UPDATED 12:40 EDT / OCTOBER 09 2023


The Predator Files describe another nefarious global spyware campaign

A group of journalists and researchers today released evidence of a massive campaign to spy on numerous political leaders across the globe.

Called “The Predator Files,” the project covers the use of potent spyware that targeted more than 50 social media accounts in 10 countries beginning in February.

It documents the reports from dozens of local media outlets that are part of the European Investigative Collaborations, which is based in Germany, but also includes reporters in France, the Netherlands, Italy, Spain and the U.S. who have written stories about the exploit. The project began with three reporters — Nicola Naber and Rafael Buschman from Der Spiegel and Yann Philippin from the independent French Mediapart, and added technical researchers from the Security Lab at Amnesty International and The Citizen Lab in Toronto.

What makes Predator most dangerous is that “one message, one link, one click. That’s all it takes to lose control of your digital life, unwittingly and in a matter of seconds,” wrote Der Spiegel. In some cases, clicking on that link wasn’t necessary to become infected with the spyware.

If this sounds familiar, the context is eerily similar to the work done to expose the use of NSO Group’s Pegasus software two years ago.

Those targeted include the presidents of the European Parliament and Taiwan, U.S. Congressman Michael McCaul and U.S. Senator Chris Murphy, among others. These people may or may not have had infected phones. Many of the targets originated from a Twitter account linked to the malware authors.

SiliconANGLE most recently wrote about Predator malware this past March, when Artemis Seaford, a Meta Platforms Inc. security team manager, fell prey to the spyware when she was working in Greece. Predator was built by Cytrox, a North Macedonia-based software vendor that is a subsidiary of surveillance conglomerate Intellexa. It has corporate subsidiaries in Hungary, Greece and Ireland.

The company’s roots date back to 2018 when it was founded by Tal Dilian, a former Israeli army officer. Another Israeli connection is that a former Prime Minister Ehud Olmert once worked for the company. Sources contacted by the Washington Post claim the conglomerate is no longer in business.

The software eventually was banned by Meta across all of its social media platforms in 2021, and both Cytrox and Intellexa were placed on a block list by the U.S. government this summer.

“If a user clicked on one of the links, the user’s device would have been infected, likely using a chain of zero-day exploits,” wrote The Citizen Lab’s researchers. The infection happens only if a device, typically a mobile phone, passes a series of validation checks for running processes, logging activities and whether a proxy has been installed. These conditions are typical for phones used by security researchers. Otherwise the malware aborts.

Amnesty’s lab tracked the targeted individuals to those working primarily responsible for EU and U.N. policies on illegal or undocumented commercial fishing activities. “The targeting came as Vietnamese and American diplomats were negotiating a major cooperation agreement intended to counter growing Chinese influence in the region,” the Post said.

Sales of the Predator malware were tracked to multimillion-Euro contracts with government entities in Vietnam, which were independently verified by Google researchers in a May blog post. That post documents three different campaigns that delivered shorted URL links that were sent to targets via email.

Other spyware products from Intellexa were found in 25 countries and “were used to undermine human rights, press freedom, and social movements across the globe,” according to Amnesty research. It found computing infrastructure linked to the Predator spyware system in Angola, Egypt, Mongolia, Kazakhstan, Indonesia, Madagascar, Sudan and Vietnam, showing how widespread its use was.

Like Pegasus, Amnesty analysts wrote, “the Predator spyware, and its variants, are highly invasive spyware that can access unlimited amounts of data on the device.”

And its name is particularly apt. “Predator had been used to go after individuals who are a thorn in the side of the powerful,” wrote Der Spiegel. “These new disclosures make clear that the unchecked sale and transfer of surveillance technologies could continue to facilitate human rights abuse on a massive global scale,” Amnesty wrote in its report. Several of the Predator reporters said its use points to major EU failures to regulate its use and other spyware.

Image: Amnesty International

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One-click below supports our mission to provide free, deep and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy