Predator spyware targeting Teixeira Cândido's iPhone
Malware Activity
Summary
Hide ▲
Show ▼
Predator spyware successfully targeted Teixeira Cândido's iPhone in May 2024, giving an attacker the ability to gain unrestricted access to the device. The infection was delivered through a WhatsApp infection link, and subsequent re-infection attempts were made over the following weeks. The activity matters because it shows a commercial spyware operation reaching a civil society target in Angola and exploiting a phone running iOS 16.2.
Related Happenings
WhatsApp anti-scam protections now warn on fraudulent device-linking requests
Security Tool/Service
First: 26.03.2026 16:06
Last: 26.03.2026 16:06
Sources 1
About this happening:
**WhatsApp** rolled out **anti-scam protections** that warn users when **device-linking requests** look suspicious, adding a new user-facing control against **fraudulent account-l...
WhatsApp anti-scam protections now warn on fraudulent device-linking requests
Security Tool/ServiceAbout this happening: **WhatsApp** rolled out **anti-scam protections** that warn users when **device-linking requests** look suspicious, adding a new user-facing control against **fraudulent account-l...
Operation Triangulation updated iPhone espionage campaign
Campaign
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...
Operation Triangulation updated iPhone espionage campaign
CampaignAbout this happening: The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...
Coruna iOS exploit analysis ties updated Triangulation kernel exploit lineage
Technical Analysis
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
**Coruna** has been linked to an **updated** exploit lineage from **Operation Triangulation**, showing that a long-running iPhone attack framework continues to evolve and can stil...
Coruna iOS exploit analysis ties updated Triangulation kernel exploit lineage
Technical AnalysisAbout this happening: **Coruna** has been linked to an **updated** exploit lineage from **Operation Triangulation**, showing that a long-running iPhone attack framework continues to evolve and can stil...
DarkSword iPhone exploit chain exploitation wave
Exploitation Wave
First: 18.03.2026 23:15
Last: 18.03.2026 23:15
Sources 1
About this happening:
**DarkSword** is an **active iPhone exploitation wave** targeting **iOS 18.4 through iOS 18.7**, with **Apple** expanding **iOS 18.7.7** and **iPadOS 18.7.7** to more older device...
DarkSword iPhone exploit chain exploitation wave
Exploitation WaveAbout this happening: **DarkSword** is an **active iPhone exploitation wave** targeting **iOS 18.4 through iOS 18.7**, with **Apple** expanding **iOS 18.7.7** and **iPadOS 18.7.7** to more older device...
Latest development: 02.04.2026 16:30
Apple broadened availability of iOS 18.7.7 and iPadOS 18.7.7 on April 1 to more devices still running iOS 18, including iPhone XR through iPhone 16 models, iPhone SE (2nd and 3rd generation), and multiple iPad models, so they can receive security patches against DarkSword web-based watering hole attacks that can deploy malware after a user visits a compromised website. Apple also began sending lock screen notifications to users running older software, urging installation of the latest security updates.
SORVEPOTEL WhatsApp malware campaign spreads across Brazil
Campaign
First: 12.03.2026 19:31
Last: 12.03.2026 19:31
Sources 1
About this happening:
A **WhatsApp** malware campaign in **Brazil** is spreading **SORVEPOTEL**, a **self-propagating Windows malware** that uses **phishing ZIP attachments** and a desktop-only lure to...
SORVEPOTEL WhatsApp malware campaign spreads across Brazil
CampaignAbout this happening: A **WhatsApp** malware campaign in **Brazil** is spreading **SORVEPOTEL**, a **self-propagating Windows malware** that uses **phishing ZIP attachments** and a desktop-only lure to...
Timeline
-
18.02.2026 19:30 1 articles · 3mo ago
Predator compromises Teixeira Cândido's iPhone
Exploitation ObservedPredator spyware successfully targeted Teixeira Cândido's iPhone after he opened a WhatsApp infection link, and the infection was removed when the phone was restarted on 4 May 2024, ending an intrusion that could have given the attacker unrestricted access to the device.
Show sources
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
-
18.02.2026 19:30 1 articles · 3mo ago
Repeated Predator re-infection attempts continue through 16 June 2024
Campaign Scope UpdateAfter the original Predator compromise of Teixeira Cândido's iPhone, attackers sent 11 new malicious infection links through 16 June 2024 in repeated re-infection attempts against the same journalist and press freedom advocate, and the later attempts appear to have failed because the links were not opened.
Show sources
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
-
18.02.2026 19:30 2 articles · 3mo ago
Citizen Lab and Amnesty International publicly report Predator targeting of Teixeira Cândido
Initial DisclosureCitizen Lab and Amnesty International publicly reported forensic evidence that Predator targeted Teixeira Cândido's iPhone in Angola, describing the WhatsApp infection link, the iOS 16.2 device, the less-than-one-day initial infection, and the 11 re-infection attempts through 16 June 2024.
Show sources
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody — thehackernews.com — 18.02.2026 19:30