IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Egyptian exiles targeted with Predator spyware resembling NSO Group's Pegasus

A high-profile politician and journalist have been targeted with spyware likely spread using WhatsApp messages

A cheetah obscured by foliage while stalking prey

A new strain of spyware targeting high-profile exiled politicians and journalists has been discovered by the same organisation that investigated and alerted the world to NSO Group's Pegasus tool.

Two Egyptian exiles, a politician and a journalist, were found to have had their Apple iPhones infected with Predator spyware in June 2021, following an inspection by Citizen Lab.

Predator is regarded as being a program with similar capabilities to NSO Group's Pegasus, which was used to target figures such as journalist and Saudi critic Jamal Khashoggi.

Predator is built and sold by North Macedonian startup Cytrox, which Citizen Lab researchers believe has a number of government clients across Africa, Eastern Europe, and the Middle East. It's also thought to have private customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

The Predator spyware offers similar surveillance capabilities to Pegasus but is less technical in its exploitation approach. Instead of utilising an undisclosed zero-day vulnerability in iOS, it instead operates using a phishing-like attack framework using links sent via WhatsApp messages that lead to one-click infections.

An iPhone belonging to Ayman Nour, former Egyptian presidential candidate and president of the Egyptian political opposition group Union of the Egyptian National Forces, was found in June 2021 to be infected with both Predator and Pegasus spyware at the same time, with the hacks conducted by two separate government clients.

Citizen Lab believes with medium-to-high confidence the Predator attacks on both Egyptian exiles were ordered by the Egyptian government as a Cytrox customer.

Nour's iPhone is said to have been repeatedly attacked with Pegasus Spyware since March 2021 using the NSO Group's iOS zero-day FORCEDEXPLOIT. Phone logs also showed a number of processes related to Predator spyware running on the device, with researchers concluding that clicking on links sent to Nour via WhatsApp from an Egyptian number purporting to be a Dr Rania Shhab led to the phone being infected with Predator.

Nour was first alerted to the possibility of a hack when he noticed his phone running unusually hot - an indicator which later revealed two separate surveillance tools running at the same time.

The second target, an exiled Egyptian journalist who wished to remain anonymous, received similar texts from a number purporting to be an assistant editor at the Al Masry Al Youm newspaper.

Citizen Lab was only able to obtain samples of Predator's loader, not the entire exploit, which it believes remains active in the wild. The organisation's analysis showed Predator persists on iOS even after rebooting, using Apple's automation feature.

From its initial inspection in June 2021, Citizen Lab said the spyware was able to infect the then-latest iOS version (version 14.6) but it's unclear if the current version of Apple's mobile operating system is vulnerable too. IT Pro contacted Apple for clarity but it did not reply in time for publication, though it told Citizen Lab it was investigating the issue.

Cytrox is believed to be part of Intellexa, a collective of spyware groups formed to compete with the now-financially struggling NSO Group. Intellexa describes itself as EU-based and regulated with six sites and R&D labs throughout Europe, Citizen Lab said.

Knowledge of the 'spyware alliance' is "murky at best", Citizen Lab said, but it's thought the group was formed in 2019 and now operates out of Greece after first basing itself in Cyprus.

Meta released a report following Citizen Lab's findings announcing it was taking action against surveillance-for-hire groups. Cytrox, along with others unrelated to Intellexa, were specifically named in the report. Meta already banned and sued NSO Group in 2019 for its surveillance programme.

Pages belonging to a total of seven companies known for surveilling others using a mercenary business model have been banned by Meta, and it has also alerted around 50,000 individuals it believes may have been targeted by the companies.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Bahrain targets activists with NSO's Pegasus spyware
spyware

Bahrain targets activists with NSO's Pegasus spyware

24 Aug 2021

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022