Predator spyware uses new infection vector for zero-click attacks

Recorded: Dec. 5, 2025, 1:02 a.m.

Predator spyware uses new infection vector for zero-click attacks

By Bill Toulas

December 4, 2025
03:47 PM
The Predator spyware from surveillance company Intellexa has been using a zero-click infection mechanism dubbed “Aladdin,” which compromises specific targets when they simply view a malicious advertisement.
This powerful and previously unknown infection vector was meticulously hidden behind shell companies spread across multiple countries and has now been uncovered in a new joint investigation by Inside Story, Haaretz, and WAV Research Collective.
The investigation is based on the 'Intellexa Leaks', a collection of leaked internal company documents and marketing material, and is corroborated by technical research from forensic and security experts at Amnesty International, Google, and Recorded Future.

Leaked Intellexa marketing material (Source: Amnesty International)
Ad-based spyware delivery
First deployed in 2024 and believed to still be operational and actively developed, Aladdin leverages the commercial mobile advertising system to deliver malware.
The mechanism forces weaponized ads onto specific targets identified by their public IP address and other identifiers, instructing the ad platforms via a Demand Side Platform (DSP) to serve the ads on any website participating in the ad network.
“This malicious ad could be served on any website that displays ads, such as a trusted news website or mobile app, and would appear like any other ad that the target is likely to see,” explains Amnesty International’s Security Lab.
“Internal company materials explain that simply viewing the advertisement is enough to trigger the infection on the target’s device, without any need to click on the advertisement itself.”

Overview of Aladdin (Source: Amnesty International)
Although no details are available on how the infection works, Google mentions that the ads trigger redirections to Intellexa’s exploit delivery servers.
The ads are funneled through a complex network of advertising firms spread across multiple countries, including Ireland, Germany, Switzerland, Greece, Cyprus, the UAE, and Hungary.
Recorded Future dug deeper into the advertising network, connecting the dots between key people, firms, and infrastructure, and naming some of those companies in its report.
Defending against those malicious ads is complex, but blocking ads on the browser would be a good starting point.
Another potential defense measure would be to set the browser to hide the public IP from trackers.
However, the leaked documents show that Intellexa can still obtain the information from domestic mobile operators in their client’s country.

Countries confirmed to host Predator activity (Source: Recorded Future)
Samsung Exynos and zero-day exploits
Another key finding in the leak is confirmation of another delivery vector called 'Triton', which can target devices with Samsung Exynos chipsets via baseband exploits, forcing 2G downgrades to lay the groundwork for infection.
Amnesty International’s analysts are unsure whether this vector is still used and note that there are two other, possibly similar delivery mechanisms, codenamed 'Thor' and 'Oberon', believed to involve radio communications or physical access attacks.
Google’s researchers name Intellexa as one of the most prolific commercial spyware vendors in terms of zero-day exploitation, responsible for 15 out of the 70 cases of zero-day exploitation TAG discovered and documented since 2021.
Google says Intellexa develops its own exploits and also purchases exploit chains from external entities to cover the full spectrum of required targeting.
Despite sanctions and ongoing investigations against Intellexa in Greece, the spyware operator is as active as ever, according to Amnesty International.
As Predator becomes stealthier and harder to trace, users are advised to consider enabling extra protection on their mobile devices, such as Advanced Protection on Android and Lockdown Mode on iOS.

Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Summarized

Predator spyware, developed by Intellexa, represents a significant escalation in the tactics employed by commercial surveillance entities. The spyware uses a novel zero-click infection vector, “Aladdin,” to compromise mobile devices, marking a shift towards more sophisticated and discreet attack methods. This spyware’s development and deployment highlight a concerning trend: the increasing availability and use of commercially available, highly targeted surveillance technologies.

The core of the Aladdin mechanism hinges on leveraging the commercial mobile advertising system. Instead of relying on traditional click-based infection methods, Intellexa cleverly exploits Demand Side Platforms (DSPs) to deliver weaponized advertisements directly to specific individuals. These ads, appearing on any website displaying advertisements, trigger an infection upon a user’s simple viewing of the ad, without requiring any user interaction. This bypasses conventional security measures and dramatically increases the potential attack surface. The sophistication of this approach underscores a deliberate effort to minimize user awareness and resistance.

A critical element of the Predator operation is its complex and dispersed infrastructure. Intellexa utilizes a network of advertising firms across multiple countries—including Ireland, Germany, Switzerland, Greece, Cyprus, the UAE, and Hungary—to obfuscate its activities and circumvent regulatory scrutiny. This multi-layered approach, combined with the seemingly innocuous nature of the attack, makes it exceedingly difficult to trace the origin of the operation or identify those directly responsible. Recorded Future’s investigation successfully mapped this network, identifying key individuals, firms, and infrastructure components, although the full extent of Intellexa’s operations remains largely concealed.

Beyond Aladdin, the “Triton” delivery vector adds another layer of complexity to the Predator attack. Triton specifically targets devices with Samsung Exynos chipsets, leveraging baseband exploits to force a downgrade to 2G. This downgrade lays the groundwork for infection, representing a highly targeted and technically demanding strategy. The existence of Triton, along with the other suspected delivery mechanisms, “Thor” and “Oberon,” further highlights Intellexa's technical capabilities and resource investment. The fact that these vectors are potentially still active demonstrates the ongoing nature of this threat.

Intellexa’s prominence in the commercial spyware market is underscored by Google’s research, which identifies the company as responsible for 15 out of the 70 cases of zero-day exploitation that Google's Threat Analysis Group (TAG) has discovered and documented since 2021. This positions Intellexa as a prolific operator, indicating a significant financial investment in research and development, as well as a proactive approach to identifying and exploiting vulnerabilities. The company's modus operandi includes both the development of its own exploits and the acquisition of exploit chains from external parties, illustrating a comprehensive strategy for maximizing its surveillance reach. Despite ongoing sanctions and investigations against Intellexa in Greece, the operation continues, demonstrating resilience and a continued dedication to its clandestine activities.

The threat posed by Predator has prompted recommendations for enhanced user security, including enabling advanced protection features on Android and Lockdown Mode on iOS. These measures represent a basic level of defense against a highly targeted and stealthy threat, but don’t fully mitigate long-term risks. It is crucial to recognize that the intelligence gathered through Predator represents a serious risk of privacy violations and potential misuse of information, particularly by governments or intelligence agencies. The investigation reveals a troubling trend and raises serious questions regarding the ethical considerations and potential abuses associated with the widespread availability of such powerful surveillance technologies.