Predator Spyware Exploits Zero-Click Infection Vector via Malicious Ads
Summary
Predator spyware, developed by Intellexa, has been using a zero-click infection mechanism called Aladdin, which infects targets by displaying malicious advertisements. This vector is hidden behind shell companies across multiple countries and leverages the commercial mobile advertising system to deliver malware. The spyware is still operational and actively developed, with additional delivery vectors like Triton targeting Samsung Exynos devices. The infection occurs when a target views a malicious ad, which triggers a redirection to Intellexa’s exploit delivery servers. The ads are served through a complex network of advertising firms, making defense measures challenging. Despite sanctions and investigations, including fines from the Greek Data Protection Authority, Intellexa remains active and prolific in zero-day exploitation. Recent leaks reveal that Intellexa's Predator spyware has been marketed under various names, including Helios, Nova, Green Arrow, and Red Arrow. The spyware exploits multiple zero-day vulnerabilities in Android and iOS devices, and uses frameworks like JSKit for native code execution. Intellexa also has the capability to remotely access the surveillance systems of its customers using TeamViewer. The spyware collects extensive data from targeted devices, including messaging apps, calls, emails, device locations, screenshots, passwords, and other on-device information. New research has confirmed that Predator spyware was used to target an Angolan journalist, Teixeira Cândido, in May 2024 via a WhatsApp link. The infection lasted less than one day and was removed when the device was restarted. Attackers made 11 additional attempts to re-infect the device, all of which failed. Predator spyware incorporates advanced anti-analysis mechanisms and has explicit checks to avoid running in U.S. and Israeli locales.
Timeline
- 05.12.2025 13:47 (1 article): Intellexa Targets Human Rights Lawyer in Pakistan
A human rights lawyer from Pakistan's Balochistan province received a suspicious WhatsApp link, marking the first time a civil society member in the country was targeted by Intellexa's Predator spyware. The link was identified as a Predator attack attempt based on the technical behavior of the infection server and specific characteristics of the one-time infection link.
Sources:
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- 04.12.2025 22:47 (4 articles): Predator Spyware Uses Zero-Click Infection Vector via Malicious Ads
Predator spyware, developed by Intellexa, has been using a zero-click infection mechanism called Aladdin, which infects targets by displaying malicious advertisements. The infection occurs when a target views the ad, triggering a redirection to Intellexa’s exploit delivery servers. The ads are served through a complex network of advertising firms across multiple countries. Another delivery vector, Triton, targets Samsung Exynos devices with baseband exploits, forcing 2G downgrades for infection. Intellexa remains active and prolific in zero-day exploitation despite sanctions and investigations, including fines from the Greek Data Protection Authority. Recent leaks reveal that Intellexa's Predator spyware has been marketed under various names, including Helios, Nova, Green Arrow, and Red Arrow. The spyware exploits multiple zero-day vulnerabilities in Android and iOS devices, and uses frameworks like JSKit for native code execution. Intellexa also has the capability to remotely access the surveillance systems of its customers using TeamViewer. The spyware collects extensive data from targeted devices, including messaging apps, calls, emails, device locations, screenshots, passwords, and other on-device information. New research has confirmed that Predator spyware was used to target an Angolan journalist, Teixeira Cândido, in May 2024 via a WhatsApp link. The infection lasted less than one day and was removed when the device was restarted. Attackers made 11 additional attempts to re-infect the device, all of which failed. The spyware incorporates advanced anti-analysis mechanisms, including a crash reporter monitoring system and SpringBoard hooking, allowing operators to selectively enable or disable modules based on target activity and have granular visibility into failed deployments.
Sources:
- Predator spyware uses new infection vector for zero-click attacks — www.bleepingcomputer.com — 04.12.2025 22:47
- Predator Spyware Maker Intellexa Evades Sanctions, New Victims Identified — www.infosecurity-magazine.com — 05.12.2025 11:15
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
Information Snippets
- Aladdin is a zero-click infection mechanism used by Predator spyware, which infects targets by displaying malicious advertisements.
First reported: 04.12.2025 22:47 (3 sources, 4 articles). Sources:
- Predator spyware uses new infection vector for zero-click attacks — www.bleepingcomputer.com — 04.12.2025 22:47
- Predator Spyware Maker Intellexa Evades Sanctions, New Victims Identified — www.infosecurity-magazine.com — 05.12.2025 11:15
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- The malicious ads are served through a network of advertising firms across multiple countries, including Ireland, Germany, Switzerland, Greece, Cyprus, the UAE, and Hungary.
First reported: 04.12.2025 22:47 (3 sources, 4 articles). Sources:
- Predator spyware uses new infection vector for zero-click attacks — www.bleepingcomputer.com — 04.12.2025 22:47
- Predator Spyware Maker Intellexa Evades Sanctions, New Victims Identified — www.infosecurity-magazine.com — 05.12.2025 11:15
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- The infection occurs when a target views the ad, triggering a redirection to Intellexa’s exploit delivery servers.
