The mercenary spyware industry remains a persistent and adaptable threat, with the notorious vendor Intellexa continuing to expand its arsenal despite facing significant geopolitical headwinds. A new report from the Google Threat Intelligence Group (GTIG) reveals that the company, known for its “Predator” spyware, is not only surviving US sanctions but actively “evading restrictions and thriving” by exploiting a steady stream of zero-day vulnerabilities.
Intellexa has carved out a formidable reputation in the surveillance market. According to Google’s analysis, the vendor has “solidified its position as one of, if not the most, prolific spyware vendors exploiting zero-day vulnerabilities against mobile browsers”.
The scale of their operations is staggering. Since 2021, Google has tracked approximately 70 zero-day vulnerabilities used in the wild. Of those, “Intellexa accounts for 15 unique zero-days, including Remote Code Execution (RCE), Sandbox Escape (SBX), and Local Privilege Escalation (LPE) vulnerabilities”.
The report details a sophisticated iOS exploit chain, referred to internally by Intellexa as “smack,” which was deployed against targets in Egypt to install the Predator spyware.
This chain relied on a framework Google calls “JSKit”. This modular toolkit is designed to execute native code on Apple devices by parsing Mach-O binaries directly in memory. Interestingly, Google researchers assess that Intellexa likely didn’t build this themselves.
“We believe that Intellexa acquired their iOS RCE exploits from an external entity, as we have seen this exact same JSKit framework used by other surveillance vendors and government-backed attackers since 2021,” the report states.
Once the device is compromised, a payload tracked as PREYHUNTER is deployed. This stage consists of “helper” and “watcher” modules that ensure the implant remains hidden while performing surveillance tasks. Using custom hooking frameworks (“DMHooker” and “UMHooker”), the malware can record VOIP calls, run keyloggers, and capture photos.
Intellexa’s reach extends beyond iPhones. The group has also deployed custom frameworks to exploit Chrome, specifically targeting the V8 JavaScript engine. Most recently, in June 2025, they were observed exploiting CVE-2025-6554 in Saudi Arabia—a type confusion error that allowed them to leak memory objects.
In a concerning shift in tactics, the vendor has also moved into the advertising space. “We have also observed another tactic with a few customers—the use of malicious advertisements on third-party platforms to fingerprint users and redirect targeted users to Intellexa’s exploit delivery servers”.
In response to these findings, Google is taking direct action to warn potential victims. “We have made the decision to simultaneously deliver our government-backed attack warning to all known targeted accounts associated with Intellexa’s customers since 2023,” the report announces.
This mass notification covers hundreds of users across Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia, and Tajikistan, signaling a major escalation in the tech giant’s fight against the commercial spyware trade.