{"id":28870,"date":"2025-12-05T08:36:07","date_gmt":"2025-12-05T08:36:07","guid":{"rendered":"http:\/\/localhost\/?p=28870"},"modified":"2025-12-05T08:36:07","modified_gmt":"2025-12-05T08:36:07","slug":"leaks-show-intellexa-burning-zero-days-to-keep-predator-spyware-running","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=28870","title":{"rendered":"Leaks show Intellexa burning zero-days to keep Predator spyware running_MALWAREBYTES:823D3FF6E49467336A8A9700550B27D8"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-12-05T14:05:12&#8243;,&#8221;description&#8221;:&#8221;Intellexa is a well-known commercial spyware vendor, servicing governments and large corporations. Its main product is the Predator spyware.\\n\\nAn investigation by several independent parties describes Intellexa as one of the most notorious mercenary spyware vendors, still operating its Predator platform and hitting new targets even after being placed on US sanctions lists and being under active investigation in Greece.\\n\\nThe investigation draws on highly sensitive documents and other materials leaked from the company, including internal records, sales and marketing material, and training videos. Amnesty International researchers reviewed the material to verify the evidence.\\n\\nTo me, the most interesting part is Intellexa\u2019s continuous use of zero-days against mobile browsers. Google\u2019s Threat Analysis Group (TAG) posted a blog about that, including a list of 15 unique zero-days.\\n\\nIntellexa can afford to buy and burn zero-day vulnerabilities. They buy them from hackers and use them until the bugs are discovered and patched\u2013at which point they are \u201cburned\u201d because they no longer work against updated systems.\\n\\nThe price for such vulnerabilities depends on the targeted device or application and the impact of exploitation. 
For example, you can expect to pay in the range of $100,000 to $300,000 for a robust, weaponized Remote Code Execution (RCE) exploit against Chrome with sandbox bypass suitable for reliable, at\u2011scale deployment in a mercenary spyware platform. And in 2019, zero-day exploit broker Zerodium offered millions for zero-click full chain exploits with persistence against Android and iPhones.\\n\\nWhich is why only governments and well-resourced organizations can afford to hire Intellexa to spy on the people they\u2019re interested in.\\n\\nThe Google TAG blog states:\\n\\n\\u003e \u201cPartnering with our colleagues at CitizenLab in 2023, we captured a full iOS zero-day exploit chain used in the wild against targets in Egypt. Developed by Intellexa, this exploit chain was used to install spyware publicly known as Predator surreptitiously onto a device.\u201d\\n\\nTo slow down the \\&#8221;burn\\&#8221; rate of its exploits, Intellexa delivers one-time links directly to targets through end-to-end encrypted messaging apps. This is a common method: last year we reported how the NSO Group was ordered to hand over the code for Pegasus and other spyware products that were used to spy on WhatsApp users.\\n\\nThe fewer people who see an exploit link, the harder it is for researchers to capture and analyze it. Intellexa also uses malicious ads on third-party platforms to fingerprint visitors and redirect those who match its target profiles to its exploit delivery servers.\\n\\nThis zero-click infection mechanism, dubbed \u201cAladdin,\u201d is believed to still be operational and actively developed. It leverages the commercial mobile advertising system to deliver malware. That means a malicious ad could appear on any website that serves ads, such as a trusted news website or mobile app, and look completely ordinary. If you&#8217;re not in the target group, nothing happens. 
If you are, simply viewing the ad is enough to trigger the infection on your device, no need to click.\\n\\n![zero click infection chain](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/12\/aladdin.png)Zero-click infection chain  \\n _Image courtesy of Amnesty International_\\n\\n## How to stay safe\\n\\nWhile most of us will probably never have to worry about being in the target group, there are still practical steps you can take:\\n\\n  * **Use an ad blocker.** Malwarebytes Browser Guard is a good start. Did I mention it\u2019s a free browser extension that works on Chrome, Firefox, Edge, and Safari? And it should work on most other Chromium-based browsers (I even use it on Comet).\\n  * **Keep your software updated.** When it comes to zero-days, updating your software only helps after researchers discover the vulnerabilities. However, once the flaws become public, less sophisticated cybercriminals often start exploiting them, so patching remains essential to block these more common attacks.\\n  * **Use a real-time anti-malware solution** on your devices.\\n  * **Don\u2019t open unsolicited messages from unknown senders.** Opening them could be enough to start a compromise of your device.\\n\\n\\n\\n* * *\\n\\n**We don\u2019t just report on phone security\u2014we provide it**\\n\\nCybersecurity risks should never spread beyond a headline. 
Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.&#8221;,&#8221;published&#8221;:&#8221;2025-12-05T13:31:54&#8243;,&#8221;modified&#8221;:&#8221;2025-12-05T13:31:54&#8243;,&#8221;type&#8221;:&#8221;malwarebytes&#8221;,&#8221;title&#8221;:&#8221;Leaks show Intellexa burning zero-days to keep Predator spyware running&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MALWAREBYTES:823D3FF6E49467336A8A9700550B27D8&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www
.malwarebytes.com\/blog\/news\/2025\/12\/leaks-show-intellexa-burning-zero-days-to-keep-predator-spyware-running&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-12-05T14:05:12&#8243;,&#8221;description&#8221;:&#8221;Intellexa is a well-known commercial spyware vendor, servicing governments and large corporations. Its main product is the Predator spyware.\\n\\nAn investigation by several independent parties describes&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-28870","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Leaks show Intellexa burning zero-days to keep Predator spyware running_MALWAREBYTES:823D3FF6E49467336A8A9700550B27D8 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=28870\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Leaks show Intellexa 
burning zero-days to keep Predator spyware running_MALWAREBYTES:823D3FF6E49467336A8A9700550B27D8 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2025-12-05T14:05:12&#8243;,&#8221;description&#8221;:&#8221;Intellexa is a well-known commercial spyware vendor, servicing governments and large corporations. Its main product is the Predator spyware.nnAn investigation by several independent parties describes...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=28870\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-05T08:36:07+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28870#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28870\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Leaks show Intellexa burning zero-days to keep Predator spyware 
running_MALWAREBYTES:823D3FF6E49467336A8A9700550B27D8\",\"datePublished\":\"2025-12-05T08:36:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28870\"},\"wordCount\":840,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=28870#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28870\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28870\",\"name\":\"Leaks show Intellexa burning zero-days to keep Predator spyware running_MALWAREBYTES:823D3FF6E49467336A8A9700550B27D8 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-05T08:36:07+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28870#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=28870\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28870#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Leaks show Intellexa burning zero-days to keep Predator spyware running_MALWAREBYTES:823D3FF6E49467336A8A9700550B27D8\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero 
redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Leaks show Intellexa burning zero-days to keep Predator spyware running_MALWAREBYTES:823D3FF6E49467336A8A9700550B27D8 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=28870","og_locale":"en_US","og_type":"article","og_title":"Leaks show Intellexa burning zero-days to keep Predator spyware running_MALWAREBYTES:823D3FF6E49467336A8A9700550B27D8 - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2025-12-05T14:05:12&#8243;,&#8221;description&#8221;:&#8221;Intellexa is a well-known commercial spyware vendor, servicing governments and large corporations. Its main product is the Predator spyware.nnAn investigation by several independent parties describes...","og_url":"https:\/\/zero.redgem.net\/?p=28870","og_site_name":"zero redgem","article_published_time":"2025-12-05T08:36:07+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=28870#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=28870"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Leaks show Intellexa burning zero-days to keep Predator spyware running_MALWAREBYTES:823D3FF6E49467336A8A9700550B27D8","datePublished":"2025-12-05T08:36:07+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=28870"},"wordCount":840,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","malwarebytes","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=28870#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=28870","url":"https:\/\/zero.redgem.net\/?p=28870","name":"Leaks show Intellexa burning zero-days to keep Predator spyware running_MALWAREBYTES:823D3FF6E49467336A8A9700550B27D8 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-12-05T08:36:07+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=28870#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=28870"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=28870#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Leaks show Intellexa burning zero-days to keep Predator spyware running_MALWAREBYTES:823D3FF6E49467336A8A9700550B27D8"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/28870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=28870"}],"version-history":[{"count":0,"href":"htt
ps:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/28870\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=28870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=28870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=28870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}