Full Report
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on Tuesday removed three individuals linked to the Intellexa Consortium, the holding company behind a commercial spyware known as Predator, from the specially designated nationals list. The names of the individuals are as follows: Merom Harpaz, Andrea Nicola Constantino Hermes Gambazzi, and Sara Aleksandra Fayssal Hamou.
Analysis Summary
# Threat Actor: Intellexa Consortium
## Attribution & Identity
**Primary Actor:** Intellexa Consortium (a commercial spyware developer/distributor).
**Individuals Recently Sanctioned/De-sanctioned:** Merom Harpaz (Manager of Intellexa S.A.), Andrea Nicola Constantino Hermes Gambazzi (Owner of Thalestris Limited and Intellexa Limited), and Sara Aleksandra Fayssal Hamou (Corporate off-shoring specialist).
**Associated Entities:** Intellexa S.A., Thalestris Limited (held distribution rights and processed transactions), Intellexa Limited.
## Activity Summary
The focus of the article is the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) **removing sanctions** against three key individuals linked to the Intellexa Consortium and its commercial spyware, Predator. These individuals were previously sanctioned in March and September 2024. Despite the removal of sanctions on these specific individuals, the commercial spyware Predator remains a significant threat, with recent reports indicating its continued use against civil society figures. The reason for the removal is explicitly stated as "not known."
## Tactics, Techniques & Procedures
- **Delivery Mechanism:** Typically delivered via 1-click or zero-click attack vectors (similar to Pegasus).
- **Evasion:** Designed for stealth, leaving little to no traces of compromise.
- **Payload Action:** Harvesting sensitive data from infected devices.
- **Known Operating Period:** Active since at least 2019.
## Targeting
- **Sectors:** Civil society figures, journalists, activists, and politicians (as revealed by investigations into its deployment). Officially marketed for counterterrorism and law enforcement use.
- **Geography:** An Amnesty International report noted a recent attack attempt against a human rights lawyer in Pakistan's Balochistan province.
- **Victims:** A human rights lawyer in Pakistan's Balochistan province (the recent targeted attempt noted above).
## Tools & Infrastructure
- **Malware Families Used:** Predator (commercial spyware).
- **Infrastructure (C2, domains, IPs):** No technical infrastructure (C2 servers, domains, or IP addresses) is identified in the article. Corporate entities involved in the ecosystem:
  - Intellexa S.A. and Thalestris Limited (which held distribution rights).
  - Hamou provided managerial services, including renting office space in Greece for Intellexa S.A.
## Implications
The de-sanctioning of key personnel linked to a known commercial spyware vendor like Intellexa raises concerns about the perceived consequences for developers and distributors of such surveillance tools. Analysts fear this could signal that aggressive proliferation of commercial spyware might face fewer barriers if financial influence is applied, potentially encouraging other "bad actors." The continued documented use of Predator suggests that existing international measures and public reporting have not fully deterred its operators.
## Mitigations
- Defending against data harvesting and stealthy exploitation requires robust endpoint detection and response (EDR) capability.
- Vigilance concerning communication vectors, especially zero-click and 1-click exploits delivered via messaging applications such as WhatsApp.
- Awareness of the evolving threat landscape created by commercial spyware vendors, particularly concerning shifts in corporate ownership or geographic operations as entities seek to overcome sanctions.