{
	"id": "e5be24bb-a835-4f5e-bbcd-6d7f2d022b81",
	"created_at": "2026-04-06T01:32:03.376566Z",
	"updated_at": "2026-04-10T03:25:23.469029Z",
	"deleted_at": null,
	"sha1_hash": "ceb96e13541ad7fad41601cf69fcf0dc68c9c329",
	"title": "Independently Confirming Amnesty Security Lab’s finding of Predator targeting of U.S. \u0026 other elected officials on Twitter/X - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4005141,
	"plain_text": "Independently Confirming Amnesty Security Lab’s finding of\r\nPredator targeting of U.S. \u0026 other elected officials on Twitter/X -\r\nThe Citizen Lab\r\nArchived: 2026-04-06 00:12:54 UTC\r\nAmnesty International’s Security Lab has just published Caught in the Net as part of the European Investigative\r\nCollaborations‘ Predator Files, which details a threat actor sending what they assess to be Predator infection links\r\non social media in replies to Twitter / X posts by officials, journalists and other members of civil society.\r\nThe Citizen Lab independently received and collected a set of since-deleted posts by this threat actor, which we\r\ncall REPLYSPY. Our findings align with the Security Lab’s conclusions concerning Cytrox infrastructure, and we\r\nassess with high confidence that REPLYSPY included Cytrox Predator infection links in replies to numerous U.S.\r\nand international officials and others.\r\nIf a user clicked on one of the links, and a validation procedure (see: Section 2) was satisfied, the user’s device\r\nwould have been infected with Cytrox’s Predator spyware, likely using a chain of zero-day exploits. Cytrox is a\r\nsubsidiary of surveillance conglomerate Intellexa.\r\nThis note briefly describes some aspects of the observed targeting, as well as elements of Predator’s installation\r\nvalidation process that Citizen Lab has observed in 2023.\r\n1. US \u0026 foreign elected officials: mercenary spyware targets\r\nOn May 23, 2023, Albanian politician Etilda Gjonaj quote-tweeted a tweet by US Ambassador to Albania Yuri\r\nKim that mentioned Senator Chris Murphy and Senator Gary Peters. 
Senator Murphy was tagged on his official\r\naccount, while Senator Peters was tagged on his campaign account.\r\nOn June 1, 2023, the primary REPLYSPY account “Joseph Gordon” (@Joseph_Gordon16) responded to this\r\ntweet with another tweet containing a link, as well as the text “UK aims to deter Albanian refugees with ‘make\r\nclear the perils’ ad campaign”, the headline of a recent article published by Hong Kong English-language\r\nnewspaper South China Morning Post. However, the link included by Gordon was not a link to the official website\r\nof the South China Morning Post (scmp.com) but instead to a “lookalike” website southchinapost[.]net.\r\nhttps://citizenlab.ca/2023/10/predator-spyware-targets-us-eu-lawmakers-journalists/\r\nPage 1 of 9\n\nWe attribute the domain name southchinapost[.]net to Cytrox’s Predator spyware with high confidence. This\r\ndomain name matched our fingerprint F1 from our PREDATOR IN THE WIRES report; a website matching\r\nfingerprint F1 was used to deliver a chain of iOS zero-day exploits, followed by a sample of Cytrox’s Predator\r\nspyware, to a target in Egypt via network injection.\r\nAdditionally, we note that the southchinapost[.]net domain features in this recent report as attributed to Cytrox /\r\nPredator by researchers at Sekoia, pivoting from domains released in PREDATOR IN THE WIRES.\r\nWhile we are not aware whether anyone clicked on this link, we assess that if a user had clicked on the link, their phone\r\ncould have been infected with Cytrox’s Predator spyware. Like other mercenary spyware, Cytrox Predator\r\ninfection could allow the spyware’s operator to see almost everything on the user’s device, including snooping on\r\nencrypted calls and messages. 
A recent analysis of leaked documentation by Amnesty International’s Security Lab\r\ndescribes Predator’s specific capabilities in more detail.\r\nBased on a sample of Predator spyware that we captured in Egypt in September 2023, we outline part of the\r\nvalidation procedure that Predator uses to determine whether a user who clicked on a link should be infected (see:\r\nSection 2).\r\n2. Predator Install Validation Process\r\nLike similar mercenary spyware, after a target has navigated to a Predator infection link, either by clicking on the\r\nlink, or by being forcibly redirected there through the use of network injection, Cytrox’s Predator implements a\r\nseries of validation checks to determine whether the Predator spyware should be installed on the target’s device.\r\nSome of these checks are implemented by the Predator installation server, and some are implemented by code that\r\nPredator runs on the user’s device. While we do not have direct visibility into checks implemented on the Predator\r\ninstallation server, we were able to reverse engineer checks employed by a sample of Predator we captured in\r\nSeptember 2023.\r\nAfter the infection link delivers zero-day exploits to hack the device, but before Predator is installed, an eight-step\r\nvalidation program is executed on the device. If any of the validation steps fail, installation of Predator is aborted\r\nand telemetry is sent back indicating the specific failure reason.\r\nMost of these checks seem designed to avoid infecting devices under active observation by security researchers.\r\nThe validation also involves a rudimentary location check designed to avoid targeting American and Israeli\r\ndevices. Such a check is likely to be highly approximate and may not correspond to a phone’s actual location at\r\ntime of infection. 
Note that the Predator installation server might implement further location checks, such as\r\nattempting to geolocate the IP address used by the user who clicks on the infection link. The server might decide\r\nto abort installation if the IP address is geolocated to certain regions.\r\nThese multi-layered checks highlight the difficulty for security researchers in obtaining the “final payload” of\r\nmercenary spyware. The spyware industry has evolved these checks over time, in response to several high-profile\r\nincidents where full spyware payloads were captured, such as our 2016 capture of NSO Group’s Pegasus spyware,\r\nand our 2021 capture of Cytrox’s Predator spyware.\r\nThe Eight Validation Steps\r\nStep 1: Running Process Check\r\nThe validator checks the count of running processes that launched from the /private/var/tmp/ directory on the\r\nphone. The validator aborts if there is more than one such process. On an uncompromised phone, exactly zero\r\nprocesses should be running from this directory. Since Predator runs two processes from the /private/var/tmp/\r\ndirectory, this could be a check to ensure that Predator has not already infected the phone. This check also might\r\ncause installation to fail if certain other types of spyware are present on the device.\r\nStep 2: Check for Log Monitoring\r\nThe validator checks if the system log is actively being observed on the phone and aborts if so. Typically, only\r\ndevelopers or security researchers would observe a phone’s log.\r\nStep 3: Rudimentary Location Check\r\nThe validator checks the locale selected on the phone. The locale consists of a language and country selected by\r\nthe user. The user can change this at any time in their phone settings. 
Changing the locale changes the language\r\ndisplayed in the user interface, as well as various number formats (e.g., commas vs periods for decimal points),\r\ndate formats, calendar type (e.g., Gregorian, Hijri, Jalali), units of measure (Celsius vs Fahrenheit), etc. If the\r\ncountry code of the locale is “IL” (Israel) or “US” (the United States), then the validator aborts. For many reasons,\r\nlocale might not always correspond to the phone’s physical location.\r\nStep 4: Developer Mode Check\r\nThe validator checks if developer mode is enabled on the phone, and aborts if so.\r\nStep 5: Jailbreak Detection\r\nThe validator checks if Cydia is installed and aborts if so. This might indicate that the phone has been jailbroken\r\nwith a commodity jailbreak tool. A jailbreak tool could allow a security researcher to extract components of the\r\nspyware or exploits that could not be extracted from a normal device.\r\nStep 6: Monitoring check\r\nThe validator checks if any “unsafe” processes are running and aborts if so. The hardcoded list of “unsafe”\r\nprocesses includes apps that a security researcher might run, such as tcpdump and netstat to observe network\r\ntraffic, sshd to access files on the device, frida-server to inject code into processes, and checkra1nd, a jailbreak\r\ntool. The list of “unsafe” processes also includes three mobile security apps.\r\nStep 7: Proxy Check\r\nThe validator checks if the user has configured a “proxy” for their Internet traffic and aborts if so. A proxy might\r\nbe used by security researchers to intercept encrypted traffic from the device.\r\nStep 8: MiTM Check\r\nFinally, the validator checks if any additional root Certificate Authorities have been installed and aborts if so. 
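Taken together, Steps 1 through 8 form a short abort-on-first-failure pipeline, and Step 8 is the last gate before the implant is installed. The following Python is an added example written for this note; it is not Predator’s code and is not part of the Citizen Lab report. It models the validator over a constructed DeviceState snapshot (the field names, the sample phones and the process paths are assumptions) and returns the step and reason at which installation would abort, mirroring the failure telemetry the report describes. The three mobile security apps on the real blocklist are left out because the report does not name them.

```python
# Model of the eight-step install validator described in Section 2. This is an
# illustrative reimplementation written for this note, not Predator code; the
# DeviceState fields and the sample snapshots below are constructed assumptions
# standing in for what the on-device validator would actually observe.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

TMP_DIR = '/private/var/tmp/'
BLOCKED_LOCALE_COUNTRIES = {'IL', 'US'}
# Process names the report lists as 'unsafe'. The three mobile security apps it
# also mentions are not named in the report, so they are not included here.
UNSAFE_PROCESSES = {'tcpdump', 'netstat', 'sshd', 'frida-server', 'checkra1nd'}


@dataclass
class DeviceState:
    # Constructed snapshot of what the validator inspects on the phone.
    processes: List[Tuple[str, str]]  # (process name, executable path)
    log_observed: bool                # someone is reading the system log
    locale: str                       # user-selected locale, e.g. 'en_US'
    developer_mode: bool
    cydia_installed: bool
    proxy_configured: bool
    extra_root_cas: int               # user-installed trusted root CAs


Check = Callable[[DeviceState], Optional[str]]  # None = pass, str = abort reason


def locale_country(locale: str) -> str:
    # 'en_US' -> 'US', 'en-GB' -> 'GB'; a bare language tag has no country.
    parts = locale.replace('-', '_').split('_')
    return parts[1].upper() if len(parts) > 1 and parts[1] else ''


def check_tmp_processes(d: DeviceState) -> Optional[str]:
    # More than one process launched from /private/var/tmp/ aborts. Predator
    # itself runs two, so this also refuses to re-infect an infected phone.
    n = sum(1 for _, path in d.processes if path.startswith(TMP_DIR))
    return f'{n} processes running from {TMP_DIR}' if n > 1 else None

def check_locale(d: DeviceState) -> Optional[str]:
    cc = locale_country(d.locale)
    return f'locale country {cc} is excluded' if cc in BLOCKED_LOCALE_COUNTRIES else None

def check_unsafe_processes(d: DeviceState) -> Optional[str]:
    found = sorted({name for name, _ in d.processes} & UNSAFE_PROCESSES)
    return 'unsafe processes running: ' + ', '.join(found) if found else None

def flag(attr: str, reason: str) -> Check:
    # Checks that abort whenever a single device attribute is set or non-zero.
    return lambda d: reason if getattr(d, attr) else None


VALIDATION_STEPS: List[Tuple[str, Check]] = [
    ('Step 1: Running Process Check', check_tmp_processes),
    ('Step 2: Check for Log Monitoring', flag('log_observed', 'system log is being observed')),
    ('Step 3: Rudimentary Location Check', check_locale),
    ('Step 4: Developer Mode Check', flag('developer_mode', 'developer mode enabled')),
    ('Step 5: Jailbreak Detection', flag('cydia_installed', 'Cydia installed')),
    ('Step 6: Monitoring check', check_unsafe_processes),
    ('Step 7: Proxy Check', flag('proxy_configured', 'proxy configured')),
    ('Step 8: MiTM Check', flag('extra_root_cas', 'additional root CA(s) trusted')),
]


def validate(d: DeviceState) -> Tuple[bool, Optional[str]]:
    # Run the steps in order and abort at the first failure. The second element
    # mirrors the failure reason the report says is sent back as telemetry.
    for step, check in VALIDATION_STEPS:
        reason = check(d)
        if reason is not None:
            return False, f'{step}: {reason}'
    return True, None


def all_failures(d: DeviceState) -> List[str]:
    # Evaluate every step regardless of earlier aborts (the validator itself does
    # not); lists everything a research phone would have to change first.
    return [f'{s}: {r}' for s, c in VALIDATION_STEPS if (r := c(d)) is not None]


# Constructed sample snapshots, not observed data.
RESEARCH_DEVICE = DeviceState(
    processes=[('launchd', '/sbin/launchd'), ('sshd', '/usr/sbin/sshd'),
               ('tcpdump', TMP_DIR + 'tcpdump'), ('frida-server', TMP_DIR + 'frida-server')],
    log_observed=True, locale='en_US', developer_mode=True, cydia_installed=True,
    proxy_configured=True, extra_root_cas=1)
TARGET_DEVICE = DeviceState(
    processes=[('launchd', '/sbin/launchd')], log_observed=False, locale='sq_AL',
    developer_mode=False, cydia_installed=False, proxy_configured=False, extra_root_cas=0)

if __name__ == '__main__':
    print(validate(TARGET_DEVICE))    # (True, None)
    print(validate(RESEARCH_DEVICE))  # aborts at Step 1
    for line in all_failures(RESEARCH_DEVICE):
        print(line)
```

validate() on the research-style snapshot aborts at Step 1 before any later check is evaluated, which is why all_failures() is included alongside it: someone trying to capture the final payload on an instrumented phone needs to know every condition the device would trip, not only the first one the telemetry would report. The Step 1 threshold is deliberately kept at more than one process, as the report states, so a single process from the tmp directory passes.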
The\r\nuse of additional root Certificate Authorities could indicate that a security researcher is attempting to intercept\r\nencrypted traffic from the device.\r\nIf all steps are successful, barring other failure conditions, we judge that the Predator infection would complete.\r\n3. Extensive REPLYSPY Targeting of Officials, Media \u0026 Civil Society\r\nWe note a wider range of suspected targeting by the REPLYSPY actor, in line with the findings of Amnesty’s\r\nSecurity Lab detailed here. For example, “Joseph Gordon” repeatedly replied to tweets mentioning multiple\r\nadditional elected US officials.\r\nNotably, the targeting occurred on themes related to Taiwan with links to URLs on the domain name caavn[.]org.\r\nAmnesty International’s Security Lab attributes caavn[.]org to Cytrox during the period that the links were shared,\r\nand provides an extensive list of additional targeting and analysis, including the targeting of journalists, European\r\nand other elected and appointed officials, and commentators on Southeast Asian issues. We observed the\r\ncaavn[.]org domain name pointing to an IP address that F1-matching domains pointed to.\r\nAmnesty’s Security Lab highlights that the primary REPLYSPY Twitter / X account shows signs of alignment\r\nwith the interests of the government of Vietnam, which was recently revealed by Der Spiegel as part of the\r\nPredator Files to be a Cytrox customer, having purchased Predator for 5.6 million Euros for 2 years. 
The Citizen\r\nLab also noted signs of a Vietnamese nexus with the primary observed account.\r\nPublic Posts for Mercenary Spyware Targeting: Rare\r\nUnsurprisingly, we rarely observe mercenary spyware links being delivered on public-facing social media posts.\r\nPosting links publicly entails a substantial risk of discovery and exposure, as well as the possibility of a link being\r\nclicked by an unintended target. Because spyware is often priced on a per-infection basis, it is often undesirable\r\nfor operators to risk installation on unintended targets by posting infection links publicly. The use of such replies\r\nlikely points to a lack of professionalism or of concern for the possibility of getting caught.\r\nNevertheless, we have identified several other limited cases of spyware infection links distributed publicly via\r\nTwitter. One notable case is from 2011, in which we documented a Twitter account posting a Panama-linked Hacking\r\nTeam RCS infection link.\r\nAdditionally, in 2015, we observed a Pegasus infection link in a Tweet mentioning Kenya’s then-Senate Minority\r\nLeader Moses Wetangula. Pegasus is developed and sold by NSO Group.\r\nThe fact that REPLYSPY extensively used this technique in 2023 is somewhat surprising, and might point to a\r\nlack of professionalism, a failure by Cytrox / Intellexa to direct customer behavior, or a perception by the\r\ncustomer that the targeting would be consequence-free.\r\nOfficial Targeting With Mercenary Spyware: Proliferation’s Price-tag\r\nThe pervasive targeting of human rights defenders, dissidents, and journalists with mercenary spyware is\r\nundeniable and extensively documented. In recent years, a second category of targeting has emerged: foreign\r\nespionage activities. 
This activity is extensive and targets some of the world’s largest democracies.\r\nWhen the US added Cytrox and Intellexa to the Entity List on July 18, 2023, it found that the companies had\r\nengaged in activities contrary to the national security interests of the United States and to human rights. These\r\nlatest cases of officials targeted over Twitter suggest that the threat to US national security posed by these\r\ncompanies and the actions of their customers is direct. They join a growing list of cases of officials targeted with\r\nspyware. In March 2023, the US confirmed that at least 50 officials stationed in 10 countries were targeted with\r\nmercenary spyware.\r\nWhile reports of the targeting of US officials are relatively recent, past reporting and investigations, notably\r\nincluding the Pegasus Project, have underlined just how extensively mercenary spyware is used as a tool of\r\nespionage against officials. That project found that at least ten prime ministers and three presidents had been\r\npotentially selected for targeting with Pegasus. The Citizen Lab has also reported on extensive evidence of\r\nPegasus spyware infections in governmental networks, for example, finding an infection at 10 Downing Street,\r\nand the UK’s Foreign, Commonwealth and Development Office.\r\nThis latest case of targeting on Twitter / X includes replies to posts from civil society as well as elected officials\r\naround the world. If indeed an element of the government of Vietnam is responsible for REPLYSPY, the targeting\r\nof civil society and foreign espionage attempts targeting the US, EU and other countries are unsurprising. 
As\r\ndescribed by Der Spiegel, Intellexa executives and their benefactors sought and won contracts with government\r\nclients that are widely known abusers of human rights worldwide.\r\nInformation acquired by the Predator Files project reveals a flagrant disregard for accountability mechanisms, as\r\nwell as those mechanisms’ inherent weaknesses. Rather than undertake any serious due diligence, Intellexa\r\nexecutives and their allies sought instead to wittingly skirt export controls to sell surveillance technology to\r\nregimes they knew were likely to abuse it. The complicity of senior European business executives and\r\npoliticians in these endeavors shows why regulation of the mercenary spyware market is so difficult to\r\naccomplish. Notably, German agencies are reported to be clients of Intellexa; Germany is also not among the 11\r\ncountries that recently pledged to work collectively to counter the proliferation and misuse of commercial\r\nspyware.\r\nRead More Citizen Lab Research on Cytrox’s Predator Spyware:\r\nThe Citizen Lab has conducted several investigations into Predator spyware.\r\n2021: Pegasus vs. Predator: Dissident’s Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware. This report\r\ndescribes the first discovery of a Predator infection in the wild on a device also infected with NSO Group’s\r\nPegasus spyware.\r\n2022: Citizen Lab analyses confirmed Predator infections on the devices of Greek journalist Thanasis Koukakis\r\nand former Meta manager Artemis Seaford, among others.\r\n2023: Predator in the Wires: Ahmed Eltantawy Targeted with Predator Spyware After Announcing Presidential\r\nAmbitions. 
This report describes how network injection techniques were used to target Ahmed Eltantawy,\r\nresulting in the co-discovery, with Google’s Threat Analysis Group, of the iOS exploit chain CVE-2023-41991,\r\nCVE-2023-41992 and CVE-2023-41993.\r\nSource: https://citizenlab.ca/2023/10/predator-spyware-targets-us-eu-lawmakers-journalists/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://citizenlab.ca/2023/10/predator-spyware-targets-us-eu-lawmakers-journalists/"
	],
	"report_names": [
		"predator-spyware-targets-us-eu-lawmakers-journalists"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439123,
	"ts_updated_at": 1775791523,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ceb96e13541ad7fad41601cf69fcf0dc68c9c329.pdf",
		"text": "https://archive.orkl.eu/ceb96e13541ad7fad41601cf69fcf0dc68c9c329.txt",
		"img": "https://archive.orkl.eu/ceb96e13541ad7fad41601cf69fcf0dc68c9c329.jpg"
	}
}