Predator¶
Predator is a mercenary spyware platform developed by Cytrox and sold through the Intellexa alliance, a consortium of European surveillance companies assembled to compete with NSO Group. Where Pegasus is best known for zero-click exploit chains, Predator is typically delivered through one-click links that lead to exploit chains against Chrome and the Android kernel, although zero-click delivery by network injection has also been documented. Its architecture splits responsibilities between an initial loader called Alien and the main implant Predator, which runs a Python-based module system so that surveillance tasking can be changed without re-exploiting the device. Predator has been deployed against journalists, politicians, and academics, and the Predator Files investigation found that at least 25 countries bought Intellexa products.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | 2019 (estimated development start), December 2021 (first public documentation) |
| Status | Active, despite U.S. sanctions on Intellexa |
| Type | Commercial spyware (government-exclusive) |
| Attribution | Cytrox (North Macedonia), part of the Intellexa alliance led by Tal Dilian |
| Aliases | Predator, PREDATOR (Talos convention) |
| Loader | Alien |
| Platforms | Android (primary), iOS |
Origin and Lineage¶
Cytrox was founded in North Macedonia and later acquired into the Intellexa alliance, a group of companies including Nexa Technologies (formerly Amesys, France), WiSpear/Passitora Ltd. (Cyprus), and Senpai Technologies (Israel). Tal Dilian, an ex-Israeli Defense Forces intelligence officer, assembled this consortium with the explicit goal of building an EU-regulated competitor to NSO Group.
Citizen Lab first publicly documented Predator in December 2021 after finding it on the iPhone of Ayman Nour, an Egyptian opposition politician living in exile in Turkey. Nour's device was infected with both Pegasus and Predator at the same time, which Citizen Lab assessed to be the work of two different government customers, making it the first known case of a phone carrying two commercial spyware implants simultaneously.
Distribution¶
Predator delivery relies mainly on one-click exploit chains and social engineering. Citizen Lab has also documented a zero-click variant, network injection, in which an in-path device on the target's mobile network redirects plaintext HTTP traffic to the exploit server without any user interaction; the one-click path remains the most commonly observed.
Exploit Chain Delivery¶
In May 2022, Google TAG reported on three campaigns run between August and October 2021 in which Predator was delivered with five zero-day vulnerabilities, packaged alongside n-day exploits:
| CVE | Component | Type |
|---|---|---|
| CVE-2021-37973 | Chrome (use-after-free in Portals) | 0-day |
| CVE-2021-37976 | Chrome (info leak in core) | 0-day |
| CVE-2021-38000 | Chrome (insufficient validation in Intents) | 0-day |
| CVE-2021-38003 | Chrome (V8, "inappropriate implementation") | 0-day |
| CVE-2021-1048 | Android kernel (use-after-free) | 0-day |
The attack flow:
- The target receives an email containing a one-time link that mimics a URL-shortener service
- Clicking the link sends the browser through the exploit server, which chains Chrome exploitation (a renderer bug plus sandbox escape) with an Android kernel privilege escalation
- The Alien loader is dropped onto the device
- Alien downloads and executes the Predator implant
- The browser is finally redirected to a legitimate website so that the target sees nothing unusual
Google TAG noted that each campaign targeted tens of users, located in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia. The exploit chains combined n-day exploits with the zero-days, relying on the gap between a vendor releasing a patch and that patch actually reaching end-user devices.
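The patch gap is something a responder can measure on a handset. The following is an added example, not tooling from Google TAG or any vendor: it reads the output of `adb shell dumpsys package com.android.chrome` and `adb shell getprop ro.build.version.security_patch` and reports which of the five CVEs in the table above were still unpatched on that build. The fixed-in versions are this example's own table, taken from the Chrome stable release notes for those advisories and the Android security bulletin that shipped the kernel fix; verify them against the advisories before relying on the result. The sample strings are constructed, not captured from a real device.

```python
"""Patch-gap triage against the Chrome/Android CVEs in the table above (added example)."""
from __future__ import annotations
import re

# Fixed-in versions (assumption for this example; check against the advisories).
CHROME_FIXED_IN = {
    "CVE-2021-37973": "94.0.4606.61",
    "CVE-2021-37976": "94.0.4606.71",
    "CVE-2021-38000": "95.0.4638.69",
    "CVE-2021-38003": "95.0.4638.69",
}
# Android security patch level (ro.build.version.security_patch) that carries the kernel fix.
ANDROID_FIXED_IN = {"CVE-2021-1048": "2021-11-05"}


def parse_version(version: str) -> tuple[int, ...]:
    """'94.0.4606.50' -> (94, 0, 4606, 50); tuples compare component-wise."""
    return tuple(int(part) for part in version.strip().split("."))


def chrome_version_from_dumpsys(dumpsys_text: str) -> str | None:
    """Pull versionName out of `dumpsys package` output; None if Chrome is absent."""
    match = re.search(r"versionName=(\d+(?:\.\d+)+)", dumpsys_text)
    return match.group(1) if match else None


def chrome_exposure(version: str) -> list[str]:
    """CVEs whose fix landed in a later build than the one installed."""
    installed = parse_version(version)
    return sorted(cve for cve, fixed in CHROME_FIXED_IN.items()
                  if installed < parse_version(fixed))


def kernel_exposure(security_patch: str) -> list[str]:
    """Patch levels are ISO dates, so plain string comparison orders them correctly."""
    return sorted(cve for cve, fixed in ANDROID_FIXED_IN.items()
                  if security_patch.strip() < fixed)


def triage(dumpsys_text: str, security_patch: str) -> dict[str, list[str]]:
    """Combine both checks. The full one-click chain needs an unpatched browser
    bug AND an unpatched kernel bug; either side patched breaks it."""
    version = chrome_version_from_dumpsys(dumpsys_text)
    chrome = chrome_exposure(version) if version else []
    kernel = kernel_exposure(security_patch)
    return {"chrome": chrome, "kernel": kernel,
            "full_chain": chrome + kernel if chrome and kernel else []}


# Constructed sample output, shaped like dumpsys/getprop but not from a real device.
SAMPLE_DUMPSYS = (
    "Package [com.android.chrome] (3f1a9c2):\n"
    "    versionCode=460650510 minSdk=24 targetSdk=30\n"
    "    versionName=94.0.4606.50\n"
)
SAMPLE_PATCH_LEVEL = "2021-10-05"

if __name__ == "__main__":
    print(triage(SAMPLE_DUMPSYS, SAMPLE_PATCH_LEVEL))
```

Run it against the two adb outputs for each device in an investigation; a device whose `full_chain` list is empty at the time of the suspicious click could not have been compromised by this particular chain, which narrows the search to other delivery paths.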
One-Click Link Delivery¶
In the Greek surveillance scandal, targets received SMS messages carrying links that led to exploit pages. Citizen Lab confirmed a Predator infection on the phone of journalist Thanasis Koukakis; PASOK leader Nikos Androulakis received a Predator link by SMS in 2021 but did not open it, so his case is a documented attempt rather than a confirmed infection. In a separate campaign, Amnesty International's Security Lab documented Predator links posted publicly on Twitter/X in replies addressed to named officials and journalists.
Capabilities¶
Alien Loader¶
Alien is far more than a simple dropper. Cisco Talos published an in-depth technical analysis revealing that Alien provides foundational capabilities that Predator depends on:
| Capability | Implementation |
|---|---|
| Process injection | Injected into zygote64, the template process from which every Android app forks, so its code is present in app processes spawned afterwards |
| IPC hooking | Hooks ioctl() in libbinder.so to intercept inter-process communication across the Android framework |
| SELinux bypass | Runs in zygote's broadly privileged SELinux domain rather than a confined app domain, sidestepping the policy that would restrict a normal app |
| Module delivery | Downloads and loads Predator and additional modules from C2 |
| Audio recording | Low-level audio capture implemented at the Alien layer |
Predator Implant¶
Predator itself runs a Python runtime environment, making it highly modular. New surveillance capabilities can be deployed as Python modules without requiring re-exploitation of the target device.
| Capability | Details |
|---|---|
| Call recording | Record voice calls and VoIP conversations |
| Messaging app access | Extract data from WhatsApp, Signal, Telegram |
| Camera | Activate front and rear cameras |
| Microphone | Ambient audio recording |
| Location | GPS and network-based tracking |
| Certificate injection | Install custom CA certificates into the user trust store; this exposes only apps that trust user-added CAs, which has been opt-in since Android 7 for apps targeting API 24 and later |
| App hiding | Conceal applications or prevent their execution |
| Arbitrary code execution | Load and execute Python modules on demand from C2 |
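The Python runtime described above is what lets new tasking arrive as code rather than as a fresh exploit. The following is an added example, not Predator code and not from Talos: the first half shows the generic technique in the plainest form, source text that arrives over the wire and becomes a live module without touching disk; the second half is the live-response counterpart, walking `sys.modules` of a running interpreter and reporting anything that is neither built-in, frozen, a namespace package, nor backed by a file that exists. The module name and source below are constructed stand-ins.

```python
"""Staging a tasking module from memory, and finding such modules afterwards (added example)."""
from __future__ import annotations
import os
import sys
import types


def stage_module(name: str, source: str) -> types.ModuleType:
    """Compile `source` and register it as an importable module, never touching disk."""
    module = types.ModuleType(name)
    module.__spec__ = None            # no importlib spec: nothing points at a file
    code = compile(source, f"<{name}>", "exec")
    exec(code, module.__dict__)
    sys.modules[name] = module
    return module


def stage_and_run(name: str, source: str, task: dict) -> dict:
    """Stage a module and hand it a task, the way a modular implant dispatches work."""
    module = stage_module(name, source)
    return module.run(task)


def modules_without_disk_origin() -> dict[str, str]:
    """Loaded modules that no on-disk file accounts for (heuristic; expect some noise
    from pseudo-modules that some libraries register)."""
    findings = {}
    for name, module in list(sys.modules.items()):
        if module is None or name == "__main__":
            continue
        spec = getattr(module, "__spec__", None)
        origin = getattr(spec, "origin", None)
        if origin in ("built-in", "frozen"):
            continue
        if (spec is not None and spec.submodule_search_locations is not None
                and origin in (None, "namespace")):
            continue                   # namespace package: legitimately has no single file
        path = getattr(module, "__file__", None)
        if path and os.path.exists(path):
            continue
        findings[name] = origin or "no spec"
    return findings


# Constructed stand-in for a tasking module; a real one would collect data.
SAMPLE_MODULE_SOURCE = '''
def run(task):
    return {"module": __name__, "task_id": task["id"],
            "backing_file": globals().get("__file__")}
'''

if __name__ == "__main__":
    print(stage_and_run("stage_demo", SAMPLE_MODULE_SOURCE, {"id": 7}))
    print(modules_without_disk_origin())
```

The staged module reports `backing_file: None`, which is exactly the property the enumeration keys on: an implant can pick any module name it likes, but it cannot give an in-memory module a file that exists on disk without writing one.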
Unknown Modules¶
Talos identified references to two modules they could not obtain for analysis:
| Module | Suspected Function |
|---|---|
| tcore | Main surveillance orchestration component |
| kmem | Kernel memory read/write access, presumably used for privilege escalation |
Technical Details¶
Architecture¶
The Alien + Predator split serves an operational purpose: Alien handles the low-level Android integration (process injection, IPC hooking, SELinux context), while Predator provides the high-level surveillance logic through Python. This separation means Alien needs to be tightly coupled to the target Android version, while Predator modules remain portable.
Persistence¶
Predator's in-session persistence comes from Alien's injection into zygote64. Since Zygote is the parent process from which all Android applications fork, Alien stays resident as long as that process lives, and app processes started afterwards inherit its hooks. Survival across a reboot is a separate question: the analyses cited on this page do not detail the mechanism that reinstalls the loader after a restart.
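Because the loader lives inside zygote64 rather than as an installed package, a package-level inventory will not show it; the process memory map will. The following is an added example, not an Intellexa artefact and not a signature for Alien: it parses the text of `/proc/<pid>/maps` (pulled from the device with root, for zygote64 or any app process forked from it) and flags executable regions that are either file-backed from outside the trusted partitions or anonymous without a name ART would give them. The trusted-prefix and known-anonymous lists are assumptions for a stock build and should be extended for the OEM in question; the sample map and the library path in it are constructed.

```python
"""Flag executable code in a process map that no trusted image accounts for (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

# Where code legitimately lives on a stock build (assumption; extend per OEM layout).
TRUSTED_PREFIXES = ("/system/", "/system_ext/", "/apex/", "/vendor/",
                    "/product/", "/odm/")
# Anonymous executable regions an ART process creates on its own (assumption).
KNOWN_ANON = ("[vdso]", "[vectors]", "/memfd:jit-cache", "[anon:dalvik-jit")


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text: str) -> list[Mapping]:
    """Parse /proc/<pid>/maps text; lines that do not match are skipped."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group(4)
        if path.endswith(" (deleted)"):          # unlinked file, still mapped
            path = path[:-len(" (deleted)")]
        mappings.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                                m.group(3), path))
    return mappings


def suspicious_exec_mappings(mappings: list[Mapping]) -> list[Mapping]:
    """Executable regions from an untrusted file, or anonymous and unnamed."""
    flagged = []
    for mp in mappings:
        if "x" not in mp.perms:
            continue
        if mp.path.startswith(TRUSTED_PREFIXES) or mp.path.startswith(KNOWN_ANON):
            continue
        flagged.append(mp)
    return flagged


def scan_maps_file(path: str) -> list[Mapping]:
    """Convenience wrapper for a maps file pulled off the device."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_exec_mappings(parse_maps(fh.read()))


# Constructed sample; the /data/local/tmp library is made up for illustration.
SAMPLE_MAPS = """\
7a1b000000-7a1b020000 r-xp 00000000 fd:00 1234   /system/lib64/libc.so
7a1c000000-7a1c010000 r-xp 00000000 fd:00 2345   /apex/com.android.art/lib64/libart.so
7a1d000000-7a1d008000 rw-p 00000000 00:00 0      [anon:dalvik-main space]
7a1e000000-7a1e004000 r-xp 00000000 00:00 0      /memfd:jit-cache (deleted)
7a1f000000-7a1f020000 r-xp 00000000 fd:01 9876   /data/local/tmp/.cache/libhelper.so
7a20000000-7a20003000 r-xp 00000000 00:00 0
"""

if __name__ == "__main__":
    for mp in suspicious_exec_mappings(parse_maps(SAMPLE_MAPS)):
        print(f"{mp.start:#x}-{mp.end:#x} {mp.perms} {mp.path or '<anonymous>'}")
```

Two hits come out of the sample: the library mapped from `/data/local/tmp`, and an unnamed anonymous executable region. Either is worth a closer look in zygote64 specifically, since that process should not be loading code from writable storage or holding unnamed executable memory outside the JIT cache.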
TLS Interception¶
One of Predator's more aggressive capabilities is certificate poisoning. By adding a custom CA certificate to the user certificate store, Predator can man-in-the-middle HTTPS connections from apps that trust that store. The reach of this is narrower than it sounds: since Android 7, apps targeting API 24 or later trust only the system CA store unless their network security configuration explicitly adds user certificates, so the technique mainly affects older apps, apps that opted in to user CAs (often for debugging or enterprise proxy support), and any app that does not pin its certificates where the operator can also work around that limitation.
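Which of your own apps a user-installed CA would expose is decided by their `network_security_config.xml`. The following is an added example, not Android platform code: it applies the platform rule that apps targeting API 24 and later trust only system CAs by default, parses the config the way the platform does (base config, domain configs with `includeSubdomains`, nested configs inheriting their parent's trust anchors), and answers "does this app trust user CAs for this host?". Both XML documents are constructed samples: one shows the weak opt-in beside a hardened domain, the other the hardened default made explicit.

```python
"""Which hosts would a user-installed CA let an attacker intercept? (added example)"""
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRule:
    domain: str
    include_subdomains: bool
    sources: tuple[str, ...]          # e.g. ("system",) or ("system", "user")


def _trust_sources(elem: ET.Element, inherited: tuple[str, ...]) -> tuple[str, ...]:
    """<trust-anchors> of this element, or the inherited set if it has none."""
    anchors = elem.find("trust-anchors")
    if anchors is None:
        return inherited
    return tuple(c.get("src", "") for c in anchors.findall("certificates"))


def parse_config(xml_text: str, target_sdk: int):
    """Return (base trust sources, domain rules) with the platform default applied."""
    root = ET.fromstring(xml_text)
    default = ("system",) if target_sdk >= 24 else ("system", "user")
    base = root.find("base-config")
    base_sources = _trust_sources(base, default) if base is not None else default
    rules: list[DomainRule] = []

    def walk(cfg: ET.Element, inherited: tuple[str, ...]) -> None:
        sources = _trust_sources(cfg, inherited)
        for d in cfg.findall("domain"):
            rules.append(DomainRule((d.text or "").strip().lower(),
                                    d.get("includeSubdomains", "false") == "true",
                                    sources))
        for child in cfg.findall("domain-config"):      # nested configs inherit
            walk(child, sources)

    for cfg in root.findall("domain-config"):
        walk(cfg, base_sources)
    return base_sources, rules


def sources_for_host(host: str, base_sources: tuple[str, ...],
                     rules: list[DomainRule]) -> tuple[str, ...]:
    """Most specific matching domain rule wins; otherwise the base config applies."""
    host = host.lower()
    best = None
    for rule in rules:
        exact = host == rule.domain
        sub = rule.include_subdomains and host.endswith("." + rule.domain)
        if (exact or sub) and (best is None or len(rule.domain) > len(best.domain)):
            best = rule
    return best.sources if best else base_sources


def trusts_user_cas(xml_text: str, host: str, target_sdk: int = 33) -> bool:
    base_sources, rules = parse_config(xml_text, target_sdk)
    return "user" in sources_for_host(host, base_sources, rules)


# Constructed: an app that opted back in to user CAs everywhere except its own API.
WEAK_CONFIG = """
<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <trust-anchors><certificates src="system"/></trust-anchors>
  </domain-config>
</network-security-config>
"""
# Constructed: the hardened form, i.e. the API 24+ default written out explicitly.
HARDENED_CONFIG = """
<network-security-config>
  <base-config>
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
</network-security-config>
"""

if __name__ == "__main__":
    for host in ("www.example.com", "v2.api.example.com"):
        print(host, trusts_user_cas(WEAK_CONFIG, host), trusts_user_cas(HARDENED_CONFIG, host))
```

The example ignores `<debug-overrides>`, which only apply to debuggable builds, and does not model pinning; a `<pin-set>` on a domain defeats the injected CA regardless of which stores are trusted, so an app can be exposed by this check and still safe in practice for pinned hosts.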
C2 Communication¶
Predator uses HTTPS for C2 communication with multi-hop proxy infrastructure. Citizen Lab mapped suspected Predator C2 servers to operators in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.
Known Deployments and Targets¶
| Country | Targets | Source |
|---|---|---|
| Egypt | Ayman Nour (opposition politician), exiled journalist | Citizen Lab, December 2021 |
| Greece | Journalist Thanasis Koukakis, PASOK leader Nikos Androulakis, other politicians | CPJ, Citizen Lab |
| Armenia | Government-backed campaigns | Google TAG |
| Indonesia | Government-backed campaigns | Google TAG |
| Madagascar | Political targets | Google TAG |
| Serbia | Journalists, civil society | Google TAG |
| Spain | Political figures | Google TAG |
| United States | A U.S. Senator and a Congressman (targeted via links posted on Twitter/X) | Amnesty International Security Lab, Predator Files, October 2023 |
| European Union | President of the European Parliament, MEPs | Amnesty International Security Lab, Predator Files, October 2023 |
| Vietnam, Qatar, Congo, Kenya, and others | Various | Amnesty International Predator Files |
Notable Campaigns and Discoveries¶
December 2021: Citizen Lab publishes "Pegasus vs. Predator", the first public documentation of Predator. The report identifies Cytrox as the developer and reveals that Egyptian opposition figure Ayman Nour's phone was simultaneously infected with both Pegasus and Predator.
April 2022: CPJ, with forensic analysis by Citizen Lab, reports that Greek journalist Thanasis Koukakis was surveilled with Predator from July to September 2021. The revelations trigger a political crisis in Greece, leading in August 2022 to the resignations of the head of the Greek intelligence service (EYP) and the general secretary of the prime minister's office.
May 2022: Google TAG reveals that Cytrox exploited five zero-day vulnerabilities (four in Chrome, one in the Android kernel) across three campaigns targeting Android users in multiple countries, and attributes the exploit packaging to Cytrox. Project Zero's review of 2021 counted a record 58 in-the-wild zero-days that year, five of them the Chrome and Android bugs attributed to Cytrox.
May 2023: Cisco Talos publishes "Mercenary Mayhem", the most detailed technical analysis of Predator and Alien to date. The report reveals the Python-based architecture, Zygote injection, IPC hooking, and TLS interception capabilities. Talos also publishes a companion piece mapping the Intellexa corporate structure.
October 2023: The Predator Files investigation, a year-long collaboration between Amnesty International and European Investigative Collaborations (EIC), reveals that at least 25 countries purchased Intellexa products. Amnesty's Security Lab documents Predator targeting of U.S. and EU elected officials and journalists through links posted on Twitter/X.
March 2024: The U.S. Treasury Department sanctions Intellexa and its founder Tal Dilian, along with associated entities, for developing and distributing commercial spyware used against Americans. Despite sanctions, reports indicate Intellexa continues to operate through restructured corporate entities.