First reported: 04.12.2025 22:47 (3 sources, 4 articles). Sources:
- Predator spyware uses new infection vector for zero-click attacks — www.bleepingcomputer.com — 04.12.2025 22:47
- Predator Spyware Maker Intellexa Evades Sanctions, New Victims Identified — www.infosecurity-magazine.com — 05.12.2025 11:15
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Another delivery vector, Triton, targets Samsung Exynos devices with baseband exploits, forcing 2G downgrades for infection.
First reported: 04.12.2025 22:47 (3 sources, 4 articles). Sources:
- Predator spyware uses new infection vector for zero-click attacks — www.bleepingcomputer.com — 04.12.2025 22:47
- Predator Spyware Maker Intellexa Evades Sanctions, New Victims Identified — www.infosecurity-magazine.com — 05.12.2025 11:15
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Intellexa is responsible for 15 out of 70 cases of zero-day exploitation documented by Google’s TAG since 2021.
First reported: 04.12.2025 22:47 (3 sources, 4 articles). Sources:
- Predator spyware uses new infection vector for zero-click attacks — www.bleepingcomputer.com — 04.12.2025 22:47
- Predator Spyware Maker Intellexa Evades Sanctions, New Victims Identified — www.infosecurity-magazine.com — 05.12.2025 11:15
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Intellexa develops its own exploits and purchases exploit chains from external entities to cover a full spectrum of targeting.
First reported: 04.12.2025 22:47 (2 sources, 3 articles). Sources:
- Predator spyware uses new infection vector for zero-click attacks — www.bleepingcomputer.com — 04.12.2025 22:47
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Intellexa was fined by the Greek Data Protection Authority in 2023 for failing to comply with investigations.
First reported: 05.12.2025 11:15 (2 sources, 2 articles). Sources:
- Predator Spyware Maker Intellexa Evades Sanctions, New Victims Identified — www.infosecurity-magazine.com — 05.12.2025 11:15
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Intellexa's spyware products are still thriving despite extensive US sanctions.
First reported: 05.12.2025 11:15 (2 sources, 3 articles). Sources:
- Predator Spyware Maker Intellexa Evades Sanctions, New Victims Identified — www.infosecurity-magazine.com — 05.12.2025 11:15
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Intellexa's spyware, Predator, is sometimes marketed as Helios, Nova, Green Arrow, or Red Arrow.
First reported: 05.12.2025 11:15 (2 sources, 3 articles). Sources:
- Predator Spyware Maker Intellexa Evades Sanctions, New Victims Identified — www.infosecurity-magazine.com — 05.12.2025 11:15
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- A human rights lawyer from Pakistan's Balochistan province was targeted by Intellexa's Predator spyware via a suspicious WhatsApp link.
First reported: 05.12.2025 13:47 (1 source, 1 article). Sources:
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Intellexa's Predator spyware has been marketed as Helios, Nova, Green Arrow, and Red Arrow.
First reported: 05.12.2025 13:47 (1 source, 2 articles). Sources:
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Intellexa uses various initial access vectors, including messaging platforms, to deliver Predator spyware via zero-click or one-click approaches.
First reported: 05.12.2025 13:47 (1 source, 2 articles). Sources:
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Predator spyware exploits multiple zero-day vulnerabilities in Android and iOS devices, including CVE-2025-48543, CVE-2025-6554, CVE-2023-41993, and others.
First reported: 05.12.2025 13:47 (1 source, 2 articles). Sources:
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- The JSKit framework is used by Intellexa to perform native code execution on iOS devices.
First reported: 05.12.2025 13:47 (1 source, 2 articles). Sources:
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Predator spyware collects data from messaging apps, calls, emails, device locations, screenshots, passwords, and other on-device information.
First reported: 05.12.2025 13:47 (1 source, 2 articles). Sources:
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Intellexa has the capability to remotely access the surveillance systems of its customers using TeamViewer.
First reported: 05.12.2025 13:47 (1 source, 2 articles). Sources:
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Intellexa uses strategic vectors like Mars, Jupiter, and Aladdin for delivering Predator spyware.
First reported: 05.12.2025 13:47 (1 source, 2 articles). Sources:
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- The Aladdin system exploits the mobile advertising ecosystem to carry out zero-click attacks.
First reported: 05.12.2025 13:47 (1 source, 2 articles). Sources:
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Companies like Pulse Advertise and MorningStar TEC are likely tied to the Aladdin infection vector.
First reported: 05.12.2025 13:47 (1 source, 2 articles). Sources:
- Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery — thehackernews.com — 05.12.2025 13:47
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Predator spyware was used to target an Angolan journalist, Teixeira Cândido, in May 2024 via a WhatsApp link.
