Pegasus vs. Predator: Dissident’s Phone Finds Cytrox Mercenary Spyware

Pegasus vs. Predator: Dissident’s Phone Finds Cytrox Mercenary Spyware” role=”main”>
AnalysisFocused Threats

Key Findings

  • Two Egyptians—exiled flesh presser Ayman Nour and the host of a popular news program (who desires to remain nameless)—had been hacked with Predator spyware, built and sold by the previously small-acknowledged mercenary spyware developer Cytrox.
  • The cellphone of Ayman Nour used to be concurrently contaminated with both Cytrox’s Predator and NSO Community’s Pegasus spyware, operated by two various authorities customers.
  • Each and every targets had been hacked with Predator in June 2021, and the spyware used to be in a position to contaminate the then-most modern model (14.6) of Apple’s iOS running machine the exercise of single-click on hyperlinks sent thru WhatsApp.
  • We purchased samples of Predator’s “loader,” the first section of the spyware, and analyzed their efficiency. We chanced on that Predator persists after reboot the exercise of the iOS automations characteristic.
  • We conducted Web scanning for Predator spyware servers and chanced on likely Predator customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.
  • Cytrox used to be reported to be portion of Intellexa, the so-known as “Huge title Alliance of spyware,” which used to be formed to compete with NSO Community, and which describes itself as “EU-essentially essentially based and regulated, with six websites and R&D labs one day of Europe.”

1. Background

We confirmed the hacking of the devices of two other folks with Cytrox’s Predator spyware: Ayman Nour, a member of the Egyptian political opposition residing in exile in Turkey, and an Egyptian exiled journalist who hosts a popular news program and desires to remain nameless.

Ayman Nour is the president of the Egyptian political opposition crew Union of the Egyptian Nationwide Forces. Nour is additionally a aged Egyptian presidential candidate and founder and chairperson of the Ghad al-Thawra birthday celebration.1 In 2005, Nour ran in opposition to aged Egyptian President Hosni Mubarak. After the election, Nour used to be convicted of “forging signatures on petitions” filed to manufacture his political birthday celebration—a mark which used to be broadly even handed to be “politically impressed”—and imprisoned for bigger than four years. Nour used to be within the wreck launched from penal advanced in 2009 on health grounds and after international strain.

Nour used to be a candidate of the Ghad Al-Thawra birthday celebration within the 2012 Egyptian presidential elections. He used to be excluded from the elections along with a host of various opposition candidates. In 2013, after opposing President Abdel Fattah El-Sisi’s militia coup, Nour fled Egypt for Lebanon. In 2015, the Egyptian embassy in Lebanon declined to renew his passport and Nour departed Lebanon for Turkey, the save he has resided since 2015. He remains a vocal critic of Sisi’s regime, describing his authorities as an “oppressive militia regime.” He has additionally accused Sisi’s authorities of “coarse human rights violations” and of turning the country proper into a “absolutely autocratic teach.”

The 2nd target whose cellphone we confirmed used to be hacked with Cytrox’s Predator spyware is an Egyptian exiled journalist and an outspoken critic of the Sisi regime. This target has chosen to remain nameless.

1.1. Enter: Cytrox

Founded in 2017, Cytrox’s industry activity is blandly described in Crunchbase as providing governments with an “operational cyber solution” that choices gathering info from devices and cloud companies. In Pitchbook, their skills is defined as “cyber intelligence systems designed to provide security” to governments and abet with “designing, managing and imposing cyber intelligence gathering within the network, enabling companies to fetch intelligence from both stop devices as properly as from cloud companies.”

Pick 1: The logo of Cytrox from a North Macedonian job postings net pages. Source.

Cytrox reportedly started life as a North Macedonian beginning-up.2 A evaluation of company registry documents presentations that Cytrox appears to be like to possess a company presence in Israel and Hungary.

Cytrox’s Israeli companies had been essentially based in 2017 as Cytrox EMEA Ltd. and Cytrox Tool Ltd. In all likelihood taking a page from Candiru’s company obfuscation playbook, both of those companies had been renamed in 2019 to Balinese Ltd. and Peterbald Ltd., respectively. We additionally seen one entity in Hungary, Cytrox Holdings Zrt, which used to be additionally formed in 2017.

Pick 2: Cytrox CEO Ivo Malinkovksi carrying a “More Money” shirt, and mimicking the conceal of Apple co-founder Steve Jobs’ biography. <a href=Source.” height=”490″ loading=”sluggish” src=”” width=”870″>

Pick 2: Cytrox CEO Ivo Malinkovksi carrying a “More Money” shirt, and mimicking the conceal of Apple co-founder Steve Jobs’ biography. Source.

