Predator spyware activity surfaces in new places with new tricks

The spyware’s developer, Intellexa, has been under pressure due to sanctions and public disclosure, but Recorded Future uncovered fresh activity.
This picture taken in 2020 shows members of Malaysia's Predator club wearing custom helmets from the movie character "Predator" outside the Petronas Twin Towers in Kuala Lumpur. (Photo by MOHD RASFAN/AFP via Getty Images)

Recorded Future said on Thursday that it had linked Intellexa infrastructure to new locations, the latest indication that the Predator spyware maker has adapted after setbacks.

The revelations from the company’s Insikt Group include identification of a previously unknown customer in Mozambique, a connection to a Czech entity and a cluster linked to an Eastern European country. The group also found innovations in how Intellexa was hiding its activity.

“Intellexa’s Predator remains active and adaptive, relying on a vast network of vendors, subsidiaries, and other companies,” said Julian-Ferdinand Vögele, a threat researcher with the firm.

Predator activity declined after sanctions and public exposure, and remains down compared to before, according to Recorded Future. The information in the company’s report suggests Intellexa, also known as the Intellexa Consortium, is responding to those difficulties, and is likely to continue adapting.

“Sanctions and other pressures are likely to drive efforts to increase the complexity of corporate structures, making operations harder to trace and disrupt,” the report said.

The discovery of the Mozambique customer fits in with the high level of Predator activity across Africa. The Czech link confirms reporting from an investigative outlet in the country. The Eastern European activity was brief, from August to November of last year, suggesting possible development or testing, Recorded Future said.

Intellexa has also taken additional steps to evade detection.

“One notable strategy involves the use of fake websites, which generally fall into four main categories: fake 404 error pages, counterfeit login or registration pages, sites indicating that they are under construction, and websites purporting to be associated with specific entities, such as a conference,” the report states.
