Research (Insikt)

Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices

Posted: 1st March 2024
By: Insikt Group®

insikt-group-logo-updated-3-300x48.png

New research from Recorded Future’s Insikt Group examines newly discovered infrastructure related to the operators of Predator, a mercenary mobile spyware. This infrastructure is believed to be in use in at least eleven countries, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. Notably, this is the first identification of Predator customers in Botswana and the Philippines. Despite being marketed for counterterrorism and law enforcement, Predator is often used against civil society, targeting journalists, politicians, and activists, with no specific victims or targets currently identified in this latest activity.

Predator-Spyware.png Multi-tier Predator delivery network architecture (Source: Recorded Future)

Understanding Risks and Implementing Security Best Practices

The use of spyware like Predator poses significant risks to privacy, legality, and physical safety, especially when used outside serious crime and counterterrorism contexts. High-profile individuals, such as executives, are at greater risk due to the high costs of deploying such spyware. The European Union has recently taken steps to curb the abuse of mercenary spyware among its member states.

To mitigate these risks, organizations and individuals are advised to follow security best practices such as regular phone updates, device reboots, lockdown mode, Mobile Device Management systems, and separating personal from corporate devices. Security awareness training and minimal data exposure culture are also crucial. Long-term solutions include conducting risk assessments for developing dynamic security policies. As the mercenary spyware market expands, the risks extend beyond civil society to anyone of interest to entities with access to these tools. Innovations in this field are likely to lead to more stealthy and comprehensive spyware capabilities.

Key findings from the Insikt Group's research include the identification of a new multi-tiered Predator delivery infrastructure, with evidence from domain analysis and network intelligence data. Despite public disclosures in September 2023, Predator's operators have continued their operations with minimal changes. Predator, alongside NSO Group’s Pegasus, remains a leading provider of mercenary spyware, with consistent tactics, techniques, and procedures over time.

To read the entire analysis, click here to download the report as a PDF.

Indicators of Compromise

Domains:
02s[.]co
06g[.]co
09a[.]co
2-gis[.]kz
astanapark[.]com
beroxe[.]com
buildneeds[.]net
bw-guardian[.]com
cabinet-salyk[.]kz
centent-management[.]net
clazc[.]com
coazoa[.]com
copy-note[.]net
corporatebusinesssolution[.]net
dzhabarzan[.]com
e-kgd[.]kz
ehudaldaa[.]com
escortbabesluxo[.]com
eventnews[.]live
fast-notify[.]com
fastnews[.]biz
fr-monde[.]com
gabzmus[.]com
get-location[.]com
get-location[.]net
highclub[.]life
informationrank[.]net
jumia-egy[.]com
kapital-news[.]com
kejoranews[.]net
kollesa[.]com
krisha-kz[.]com
kroal[.]com
ladiesclubhouse[.]com
lusofonia-mundo[.]com
magnum-kz[.]com
mastershop[.]biz
mb-ph[.]net
mmegi[.]co
msbsck[.]com
mujmbosnoticias[.]com
mundodenoticias[.]online
myfawry[.]net
nospam[.]kz
notify-service[.]biz
nur-news[.]com
olimpbets[.]kz
ongsworld[.]com
pelovkin[.]com
people-beeline[.]com
peticaonline[.]comv
plastictoysworld[.]com
plinkypong[.]com
post-notify[.]info
qazsporttv[.]com
rcuples[.]com
rozavetrovv[.]com
schedulefestival[.]com
shoxtek[.]com
soccer-bw[.]com
spacsaver[.]info
sportnow[.]news
suarapapua[.]co
sustanbuild[.]com
thintank[.]co
tickets-kz[.]com
tobupmi[.]com
tohna[.]net
ulstur[.]co
vendaswebs[.]com
vestinfo[.]net
vestinfo[.]org
vestinfos[.]net
vinho-online[.]com
vlast-news[.]com
walatparez[.]com
weekendcool[.]com
yo-um7[.]com
zakorn[.]com
zikolo[.]net
ztb-news[.]com