On the time of writing, we reflect that Cytrox’s CEO is Ivo Malinkovksi, as acknowledged on his LinkedIn page. Seriously, Malinkovksi’s now-private Instagram account contains a 2019 image of him in front of the Pyramids of Giza in Egypt.

A 2019 fable in Forbes states that Cytrox used to be “rescued” by Tal Dilian, a aged Israel Defence Forces (IDF) Unit 81 commander, whose company WiSpear (which appears to be like to possess been renamed Passitora Ltd.) relies mostly in Limassol, Cyprus and reportedly purchased Cytrox in 2018 in accordance to the Atooro Fund. Dilian is customarily acknowledged because the founder of Circles, a prominent cell network surveillance company. In December 2020, the Citizen Lab printed an investigation into Circles’ authorities customers. Dilian is additionally the founder and CEO of Intellexa.

1.2. Cytrox, a Segment of the “Intellexa Alliance”

The next fragment isn’t any longer a entire accounting of the connection between Cytrox and various entities. It is in step with a evaluation of a mixture of media studies and a nonexhaustive evaluation of company registries across varied jurisdictions. Extra compare into Intellexa and the companies that have faith this marketing alliance could perhaps presumably provide precious perception into how commercial surveillance companies make exercise of advanced industry structures and exercise measures that obfuscate their operations.

Cytrox is portion of the so-known as “Intellexa alliance,” a marketing stamp for a range of mercenary surveillance distributors that emerged in 2019. The consortium of companies contains Nexa Technologies (previously Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, along with various unnamed entities, purportedly making an attempt to search out to compete in opposition to various gamers within the cyber surveillance market equivalent to NSO Community and Verint.

At the beginning essentially essentially based in Cyprus, a contemporary fable indicates that Intellexa now operates from Greece, which is additionally listed because the LinkedIn net net page of its founder, Dilian. A preliminary evaluation of company registry documentation suggests that the alliance has a company presence in no longer handiest Greece (Intellexa S.A.), but additionally in Eire (Intellexa Small).3 The Dun & Bradstreet entry for Intellexa S.A. and Intellexa Small show Sara-Aleksandra Fayssal Hamou (or Sara Hamou) as a key main in both companies. Hamou is reportedly Dilian’s 2nd valuable other.

In our preliminary compare, the particular hyperlink between Cytrox and Intellexa, as properly as various companies within the “alliance,” remains shadowy at handiest. In reviewing filings within the Israeli industry registry, we seen a 2020 switch of all shares held by Cytrox Holdings Zrt (Hungary) in Cytrox EMEA Ltd./Balinese Ltd. (Israel) to Aliada Community Inc., an entity registered within the British Virgin Islands (registration no. 1926732). Forward of this fragment switch, Cytrox Holdings Zrt appears to be like to possess been the one real shareholder of shares in Cytrox EMEA Ltd./Balinese and after this fragment switch it appears to be like to remain the one real shareholder in Cytrox Tool Ltd./Peterbald. Further, a chunk of writing from Intelligence Online in 2017 notes that WiSpear Systems is “owned by Aliada Community Inc.”

Recordsdata on Aliada Community Inc. is comparatively scant. The identical 2017 article from Intelligence Online notes that Aliada Community Inc. is “backed by the non-public equity firm Mivtach-Shamir, which spent $3.5 million to develop a 32% stake in Aliada in December 2016, along with an contrivance to develop an additional 5%.” Mivtach-Shamir is “a publicly-traded Israeli investment company” essentially based by Meir Shamir. In reviewing entries for WiSpear/Passitora Ltd. in Cyprus’ industry registry, we illustrious that “Mivtah Shamir Technologies (2000) Ltd.” is listed as a director of Passitora Ltd., along with Dilian. We additionally chanced on an entry within the Israeli industry registry for a “Mivtach Shamir Technologies (2000) Ltd.,” which used to be it sounds as if integrated in 2000.

Further, a 2020 Haaretz article illustrious that Avi Rubinstein, a “excessive-tech entrepreneur, filed a lawsuit in opposition to Dilian in Tel Aviv District Court docket.”4 In step with Haaretz, Aliada Community Inc. is described within the litigation as “a crew of cyberweapon companies whose merchandise are branded under the title Intellexa.” Two various other folks, OzLiv, who used to be additionally a commander in Unit 81, and Meir Shamir, are additionally named as defendants. In step with Haaretz, these two other folks, along with Rubinstein, who filed the suit, and Dilian, are all shareholders in Aliada Community Inc.

Haaretz additional notes that Rubinstein is accusing Dilian, Liv, and Shamir of performing “illegally to dilute [Rubinstein’s] occupy shares thru a pyramid of companies net net page up distant places. A pair of of those companies had been established thru front men connected to Dilian, including his 2nd valuable other, Sara Hamou” (as illustrious above, Hamou’s title appears to be like in company registry listings within the Dun & Bradstreet database for Intellexa entities in Eire and Greece). The lawsuit additionally reportedly claimed that “this switch of Aliada’s activities out of Israel thru shell companies, first to the British Virgin Islands and later Eire, violated both Israeli and foreign protection export regulate guidelines.”

In step with the BVI Registrar of Company Affairs, as of the date of e-newsletter of this fable, Aliada Community Inc.’s correct net net page is “in penalty” attributable to nonpayment of annual fees. Apart from, the registered agent filed an intent to resign on November 12, 2021. The reason for the resignation is as yet unclear.

Intellexa’s Products

A prior model of the Intellexa net pages markets “intelligence solutions” including “tactical interception.” The marketing of interception used to be additionally underscored in Dilian’s 2019 Forbes interview. Alternatively, on the time of writing, the get pages is significantly more imprecise regarding the corporate’s activities. In its contemporary have faith, Intellexa’s net pages and linked videos pitch a product known as “Nebula” which is described as a ‘holistic’ intelligence gathering and evaluation platform.

Pick 3: Text from the Intellexa net pages at time of writing.

The company’s net pages prominently ingredients the claim that it’s “EU-essentially essentially based and regulated.” This claim is fascinating given the track file of some of Intellexa’s taking portion company entities, which possess been riddled with correct points and various controversy. As an instance, in June 2021, executives of Amesys and Nexa Technologies had been indicted by investigating judges with the crimes in opposition to humanity and war crimes unit of the Paris Judicial Court docket for complicity in torture in the case of product sales to the Libyan authorities and complicity in torture and pressured dissapearance in the case of product sales to the Egyptian authorities.

Dilian has additionally been followed by studies of correct and various irregularities, both one day of his time within the Israeli militia and in his new occupation as a mercenary surveillance tech vendor. In 2019, after courting publicity with a demonstration to Forbes of a “$9 million indicators intelligence van” with communications hacking capabilities in Cyprus, WiSpear and Tal Dilian attracted police passion. The van used to be confiscated by Cypriot authorities, several WiSpear/Passitora Ltd. workers had been arrested and rapid detained, and Dilian used to be wanted for questioning.

In step with a 2020 Reuters article Dilian—who characterised the Cypriot investigation as a “witch hunt” in opposition to him—fled Cyprus after an arrest warrant used to be issued in his title. An article in CyprusMail from November 2021 notes that the Criminal expert-Neatly-liked’s space of job determined to “tumble all charges” in opposition to all three other folks angry regarding the “search for van” case (the case in opposition to WiSpear/Passitora Ltd. used to be no longer dropped). Reporting from the an identical month notes that WiSpear used to be fined nearly 1 million Euros for privacy violations.

2. Assaults in opposition to the Two Targets

Nour first turned into suspicious after looking at that his iPhone used to be “running sizzling.” We realized of Nour’s case and reviewed logs from his cellphone. In the wreck, we definite that his instrument had been exploited and contaminated with two separate mercenary spyware tools: Pegasus spyware, made by NSO Community, and Predator, which is developed by Cytrox.

We attribute the assaults on the 2 targets to the Egyptian Authorities with medium-excessive confidence. We conducted scanning (Half 4) that acknowledged the Egyptian Authorities as a Cytrox Predator customer, websites conventional within the hacks of the 2 targets bore Egyptian topics, and the messages that initiated the hack had been sent from Egyptian WhatsApp numbers (Half 2.5, Half 2.7).

2.1. Confirming NSO Pegasus An infection of Ayman Nour

The logs confirmed that Nour’s cellphone had been repeatedly compromised with NSO Community’s Pegasus spyware since March 3, 2021. As an instance, evidence of execution of the following processes used to be acknowledged on Nour’s cellphone, relationship encourage to March 3, 2021:













These route of names all appear on a list of Pegasus indicators printed by Amnesty Tech and we now possess additionally independently linked them to Pegasus. Break logs additionally confirmed that on June 30, 2021, NSO Community’s FORCEDENTRY exploit (CVE-2021-30860) used to be fired on the cellphone. The exploit did no longer lead to set up of the Pegasus spyware at present.

Basically based on the traces of FORCEDENTRY, the presence of route of names linked to Pegasus, and further elements, we attain with excessive confidence that the cellphone used to be repeatedly hacked with NSO Community’s Pegasus spyware starting on March 3, 2021.

2.2. Confirming Cytrox Predator An infection of Ayman Nour

After confirming forensic traces of Pegasus on Nour’s iPhone, we acknowledged the presence of additional spyware, which we attribute with excessive confidence to Cytrox. We additional attain with excessive confidence that it’s unrelated to Pegasus spyware.

While inspecting the iPhone logs we definite that, on June 30, 2021, two instructions “/Payload2” had been running on the cellphone (PIDs 339 and 1272), and that these instructions had been launched with a single argument, a URL on distedc[.]com. The instructions had been running as root.

Pick 4: Itemizing of instructions running on Nour’s cellphone.

iPhone logs indicated that the technique names of the instructions had been UserEventAgent and, that their binaries had been resident on disk within the /private/var/tmp/ folder, and that the guilty route of for both used to be siriactionsd, which is a beneficial iOS route of that manages iOS shortcuts and automations.

Phone logs showing process names of the commands, and paths to binaries on disk.

Pick 5: Phone logs exhibiting route of names of the instructions, and paths to binaries on disk.

While iOS has beneficial binaries with the names “” and “UserEventAgent”, the binaries in Figures 5 create no longer match any acknowledged beneficial Apple model. Moreover, the beneficial iOS binaries with these names are no longer kept in /private/var/tmp/. The two suspicious processes had been running as portion of the “” launchd coalition. We chanced on two additional suspicious processes that had recently disappear on this identical coalition, named “hooker” and “takePhoto”.

2.3. Attribution to Cytrox

We regarded up the IP cope with for distedc[.]com on Web scanning carrier Censys and chanced on that, as of October 2021, it returned an HTTP 302 redirect to Concluding that this may perhaps be an figuring out habits, we built a Censys fingerprint for the redirect.

We chanced on 28 hosts on Censys matching this fingerprint in October 2021, including an IP in Northern Macedonia, 62.162.5[.]58, which used to be pointed to by dev-bh.cytrox[.]com in August 2020, and which additionally returned a redirect with dev-bh.cytrox[.]com in its Location header on port 80 one day of this interval.

Additionally, passive DNS instrument RiskIQ presentations that the IP 62.162.5[.]58 returned a certificates (0fb1b8da5f2e63da70b0ab3bba8438f30708282f) for teslal[.]xyz between July 2020 and September 2020. Since 62.162.5[.]58 on the 2nd returns a teslal[.]xyz certificates, we steal that the IP has no longer modified ownership since August 2020 and is thus accrued linked to cytrox[.]com.

Pick 6: Cytrox WordPress page from 2019, after obvious hacking and the space of an net pages positioning-hyperlink for a net on line casino.

The domain previously returned a WordPress page containing an electronic mail cope with (, which appears to be like to be the electronic mail of Ivo Malinkovski, CEO of Cytrox. The WordPress page is it sounds as if unmaintained, and used to be it sounds as if hacked to contain unsolicited mail hyperlinks to a net on line casino (Pick 6).

We analyzed binaries linked with the spyware (Half 3), which published that the spyware is named “Predator.” We performed additional fingerprinting and scanning (Half 4) that allowed us to name additional ingredients of Cytrox consumer infrastructure.

2.4. Observation of Extra Domains

Apart from to distedc[.]com, we seen additional domains linked with the Predator set up on the 2 sufferer phones.

Arena Where Viewed
distedc[.]com As argument to running Predator route of in machine logs; in iOS automation for Predator persistence
gosokm[.]com iOS machine logs for running Predator processes confirmed info exfiltration here


Predator configuration echoed to machine logs
egyqaz[.]com Interior Android Predator sample downloaded from distedc[.]com; Safari historical previous of compromised instrument


Safari historical previous of compromised instrument timestamped ~1ms forward of egyqaz[.]com

Table 1: Domains seen in Predator spyware conventional to hack Egyptian targets.

2.5. How Ayman Nour used to be Hacked with Predator

We searched Nour’s cellphone for these domains and chanced on that an Egyptian number on WhatsApp (+201201407978), purporting to be a “Dr. Rania Shhab,” sent four sure hyperlinks to almasryelyuom[.]com and qwxzyl[.]com to Nour’s instrument. The hyperlinks had been sent as pictures containing URLs. The identical WhatsApp account sent a hyperlink to youtu-be[.]get, which we assess is additionally linked, for the explanation that server response for youtu-be[.]get suits that of almasryelyuom[.]com and qwxzyl[.]com.

The next are examples of pictures accompanying the hyperlinks sent by the attacker, extracted from Nour’s cellphone:

Pick 7: A image accompanying a Cytrox Predator hyperlink sent to Nour reads: “Turkey asks the Egyptian opposition channels to shut criticizing Egypt, and Cairo feedback on the lunge…”

Pick 8: A image accompanying a Cytrox Predator hyperlink sent to Nour reads: “The 2nd a automobile fell from the head of the [6th] October Bridge in Ramses.”

