Aladdin
Aladdin is a zero-click mobile malware delivery mechanism associated with Intellexa and used to deploy Predator spyware. First deployed in 2024 and believed to remain operational and under active development, it leverages commercial mobile advertising systems to deliver weaponized ads to specific targets identified by public IP address and other identifiers. The ads are served through the ad-tech ecosystem, including Demand Side Platform (DSP) infrastructure, on participating websites. A targeted device can be infected simply by viewing the malicious advertisement, with no user interaction required.
Reporting cited in the source material states that the ads fingerprint and redirect targeted visitors to Intellexa exploit delivery servers, where zero-day exploit chains are used to install Predator. The activity is linked to Intellexa, a commercial spyware vendor whose customers are described as governments and large corporations, and whose operations have been corroborated by investigations involving Amnesty International, Google TAG, and Recorded Future. The supporting infrastructure has been reported across multiple countries and obscured through shell companies.
The high-confidence defensive notes in the source material are that ad blocking and hiding the public IP address may provide partial mitigation, although mobile operators may still leak identifying information.
Groups observed using it
1 distinct threat actor attributed by public researchers.
First deployed in 2024 and believed to still be operational and actively developed, Aladdin leverages the commercial mobile advertising system to deliver malware. The mechanism forces weaponized ads onto specific targets identified by their public IP address and other identifiers, instructing the platforms via the Demand Side Platform (DSP) to serve it on any website participating in the ad network.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Aladdin is a zero-click exploit delivery mechanism used by Intellexa to distribute spyware such as Predator. It utilizes malicious ads on third-party platforms to fingerprint and redirect targeted users to exploit servers, enabling infection without user interaction. Aladdin is designed to minimize exposure of exploits and increase infection efficiency against selected targets.
Aladdin is a zero-click infection mechanism used by Predator spyware, delivering exploits via malicious advertisements. Targets are infected simply by viewing an ad, without any interaction required. It uses ad networks to deliver payloads to specific individuals based on identifiers like IP address.