Predator spyware activity surfaces in new places with new tricks

Recorded Future said on Thursday that it had linked Intellexa infrastructure to new locations, the latest indication that the Predator spyware maker has adapted after setbacks.

The revelations from the company’s Insikt Group include identification of a previously unknown customer in Mozambique, a connection to a Czech entity and a cluster linked to an Eastern European country. It also found innovations in how it was hiding its activity.

“Intellexa’s Predator remains active and adaptive, relying on a vast network of vendors, subsidiaries, and other companies,” said Julian-Ferdinand Vögele, a threat researcher with the firm.

Predator activity declined after sanctions and public exposure, and remains down compared to before, according to Recorded Future. The information in the company’s report suggests Intellexa, also known as the Intellexa Consortium, is responding to those difficulties, and is likely to continue adapting.

“Sanctions and other pressures are likely to drive efforts to increase the complexity of corporate structures, making operations harder to trace and disrupt,” the report said.

The discovery of the Mozambique customer fits in with the high level of Predator activity across Africa. The Czech link confirms reporting from an investigative outlet in the country. The Eastern European activity was brief, from August to November of last year, suggesting possible development or testing, Recorded Future said.

Intellexa has also taken additional steps to evade detection.

“One notable strategy involves the use of fake websites, which generally fall into four main categories: fake 404 error pages, counterfeit login or registration pages, sites indicating that they are under construction, and websites purporting to be associated with specific entities, such as a conference,” the report states.