Pick 9: A image accompanying a Cytrox Predator hyperlink sent to Nour purports to be a hyperlink to the beneficial net pages of the Al Masry Al Youm newspaper. The right kind hyperlink goes to a faux lookalike domain, almasryelyuom[.]com.

Pick 10: A image accompanying a Cytrox Predator hyperlink sent to Nour reads: “Breaking news.. Alexandria enlighten accident on the present time. Beefy indispensable facets…”

2.6. Evidence of Predator and Pegasus Running Concurrently

Phone logs existing that on June 22, 2021, Pegasus and Predator had been running concurrently on Nour’s cellphone, as these four processes had been seen running concurrently:

PID Activity Spyware
4219 /private/var/db/ Pegasus
4257 /private/var/db/ Pegasus
4265 /private/var/tmp/UserEventAgent Predator
4412 /private/var/tmp/ Predator

Table 2: Pegasus and Predator processes running concurrently on Nour’s cellphone on June 22, 2021.

The cellphone logs existing that the instrument used to be contaminated with Pegasus on June 22 at 13: 26 GMT. Different Library/SMS/Attachments folders had been created between 13: 17 and 13: 21, and there had been no entries whatsoever within the Attachments table of the sms.db file for June 22, suggesting that a nil-click on exploit could goal possess been the vector for Pegasus set up. Roughly an hour later, a Predator hyperlink sent to Nour on WhatsApp used to be opened in Safari at 14: 33 GMT on the an identical day and Predator used to be installed on the instrument two minutes later at 14: 35 GMT.

2.7. How 2nd Purpose used to be Hacked with Predator

The 2nd target, an Egyptian journalist in exile who is the host of a popular news program, purchased one message on WhatsApp from an unknown number (+201201407595) with a hyperlink to the an identical almasryelyuom[.]com net pages.

Pick 11: 2nd target is centered with Predator.

The individual who sent the hyperlink claimed that they had been an Assistant Editor on the Al Masry Al Youm newspaper.

3. Evaluation of Cytrox’s Predator Spyware

We purchased Android and iOS payloads from distedc[.]com and chanced on them to be copies of a loader for a spyware product known as Predator. We reflect that these payloads are invoked by a old exploit section that we create no longer possess.

3.1. Initialization

The iPhone executable is a 64-bit Mach-O binary which, like its Android counterpart, expects two arguments when the binary’s indispensable feature is named, which seem like a kernel route of task port and a pid price. The indispensable feature then calls kmem_init with these values, which proceeds to enable Predator stage 1 for persevered execution. The Android sample passes its arguments to shared constants SHMEMFD_VSS and SHMEMFD_VSS.

Each and every the iOS and Android samples then name a startPy feature to load a bundled Python 2.7 runtime. In the iOS sample, two additional built-in objects are added to the runtime: predutils and predconfig. The Android sample comprises additional additional built-in objects: injector, pc2, recorder, and voip_recorder. Upon initialization, startPy hundreds a frozen Python module named loader which begins by importing the Predator config from the interpreter’s predconfig module.

The iOS and Android configurations are a small bit various. Your entire configurations are available in Appendix 1. As soon as Predator iOS hundreds its configuration, it hundreds one other frozen Python module named km_ios, a utility module that offers kernel memory management helper capabilities enabling additional Predator module capabilities.

The iOS payload additionally comprises a _check feature, which queries the cellphone number and the cellphone’s contemporary locale country code. If the locale country code is equal to “IL” (the country code for Israel), or the cellphone number begins with “+972” (the phone country code for Israel) then the spyware terminates. Alternatively, the methodology that Predator makes exercise of to ask the cellphone number, CTSettingCopyMyPhoneNumber, could goal no longer work in contemporary variations of iOS. We could perhaps no longer make a choice how (or if) the _check feature is named.

3.2. Python Loader

Apart from to the frozen loader module, “src/” (“frozenpyc/src/” within the Android sample), we additionally chanced on copies of what seem like older variations of the module that create no longer seem like invoked by Predator: “src/”, “src/” and “src/loaderBackup03”. All of the loader variations occupy more than one references to “Predator.”

Pick 12: An excerpt of code from the loader module that mentions “Predator.”

After loading the Predator configuration, the iOS loader then wipes the instrument’s rupture logs by weeding out all info in “/private/var/cell/Library/Logs/CrashReporter/”. Then, it downloads a configuration file and further stages of the spyware from the server (specified by predconfig’s INS_URL parameter, which is net net page to https://bity[.]ws).

Pick 13: Predator on iOS wipes the rupture logs.

