{"id":2657,"date":"2024-03-04T19:19:14","date_gmt":"2024-03-04T19:19:14","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=79610"},"modified":"2024-03-04T19:19:14","modified_gmt":"2024-03-04T19:19:14","slug":"predator-spyware-infrastructure-taken-down-after-exposure","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/03\/04\/predator-spyware-infrastructure-taken-down-after-exposure\/","title":{"rendered":"Predator spyware infrastructure taken down after exposure"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Predator spyware infrastructure taken down after exposure | CyberScoop<\/title> <meta name=\"description\" content=\"For the second time in six months, the operators of the Predator spyware burned down their infrastructure after it was publicly documented.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/predator-spyware-infrastructure-taken-down\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Predator spyware infrastructure taken down after exposure\"> <meta property=\"og:description\" content=\"For the second time in six months, the operators of the Predator spyware burned down their infrastructure after it was publicly documented.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/predator-spyware-infrastructure-taken-down\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-03-04T19:19:14+00:00\"> <meta property=\"article:modified_time\" content=\"2024-03-04T19:46:01+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/predator-spyware-infrastructure-taken-down-after-exposure-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1080\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\"> <!-- \/ Yoast SEO Premium plugin. --> <\/head><body class=\"post-template-default single single-post postid-79610 single-format-standard\" id=\"readabilityBody\"> <\/p>\n<p> <main id=\"main\" 
role=\"main\" tabindex=\"-1\"> <\/p>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.545454545455\">\n<div class=\"single-article__header-content\" readability=\"31.655172413793\">\n<p> For the second time in six months, the operators of the Predator spyware burned down their infrastructure after it was publicly documented. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/predator-spyware-infrastructure-taken-down-after-exposure.jpg?resize=640%2C360&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/predator-spyware-infrastructure-taken-down-after-exposure-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/predator-spyware-infrastructure-taken-down-after-exposure-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/predator-spyware-infrastructure-taken-down-after-exposure-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/predator-spyware-infrastructure-taken-down-after-exposure-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/predator-spyware-infrastructure-taken-down-after-exposure-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/predator-spyware-infrastructure-taken-down-after-exposure-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/predator-spyware-infrastructure-taken-down-after-exposure-2.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/predator-spyware-infrastructure-taken-down-after-exposure-2.jpg?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> Data center with abstract connections. (imaginima\/Getty Images). 
<\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"32.995003028468\"><body readability=\"66.549529067879\"><\/p>\n<p>After its infrastructure <a href=\"https:\/\/cyberscoop.com\/predator-spyware-endures-after-exposure\/\">was exposed<\/a> in a pair of reports last week, the operators of the Predator spyware platform over the weekend dismantled a swath of the delivery servers that are used to administer the tool. <\/p>\n<p>The move to spin down the servers came after researchers with <a href=\"https:\/\/cyberscoop.com\/predator-spyware-endures-after-exposure\/\">Recorded Future\u2019s Insikt Group<\/a> and <a href=\"https:\/\/blog.sekoia.io\/the-predator-spyware-ecosystem-is-not-dead\/\">Sekoia<\/a> separately published analyses detailing how the operators of Predator \u2014 one of a number of digital tools billed as a platform to combat crime and terrorism but <a href=\"https:\/\/www.amnesty.org\/en\/latest\/news\/2023\/10\/global-predator-files-spyware-scandal-reveals-brazen-targeting-of-civil-society-politicians-and-officials\/\">widely abused<\/a> to violate human rights \u2014 had rebuilt their technical infrastructure after an earlier instance in which it had been exposed by researchers. <\/p>\n<p>The takedown marks the second time in about six months that the operators of the spyware have pulled down Predator\u2019s infrastructure after it was exposed, illustrating what has become a cat-and-mouse game between researchers who seek to understand and publicly document the spyware industry and companies trying to operate undetected. 
