Researchers also found indicators “likely associated” with the use of Predator spyware by an entity tied to Pakistan.
Analysis Summary
# Threat Actor: Entity associated with Pakistan operating Predator Spyware
## Attribution & Identity
* **Identification:** An entity (likely a government or state-affiliated group) leveraging Predator spyware.
* **Known Aliases/Associations:** Associated with the use of Predator spyware developed by Intellexa. The attribution is based on finding indicators "likely associated" with this use, tying the deployment activity to Pakistan. The actual name of the operating entity is **unclear**.
## Activity Summary
* **Recent Campaigns/Operations:** The research uncovered indicators linking the use of Predator spyware to an entity tied to Pakistan. It is currently **unclear** whether the targets were within or tied to Pakistan, or if the customer operating the spyware was based there.
* **Context:** This activity is occurring while Intellexa (the spyware manufacturer) faces increased scrutiny and sanctions. The use of Predator spyware overall appears to have slowed slightly in 2025, possibly due to obfuscation efforts by customers.
* **Related Intellexa Customers (Contextual):** Intellexa customers were recently found operating in Saudi Arabia, Kazakhstan, Angola, and Mongolia.
## Tactics, Techniques & Procedures
* **TTPs Mentioned:**
  * Deployment of the **Predator spyware** (a commercial surveillance tool sold to state customers).
  * Obfuscation of infrastructure: Intellexa customers have changed their infrastructure setups to complicate detection.
  * Potential use of advertising-sector shell companies as initial vectors, since two newly found firms linked to Intellexa operate in the advertising sector.
* **MITRE ATT&CK IDs:** None explicitly mentioned in the text.
## Targeting
* **Sectors:** Intellexa's Predator spyware has historically targeted members of **civil society** and **business executives** worldwide.
* **Geography:** The operator linked to Pakistan could be targeting anywhere; the broader use of Predator spyware was noted in Iraq, Saudi Arabia, Kazakhstan, Angola, and Mongolia, which are listed as current users.
* **Victims:** Specific victims in the context of the Pakistan-linked activity are **not mentioned**.
## Tools & Infrastructure
* **Malware Families Used:** Predator spyware.
* **Infrastructure:** The specific C2 infrastructure linked to the Pakistan-associated entity is **not detailed**. The report notes that domain naming conventions may be changing to mask infrastructure. Newly identified companies linked to Intellexa were found in Kazakhstan and the Philippines, potentially serving logistics or delivery (vectoring) roles.
## Implications
The activity suggests that state-sponsored or state-affiliated entities operating out of Pakistan are using sophisticated, commercially available surveillance tools such as Predator, indicating a continued investment in powerful intrusive digital capabilities against targets of interest. The changes in infrastructure highlight the adaptive nature of these actors and complicate defensive detection.
## Mitigations
* **Infrastructure Monitoring:** Monitor for changes in domain naming conventions and infrastructure configurations associated with known Predator/Intellexa-derived activity, since operators have altered these to evade existing detections.
* **Supply Chain Risk:** Maintain heightened awareness of software and services provided by companies previously associated with surveillance vendors facing sanctions (e.g., Intellexa).
* **Target Hardening:** Focus on reinforcing mobile and corporate security postures for civil society members and business leaders, who are the typical targets of this spyware.