IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Egyptian exiles targeted with Predator spyware resembling NSO Group's Pegasus

A high-profile politician and journalist have been targeted with spyware likely spread using WhatsApp messages

A cheetah obscured by foliage while stalking prey

A new strain of spyware targeting high-profile exiled politicians and journalists has been discovered by the same organisation that investigated and alerted the world to NSO Group's Pegasus tool.

Two Egyptian exiles, a politician and a journalist, were found to have had their Apple iPhones infected with Predator spyware in June 2021, following an inspection by Citizen Lab.

Predator is regarded as being a program with similar capabilities to NSO Group's Pegasus, which was used to target figures such as journalist and Saudi critic Jamal Khashoggi.

Predator is built and sold by North Macedonian startup Cytrox, which Citizen Lab researchers believe has a number of government clients across Africa, Eastern Europe, and the Middle East. It's also thought to have private customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

The Predator spyware offers similar surveillance capabilities to Pegasus but is less technical in its exploitation approach. Instead of utilising an undisclosed zero-day vulnerability in iOS, it instead operates using a phishing-like attack framework using links sent via WhatsApp messages that lead to one-click infections.

An iPhone belonging to Ayman Nour, former Egyptian presidential candidate and president of the Egyptian political opposition group Union of the Egyptian National Forces, was found in June 2021 to be infected with both Predator and Pegasus spyware at the same time, with the hacks conducted by two separate government clients.

Citizen Lab believes with medium-to-high confidence the Predator attacks on both Egyptian exiles were ordered by the Egyptian government as a Cytrox customer.

Nour's iPhone is said to have been repeatedly attacked with Pegasus Spyware since March 2021 using the NSO Group's iOS zero-day FORCEDEXPLOIT. Phone logs also showed a number of processes related to Predator spyware running on the device, with researchers concluding that clicking on links sent to Nour via WhatsApp from an Egyptian number purporting to be a Dr Rania Shhab led to the phone being infected with Predator.

Nour was first alerted to the possibility of a hack when he noticed his phone running unusually hot - an indicator which later revealed two separate surveillance tools running at the same time.

The second target, an exiled Egyptian journalist who wished to remain anonymous, received similar texts from a number purporting to be an assistant editor at the Al Masry Al Youm newspaper.

Citizen Lab was only able to obtain samples of Predator's loader, not the entire exploit, which it believes remains active in the wild. The organisation's analysis showed Predator persists on iOS even after rebooting, using Apple's automation feature.

From its initial inspection in June 2021, Citizen Lab said the spyware was able to infect the then-latest iOS version (version 14.6) but it's unclear if the current version of Apple's mobile operating system is vulnerable too. IT Pro contacted Apple for clarity but it did not reply in time for publication, though it told Citizen Lab it was investigating the issue.

Cytrox is believed to be part of Intellexa, a collective of spyware groups formed to compete with the now-financially struggling NSO Group. Intellexa describes itself as EU-based and regulated with six sites and R&D labs throughout Europe, Citizen Lab said.

Knowledge of the 'spyware alliance' is "murky at best", Citizen Lab said, but it's thought the group was formed in 2019 and now operates out of Greece after first basing itself in Cyprus.

Meta released a report following Citizen Lab's findings announcing it was taking action against surveillance-for-hire groups. Cytrox, along with others unrelated to Intellexa, were specifically named in the report. Meta already banned and sued NSO Group in 2019 for its surveillance programme.

Pages belonging to a total of seven companies known for surveilling others using a mercenary business model have been banned by Meta, and it has also alerted around 50,000 individuals it believes may have been targeted by the companies.

Featured Resources

IT best practices for accelerating the journey to carbon neutrality

Considerations and pragmatic solutions for IT executives driving sustainable IT

Free Download

The Total Economic Impact™ of IBM Spectrum Virtualize

Cost savings and business benefits enabled by storage built with IBMSpectrum Virtualize

Free download

Using application migration and modernisation to supercharge business agility and resiliency

Modernisation can propel your digital transformation to the next generation

Free Download

The strategic CFO

Why finance transformation propels business value

Free Download

Most Popular

The big PSTN switch off: What’s happening between now and 2025?

The big PSTN switch off: What’s happening between now and 2025?

13 Mar 2023
Pension Protection Fund confirms employee data exposed in GoAnywhere breach

Pension Protection Fund confirms employee data exposed in GoAnywhere breach

24 Mar 2023
Online Safety Bill: Why is Ofcom being thrown under the bus?
Policy & legislation

Online Safety Bill: Why is Ofcom being thrown under the bus?

24 Mar 2023