Current Cyber Threats

Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery

Summary:
The Intellexa Leaks, a new joint investigation published by Inside Story, Haaretz, and the WAV Research Collective, with technical analysis from Amnesty International's Security Lab, has exposed the persistent global threat posed by the mercenary Predator spyware and its maker, Intellexa, despite the company and its executives being subjected to U.S. sanctions. The investigation revealed the first recorded attempt to target a member of civil society in Pakistan, a human rights lawyer from Balochistan, via a suspicious WhatsApp link consistent with a Predator one-click attack, though Pakistan has denied the claims. Predator, which has been marketed under names like Helios and Nova, functions similarly to NSO Group's Pegasus by covertly harvesting extensive sensitive data, including encrypted messages, calls, passwords, and photos, and then exfiltrating it to a server in the customer's country.

Intellexa maintains its position as a prolific vendor of zero-day exploits, which are either developed in-house or purchased externally, enabling stealthy installation on both Android (via Google Chrome flaws like CVE-2025-6554) and iOS (via Apple Safari flaws and a custom framework called JSKit). The complexity of their exploits is highlighted by an iOS chain that used multiple vulnerabilities (CVE-2023-41993, -41991, -41992) and a multi-stage payload, PREYHUNTER, which includes a "Watcher" module for operational security to detect suspicious behavior and a "Helper" module to hook systems for comprehensive data capture, such as keylogging and recording VoIP conversations.
Security Officer Comments:
Most significantly, the leaks revealed that Intellexa staff allegedly retained the ability to remotely access their customers' live surveillance systems (including those physically located on governmental premises) via tools like TeamViewer. Amnesty International argues that this deep operational involvement raises severe questions about the company's human rights diligence and could open Intellexa to claims of liability for any human rights abuses caused by the spyware's misuse. Furthermore, the report detailed new, advanced strategic delivery vectors aimed at enabling zero-click infections, including the Mars and Jupiter network injection systems (requiring ISP cooperation for an adversary-in-the-middle attack) and the sophisticated Aladdin system, which exploits the mobile advertising ecosystem to force a malicious ad onto a target's phone, triggering the zero-click infection simply upon viewing the ad. This new vector demonstrates how Intellexa continues to adapt and thrive, with Predator-related activity detected by Recorded Future in over a dozen countries, primarily in Africa, confirming a growing global demand for these intrusive surveillance tools.
Suggested Corrections:
To counter advanced mercenary spyware like Predator, focus on these essential steps:
  1. Immediate & Consistent Patching:
    • Always update your OS (iOS/Android) and browsers (Chrome/Safari) immediately. Predator relies on exploiting unpatched zero-day vulnerabilities in these systems.
  2. Strict Link and Ad Scrutiny:
    • Do not click suspicious links received via WhatsApp, SMS, or email, especially from unknown contacts.
    • Use ad and pop-up blockers to mitigate the risk from the Aladdin zero-click vector that uses malicious advertisements.
  3. Account and System Hardening:
    • Enable Multi-Factor Authentication (MFA) on all critical accounts.
    • Limit application permissions to only what is necessary.
    • Avoid unofficial app stores.
  4. Endpoint Security & Monitoring:
    • Use reputable endpoint security or anti-spyware software.
    • For technical users, consider using the Mobile Verification Toolkit (MVT) to actively check your device for known spyware indicators.

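As an added illustration (not code from the article, Amnesty's Security Lab, or the MVT project), the following Python script shows the kind of indicator matching that a tool like MVT performs when it checks a device against published indicators: it loads a STIX2 bundle of domain-name and URL indicators and scans browser-history style records for hits. The bundle and the history lines are constructed here with placeholder `.invalid` values; they are not real Predator indicators, which should be obtained from the published IoC sources the article's investigators maintain.

```python
import json
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed STIX2 bundle with PLACEHOLDER indicators (not real Predator IoCs).
# Real indicator files follow the same shape: a bundle of "indicator" objects
# whose "pattern" field holds a STIX pattern such as [domain-name:value = '...'].
SAMPLE_STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000001",
    "objects": [
        {"type": "indicator",
         "id": "indicator--00000000-0000-0000-0000-000000000002",
         "pattern": "[domain-name:value = 'spyware-c2.example.invalid']",
         "pattern_type": "stix"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-0000-0000-000000000003",
         "pattern": "[url:value = 'https://ads-redirect.example.invalid/land']",
         "pattern_type": "stix"},
        # Non-indicator objects (malware, relationship, ...) are skipped.
        {"type": "malware", "id": "malware--00000000-0000-0000-0000-000000000004",
         "name": "placeholder-family"},
    ],
})

# Only the two simple pattern forms this example understands.
PATTERN_RE = re.compile(r"\[(domain-name|url):value\s*=\s*'([^']+)'\]")


def load_indicators(bundle_json: str) -> Dict[str, Set[str]]:
    """Extract domain-name and url indicators from a STIX2 bundle string."""
    iocs: Dict[str, Set[str]] = {"domains": set(), "urls": set()}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if not m:
            continue  # hashes, IPs, compound patterns: out of scope for this example
        kind, value = m.groups()
        if kind == "domain-name":
            # Normalise so 'C2.Example.Invalid.' and 'c2.example.invalid' compare equal.
            iocs["domains"].add(value.lower().rstrip("."))
        else:
            iocs["urls"].add(value)
    return iocs


def domain_matches(host: str, ioc_domains: Set[str]) -> Optional[str]:
    """Return the indicator domain if host equals it or is a subdomain of it.

    The leading dot in the suffix test prevents 'notspyware-c2.example.invalid'
    from matching the indicator 'spyware-c2.example.invalid'.
    """
    host = host.lower().rstrip(".")
    for d in ioc_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_history(lines: List[str], iocs: Dict[str, Set[str]]) -> List[dict]:
    """Check constructed '<timestamp> <url>' history lines against the indicators."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue  # malformed record: skip rather than crash the scan
        ts, url = parts
        if url in iocs["urls"]:
            hits.append({"timestamp": ts, "url": url, "match": url, "kind": "url"})
            continue
        host = urlparse(url).hostname or ""
        d = domain_matches(host, iocs["domains"])
        if d:
            hits.append({"timestamp": ts, "url": url, "match": d, "kind": "domain"})
    return hits


# Constructed browser-history records in a simple "timestamp url" format.
SAMPLE_HISTORY = [
    "2025-12-01T10:00:00Z https://news.example.org/article",
    "2025-12-01T10:02:13Z https://cdn.spyware-c2.example.invalid/a.js",   # subdomain hit
    "2025-12-01T10:02:14Z https://ads-redirect.example.invalid/land",     # exact URL hit
    "2025-12-01T10:03:00Z https://notspyware-c2.example.invalid/",        # must not match
    "malformed line without a url",
]


def run_sample() -> List[dict]:
    """Scan the constructed history against the constructed indicator bundle."""
    return scan_history(SAMPLE_HISTORY, load_indicators(SAMPLE_STIX_BUNDLE))


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

This mirrors only the matching step so the logic is easy to follow; it is not a replacement for running MVT itself, which consumes STIX2 indicator files through its `--iocs` option (for example `mvt-ios check-backup --iocs <file> <backup>`) and covers many more artifact types than browser history. The suffix check with a leading dot is the detail most often got wrong in home-grown matchers, which is why the sample history includes a near-miss domain.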
Link(s):
https://thehackernews.com/2025/12/intellexa-leaks-reveal-zero-days-and.html