Full Report
The author, Julian-Ferdinand Vögele, thanks Amnesty International's Security Lab for its ongoing reporting on the Intellexa and Predator spyware ecosystem. Today, Security Lab published a related report on Intellexa, which can be found here.

## Executive Summary

Insikt Group identified several individuals and entities linked to Intellexa and its broader network of associated companies. These connections span technical, operational, and corporate roles, including backend development, infrastructure setup, and company formation. Using export and import data, Insikt Group identified one entity linked to the previously reported Czech cluster that facilitated the shipment of Intellexa products to clients. In at least one instance, a direct delivery was made to an end user, while additional entities in Kazakhstan and the Philippines appear to have been involved in product imports, indicating an expanding network footprint. Two additional entities in the advertising sector may be tied to the “Aladdin” ad-based infection vector, previously associated with the Czech cluster via a leaked 2022 invoice. In addition, Recorded Future’s proprietary intelligence revealed ongoing Predator spyware activity in multiple countries, including new evidence of its deployment in Iraq.

The continued domestic use of mercenary spyware such as Predator poses significant privacy, legal, and physical security risks worldwide. Although civil society remains the primary target in most publicly documented cases, recent evidence shows that executives and other high-profile individuals with substantial intelligence value are increasingly being targeted as well. Due to Predator’s costly licensing model, operators are likely to reserve its deployment for high-value strategic targets, placing politicians, business leaders, and individuals in sensitive roles at heightened risk.

Meanwhile, the widespread and likely unlawful use of spyware against political opposition continues to be a pressing issue under investigation in several European Union (EU) member states, including Poland and Greece. Insikt Group assesses that several key trends are shaping the spyware ecosystem, including growing balkanization as companies split along geopolitical lines, with some sanctioned entities seeking renewed legitimacy through acquisitions while others shift toward regions with weaker oversight (1, 2). Despite this, a core network of facilitators continues to underpin the industry’s operations. Furthermore, rising competition and secrecy surrounding high-value exploit technologies are heightening risks of corruption, insider leaks, and attacks on spyware vendors themselves. Targeting has also expanded beyond traditional civil society figures to include corporate leaders and private-sector individuals (1, 2), suggesting that the publicly visible cases represent only a fraction of a much larger, concealed global ecosystem.

## Key Findings

Insikt Group uncovered additional companies highly likely tied to Intellexa’s broader corporate web, particularly within the previously discussed Czech cluster. At least one of these entities appears to have been used to ship Intellexa products to clients, offering further insight into Intellexa's global business structures. Two newly identified companies appear to operate in the advertising sector and may be connected to a previously reported ad-based infection vector known as “Aladdin.” This vector was earlier associated with the Czech cluster through a leaked invoice from 2022 showing payments for a proof-of-concept to an individual linked to that cluster. Analysis of export and import databases revealed indications that one of the newly identified companies was used to deliver Intellexa products to end customers, either directly or through intermediaries. This research also exposed two additional entities located in Kazakhstan and the Philippines.
Analysis Summary
# Threat Actor: Intellexa / Predator Ecosystem Facilitators
## Attribution & Identity
The primary focus is on the corporate network supporting **Intellexa** and the distribution of the **Predator** mercenary spyware. Insikt Group identified and analyzed associated corporate entities forming a "global corporate web."
**Known Aliases and Associated Groups:**
* **Intellexa:** The likely manufacturer/distributor network.
* **Predator:** The core spyware product associated with this network.
* **Czech cluster:** A previously reported group linked via corporate structure.
* Entities linked to the **"Aladdin"** ad-based infection vector.
## Activity Summary
Insikt Group uncovered a complex network of companies linked to Intellexa, spanning technical, operational, and formation roles.
* Shipment facilitation: At least one entity linked to the Czech cluster was used to ship Intellexa products to clients, including direct delivery to an end-user.
* Geographic Expansion: Entities in **Kazakhstan** and the **Philippines** appear involved in product imports, suggesting an expanding logistical footprint.
* Infection Vector Link: Two new advertising sector entities may connect to the "Aladdin" ad-based infection vector, previously linked to the Czech cluster via a 2022 invoice.
* Ongoing Operations: Recorded Future intelligence shows ongoing **Predator** spyware activity, including new evidence of deployment in **Iraq**.
## Tactics, Techniques & Procedures
The primary TTPs relate to the operationalization and distribution of the spyware; the direct infection techniques themselves are not detailed in this summary:
* Backend development, infrastructure setup, and company formation used to shield distribution.
* Shipment of spyware products to clients (facilitated by associated corporate entities).
* Use of the **“Aladdin” ad-based infection vector** (implied linkage).
* Predator deployment providing complete access to a device’s microphone, camera, and all data.
**MITRE ATT&CK Techniques Identified (Associated with Resource Development/Initial Access):**
* **Resource Development:** Acquire Infrastructure: Domains (T1583.001)
* **Resource Development:** Acquire Infrastructure: Virtual Private Server (T1583.003)
* **Resource Development:** Acquire Infrastructure: Server (T1583.004)
* **Initial Access:** Spearphishing Link (T1566.002)
* **Execution:** Exploitation for Client Execution (T1203)
## Targeting
**Sectors:**
* Civil Society (primary target in publicly documented cases).
* Executives and high-profile individuals with substantial intelligence value.
* Politicians and business leaders (due to the high cost and strategic value assessment of Predator deployment).
* Political opposition groups.
**Geography:**
* Global scope, with specific mention of activity in:
  * Iraq (new evidence of Predator deployment).
  * Kazakhstan (import entity).
  * Philippines (import entity).
  * European Union (investigations ongoing in Poland and Greece).
**Victims:**
* Civil society figures.
* Politicians.
* Business leaders/Corporate leaders.
* Private-sector individuals.
## Tools & Infrastructure
**Malware Families Used:**
* Predator spyware (sophisticated mercenary spyware targeting Android and iPhone devices).
**Infrastructure:**
* Entities involved in backend development and infrastructure setup.
* Entities in the advertising sector potentially linked to the "Aladdin" vector.
* Observed Indicators of Compromise (IoCs):
  * **Domains:** badinigroup[.]com, birura[.]com, gardalul[.]com, keep-badinigroups[.]com
  * **IP Addresses:** 5[.]253[.]43[.]92, 38[.]180[.]54[.]77, 45[.]86[.]231[.]8, 89[.]150[.]57[.]85
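The indicators above are published defanged (`[.]`), so a defender has to refang them before matching them against DNS, proxy or firewall logs, and the match must be exact (a listed domain or one of its subdomains; an identical IP, not a prefix) to avoid false positives. The following is an added example, not code from the report or from Recorded Future, that does this over a few constructed log lines; the log format is an assumption.

```python
import ipaddress
import re

# IoCs exactly as listed in the report, in defanged form.
DEFANGED_DOMAINS = ["badinigroup[.]com", "birura[.]com", "gardalul[.]com",
                    "keep-badinigroups[.]com"]
DEFANGED_IPS = ["5[.]253[.]43[.]92", "38[.]180[.]54[.]77", "45[.]86[.]231[.]8",
                "89[.]150[.]57[.]85"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# Hostnames and dotted IPv4 addresses as they appear in DNS, proxy or firewall logs.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def domain_matches(host: str) -> bool:
    """True if host is a listed domain or any subdomain of one (never a substring)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)

def scan_line(line: str) -> list[str]:
    """Return the report IoCs found in one log line: domains, subdomains, IPs."""
    hits = [h.lower() for h in HOST_RE.findall(line) if domain_matches(h)]
    for ip in IPV4_RE.findall(line):
        try:
            if ipaddress.ip_address(ip) in IPS:  # exact match, so 45.86.231.80 is not a hit
                hits.append(ip)
        except ValueError:
            pass  # e.g. 999.1.1.1 fits the regex but is not a valid address
    return hits

def scan_logs(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(1-based line number, hits) for every line that contains a report IoC."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := scan_line(line))]

# Constructed sample lines (not from the report) in a DNS-resolver / firewall style.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z dns query A cdn.keep-badinigroups.com from 10.0.0.12",
    "2024-05-01T10:00:02Z dns query A www.example.org from 10.0.0.12",
    "2024-05-01T10:00:03Z fw allow tcp 10.0.0.12:51234 -> 45.86.231.8:443",
    "2024-05-01T10:00:04Z fw allow tcp 10.0.0.12:51235 -> 45.86.231.80:443",
]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
```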
## Implications
The network represents a resilient, expanding global structure underpinning mercenary spyware proliferation. The ecosystem is showing signs of **balkanization** (splitting along geopolitical lines) and a shift toward regions with weaker oversight. The expansion of targeting to include corporate leadership indicates the spyware is reserved for high-value strategic targets across both political and private sectors. Rising competition heightens risks of corruption and insider leaks surrounding exploit technologies.
## Mitigations
* Monitor for suspicious advertising vectors like "Aladdin" used for initial compromises.
* Scrutinize export/import records for entities involved in technology shipments linked to known spyware clusters (e.g., Czech cluster).
* Increase defense planning, especially for executives and critical infrastructure personnel, given the shift in targeting from exclusively civil society.
* Employ technical countermeasures capable of detecting highly persistent and stealthy surveillance malware like Predator.