Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices
New research from Recorded Future’s Insikt Group examines newly discovered infrastructure related to the operators of Predator, a mercenary mobile spyware developed by Cytrox and currently managed by the Intellexa Alliance. The infrastructure is believed to be in use in at least eleven countries, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. Notably, this is the first time customers in Botswana and the Philippines have been publicly identified. Despite being marketed for counterterrorism and law enforcement, Predator has often been used against civil society, targeting journalists, politicians, and activists. In this latest activity, no specific victims or targets have been identified.
Multi-tier Predator delivery network architecture (Source: Recorded Future)
Understanding Risks and Implementing Security Best Practices
The use of spyware like Predator poses significant risks to privacy, legality, and physical safety, especially when used outside serious crime and counterterrorism contexts. While most abuse cases involve targeting civil society, other organizations and individuals in regions known for spyware abuse should remain aware of the risk, regardless of their industry or location. Given the high deployment costs and per-infection charges, high-profile individuals, such as executives, who are expected to possess significant intelligence value are more likely to be targeted. The European Union has recently taken steps to curb the abuse of mercenary spyware among its member states.
As the market for mercenary spyware grows with new companies and products, the risk of being targeted extends to anyone of interest to entities with access to these tools or similar capabilities. With continued profitability, increasing competition, and strengthened IT security, innovation will likely lead to more covert infection methods—such as persistence through factory resets—new targets like cloud backups, a more professionalized spyware ecosystem, and broader product portfolios. Consequently, effective mitigation strategies must involve close monitoring of the ecosystem, thorough risk assessments, and stronger regulations from policymakers.
Mitigation Strategies
To mitigate these risks, organizations and individuals are advised to follow security best practices such as regular phone updates, device reboots, lockdown mode, Mobile Device Management systems, and separating personal from corporate devices. Security awareness training and a culture of minimal data exposure are also crucial. Long-term solutions include conducting risk assessments that inform dynamic security policies. As the mercenary spyware market expands, the risks extend beyond civil society to anyone of interest to entities with access to these tools. Innovations in this field are likely to lead to more stealthy and comprehensive spyware capabilities.
Key findings from Insikt Group's research include the discovery of a new multi-tiered Predator delivery infrastructure, indicating the likely continued use of Predator in at least eleven countries. This conclusion is supported by domain analysis and insights from Recorded Future Network Intelligence. Despite public disclosures in September 2023, Predator's operators have continued their operations with minimal changes. Predator, alongside NSO Group’s Pegasus, remains a leading provider of mercenary spyware, with consistent tactics, techniques, and procedures over time.
To read the entire analysis, click here to download the report as a PDF.
Note: This report summary was first published on March 1, 2024 and has been updated on October 30, 2024. The original analysis and findings remain unchanged.
Indicators of Compromise
Predator Delivery Servers
| Domain | IP Address | First Seen | Last Seen |
|---|---|---|---|
06g[.]co | 185.130.227[.]29 | 2023-12-22 | 2024-02-21 |
02s[.]co | 185.130.227[.]95 | 2023-12-22 | 2024-02-21 |
spacsaver[.]info | 45.148.244[.]5 | 2023-11-30 | 2024-02-20 |
09a[.]co | 5.39.221[.]36 | 2023-12-22 | 2024-02-21 |
ongsworld[.]com | 146.70.158[.]144 | 2023-11-16 | 2024-02-21 |
fr-monde[.]com | 169.239.129[.]76 | 2023-12-15 | 2024-02-20 |
lusofonia-mundo[.]com | 169.239.129[.]63 | 2023-12-15 | 2024-02-17 |
ladiesclubhouse[.]com | 169.239.129[.]48 | 2023-12-15 | 2024-02-18 |
vinho-online[.]com | 169.239.128[.]137 | 2023-12-15 | 2024-02-17 |
vendaswebs[.]com | 185.158.248[.]131 | 2023-11-16 | 2024-02-17 |
mundodenoticias[.]online | 185.196.9[.]76 | 2023-11-16 | 2024-02-17 |
mujmbosnoticias[.]com | 185.212.47[.]75 | 2023-11-02 | 2024-02-21 |
soccer-bw[.]com | 185.130.46[.]165 | 2023-11-22 | 2024-02-17 |
mmegi[.]co | 45.129.0[.]125 | 2023-11-22 | 2024-02-16 |
bw-guardian[.]com | 95.141.34[.]222 | 2023-11-19 | 2024-02-17 |
yo-um7[.]com | 185.130.46[.]202 | 2023-11-29 | 2024-02-17 |
sustanbuild[.]com | 193.29.104[.]5 | 2023-11-25 | 2024-02-17 |
myfawry[.]net | 2.58.15[.]58 | 2023-12-14 | 2024-02-20 |
jumia-egy[.]com | 79.110.52[.]196 | 2023-12-14 | 2024-02-17 |
suarapapua[.]co | 158.58.172[.]3 | 2023-12-01 | 2024-01-29 |
kejoranews[.]net | 185.158.248[.]85 | 2023-12-07 | 2024-02-15 |
nospam[.]kz | 176.124.198[.]52 | 2023-12-28 | 2024-02-13 |
olimpbets[.]kz | 176.124.198[.]55 | 2023-12-28 | 2024-02-13 |
vlast-news[.]com | 185.156.172[.]20 | 2023-12-08 | 2024-02-16 |
ztb-news[.]com | 185.156.172[.]17 | 2023-12-08 | 2024-02-17 |
cabinet-salyk[.]kz | 185.156.172[.]48 | 2023-12-15 | 2024-02-21 |
zikolo[.]net | 193.168.143[.]116 | 2023-11-11 | 2024-02-14 |
magnum-kz[.]com | 45.86.163[.]93 | 2023-12-08 | 2024-02-20 |
tickets-kz[.]com | 45.86.163[.]77 | 2023-12-10 | 2024-02-17 |
people-beeline[.]com | 5.39.221[.]47 | 2023-12-14 | 2024-02-17 |
rozavetrovv[.]com | 5.39.221[.]48 | 2023-12-14 | 2024-02-17 |
2-gis[.]kz | 79.137.199[.]216 | 2023-12-28 | 2024-02-20 |
e-kgd[.]kz | 85.17.9[.]21 | 2023-12-15 | 2024-02-17 |
kapital-news[.]com | 85.17.9[.]73 | 2023-12-14 | 2024-02-19 |
nur-news[.]com | 85.17.9[.]74 | 2023-12-14 | 2024-02-21 |
astanapark[.]com | 87.121.45[.]42 | 2023-12-11 | 2024-02-16 |
krisha-kz[.]com | 88.119.161[.]135 | 2023-11-26 | 2024-02-17 |
ehudaldaa[.]com | 84.247.51[.]14 | 2023-12-23 | 2024-02-20 |
ulstur[.]co | 84.247.51[.]18 | 2023-12-25 | 2024-02-20 |
mb-ph[.]net | 193.42.36[.]106 | 2023-12-07 | 2024-02-21 |
buildneeds[.]net | 141.94.122[.]19 | 2023-11-21 | 2024-02-17 |
sportnow[.]news | 185.113.8[.]67 | 2023-11-11 | 2024-02-19 |
corporatebusinesssolution[.]net | 193.168.143[.]184 | 2023-11-25 | 2024-02-09 |
informationrank[.]net | 193.168.143[.]185 | 2023-11-25 | 2024-02-17 |
centent-management[.]net | 193.29.59[.]171 | 2023-11-21 | 2024-02-09 |
highclub[.]life | 46.249.49[.]230 | 2023-11-11 | 2024-02-21 |
vestinfos[.]net | 185.130.45[.]34 | 2023-12-22 | 2024-02-09 |
get-location[.]net | 46.246.97[.]245 | 2023-12-21 | 2024-02-08 |
vestinfo[.]org | 79.141.175[.]146 | 2023-12-22 | 2023-12-22 |
eventnews[.]live | 185.219.221[.]30 | 2023-12-04 | 2024-02-08 |
get-location[.]com | 192.46.237[.]163 | 2023-12-04 | 2024-02-20 |
vestinfo[.]net | 87.121.45[.]29 | 2023-12-04 | 2024-02-17 |
thintank[.]co | 5.255.88[.]172 | 2023-10-25 | 2024-01-20 |
fastnews[.]biz | 101.99.75[.]197 | 2023-11-17 | 2024-02-18 |
plinkypong[.]com | 146.70.161[.]50 | 2023-11-29 | 2024-02-17 |
peticaonline[.]com | 164.215.103[.]143 | 2023-11-27 | 2024-02-17 |
escortbabesluxo[.]com | 164.215.103[.]20 | 2023-11-03 | 2024-02-13 |
coazoa[.]com | 169.255.59[.]98 | 2023-11-01 | 2024-02-19 |
weekendcool[.]com | 185.113.8[.]83 | 2023-11-18 | 2024-02-14 |
qazsporttv[.]com | 185.117.91[.]237 | 2023-12-14 | 2024-02-17 |
pelovkin[.]com | 185.117.91[.]165 | 2023-11-29 | 2024-02-14 |
plastictoysworld[.]com | 185.130.227[.]88 | 2023-11-28 | 2024-02-17 |
tohna[.]net | 185.219.220[.]99 | 2023-11-02 | 2024-02-10 |
notify-service[.]biz | 185.62.58[.]107 | 2023-11-16 | 2024-02-01 |
copy-note[.]net | 185.66.140[.]112 | 2023-11-29 | 2024-01-31 |
zakorn[.]com | 193.168.143[.]111 | 2023-11-10 | 2024-02-17 |
walatparez[.]com | 193.233.161[.]137 | 2023-12-09 | 2024-02-17 |
tobupmi[.]com | 193.233.161[.]163 | 2023-11-14 | 2024-02-16 |
gabzmus[.]com | 193.29.104[.]13 | 2023-11-14 | 2024-02-17 |
msbsck[.]com | 193.29.104[.]83 | 2023-11-16 | 2024-02-17 |
mastershop[.]biz | 193.42.36[.]84 | 2023-11-17 | 2024-02-11 |
kollesa[.]com | 212.237.217[.]127 | 2023-11-10 | 2024-02-17 |
schedulefestival[.]com | 213.252.246[.]152 | 2023-11-16 | 2024-02-18 |
post-notify[.]info | 23.137.248[.]95 | 2023-11-17 | 2024-02-17 |
dzhabarzan[.]com | 37.120.222[.]115 | 2023-12-08 | 2024-02-21 |
shoxtek[.]com | 46.30.190[.]98 | 2023-11-23 | 2024-02-12 |
fast-notify[.]com | 79.110.52[.]179 | 2023-12-09 | 2024-02-19 |
clazc[.]com | 85.239.34[.]174 | 2023-11-24 | 2024-02-17 |
beroxe[.]com | 87.121.45[.]45 | 2023-12-09 | 2024-02-21 |
kroal[.]com | 91.241.93[.]165 | 2023-12-08 | 2024-02-19 |
rcuples[.]com | 98.142.254[.]112 | 2023-11-28 | 2024-02-02 |
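One way a defender can consume the delivery-server table above, as an added example that is not part of the Insikt Group report: refang the `[.]`-defanged domains and IPs, attach each indicator's first/last-seen window, and sweep resolver logs for matches. The table rows are copied from the page; the log lines are constructed for the example.

```python
from datetime import date

# Rows copied from the "Predator Delivery Servers" table above (page's defanged form); load the whole table in practice.
DELIVERY_SERVERS = """\
06g[.]co | 185.130.227[.]29 | 2023-12-22 | 2024-02-21
spacsaver[.]info | 45.148.244[.]5 | 2023-11-30 | 2024-02-20
get-location[.]net | 46.246.97[.]245 | 2023-12-21 | 2024-02-08
myfawry[.]net | 2.58.15[.]58 | 2023-12-14 | 2024-02-20
"""

# Constructed resolver log lines (not real telemetry): date, client, query, answer.
SAMPLE_LOGS = """\
2024-01-10 10.0.0.12 06g.co 185.130.227.29
2024-01-11 10.0.0.15 mail.example.org 203.0.113.7
2023-11-01 10.0.0.18 myfawry.net 2.58.15.58
2024-02-02 10.0.0.20 cdn.example.net 46.246.97.245
"""

def refang(indicator: str) -> str:
    """Turn the page's 'example[.]com' / '1.2.3[.]4' notation into a real value."""
    return indicator.replace("[.]", ".")

def load_watchlist(table: str) -> dict:
    """Map each refanged domain and IP to its (first_seen, last_seen) window."""
    watch = {}
    for row in table.strip().splitlines():
        domain, ip, first, last = (c.strip() for c in row.split("|"))
        window = (date.fromisoformat(first), date.fromisoformat(last))
        watch[refang(domain)] = window
        watch[refang(ip)] = window
    return watch

def match_logs(logs: str, watch: dict) -> list:
    """One (date, client, matched_values, note) tuple per log line touching a watchlisted
    value; hits outside the table's first/last-seen window are flagged, not dropped."""
    hits = []
    for line in logs.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; skip rather than abort the sweep
        seen, client, query, answer = parts
        matched = [v for v in (query, answer) if v in watch]
        if not matched:
            continue
        first, last = watch[matched[0]]
        day = date.fromisoformat(seen)
        note = "in observed window" if first <= day <= last else "outside observed window"
        hits.append((seen, client, matched, note))
    return hits
```

A hit dated before the indicator's first-seen value is still a hit: the table bounds when Recorded Future observed the server, not when it was first used, so such matches should widen the investigation rather than be discarded.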
MITRE ATT&CK TTPs
| Tactic: Technique | ATT&CK Code |
|---|---|
Resource Development: Acquire Infrastructure: Domains | T1583.001 |
Resource Development: Acquire Infrastructure: Virtual Private Server | T1583.003 |
Resource Development: Acquire Infrastructure: Server | T1583.004 |
Initial Access: Spearphishing Link | T1566.002 |
Execution: Exploitation for Client Execution | T1203 |