On Android, the loader module additionally downloads more info from the server (specified by predconfig’s INS_URL parameter, which is net net page to https://egyqaz[.]com).

3.3. Persistence on iOS

On iOS, the loader calls a get_configuration_persistency feature, which downloads an iOS shortcuts automation from the spyware server to guarantee that persistence. The persistent payload is belief as “Nahum,” which is the title of a minor biblical prophet. Nahum’s prophecy appears to be like within the Hebrew Tanakh and the Christian Feeble Testomony, and foretells the total destruction of Nineveh, a sturdy fortress metropolis.

Nineveh is destroyed, abandoned, desolate! Hearts soften with ache; knees tremble, strength is gone; faces develop gentle. Where now is the metropolis that used to be like a den of lions, the space the save young lions had been fed, the save the lion and the lioness would trudge and their cubs would be proper?

Nahum 2: 10-11 GNB

The iOS automation is brought on when definite apps are opened, including a host of built-in Apple apps, such because the App Store, Digicam, Mail, Maps, Safari, as properly as third-birthday celebration apps including Twitter, Instagram, Fb Messenger, LinkedIn, Skype, SnapChat, Viber, Wire, TikTok, Line, OpenVPN, WhatsApp, Signal, and Telegram.

Pick 14: Automation on Purpose 2’s contaminated instrument as seen within the “Automations” tab of the “Shortcuts” app.

The automation first tests if the cellphone’s battery degree is bigger than 9% (i.e., if the cellphone isn’t any longer in a low-battery anxiousness). If the cellphone’s battery degree is ample, then the automation downloads JavaScript code from the spyware server and substitutes this code proper into a block of HTML contained within the shortcut. We had been unable to compose this JavaScript code. The HTML within the shortcut additionally comprises a JavaScript feature “make_bogus_transform” which appears to be like to manufacture an XSLT transformation that will likely be invoked by the downloaded JavaScript code. The HTML code with the substituted JavaScript is then Unsuitable64-encoded, its contents are prepended with “info:text/html,” and then the automation passes this URL to WebKit to render. This presumably triggers the exploit and finally ends up within the set up of the Predator spyware.

While automations customarily net net page off visible notifications after they’re disappear, the Predator shortcut runs fully within the background, invisible to the person, because of Predator additionally changes an contrivance to disable automations from triggering notifications.

The get_configuration_persistency feature additionally downloads an iOS profile named “com.[name redacted].disable-shortcuts-notifications”, from the spyware server.

We located a profile with the an identical title publicly launched by [name redacted], a instrument engineering pupil. We are redacting the title of the pupil here because of we create no longer reflect they’re angry about Cytrox Predator fashion. The profile’s sole feature is to prevent iOS from showing notifications when an automation is disappear. Thus, users who possess been hacked with Predator create no longer glimpse notifications when the spyware is launched.

Pick 15: Profile to disable automations notifications conventional by Predator.

There is nothing in particular particular or advanced about this particular profile, and Predator’s builders can possess with out complications crafted their very occupy an identical profile that duplicated this efficiency with out declaring the instrument engineering pupil by title.

The get_configuration_persistency feature additionally downloads binaries known as “takePhoto,” “agent.dylib,” “inject,” and “hooker” on iOS14, but doesn’t secure these info on iOS13, as a replacement logging the message “iOS 13, don’t need hooker.” We did no longer compose these info, but we reflect that “hooker” and “takePhoto” are the an identical binaries we saw running in Half 2.2.

3.4. Extra Android Crucial facets

We did no longer secure a mechanism for persistence on Android, nor values within the Android configuration file that existing persistence toughen. Alternatively, we chanced on some additional code within the Android sample, including code to disable SELinux and code for an audio recording ingredient.

Predator retail outlets additional Python modules and native ELF binaries within the fs.db SQLite file which is found on the route net net page in DB_FILE. The Python interpreter has a frozen module known as sqlimper which is guilty for interacting with this database. The database comprises a table known as info which has a column known as file_hash and a column known as file_data. The file_hash is conventional quite than a file title and is computed the exercise of the following routine, the save n is the title:

The injector module declares one feature, inject, that would goal inject a shared object proper into a running route of. Curiously, there may perhaps be a feature known as earlier than injection which attempts to disable SELinux enforcement thru the SELinuxFS.

It may perhaps perhaps perhaps goal accrued be illustrious that this reach likely isn’t any longer going to succeed on devices which possess additional tests and protections spherical SELinux enforcement—as an instance, Samsung RKP. Alternatively, there are artifacts linked with Predator that advocate approaches like RKP could perhaps be defeated by stomping on the SELinux derive admission to vector cache entries to grant the wanted permissions.