IP Addresses:
2.58.15[.]58
5.39.221[.]36
5.39.221[.]47
5.39.221[.]48
5.255.88[.]172
23.137.248[.]95
37.120.222[.]115
45.129.0[.]125
45.148.244[.]5
45.86.163[.]77
45.86.163[.]93
46.246.97[.]245
46.249.49[.]230
46.30.190[.]98
79.110.52[.]179
79.110.52[.]196
79.137.199[.]216
79.141.175[.]146
84.247.51[.]14
84.247.51[.]18
85.17.9[.]21
85.17.9[.]73
85.17.9[.]74
85.239.34[.]174
87.121.45[.]29
87.121.45[.]42
87.121.45[.]45
88.119.161[.]135
91.241.93[.]165
95.141.34[.]222
98.142.254[.]112
101.99.75[.]197
141.94.122[.]19
146.70.158[.]144
146.70.161[.]50
158.58.172[.]3
164.215.103[.]143
164.215.103[.]20
169.239.128[.]137
169.239.129[.]48
169.239.129[.]63
169.239.129[.]76
169.255.59[.]98
176.124.198[.]52
176.124.198[.]55
185.113.8[.]67
185.113.8[.]83
185.117.91[.]165
185.117.91[.]237
185.130.227[.]29
185.130.227[.]88
185.130.227[.]95
185.130.45[.]34
185.130.46[.]165
185.130.46[.]202
185.156.172[.]17
185.156.172[.]20
185.156.172[.]48
185.158.248[.]131
185.158.248[.]85
185.196.9[.]76
185.212.47[.]75
185.219.220[.]99
185.219.221[.]30
185.62.58[.]107
185.66.140[.]112
192.46.237[.]163
193.168.143[.]111
193.168.143[.]116
193.168.143[.]184
193.168.143[.]185
193.233.161[.]137
193.233.161[.]163
193.29.104[.]13
193.29.104[.]5
193.29.104[.]83
193.29.59[.]171
193.42.36[.]106
193.42.36[.]84
212.237.217[.]127
213.252.246[.]152

