Egyptian exiles targeted with Predator spyware resembling NSO Group's Pegasus

A high-profile politician and journalist have been targeted with spyware likely spread using WhatsApp messages


A new strain of spyware targeting high-profile exiled politicians and journalists has been discovered by the same organisation that investigated and alerted the world to NSO Group's Pegasus tool.

Two Egyptian exiles, a politician and a journalist, were found to have had their Apple iPhones infected with Predator spyware in June 2021, following an inspection by Citizen Lab.

Predator is regarded as being a program with similar capabilities to NSO Group's Pegasus, which was used to target figures such as journalist and Saudi critic Jamal Khashoggi.

Predator is built and sold by North Macedonian startup Cytrox, which Citizen Lab researchers believe has a number of government clients across Africa, Eastern Europe, and the Middle East. It's also thought to have private customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

The Predator spyware offers surveillance capabilities similar to Pegasus, but its exploitation approach is less technical. Rather than exploiting an undisclosed zero-day vulnerability in iOS, it relies on a phishing-like attack framework: links sent via WhatsApp messages lead to one-click infections.

An iPhone belonging to Ayman Nour, former Egyptian presidential candidate and president of the Egyptian political opposition group Union of the Egyptian National Forces, was found in June 2021 to be infected with both Predator and Pegasus spyware at the same time, with the hacks conducted by two separate government clients.

Citizen Lab believes with medium-to-high confidence the Predator attacks on both Egyptian exiles were ordered by the Egyptian government as a Cytrox customer.

Nour's iPhone is said to have been repeatedly attacked with Pegasus spyware since March 2021 using the NSO Group's iOS zero-day FORCEDEXPLOIT. Phone logs also showed a number of processes related to Predator spyware running on the device, and researchers concluded that clicking on links sent to Nour via WhatsApp from an Egyptian number purporting to belong to a Dr Rania Shhab led to the phone being infected with Predator.

Nour was first alerted to the possibility of a hack when he noticed his phone running unusually hot - an indicator which later revealed two separate surveillance tools running at the same time.

The second target, an exiled Egyptian journalist who wished to remain anonymous, received similar texts from a number purporting to be an assistant editor at the Al Masry Al Youm newspaper.

Citizen Lab was only able to obtain samples of Predator's loader, not the entire exploit, which it believes remains active in the wild. The organisation's analysis showed Predator persists on iOS even after rebooting, using Apple's automation feature.

From its initial inspection in June 2021, Citizen Lab said the spyware was able to infect the then-latest iOS version (version 14.6) but it's unclear if the current version of Apple's mobile operating system is vulnerable too. IT Pro contacted Apple for clarity but it did not reply in time for publication, though it told Citizen Lab it was investigating the issue.

Cytrox is believed to be part of Intellexa, a collective of spyware groups formed to compete with the now-financially struggling NSO Group. Intellexa describes itself as EU-based and regulated with six sites and R&D labs throughout Europe, Citizen Lab said.

Knowledge of the 'spyware alliance' is "murky at best", Citizen Lab said, but it's thought the group was formed in 2019 and now operates out of Greece after first basing itself in Cyprus.

Meta released a report following Citizen Lab's findings announcing it was taking action against surveillance-for-hire groups. Cytrox, along with other groups unrelated to Intellexa, was specifically named in the report. Meta already banned and sued NSO Group in 2019 over its surveillance programme.

Pages belonging to a total of seven companies known for surveilling others using a mercenary business model have been banned by Meta, and it has also alerted around 50,000 individuals it believes may have been targeted by the companies.