The pc2 module comprises a single feature, pc2_send_command, that is conventional as an IPC mechanism to send instructions to Predator’s audio recording ingredient. The supported instructions are START_VOIP, STOP_VOIP, START_MICRORECORDER, STOP_MICRORECORDER, and POLL_VOIP. This module works along with the recorder and voip_recorder modules. Every of the recorder modules possess a beginning and close feature that are conventional to beginning/close Predator’s sizzling mic (recorder) and name recording (voip_recorder) capabilities. Recordings are kept in /info/local/tmp/wd/r/ in MP3 structure.

4. Scanning to Accumulate Cytrox Customers

We fingerprinted the habits of the domains from Table 1 and chanced on additional domains thru Shodan and Censys.

Table 3: Shodan and Censys fingerprints for Cytrox domains.

Of the Shodan and Censys outcomes, we acknowledged several servers that returned HTTP Server headers with the price “Server,” quite than “nginx,” These servers had been in total hosted on person broadband connections available to local subscribers handiest, quite than cloud-net net hosting companies that could perhaps be procured internationally. We reflect that the “Server: Server” IPs on person broadband connections are endpoint IPs that existing areas of customers. We chanced on endpoint IPs within the following countries, so we attain that these governments are likely amongst Cytrox’s customers:

Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, Serbia

Scanning additionally unearths a range of domains conventional by Cytrox which possess country-particular topics, which leads us to suspect that they’ll be namely centered in the case of these countries. We list a subset of these in Table 4.

Nation Theme Cytrox Arena
Egypt aramexegypt[.]com












Ivory Hover adibjan[.]get


Madagascar tribune-mg[.]xyz
Mali actumali[.]org
Saudi Arabia niceonase[.]com


Serbia novosti[.]repeat


Trinidad & Tobago forwardeshoptt[.]com


Table 4: Some Cytrox Predator domains indicating country topics.

We additionally acknowledged additional domains impersonating customary companies and online websites (Table 5).

Official Carrier Cytrox Arena
Apple applepps[.]com
Fox Recordsdata ffoxnewz[.]com
Google Play Store playestore[.]get
Instagram instegram[.]co
LinkedIn lnkedin[.]org
Sephora sephoragroup[.]com
Tesla Motors teslal[.]shop


Twitter twtter[.]get


WhatsApp wha.tsapp[.]me
XNXX xnxx-hub[.]com
YouTube youtu-be[.]get



Table 5: Some Cytrox Predator domains impersonating beneficial companies or websites.

Special Existing: Predator after Pegasus for Saudi Arabia?

An IP cope with in Saudi Arabia appears to be like to possess begun matching our Cytrox Predator fingerprints on the head of July 2021, and we classify this IP cope with as that of a likely Predator customer. NSO Community’s June 30, 2021 transparency fable mentions that NSO lower off a consumer, later reported to be Saudi Arabia by the Recent York Instances, it sounds as if in response to the revelations of spying on Al Jazeera journalists. That is also a demonstration that Saudi Arabia has switched from Pegasus to Predator.

5. Disclosure & Enforcement

In step with the Citizen Lab’s vulnerability disclosure policy, we shared copies of Cytrox Predator forensic artifacts with Apple, which has confirmed to the Citizen Lab that they are investigating. Apart from, given the abuse of WhatsApp for Predator concentrated on, the Citizen Lab shared forensic artifacts with Meta’s security crew.

On the present time, Thursday, December 16th, Meta is taking an enforcement action in opposition to Cytrox, which comprises weeding out roughly 300 Fb and Instagram accounts linked to Cytrox. Their investigation additionally unearths an intensive list of lookalike domains conventional as portion of social engineering and malware assaults, that are integrated in Appendix A of their fable.

The Meta fable states that they reflect Cytrox customers contain entities in Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Côte d’Ivoire, Vietnam, Philippines, and Germany, and that they acknowledged additional abusive concentrated on initiated by Cytrox customers across the field.

6. Conclusion

This fable is the first investigation to sight Cytrox’s mercenary spyware being abused to target civil society. Remarkably, one of many victims used to be concurrently contaminated with NSO Community’s Pegasus spyware. NSO Community has purchased outsized publicity in contemporary years, thanks to a increasing customer list, spiraling abuse complications, and groundbreaking investigative work by civil society. Cytrox and its Predator spyware, meanwhile, are quite unknown.

The concentrated on of a single individual with both Pegasus and Predator underscores that the follow of hacking civil society transcends any particular mercenary spyware company. As an replacement, it’s a sample that we quiz will persist as lengthy as autocratic governments are in a position to compose refined hacking skills. Absent international and domestic guidelines and safeguards, journalists, human rights defenders, and opposition groups will continue to be hacked into the foreseeable future.