First reported: 18.02.2026 19:30 (1 source, 1 article). Sources:
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- The spyware infection lasted less than one day and was removed when the device was restarted.
First reported: 18.02.2026 19:30 (1 source, 1 article). Sources:
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Attackers made 11 additional attempts to re-infect the device, all of which failed.
First reported: 18.02.2026 19:30 (1 source, 1 article). Sources:
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Predator spyware incorporates anti-analysis mechanisms, including a crash reporter monitoring system and SpringBoard hooking.
First reported: 18.02.2026 19:30 (1 source, 1 article). Sources:
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- The spyware has explicit checks to avoid running in U.S. and Israeli locales.
First reported: 18.02.2026 19:30 (1 source, 1 article). Sources:
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Predator spyware allows operators to selectively enable or disable modules based on target activity.
First reported: 18.02.2026 19:30 (1 source, 1 article). Sources:
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- The spyware has granular visibility into failed deployments, enabling operators to adapt their approaches for specific targets.
First reported: 18.02.2026 19:30 (1 source, 1 article). Sources:
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
Similar Happenings
Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users
Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign undertaken by a likely state-sponsored threat actor that involves carrying out phishing attacks over the Signal messaging app. The focus is on high-ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe. Unauthorized access to messenger accounts not only allows access to confidential private communications but also potentially compromises entire networks. The campaign involves threat actors masquerading as 'Signal Support' or a support chatbot named 'Signal Security ChatBot' to initiate direct contact with prospective targets, urging them to provide a PIN or verification code received via SMS, or risk facing data loss. Should the victim comply, the attackers can register the account and gain access to the victim's profile, settings, contacts, and block list through a device and mobile phone number under their control. There also exists an alternative infection sequence that takes advantage of the device linking option to trick victims into scanning a QR code, thereby granting the attackers access to the victim's account, including their messages for the last 45 days, on a device managed by them. The security authorities warned that while the current focus of the campaign appears to be Signal, the attack can also be extended to WhatsApp since it also incorporates similar device linking and PIN features as part of two-step verification. Similar attacks have been orchestrated by multiple Russia-aligned threat clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185).
Sturnus Android Malware Targets Encrypted Messaging Apps and Banking Credentials
Sturnus, a new Android banking trojan, steals messages from encrypted apps like Signal, WhatsApp, and Telegram by capturing screen content post-decryption. It performs full device takeover via VNC and overlays to steal banking credentials. The malware is under development but fully functional, targeting European financial institutions with region-specific overlays. It uses a mix of encryption methods for C2 communication and abuses Accessibility services for extensive control. The malware is disguised as legitimate apps like Google Chrome or Preemix Box, but distribution methods remain unknown. It establishes encrypted channels for commands and data exfiltration, and gains Device Administrator privileges to prevent removal. ThreatFabric reports low-volume attacks in Southern and Central Europe, suggesting testing for larger campaigns. New details reveal Sturnus uses WebSocket and HTTP channels for communication, displays full-screen overlays mimicking OS updates, and collects extensive device data for continuous feedback.
Landfall Android Spyware Exploits Samsung Zero-Day via WhatsApp
The Landfall Android spyware targeted Samsung devices through a zero-day vulnerability (CVE-2025-21042) in a Samsung image processing library. The exploit was delivered via a malicious DNG image sent through WhatsApp, affecting Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 phones. The spyware enables microphone recording, location tracking, and data exfiltration. The attacks have been ongoing since at least July 2024, and the vulnerability was patched by Samsung in April. The threat actor, tracked as CL-UNK-1054, remains unidentified, with potential links to the Stealth Falcon group and other surveillance vendors. The attacks primarily targeted individuals in the Middle East and North Africa. The exploit involved a zero-click approach, and the malicious DNG files contained an embedded ZIP file with a shared object library to run the spyware. The spyware manipulated the device's SELinux policy to gain elevated permissions and facilitate persistence, and communicated with a command-and-control (C2) server over HTTPS for beaconing and receiving next-stage payloads. The spyware can fingerprint devices based on hardware and SIM IDs and targets a broad range of Samsung’s latest flagship models, excluding the latest S25 series devices. Unit 42 identified six C2 servers linked to the Landfall campaign, with some flagged by Turkey’s CERT. C2 domain registration and infrastructure patterns share similarities with those seen in Stealth Falcon operations, originating from the United Arab Emirates. CISA has added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch within three weeks.
