The commercial spyware industry isn’t just building tools to spy on victims; it is also building tools to spy on the researchers hunting it. In a new technical analysis released by Jamf Threat Labs, researchers have uncovered previously undocumented anti-analysis mechanisms within Intellexa’s notorious Predator spyware, revealing a level of sophistication that turns the tables on defenders.
While Google’s Threat Intelligence Group (GTIG) exposed Predator’s zero-day exploit chains in late 2024, Jamf’s independent reverse engineering has peeled back another layer: the spyware’s obsession with self-preservation.
At the heart of these new findings is a C++ class named CSWatcherSpawner, a digital overseer designed to orchestrate a suite of detection methods. Unlike standard malware that might simply terminate if it detects a sandbox, Predator performs a comprehensive environmental scan.
The report details how this module checks for developer modes, jailbreaks, and network interception, but goes much further than simple evasion.
“This analysis reveals that Predator’s anti-analysis capabilities are more sophisticated than previously documented,” the researchers warn.
One of the most significant discoveries is a complete taxonomy of error codes, ranging from 301 to 311. These aren’t just generic failure notices; they are precise diagnostic tools that tell the spyware operators exactly why an infection failed.
Whether it was a specific security application, a jailbreak tool, or a network configuration that flagged the intrusion, the operators know.
“The error code taxonomy demonstrates that Intellexa operators have granular visibility into why deployments fail, enabling them to adapt their approaches for specific targets.”
This feedback loop allows Intellexa to fine-tune their attacks in real-time, making subsequent attempts more likely to succeed.
The analysis also highlights Predator’s ability to manipulate the user experience to remain undetected. By hooking into the iOS SpringBoard, the spyware can actively hide recording indicators, ensuring the victim remains unaware that their microphone or camera is active.
Furthermore, the malware includes an undocumented crash reporter monitoring system. If the spyware causes the device to crash (a common side effect of unstable exploits), it attempts to scrub the evidence before forensic analysts can retrieve it.
Perhaps the most telling find is a stubbed function explicitly checking for Corellium, a cloud-based iOS virtualization platform widely used by the security research community. While the function wasn’t active in the analyzed sample, its existence is a smoking gun.
“The presence of the is_corellium() stub shows they’re watching our tools as closely as we’re watching theirs.”
This indicates that commercial spyware vendors are not just designing products to evade consumer antivirus software; they are actively engineering their tools to detect and bypass the specific environments used by professional malware analysts.
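The two identifiers the report names, the CSWatcherSpawner class and the is_corellium() stub, are the kind of artefact an analyst can hunt for when triaging an unknown iOS binary. The following Python helper is an added example, not code from Jamf or from the Predator sample: it pulls printable strings out of a blob the way the `strings` utility does and reports which of those two indicators appear. The sample bytes are constructed, and the check is deliberately a weak triage signal: a build that strips or obfuscates symbol names will not match, so a hit is a reason to look closer, and a miss proves nothing.

```python
"""Triage helper: look for symbol names cited in Jamf's Predator analysis.

Added example, not Jamf's or Intellexa's code. Only the two identifiers
below come from the published analysis; every other byte here is constructed.
"""
import re

# Identifiers named in the report. Anything else in this file is an assumption.
INDICATOR_STRINGS = (b"CSWatcherSpawner", b"is_corellium")


def extract_strings(data: bytes, min_len: int = 6) -> list[bytes]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def scan_indicators(data: bytes) -> dict[str, list[str]]:
    """Map each indicator to the extracted strings that contain it."""
    hits: dict[str, list[str]] = {ind.decode(): [] for ind in INDICATOR_STRINGS}
    for s in extract_strings(data):
        for ind in INDICATOR_STRINGS:
            if ind in s:
                # Mangled C++ names keep the class name intact, so substring match suffices.
                hits[ind.decode()].append(s.decode())
    return hits


def is_suspicious(data: bytes) -> bool:
    """True when any indicator string was found; a negative result is not a clean bill."""
    return any(scan_indicators(data).values())


# Constructed stand-in for a Mach-O blob: a mangled C++ symbol and a C-style stub name.
SAMPLE = (
    b"\x00\x01junk\x00__ZN16CSWatcherSpawner5startEv\x00\x7f"
    b"\x00_is_corellium\x00hello\x00"
)

if __name__ == "__main__":
    for name, matches in scan_indicators(SAMPLE).items():
        print(f"{name}: {matches or 'not found'}")
    print("suspicious:", is_suspicious(SAMPLE))
```

Run it against a real binary by reading the file in binary mode and passing the bytes to `scan_indicators`; on a hit, move to a disassembler to confirm what the referenced function actually does rather than relying on the name alone.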