Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery


Key takeaways:

  • Intellexa’s Predator spyware utilizes zero-day vulnerabilities and an ads-based delivery method.
  • The leaks reveal specific CVEs targeted by Predator, impacting Android, iOS, and Chrome.
  • Intellexa can remotely access customer surveillance systems, raising human rights concerns.
  • The spyware has a global reach, with detected activity in over a dozen countries.
  • Proactive threat detection and incident response planning are crucial for defense.


Recent leaks from Intellexa, the company behind the Predator spyware, expose previously undisclosed zero-day vulnerabilities and a novel ads-based delivery method. Together these findings pose a significant threat to mobile security and raise concerns about the exploitation of advertising ecosystems for surveillance purposes.

Intellexa’s Predator Spyware: A Deep Dive into the Leaks

A joint investigation, based on leaked documents from Intellexa, sheds light on the inner workings of the company and its Predator spyware. Predator, like NSO Group’s Pegasus, is a mercenary spyware tool capable of extracting sensitive data from Android and iOS devices without the user’s knowledge. The leaks reveal that Predator has been marketed under various names, including Helios, Nova, Green Arrow, and Red Arrow.

One notable incident involved a human rights lawyer from Pakistan’s Balochistan province who received a suspicious link on WhatsApp. Amnesty International identified this link as a Predator attack attempt, marking the first instance of a civil society member in Pakistan being targeted by Intellexa’s spyware. While Pakistan has dismissed the allegations, the incident underscores the potential for abuse and the global reach of Predator.

Initial Access Vectors and Zero-Day Exploits

Predator typically gains initial access to devices through messaging platforms, exploiting zero-day vulnerabilities to install the spyware. These attacks are either 1-click, requiring the victim to open a malicious link, or, in more sophisticated cases, zero-click, requiring no interaction from the victim at all.

The leaks reveal a list of zero-day vulnerabilities linked to Intellexa, either developed in-house or acquired from external sources:

  • CVE-2025-48543: Use-after-free in Android Runtime (Google)
  • CVE-2025-6554: Type confusion in V8 (Google Chrome)
  • CVE-2023-41993: WebKit JIT RCE (Apple Safari)
  • CVE-2023-41992: Kernel IPC Use-After-Free (Apple)
  • CVE-2023-41991: Certificate validation bypass in Security framework (Apple)
  • CVE-2024-4610: Use-after-free in Bifrost GPU and Valhall GPU Kernel Driver (Arm)
  • CVE-2023-4762: Type confusion in V8 (Google Chrome)
  • CVE-2023-3079: Type Confusion in V8 (Google Chrome)
  • CVE-2023-2136: Integer overflow in Skia (Google Chrome)
  • CVE-2023-2033: Use-After-Free in V8 (Google Chrome)
  • CVE-2021-38003: Inappropriate implementation in V8 (Google Chrome)
  • CVE-2021-38000: Insufficient validation of untrusted input in Intents (Google Chrome)
  • CVE-2021-37976: Information leak in memory_instrumentation (Google Chrome)
  • CVE-2021-37973: Use-after-free in Portals (Google Chrome)
  • CVE-2021-1048: Use-After-Free in Android Kernel (Google)

The variety of zero-days across browser, kernel, GPU driver, and runtime components highlights the breadth of Intellexa’s exploit arsenal and its focus on gaining persistent access to targeted devices.

Detailed Exploitation Chain

One specific iOS zero-day exploit chain, observed in attacks against targets in Egypt in 2023, utilized CVE-2023-41993 and a framework called JSKit to execute native code. Google Threat Intelligence Group (GTIG) noted that the same exploit and framework were used in a watering hole attack by Russian government-backed hackers against Mongolian government websites, suggesting that these exploits may be sourced from third-party vendors.

Following the exploitation of CVE-2023-41993, the attack progresses to break out of the Safari sandbox and execute a third-stage payload called PREYHUNTER, which exploits CVE-2023-41991 and CVE-2023-41992. PREYHUNTER includes two modules:

  • Watcher: This module monitors for crashes and suspicious behavior, terminating the exploitation process if any are detected.
  • Helper: This module communicates with other parts of the exploit, deploys hooks to record VoIP conversations, implements a keylogger, and captures images from the camera.

Intellexa also employs a custom framework for exploiting various V8 flaws in Chrome, including CVE-2021-38003, CVE-2023-2033, CVE-2023-3079, CVE-2023-4762, and CVE-2025-6554. The abuse of CVE-2025-6554 was observed in Saudi Arabia in June 2025.

