Multi-tiered infrastructure linked to Predator | Source: Recorded Future
Despite mounting international pressure, public exposures, and a barrage of sanctions, the Predator spyware continues to evolve — and expand. In its latest Cyber Threat Analysis, Insikt Group reveals a troubling resurgence of Predator operations, identifying new infrastructure, novel obfuscation tactics, and a previously unreported customer in Mozambique.
“Predator activity has not stopped,” Insikt warns. “In recent months, we have observed a resurgence of activity, reflecting the operators’ continued persistence.”
Originally developed by Cytrox and operated under the Intellexa Consortium, Predator is among the most sophisticated mercenary spyware tools on the market, capable of full surveillance over both Android and iOS devices. Once implanted, it grants operators access to messages, microphones, cameras — even encrypted content — all without the victim’s knowledge.
While Predator had seemingly gone dark following U.S. sanctions and the UK-France Pall Mall Process aimed at curbing spyware abuse, new evidence suggests these efforts were not enough.
“Insikt Group has identified new infrastructure associated with Predator, indicating continued operations despite public exposure, international sanctions, and policy interventions.”
One of the revelations in the report is the appearance of Predator activity in Mozambique, marking the first public link between the country and this spyware.
Insikt attributes several domains to a suspected Mozambican Predator operator, including:
- flickerxxx[.]com (a likely impersonation of Flickr)
- noticiafresca[.]net (posing as a local news outlet)
- mundoautopro[.]com
The infrastructure shares technical fingerprints consistent with previous Predator campaigns. Recorded Future’s network telemetry places the activation of these domains in early 2024, with activity still ongoing.
“This aligns with the broader observation that Predator is highly active in Africa, with over half of its identified customers located on the continent.”
The report also uncovers a technical and financial trail linking Predator infrastructure to a Czech entity: FoxITech s.r.o. This marks the first known link between Predator’s digital architecture and the companies affiliated with Intellexa.
A financial investigation revealed Intellexa had transferred nearly €3 million to Czech entrepreneur Dvir Horef Hazan and his companies. Domains and IP addresses under Hazan’s corporate network have now been tied to Tier 5 servers — a deeper layer of Predator’s infrastructure previously hidden from public scrutiny.
“This establishes a link between Predator’s multi-tiered infrastructure and the Czech entity, marking the first technical connection made between Predator infrastructure and corporate entities associated with the Intellexa Consortium.”
Predator operators are growing more elusive. Insikt reports a shift from mimicking real websites to using random English word combinations in domain names — such as boundbreeze[.]com and branchbreeze[.]com. Fake 404 pages, bogus login portals, and under-construction sites are now part of its evasion playbook.
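As an added illustration of the naming shift described above (this is not code from the Insikt report or from Recorded Future): a small Python triage pass over constructed dnsmasq-style DNS query lines that flags the domains the report lists and, as a weaker signal, registrable names formed from two dictionary words joined together. The word list and allowlist are constructed stand-ins for a full dictionary and a real allowlist.

```python
import re

# Domains the Insikt report attributes to Predator operators (refanged from the page).
REPORTED_DOMAINS = {"flickerxxx.com", "noticiafresca.net", "mundoautopro.com",
                    "boundbreeze.com", "branchbreeze.com"}
# Constructed mini-dictionary; a real deployment would load a full English word list.
WORDS = {"bound", "branch", "breeze", "cloud", "river", "stone", "light", "face", "book"}
# Constructed allowlist: legitimate names that are also two-word compounds.
ALLOWLIST = {"facebook.com"}
# dnsmasq-style query line: "... dnsmasq[42]: query[A] boundbreeze.com from 10.0.0.5"
QUERY_RE = re.compile(r"query\[(?:A|AAAA|HTTPS)\]\s+(\S+)\s+from\s+(\S+)")

def registrable(domain):
    """Refang example[.]com and reduce to the last two labels (naive: one-label TLDs)."""
    parts = domain.replace("[.]", ".").rstrip(".").lower().split(".")
    return ".".join(parts[-2:])

def split_two_words(label):
    """Return (w1, w2) if label is exactly two dictionary words joined, else None."""
    for i in range(1, len(label)):
        if label[:i] in WORDS and label[i:] in WORDS:
            return label[:i], label[i:]
    return None

def triage(log_lines):
    """Return (client, domain, reason) for reported IoCs and two-word compound domains."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        domain, client = registrable(m.group(1)), m.group(2)
        if domain in ALLOWLIST:
            continue
        if domain in REPORTED_DOMAINS:
            hits.append((client, domain, "reported-ioc"))
        else:
            words = split_two_words(domain.split(".")[0])
            if words:  # weak signal on its own: many legitimate names are compounds too
                hits.append((client, domain, "two-word:" + "+".join(words)))
    return hits

SAMPLE_LOGS = [  # constructed lines in dnsmasq's log format
    "Jun  5 10:01:02 dnsmasq[42]: query[A] boundbreeze.com from 10.0.0.5",
    "Jun  5 10:01:03 dnsmasq[42]: query[A] facebook.com from 10.0.0.5",
    "Jun  5 10:01:04 dnsmasq[42]: query[A] www.noticiafresca.net from 10.0.0.7",
    "Jun  5 10:01:05 dnsmasq[42]: query[AAAA] riverstone.com from 10.0.0.9",
    "Jun  5 10:01:06 dnsmasq[42]: reply example.com is 93.184.216.34",
]
```

Calling `triage(SAMPLE_LOGS)` yields two reported-IoC hits and one two-word hit; the two-word signal is for triage clustering only, since it fires on many legitimate compound names.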
The architecture itself is growing more complex. What was once a three-tier network has now expanded to five distinct infrastructure layers, each serving to hide the true origin and purpose of the spyware.
“The addition of a fourth layer in the current design is likely intended to further obscure the identification of countries suspected of deploying Predator.”
Although Predator is marketed for counterterrorism, its deployment tells another story. Targets include journalists, opposition politicians, and civil society groups, particularly in countries with poor human rights records.
Insikt emphasizes that “given Predator’s expensive licensing model, its use is typically reserved for high-value, strategic targets,” including corporate leaders and public officials — making it not only a privacy threat, but a geopolitical one.
Insikt Group urges organizations and individuals at risk to:
- Regularly reboot devices and apply security updates.
- Use Lockdown Mode on iOS where available.
- Implement Mobile Device Management (MDM) tools.
- Separate personal and corporate devices.
- Reduce data exposure through security awareness.