The Mercenary Spyware Ecosystem

Each and every the Citizen Lab and Amnesty World’s Security Lab possess produced wide technical studies on NSO Community. While prominent, the mercenary spyware firm used to be no longer the first nor is it the handiest spyware firm of its fashion whose skills has been linked to abuse complications. In actual fact, the market for offensive intrusion capabilities is obvious, varied, and proliferating internationally.

As an instance, earlier than the Citizen Lab’s first fable on NSO Community in 2016, we documented wide abuses of Hacking Team and FinFisher mercenary spyware. (Hacking Team used to be therefore rebranded Memento Labs in 2019.) In 2017, we printed a fable on the spyware firm, Cyberbit, whose skills used to be conventional by Ethiopia to mount a international cyber espionage marketing campaign. We additionally chanced on evidence that Cyberbit used to be marketing its spyware to acknowledged human rights abusers, including the Royal Thai Army, the Uzbek secret companies, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria. Earlier this year, we printed a fable on yet one other spyware firm, Candiru, with our findings independently corroborated by Microsoft, Google, and the threat intelligence crew at ESET. Candiru used to be therefore designated alongside NSO Community on the U.S. Commerce Department’s “entity list” in November 2021 for “malicious cyber activities.”

As evidence continues to surface of most modern gamers within the spyware home, the an identical patterns of abuse will nearly no doubt persist till the international regulatory atmosphere changes.

Structures to Steer clear of Accountability

The private intelligence and mercenary surveillance marketplace is marked by advanced ownership structures, company alliances, and conventional rebranding. These practices frustrate investigation, regulation, and accountability. Mercenary spyware companies additional evade beginning air scrutiny by employing advanced accounting and incorporation suggestions acquainted to those conventional by palms traffickers, money launderers, kleptocrats, and despicable officials.

As investigative journalists and public passion researchers continue to position a highlight on mercenary spyware companies, we quiz they’ll continue their efforts to evade scrutiny and accountability.


Thanks to to M.S. and Ayman Nour. Citizen Lab investigations depend on victims and targets graciously sharing evidence with us.

Thanks to Meta for investigating this case following our notification and taking enforcement actions, and to Apple.

Thanks to TNG.

Thanks to Amnesty Tech for sharing additional WHOIS indispensable facets pointing to Intellexa.

Thanks to Team Cymru.

Appendix 1: Predator Configurations

Android Configuration:

FS_ENDPOINT heh URL ingredient when downloading additional resources
INS_URL https[:]//egyqaz[.]com/ Unsuitable URL when downloading additional resources
FIN_URL https[:]//egyqaz[.]com/{}/vmq
P_DIR /info/local/tmp/wd/ Direction to Predator working listing
DB_FILE /info/local/tmp/wd/fs.db Direction to SQLite database that comprises additional tools and Python modules
PE_METHOD QUAILEGGS The privilege escalation methodology to exercise
LIBPYTHON_GIT_COMMIT 2b2f6c3 Git commit hash of the finishing up
FS_KEY Key conventional to encrypt SQLite database

iOS Configuration:

Config Key Config Save Notes
PERSIST_FLAG persistflag Persistence boolean toggle
PERSIST https[:]//youtubesyncapi[.]com/ Persistence domain endpoint
PERSIST_ID PI112233445566778899EEEEEEDDEEFF Persistence identifier
INS_URL https[:]//bity[.]ws Unsuitable URL when downloading additional resources
INP_URL http[:]//192.168.2[.]1[:]8080
FIN_URL https[:]//bity[.]ws/{}/attain
P_DIR /private/var/logs/keybagd/ Direction to Predator working listing
DB_FILE /private/var/logs/keybagd/fs.db Direction to SQLite database that comprises additional tools and Python modules
ENC_FILE /private/var/logs/keybagd/arm64e.encrypted
SHORT_FILE /private/var/logs/keybagd/Shortcuts.realm Shortcuts persistence file
SHORT_FILE_LOCK /private/var/logs/keybagd/Shortcuts.realm.lock
JS_FILE /private/var/logs/keybagd/jsPayload.js.encrypted
JS_KEY_FILE /private/var/logs/keybagd/jskey.txt
PRED_KEY_FILE /private/var/logs/keybagd/predkey.txt
PE_METHOD NWIOS The privilege escalation methodology to exercise
LIBPYTHON_GIT_COMMIT unknown Git commit hash of the finishing up
FS_KEY TEST Key conventional to encrypt SQLite database

Join the pack! Join 8000+ others registered users, and derive chat, develop groups, put up updates and develop friends across the field!



Hey! look, i give tutorials to all my users and i help them!

you're currently offline