Cyberwire Daily
Predator Spyware Maker Intellexa Evades Sanctions

By Team-CWD, December 5, 2025


Spyware products from the surveillance consortium Intellexa are still thriving despite extensive US sanctions.

This comes as a months-long investigation, dubbed “Intellexa Leaks”, into a set of highly sensitive documents and other materials leaked from the company has been published by Inside Story, Haaretz and the WAV Research Collective.

Following publication of the investigation, three distinct but coordinated reports into the spyware consortium’s activity have emerged detailing new attack vectors and victim lists.

These include reports by Google Threat Intelligence Group (GTIG), Recorded Future’s Insikt Group and Amnesty International’s Security Lab, the last of which also provided the technical team to the journalists working on Intellexa Leaks. That investigation revealed that the spyware maker continues to sell digital weapons to the highest bidders.

Among the key findings, GTIG revealed that Intellexa has solidified its position as one of the most prolific spyware vendors, if not the most prolific, exploiting zero-day vulnerabilities against mobile browsers.

The spyware vendor, made up of several legal entities spanning Greece, Ireland, Hungary, North Macedonia and beyond, is behind at least 15 of the 70 zero-day exploits documented by GTIG and its predecessor, Google’s Threat Analysis Group (TAG), since 2021.

This is despite several waves of sanctions targeting Intellexa’s businesses and individuals linked to the consortium, including sanctions by the US Treasury’s Office of Foreign Assets Control (OFAC) in March and September 2024, targeting seven individuals in total.

Additionally, Intellexa was fined by the Greek Data Protection Authority in 2023 for failing to comply with its investigations into the company.

New ‘Zero-Click’ Attack Vectors Revealed

The report from Amnesty’s Security Lab also shed light on how Predator, Intellexa’s flagship product, now sometimes marketed as Helios, Nova, Green Arrow or Red Arrow, infects target devices.

Traditionally, Predator relied almost exclusively on ‘one-click’ attacks to infect a device, which require a malicious link to be opened on the target’s phone. This is less intrusive than leveraging ‘zero-click’ attacks typical of other spyware made by competitors, like NSO Group’s Pegasus.

However, the Amnesty report revealed that Intellexa has recently developed a new strategic infection vector, ‘Aladdin,’ which can enable silent zero-click infection of target devices anywhere in the world.

The vector, which was first exposed by Haaretz and Inside Story, exploits the commercial mobile advertising ecosystem to carry out infections.

Amnesty describes the attack chain as “technically complex to implement” but “conceptually simple.”

“The Aladdin system infects the target’s phone by forcing a malicious advertisement created by the attacker to be shown on the target’s phone. This malicious ad could be served on any website which displays ads, such as a trusted news website or mobile app, and would appear like any other ad that the target is likely to see. Internal company materials explain that simply viewing the advertisement is enough to trigger the infection on the target’s device, without any need to click on the advertisement itself,” the Amnesty report reads.

The Recorded Future report also revealed that two newly identified entities appearing to operate in the advertising sector may be connected to Aladdin.

Amnesty’s Security Lab shared the findings of leaked documents and footage showing Intellexa’s deep visibility into live surveillance operations, indicating that the spyware maker retains direct access to live customer spyware systems.

New Entities Linked to Intellexa Discovered

Another key finding in Amnesty’s report confirmed the previous attribution of suspected infection domains, which imitate legitimate Kazakhstani news websites, and infrastructure to Predator.

“While no victims of Predator spyware targeting have been identified in Kazakhstan, previous investigations by the Security Lab have documented the unlawful hacking of at least four Kazakhstani youth activists with Pegasus spyware in 2021,” the Amnesty report said.

Based on infrastructure analysis, Recorded Future’s Insikt Group assessed that Kazakhstan has, at least until August 2025, continued to use Predator spyware.

The report also uncovered several newly identified Intellexa nexus entities, including some linked to the consortium’s Czech cluster and one in the Philippines.

The Intellexa data examined during the investigations also showed potential new victims in Greece and Egypt and evidence that Egypt- and Saudi-based clients are still active.

Over the past two years, Recorded Future’s Insikt Group has identified suspected Predator operators in more than a dozen countries, including Angola, Armenia, Botswana, the Democratic Republic of the Congo, Egypt, Greece, Indonesia, Kazakhstan, Mongolia, Mozambique, Oman, the Philippines, Saudi Arabia, Sudan, Trinidad and Tobago, and Vietnam.