State-Backed Hackers Abuse AI Models for Advanced Cyber Attacks
Google's Threat Intelligence Group (GTIG) has identified new malware families that leverage artificial intelligence (AI) and large language models (LLMs) for dynamic self-modification during execution. These malware families, including PromptFlux, PromptSteal, FruitShell, QuietVault, and PromptLock, demonstrate advanced capabilities for evading detection and maintaining persistence. PromptFlux, an experimental VBScript dropper, uses Google's LLM Gemini to generate obfuscated VBScript variants and evade antivirus software. It attempts persistence via Startup folder entries and spreads laterally on removable drives and mapped network shares. The malware is assessed to be in a development or testing phase and to be financially motivated. PromptSteal is a data miner written in Python that queries the LLM Qwen2.5-Coder-32B-Instruct to generate one-line Windows commands to collect information and documents in specific folders and send the data to a command-and-control (C2) server. It is used by the Russian state-sponsored actor APT28 in attacks targeting Ukraine. State-backed hackers from China (APT31, Temp.HEX), Iran (APT42), North Korea (UNC2970), and Russia have used Gemini AI for all stages of an attack, including reconnaissance, phishing lure creation, C2 development, and data exfiltration. Chinese threat actors used Gemini to automate vulnerability analysis and provide targeted testing plans against specific US-based targets. Iranian adversary APT42 leveraged Gemini for social engineering campaigns and to speed up the creation of tailored malicious tools. The use of AI in malware enables adversaries to create more versatile and adaptive threats, posing significant challenges for cybersecurity defenses. Various threat actors, including those from China, Iran, and North Korea, have been observed abusing AI models like Gemini across different stages of the attack lifecycle.
The underground market for AI-powered cybercrime tools is also growing, with offerings ranging from deepfake generation to malware development and vulnerability exploitation.
Memento Labs linked to Chrome zero-day exploitation in Operation ForumTroll
Operation ForumTroll, discovered in March 2025, targeted Russian organizations and individuals using a zero-day vulnerability in Google Chrome (CVE-2025-2783). The campaign, also tracked as TaxOff/Team 46 by Positive Technologies and Prosperous Werewolf by BI.ZONE, delivered malware linked to the Italian spyware vendor Memento Labs. The attacks used phishing emails with malicious links to infect victims, targeting media outlets, universities, research centers, government organizations, financial institutions, and other organizations in Russia and Belarus. The malware, identified as LeetAgent and Dante, was used to steal data and maintain persistence on compromised systems. Memento Labs, formed after InTheCyber Group acquired Hacking Team, presented its Dante spyware at a conference in 2023. The malware was used in attacks dating back to at least 2022. The attacks involved sophisticated techniques to ensure only targeted victims were compromised. The zero-day vulnerability (CVE-2025-2783) was discovered and reported to Google by researchers at Kaspersky Lab earlier in 2025. The exploit bypassed Chrome's sandbox protections by exploiting a logic vulnerability in Chrome caused by an obscure quirk in the Windows OS. The exploit used pseudo handles to disable sandbox functionality, allowing unauthorized access to privileged processes. The exploit represents a new class of vulnerabilities that could affect other applications and Windows services. The group known as Mem3nt0 mori, also referred to as ForumTroll APT, is linked to Operation ForumTroll. The attacks began in March 2025 with highly personalized phishing emails inviting victims to the Primakov Readings forum. The flaw in Chrome stemmed from a logical oversight in Windows' handling of pseudo handles, allowing attackers to execute code in Chrome's browser process. Google patched the issue in version 134.0.6998.177/.178. Firefox developers found a related issue in their browser, addressed as CVE-2025-2857. 
Kaspersky's researchers concluded that Mem3nt0 mori leveraged Dante-based components in the ForumTroll campaign, marking the first observed use of this commercial spyware in the wild. The discovery underscores ongoing risks from state-aligned and commercial surveillance vendors. Kaspersky urged security researchers to examine other software and Windows services for similar pseudo-handle vulnerabilities. In a new wave of attacks detected in October 2025, the threat actor targeted individuals in Russia, specifically scholars in political science, international relations, and global economics, working at major Russian universities and research institutions. The latest attack wave used emails claiming to be from eLibrary, a Russian scientific electronic library, with messages sent from the address 'support@e-library[.]wiki'. The domain was registered in March 2025, six months before the start of the campaign, indicating preparations for the attack had been underway for some time. The emails contained links to a malicious site to download a plagiarism report, which, when clicked, downloaded a ZIP archive named with the victim's last name, first name, and patronymic. The links were designed for one-time use, displaying a Russian language message stating 'Download failed, please try again later' if accessed more than once. The archive contained a Windows shortcut (LNK) that, when executed, ran a PowerShell script to download and launch a PowerShell-based payload from a remote server. The payload contacted a URL to fetch a final-stage DLL and persist it using COM hijacking, also downloading and displaying a decoy PDF to the victim. The final payload was a command-and-control (C2) and red teaming framework known as Tuoni, enabling remote access to the victim's Windows device. ForumTroll has been targeting organizations and individuals in Russia and Belarus since at least 2022.