predator in an interview with the French media outlet RFI on 18 October 2023. It is therefore possible that Madagascar’s Predator users increased their operational security, leading to fewer noticeable malicious domains.\r\nOne domain still caught our attention, although it is not directly related to Madagascar but to the French newspaper Le Monde (fr-monde[.]com, created on 15 December 2023). This typosquatting may be related to Le Monde’s coverage of the use of Intellexa surveillance technologies by Madagascar, although it is not possible to assess whether the phishing was aimed at Malagasy individuals or at Le Monde journalists. However, we associate this domain with Madagascar with medium confidence, as it resolved to the same IP address (169.239.129[.]76) as bni-madagascar[.]com, another Lycantrox-related domain name weaponised last year.\r\nFor other users, business as usual\r\nIndonesia\r\nIn our previous investigation, we found malicious domains likely mimicking Jubi TV, an opposition media outlet in West Papua province. We assessed it was possible that Indonesian services had purchased and leveraged Intellexa surveillance solutions to conduct political surveillance, at least of autonomist movements. The new domains we found confirm our hypothesis. Among them, kejoranews[.]net is likely a typosquat of Kejora News (the real website is www.kejoranews.com), a media outlet based in the Riau Islands province. The second one – suarapapua[.]co – mimics Suara Papua (suarapapua.com), a media outlet also based in West Papua province, as previously seen with Jubi TV.\r\nThus, no significant operational change can be observed in the alleged Indonesian use of Predator.\r\nKazakhstan\r\nFor Kazakhstan, it looks like business as usual: a continuation of Predator malicious domains that plainly point to Kazakh entities, including media (vlast-news[.]com), administrative services (cabinet-salyk[.]kz and e-kgd[.]kz) and generic domains under the .kz TLD.\r\nSekoia.io noticed no operational change in the alleged Kazakh use of Intellexa surveillance solutions. Astana’s services may not be concerned with public exposure, as Kazakhstan already has a troubled history with cyber surveillance vendors such as NSO, RCS Lab and FinFisher, whose tools were used to compromise devices belonging to human rights activists, politicians, journalists and opponents.\r\nEgypt\r\nThe new infrastructure includes at least 3 domains related to Egypt, mimicking entities in the media (yo-um7[.]com), fintech (myfawry[.]net) and e-commerce (jumia-egy[.]com) sectors. Sekoia.io did not notice a significant change in the plausible deniability of Egypt-related Predator malicious domains.\r\nNewly discovered potential customer countries\r\nLast but not least, we discovered domains related to three countries not included in our previous paper: Botswana (mmegi[.]co), Mongolia (ulstur[.]co) and Sudan (sdntribune[.]co). The last two were already reported as using Predator by Amnesty International and other publications related to the Predator Files.\r\nConclusion\r\nSekoia TDR analysts continue to monitor cyber mercenary groups and their infrastructure, such as the Predator infrastructure used by Intellexa customers, contributing to the effort to tackle the proliferation and irresponsible use of commercial cyber intrusion capabilities promoted by the Pall Mall Process.\r\nIf you are an NGO working to protect civil society against cyber threats, do not hesitate to send an email to tdr@sekoia.io to get in touch and share reports and indicators of compromise.\r\nTags: CTI, Intellexa, Pall Mall Process, Predator, Predator Files\r\nSource: https://blog.sekoia.io/the-predator-spyware-ecosystem-is-not-dead/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.sekoia.io/the-predator-spyware-ecosystem-is-not-dead/"
	],
	"report_names": [
		"the-predator-spyware-ecosystem-is-not-dead"
	],
	"threat_actors": [],
	"ts_created_at": 1775446657,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2f5217fbf8dfba5236b22f891390d86fbb1f2fe.pdf",
		"text": "https://archive.orkl.eu/c2f5217fbf8dfba5236b22f891390d86fbb1f2fe.txt",
		"img": "https://archive.orkl.eu/c2f5217fbf8dfba5236b22f891390d86fbb1f2fe.jpg"
	}
}