<\/p>\n<p>The first wind down occurred in the weeks following the October 2023 publication of \u201c<a href=\"https:\/\/eic.network\/projects\/predator-files.html\">The Predator Files<\/a>,\u201d in which a consortium of news outlets working together with Amnesty International\u2019s Security Lab detailed how the tool <a href=\"https:\/\/www.amnesty.org\/en\/latest\/news\/2023\/10\/global-predator-files-spyware-scandal-reveals-brazen-targeting-of-civil-society-politicians-and-officials\/\">had been abused<\/a> to target civil society, journalists, politicians and academics. <\/p>\n<p>That the operators took down the delivery infrastructure is \u201csomewhat unsurprising but certainly interesting,\u201d Julian-Ferdinand V\u00f6gele, a threat analyst and the lead author of the Insikt Group\u2019s report, told CyberScoop on Monday.<\/p>\n<p>When confronted about the ways their tools are being abused, spyware companies often argue that their technologies cannot be centrally administered, but the \u201ccoordinated or simultaneous nature of the takedown\u201d indicates that a central player provides and manages the infrastructure, contrary to firms\u2019 typical arguments around \u201cplausible deniability,\u201d V\u00f6gele argued. <\/p>\n<p>The operators may face pressure from clients to swiftly establish new servers to continue operations or fulfill service agreements, V\u00f6gele added, and an open question is the degree to which the infrastructure will change. When Predator reconstituted after the reports published in October, for instance, its infrastructure saw only minor changes, he said.<\/p>\n<p>\u201cThe second in-depth public reporting on their infrastructure might now compel them to rebuild in a more substantial and distinct manner this time,\u201d V\u00f6gele said. 
<\/p>\n<p>Predator dates to at least 2019 and was originally developed by a firm known as Cytrox, which was eventually folded into a conglomeration of multiple entities under the \u201cIntellexa alliance\u201d umbrella, Vitor Ventura, a researcher with Cisco Talos, <a href=\"https:\/\/blog.talosintelligence.com\/intellexa-and-cytrox-intel-agency-grade-spyware\/\">said in a presentation<\/a> at the September 2023 LABScon security conference in Arizona.<\/p>\n<p>Both <a href=\"https:\/\/cyberscoop.com\/commerce-department-blacklists-spyware-companies\/\">Cytrox and Intellexa were blacklisted by the U.S. government<\/a> in July 2023.<\/p>\n<p>Neither Tal Dilian, the Israeli businessman behind Intellexa, nor his ex-wife and business partner who is also <a href=\"https:\/\/www.icij.org\/investigations\/cyprus-confidential\/israeli-predator-spyware-cyprus-offshore-intellexa\/\">reportedly<\/a> <a href=\"https:\/\/www.irishtimes.com\/technology\/2023\/07\/19\/who-are-intellexa-the-irish-spyware-company-placed-on-a-us-blacklist\/\">linked<\/a> to Intellexa, responded to a request for comment Monday.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.2297297297297\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/predator-spyware-infrastructure-taken-down-after-exposure-1.jpg?w=640&#038;ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). 
<\/p>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/article>\n<p> <\/main> <\/p>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" 
class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/predator-spyware-infrastructure-taken-down\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Predator spyware infrastructure taken down after exposure | CyberScoop Skip<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1628,1629,1630,482,1650,288],"tags":[1631,1632,1633,484,1651,294],"class_list":["post-2657","post","type-post","status-publish","format-standard","hentry","category-cytrox","category-intellexa","category-predator","category-spyware","category-tal-dilian","category-threats","tag-cytrox","tag-intellexa","tag-predator","tag-spyware","tag-tal-dilian","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cytrox\/\" rel=\"category tag\">Cytrox<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/intellexa\/\" rel=\"category tag\">Intellexa<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/predator\/\" rel=\"category tag\">Predator<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/spyware\/\" rel=\"category tag\">spyware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/tal-dilian\/\" rel=\"category tag\">Tal Dilian<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category 
tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2657","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2657"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2657\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2657"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2657"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2657"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}