Researchers find Predator spyware is being used in several countries, including Iraq

Summary

New research from Recorded Future’s Insikt Group finds continued use of Predator spyware made by Intellexa across multiple countries, including fresh evidence of deployments in Iraq. The report also identifies activity likely tied to Pakistan, active customers in Saudi Arabia, Kazakhstan, Angola and Mongolia, and a Mozambique-linked cluster that remained operative until at least June 2025. Researchers note that customers in Egypt, Botswana and Trinidad and Tobago appear to have “ceased communication,” which could mean they stopped using Intellexa or changed infrastructure to evade detection.

Insikt documents how Intellexa has been adapting its infrastructure and domain naming conventions to make discovery harder, and it uncovered several new companies that appear to be linked to the firm — including entities that may ship products or leverage advertising channels as malware delivery vectors. The findings follow US sanctions that began in July 2023 and expanded in 2024, aimed at disrupting Intellexa’s opaque corporate network.

Key Points

  1. Recorded Future’s Insikt Group found indicators of Predator spyware use in Iraq and activity likely associated with an entity tied to Pakistan.
  2. Active Intellexa customers were observed in Saudi Arabia, Kazakhstan, Angola and Mongolia; some customers in other countries appear to have stopped communicating.
  3. Intellexa has changed domain and infrastructure naming conventions, which complicates detection by researchers.
  4. Several newly identified companies may act as shell firms, resellers or advertising-based delivery channels for spyware.
  5. US sanctions since July 2023 and further designations in 2024 have not eliminated the spyware’s global footprint.
  6. A Mozambique-linked cluster remained active through at least late June 2025.

Context and relevance

The report is significant because Predator has been used against civil society members and business executives worldwide; its continued deployment signals ongoing surveillance risks and shows how spyware vendors use corporate obfuscation to evade accountability. For security teams, policymakers and privacy advocates, the research highlights the limits of sanctions alone and the need for improved threat intelligence, cross-border enforcement and defensive measures against evolving infrastructure tactics.

Why should I read this?

Short and blunt: Predator’s not gone. It’s appearing in unexpected places, changing its playbook and leaning on shell companies to hide. If you’re interested in privacy, digital rights or security, this tells you where the risk is and how the vendor is trying to stay one step ahead — we’ve read the heavy bits so you don’t have to.

Source

Source: https://therecord.media/intellexa-predator-spyware-continues-despite-sanctions