Once installed, Predator collects data from messaging apps, calls, emails, device locations, screenshots, passwords, and other on-device information, exfiltrating it to a server physically located in the customer’s country. It can also activate the device’s microphone to record ambient audio and use the camera to take photos.

Remote Access Capabilities and Human Rights Concerns

The leaks revealed that Intellexa personnel had the capability to remotely access the surveillance systems of at least some of its customers via TeamViewer. This raises serious questions about human rights due diligence, as it implies that Intellexa could potentially monitor surveillance operations and targeted individuals, even when those systems were located on the premises of its governmental customers.

Amnesty International’s Jurre van Bergen stated that if a mercenary spyware company is directly involved in operating its product, it could be held liable for any human rights abuses caused by the use of the spyware.

Delivery Vectors: Tactical and Strategic

Intellexa uses various delivery vectors to trigger the opening of malicious links, categorized as tactical and strategic. Tactical vectors include Triton, Thor, and Oberon, while strategic vectors are delivered remotely via the internet or mobile network.

The strategic vectors include:

  • Mars and Jupiter: These are network injection systems that require cooperation between the Predator customer and the victim’s mobile operator or ISP. They perform adversary-in-the-middle (AitM) attacks, waiting for the target to open an unencrypted HTTP website or visit a domestic HTTPS website that has been intercepted using valid TLS certificates.
  • Aladdin: This exploits the mobile advertising ecosystem to carry out a zero-click attack. The system, under development since at least 2022, infects the target’s phone by forcing a malicious advertisement to be displayed on it, potentially on any website that serves ads.

Google has identified the use of malicious ads as an attempt to abuse the advertising ecosystem to fingerprint users and redirect targeted individuals to Intellexa’s exploit delivery servers. Google has worked with partners to identify and shut down the front companies Intellexa set up to place these ads.

Recorded Future discovered two companies, Pulse Advertise and MorningStar TEC, that appear to be operating in the advertising sector and are likely connected to the Aladdin infection vector.

Global Reach and Customer Activity

Despite U.S. sanctions imposed on Intellexa in 2024 for developing and distributing the surveillance tool, Recorded Future’s Insikt Group detected Predator-related activity in over a dozen countries, primarily in Africa, indicating a sustained demand for spyware tools.

Communications with Predator’s infrastructure were observed from customers based in Saudi Arabia, Kazakhstan, Angola, and Mongolia. Customers in Botswana, Trinidad and Tobago, and Egypt ceased communication earlier in 2025, possibly indicating discontinued use of Predator or a modification of their infrastructure setups.

Practical Takeaways and Actionable Advice

This detailed analysis of the Intellexa leaks provides critical insights for both technical and non-technical readers.

Technical Readers:

  • Patch Management: Prioritize patching systems against the disclosed zero-day vulnerabilities. Use a cyber threat intelligence platform to stay up to date on emerging threats and vulnerabilities.
  • Endpoint Detection and Response (EDR): Implement advanced EDR solutions to detect and prevent the installation of spyware on endpoints.
  • Network Monitoring: Enhance network monitoring capabilities to identify and block suspicious network traffic associated with Predator. Consider deploying a dark web monitoring service to identify potential threats early on.
  • Mobile Threat Defense (MTD): Deploy MTD solutions to protect mobile devices from spyware and other mobile threats.
  • Vulnerability Scanning: Utilize network and web application vulnerability scanning to discover and remediate vulnerabilities.

Non-Technical Readers:

  • Awareness Training: Conduct regular awareness training to educate employees about the risks of phishing attacks and malicious links.
  • Mobile Device Management (MDM): Implement MDM policies to enforce security configurations and restrict the installation of unauthorized apps.
  • Vendor Risk Management: Assess the security practices of third-party vendors and ensure they have adequate security measures in place. Use supply-chain risk monitoring to identify vulnerabilities in your vendor ecosystem.
  • Incident Response Planning: Develop and regularly test incident response plans to effectively respond to and contain security incidents.
  • Cybersecurity Insurance: Consider purchasing cybersecurity insurance to mitigate the financial impact of cyberattacks.

PurpleOps and the Fight Against Advanced Threats

The information revealed in the Intellexa leaks underscores the importance of proactive threat detection and response. PurpleOps is dedicated to providing cutting-edge cybersecurity solutions to protect organizations from advanced threats like Predator.


Protect Your Organization from Advanced Threats

The Intellexa leaks serve as a reminder of the sophistication and persistence of modern cyber threats. Protecting your organization requires a proactive and multi-layered approach to cybersecurity.

Contact PurpleOps Solutions today to learn more about how our services can help you defend against advanced threats like Predator and protect your critical assets.
Explore our platform to understand our advanced capabilities.
