Egyptian exiles targeted with Predator spyware resembling NSO Group's Pegasus

A cheetah obscured by foliage while stalking prey

A new strain of spyware targeting high-profile exiled politicians and journalists has been discovered by the same organisation that investigated and alerted the world to NSO Group's Pegasus tool.

Two Egyptian exiles, a politician and a journalist, were found to have had their Apple iPhones infected with Predator spyware in June 2021, following an inspection by Citizen Lab.

Predator is regarded as being a program with similar capabilities to NSO Group's Pegasus, which was used to target figures such as journalist and Saudi critic Jamal Khashoggi.

Predator is built and sold by North Macedonian startup Cytrox, which Citizen Lab researchers believe has a number of government clients across Africa, Eastern Europe, and the Middle East. It's also thought to have private customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

The Predator spyware offers similar surveillance capabilities to Pegasus but is less technical in its exploitation approach. Instead of utilising an undisclosed zero-day vulnerability in iOS, it instead operates using a phishing-like attack framework using links sent via WhatsApp messages that lead to one-click infections.

An iPhone belonging to Ayman Nour, former Egyptian presidential candidate and president of the Egyptian political opposition group Union of the Egyptian National Forces, was found in June 2021 to be infected with both Predator and Pegasus spyware at the same time, with the hacks conducted by two separate government clients.

Citizen Lab believes with medium-to-high confidence the Predator attacks on both Egyptian exiles were ordered by the Egyptian government as a Cytrox customer.

Nour's iPhone is said to have been repeatedly attacked with Pegasus Spyware since March 2021 using the NSO Group's iOS zero-day FORCEDEXPLOIT. Phone logs also showed a number of processes related to Predator spyware running on the device, with researchers concluding that clicking on links sent to Nour via WhatsApp from an Egyptian number purporting to be a Dr Rania Shhab led to the phone being infected with Predator.

Nour was first alerted to the possibility of a hack when he noticed his phone running unusually hot - an indicator which later revealed two separate surveillance tools running at the same time.

The second target, an exiled Egyptian journalist who wished to remain anonymous, received similar texts from a number purporting to be an assistant editor at the Al Masry Al Youm newspaper.

Citizen Lab was only able to obtain samples of Predator's loader, not the entire exploit, which it believes remains active in the wild. The organisation's analysis showed Predator persists on iOS even after rebooting, using Apple's automation feature.

From its initial inspection in June 2021, Citizen Lab said the spyware was able to infect the then-latest iOS version (version 14.6) but it's unclear if the current version of Apple's mobile operating system is vulnerable too. IT Pro contacted Apple for clarity but it did not reply in time for publication, though it told Citizen Lab it was investigating the issue.

Cytrox is believed to be part of Intellexa, a collective of spyware groups formed to compete with the now-financially struggling NSO Group. Intellexa describes itself as EU-based and regulated with six sites and R&D labs throughout Europe, Citizen Lab said.

Knowledge of the 'spyware alliance' is "murky at best", Citizen Lab said, but it's thought the group was formed in 2019 and now operates out of Greece after first basing itself in Cyprus.

Meta released a report following Citizen Lab's findings announcing it was taking action against surveillance-for-hire groups. Cytrox, along with others unrelated to Intellexa, were specifically named in the report. Meta already banned and sued NSO Group in 2019 for its surveillance programme.

Pages belonging to a total of seven companies known for surveilling others using a mercenary business model have been banned by Meta, and it has also alerted around 50,000 individuals it believes may have been targeted by the companies.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.