Intellexa
Intellexa is a commercial spyware vendor and consortium of companies associated with the Predator mercenary spyware platform, originally developed by Cytrox. It serves governments and, per the reporting, large corporations, and Google has described it as one of the most prolific commercial spyware vendors in zero-day exploitation, responsible for 15 of the 70 zero-day exploitation cases TAG has documented since 2021. Intellexa has been sanctioned by the United States, added to the U.S. Commerce Department Entity List, and investigated in Greece, but multiple reports state that it continues operating despite the sanctions.

Its primary product is Predator, spyware for Android and iOS that covertly harvests sensitive data (messages, calls, emails, passwords, screenshots, and location data) and can remotely activate microphones and cameras. Predator has also been marketed under the names Helios, Nova, Green Arrow, and Red Arrow. The reporting describes Intellexa as a consortium that assumed control of Cytrox and sits at the centre of a broader network of associated companies and front entities covering technical, operational, advertising, infrastructure, and corporate roles.

Both 1-click and zero-click delivery are attributed to Intellexa. Documented delivery methods include one-time exploit links sent through messaging apps, malicious advertisements, and network-injection systems. Aladdin, a zero-click ad-based infection vector, is described as leveraging commercial mobile advertising ecosystems to fingerprint targets and redirect them to exploit servers; entities linked to it include Pulse Advertise, MorningStar TEC, and PULSE FZCO. Other named delivery vectors are Triton, Thor, Oberon, Mars, and Jupiter; Mars and Jupiter are described as network-injection systems that require ISP or mobile-operator cooperation.
Intellexa has also been linked to exploit chains against Safari, Chrome V8, Android, and iOS components, and to the continued procurement or use of zero-days to keep Predator operational.

Predator includes extensive anti-analysis and anti-forensics features. Jamf's reverse engineering of an iOS sample described a centralized anti-analysis framework with structured error-code reporting to C2, checks for iOS Developer Mode, jailbreak artifacts, security tools, and console/debug logging, and locale restrictions for US and Israeli devices. Additional reported capabilities include crash-report monitoring, removal of crash artifacts, suppression of memory-dump capture, and SpringBoard hooking to hide the microphone and camera recording indicators. Jamf assessed that the sophistication and standardization of the error-reporting and troubleshooting mechanisms suggest centralized infrastructure or a tightly controlled deployment framework, though it could not definitively determine whether the C2 infrastructure was operated by Intellexa or by its customers.

Multiple investigations cited in the reporting state that Intellexa retained the ability to remotely access customer systems using Predator, including government customer environments, and had visibility into logs or surveillance systems. Leaked training videos and investigative reporting raised human rights and liability concerns over this access.

Targets and victims described in the reporting include journalists, human rights defenders, political actors, elected officials, activists, government staffers, and other high-value individuals. Reported country links and deployments include Greece, Egypt, Pakistan, Iraq, Saudi Arabia, Kazakhstan, Angola, Mongolia, Mozambique, Botswana, the Philippines, DRC, Armenia, Indonesia, Oman, Trinidad and Tobago, Sudan, Vietnam, and others.
The reporting specifically references Predator use in the Greek 'Predatorgate' scandal, targeting in Pakistan including a human rights lawyer in Balochistan, and surveillance of individuals such as Greek journalist Thanasis Koukakis and Egyptian activist Ayman Nour. Known associated entities and sub-groups directly mentioned include Cytrox, the Intellexa Consortium, the Intellexa Alliance, and linked or front companies such as PULSE FZCO, Pulse Advertise, MorningStar TEC, Zelus Analytics, OOO Seven Hills, ComWorks, Krikel, and Nexa Technologies, all part of the broader Intellexa-linked ecosystem described in the reporting.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- government
- journalism
- civil society
Tradecraft
24 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Recent activity
18 sources tracked across advisories, community write-ups, and news.
Referenced as a prior example of a commercial spyware operator associated with Predator, cited in the context of exploit chains that start with browser UAF vulnerabilities and are chained with sandbox escapes.
Commercial spyware vendor described as owning Predator spyware and (per Jamf’s reverse engineering) potentially operating or tightly controlling standardized, vendor-managed C2/error-reporting infrastructure that collects detailed failure/anti-analysis telemetry from attempted infections to improve future deployments.
Intellexa is a commercial spyware vendor accused of accessing and potentially exposing data from government surveillance operations using its Predator spyware.
Intellexa is known for developing and distributing the Predator commercial spyware tool, which is used for surveillance, device tracking, and data theft. The group has been sanctioned by the US for posing a significant national security threat and enabling authoritarian regimes to spy on dissidents, journalists, and political opponents.