Predator Delivery Servers

Domain IP Address First Seen Last Seen
06g[.]co 185.130.227[.]29 2023-12-22 2024-02-21
02s[.]co 185.130.227[.]95 2023-12-22 2024-02-21
spacsaver[.]info 45.148.244[.]5 2023-11-30 2024-02-20
09a[.]co 5.39.221[.]36 2023-12-22 2024-02-21
ongsworld[.]com 146.70.158[.]144 2023-11-16 2024-02-21
fr-monde[.]com 169.239.129[.]76 2023-12-15 2024-02-20
lusofonia-mundo[.]com 169.239.129[.]63 2023-12-15 2024-02-17
ladiesclubhouse[.]com 169.239.129[.]48 2023-12-15 2024-02-18
vinho-online[.]com 169.239.128[.]137 2023-12-15 2024-02-17
vendaswebs[.]com 185.158.248[.]131 2023-11-16 2024-02-17
mundodenoticias[.]online 185.196.9[.]76 2023-11-16 2024-02-17
mujmbosnoticias[.]com 185.212.47[.]75 2023-11-02 2024-02-21
soccer-bw[.]com 185.130.46[.]165 2023-11-22 2024-02-17
mmegi[.]co 45.129.0[.]125 2023-11-22 2024-02-16
bw-guardian[.]com 95.141.34[.]222 2023-11-19 2024-02-17
yo-um7[.]com 185.130.46[.]202 2023-11-29 2024-02-17
sustanbuild[.]com 193.29.104[.]5 2023-11-25 2024-02-17
myfawry[.]net 2.58.15[.]58 2023-12-14 2024-02-20
jumia-egy[.]com 79.110.52[.]196 2023-12-14 2024-02-17
suarapapua[.]co 158.58.172[.]3 2023-12-01 2024-01-29
kejoranews[.]net 185.158.248[.]85 2023-12-07 2024-02-15
nospam[.]kz 176.124.198[.]52 2023-12-28 2024-02-13
olimpbets[.]kz 176.124.198[.]55 2023-12-28 2024-02-13
vlast-news[.]com 185.156.172[.]20 2023-12-08 2024-02-16
ztb-news[.]com 185.156.172[.]17 2023-12-08 2024-02-17
cabinet-salyk[.]kz 185.156.172[.]48 2023-12-15 2024-02-21
zikolo[.]net 193.168.143[.]116 2023-11-11 2024-02-14
magnum-kz[.]com 45.86.163[.]93 2023-12-08 2024-02-20
tickets-kz[.]com 45.86.163[.]77 2023-12-10 2024-02-17
people-beeline[.]com 5.39.221[.]47 2023-12-14 2024-02-17
rozavetrovv[.]com 5.39.221[.]48 2023-12-14 2024-02-17
2-gis[.]kz 79.137.199[.]216 2023-12-28 2024-02-20
e-kgd[.]kz 85.17.9[.]21 2023-12-15 2024-02-17
kapital-news[.]com 85.17.9[.]73 2023-12-14 2024-02-19
nur-news[.]com 85.17.9[.]74 2023-12-14 2024-02-21
astanapark[.]com 87.121.45[.]42 2023-12-11 2024-02-16
krisha-kz[.]com 88.119.161[.]135 2023-11-26 2024-02-17
ehudaldaa[.]com 84.247.51[.]14 2023-12-23 2024-02-20
ulstur[.]co 84.247.51[.]18 2023-12-25 2024-02-20
mb-ph[.]net 193.42.36[.]106 2023-12-07 2024-02-21
buildneeds[.]net 141.94.122[.]19 2023-11-21 2024-02-17
sportnow[.]news 185.113.8[.]67 2023-11-11 2024-02-19
corporatebusinesssolution[.]net 193.168.143[.]184 2023-11-25 2024-02-09
informationrank[.]net 193.168.143[.]185 2023-11-25 2024-02-17
centent-management[.]net 193.29.59[.]171 2023-11-21 2024-02-09
highclub[.]life 46.249.49[.]230 2023-11-11 2024-02-21
vestinfos[.]net 185.130.45[.]34 2023-12-22 2024-02-09
get-location[.]net 46.246.97[.]245 2023-12-21 2024-02-08
vestinfo[.]org 79.141.175[.]146 2023-12-22 2023-12-22
eventnews[.]live 185.219.221[.]30 2023-12-04 2024-02-08
get-location[.]com 192.46.237[.]163 2023-12-04 2024-02-20
vestinfo[.]net 87.121.45[.]29 2023-12-04 2024-02-17
thintank[.]co 5.255.88[.]172 2023-10-25 2024-01-20
fastnews[.]biz 101.99.75[.]197 2023-11-17 2024-02-18
plinkypong[.]com 146.70.161[.]50 2023-11-29 2024-02-17
peticaonline[.]com 164.215.103[.]143 2023-11-27 2024-02-17
escortbabesluxo[.]com 164.215.103[.]20 2023-11-03 2024-02-13
coazoa[.]com 169.255.59[.]98 2023-11-01 2024-02-19
weekendcool[.]com 185.113.8[.]83 2023-11-18 2024-02-14
qazsporttv[.]com 185.117.91[.]237 2023-12-14 2024-02-17
pelovkin[.]com 185.117.91[.]165 2023-11-29 2024-02-14
plastictoysworld[.]com 185.130.227[.]88 2023-11-28 2024-02-17
tohna[.]net 185.219.220[.]99 2023-11-02 2024-02-10
notify-service[.]biz 185.62.58[.]107 2023-11-16 2024-02-01
copy-note[.]net 185.66.140[.]112 2023-11-29 2024-01-31
zakorn[.]com 193.168.143[.]111 2023-11-10 2024-02-17
walatparez[.]com 193.233.161[.]137 2023-12-09 2024-02-17
tobupmi[.]com 193.233.161[.]163 2023-11-14 2024-02-16
gabzmus[.]com 193.29.104[.]13 2023-11-14 2024-02-17
msbsck[.]com 193.29.104[.]83 2023-11-16 2024-02-17
mastershop[.]biz 193.42.36[.]84 2023-11-17 2024-02-11
kollesa[.]com 212.237.217[.]127 2023-11-10 2024-02-17
schedulefestival[.]com 213.252.246[.]152 2023-11-16 2024-02-18
post-notify[.]info 23.137.248[.]95 2023-11-17 2024-02-17
dzhabarzan[.]com 37.120.222[.]115 2023-12-08 2024-02-21
shoxtek[.]com 46.30.190[.]98 2023-11-23 2024-02-12
fast-notify[.]com 79.110.52[.]179 2023-12-09 2024-02-19
clazc[.]com 85.239.34[.]174 2023-11-24 2024-02-17
beroxe[.]com 87.121.45[.]45 2023-12-09 2024-02-21
kroal[.]com 91.241.93[.]165 2023-12-08 2024-02-19
rcuples[.]com 98.142.254[.]112 2023-11-28 2024-02-02

MITRE ATT&CK TTPs

Tactic: Technique ATT&CK Code
Resource Development: Acquire Infrastructure: Domains T1583.001
Resource Development: Acquire Infrastructure: Virtual Private Server T1583.003
Resource Development: Acquire Infrastructure: Server T1583.004
Initial Access: Spearphishing Link T1566.002
Execution: Exploitation for Client Execution T1203

Related