
Predator spyware demonstrates troubleshooting, researcher-dodging capabilities

It’s the latest batch of revelations about what makes the Intellexa-made spyware stand out from competitors.

Predator spyware operators have the ability to recognize why an infection failed, and the tech has more sophisticated capabilities for averting detection than previously known, according to research published Wednesday.

Jamf Threat Labs found from an analysis of a Predator sample that it has an error code system that can alert operators to why an implant didn’t stick, with “error code 304” signifying that a target was running security or analysis tools.

“This error code system transforms failed deployments from black boxes into diagnostic events,” Shen Yuan and Nir Avraham wrote for the company. “When an operator deploys Predator against a target and receives error code 304, they know the target is running security tools — not that the exploit failed, not that the device is incompatible, but specifically that active analysis is occurring.

“This has direct implications for targeted individuals: if security analysis tools like Frida are running, Predator will abort deployment and report error code 304 to operators, who can then troubleshoot why their deployment failed,” they continued.


The specific tools Predator checks for also say something about who its operators expect to be watching.

“The inclusion of netstat is noteworthy — it suggests Predator is concerned about targets who might be monitoring their own network connections, not just researchers with specialized tools,” the researchers wrote. “A privacy-conscious user simply checking their network connections would trigger this detection.”
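To make the behavior described above concrete, here is an added illustration of a process-name gate of the kind Jamf describes: it scans a process listing, aborts with error code 304 if any watched tool is running, and otherwise reports success. This is example code written for this page, not Predator's code or anything Jamf published; the 304 code and the Frida and netstat names come from the article, while the other tool names, the `ps`-style field layout, the `deployment_check` helper and the code 0 for "no tools found" are assumptions. The constructed listings show why a simple name match fires just as readily on a user running netstat as on a researcher running Frida.

```python
"""Model of a process-name anti-analysis check of the kind described above.

Constructed example: this is not Predator's code. The tool list beyond
Frida and netstat, the field layout and the code 0 are assumptions.
"""
import re

# Error code the article attributes to Predator: "target is running security
# or analysis tools". Code 0 for a clean result is an assumed placeholder.
ERR_ANALYSIS_TOOLS = 304
ERR_NONE = 0

# Process names treated as analysis tooling. Frida and netstat come from the
# article; the remaining names are assumed additions such a check might carry.
ANALYSIS_TOOLS = {
    "frida-server", "frida", "frida-helper",
    "netstat",
    "tcpdump", "lldb", "debugserver",
}


def parse_ps(ps_output: str) -> list[tuple[int, str]]:
    """Parse `ps -A -o pid,comm`-style output into (pid, command) pairs.

    The command column is reduced to its basename so '/usr/sbin/frida-server'
    and 'frida-server' match the same watchlist entry.
    """
    procs = []
    for line in ps_output.strip().splitlines()[1:]:  # skip the header row
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if not m:
            continue
        pid, comm = int(m.group(1)), m.group(2).rsplit("/", 1)[-1]
        procs.append((pid, comm))
    return procs


def find_analysis_tools(procs: list[tuple[int, str]]) -> list[str]:
    """Return the watched tool names present in the process list, sorted."""
    return sorted(comm for _, comm in procs if comm.lower() in ANALYSIS_TOOLS)


def deployment_check(ps_output: str) -> tuple[int, list[str]]:
    """Return (error_code, matched_tools): 304 when any watched tool is live."""
    hits = find_analysis_tools(parse_ps(ps_output))
    return (ERR_ANALYSIS_TOOLS if hits else ERR_NONE), hits


# Constructed process listings, not captured from any real device.
CLEAN_PS = """  PID COMM
    1 launchd
  412 SpringBoard
  655 MobileSafari
"""

# A researcher with Frida attached ...
RESEARCHER_PS = CLEAN_PS + "  812 /usr/sbin/frida-server\n"

# ... and an ordinary user checking their own connections look the same
# to a name-based check: both produce error 304.
PRIVACY_USER_PS = CLEAN_PS + "  903 netstat\n"

if __name__ == "__main__":
    cases = (("clean", CLEAN_PS), ("researcher", RESEARCHER_PS),
             ("netstat user", PRIVACY_USER_PS))
    for label, ps in cases:
        code, hits = deployment_check(ps)
        print(f"{label:13s} -> error {code} {hits}")
```

The point of the third listing is the one the researchers make: a watchlist keyed on process names cannot tell a privacy-conscious user apart from an analyst, so the operator sees the same diagnostic code either way.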

Jamf also concluded that Predator suppresses crash logs, one of the artifacts investigators rely on to spot infection attempts.

It’s the second time in as many months that researchers have uncovered capabilities that differentiate Predator, made by Intellexa, from competitors.

Jamf said its analysis shows that Predator is built to dodge both spyware researchers and security products, and that its anti-analysis capabilities are stronger than previously documented.

Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he's covered cybersecurity since 2003. Email Tim here: tim.starks@cyberscoop.com.