Predator spyware resurfaces with signs of activity, Recorded Future says | CyberScoop<\/title> <meta name=\"description\" content=\"Sanctions and public exposure might have driven Intellexa into silence for months, but that doesn\u2019t mean its Predator spyware is gone for good.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Predator spyware resurfaces with signs of activity, Recorded Future says\"> <meta property=\"og:description\" content=\"Sanctions and public exposure might have driven Intellexa into silence for months, but that doesn\u2019t mean its Predator spyware is gone for good.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-09-05T14:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2024-09-04T21:47:21+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Tim Starks\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@timstarks\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1721926675g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1725476969g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1724269863g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/81646\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.6.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=81646\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fpredator-spyware-resurfaces-with-signs-of-activity-recorded-future-says%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fpredator-spyware-resurfaces-with-signs-of-activity-recorded-future-says%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-81646 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"4.952380952381\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Voting is open for the 2024 CyberScoop 50 awards! <\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/vote\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.883858267717\">\n<div class=\"single-article__header-content\" readability=\"31.274809160305\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/geopolitics\/\"> <span>Geopolitics<\/span> <\/a> <\/li>\n<\/ul>\n<p> Sanctions and public exposure might have driven Intellexa into silence for months, but that doesn\u2019t mean its Predator spyware is gone for good. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Congolese soldiers sit in their military vehicle at the base of the United Nations Organization Mission for the Stabilization of the Congo (MONUSCO) in Kamanyola, eastern Democratic Republic of Congo, on Feb. 28. (Photo by Glody MURHABAZI \/ AFP) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"30.976860254083\"><body readability=\"64.900417827298\"><\/p>\n<p>It was probably only a matter of time, after a quiet spell, before the Predator spyware showed new signs of life.<\/p>\n<p>Recorded Future\u2019s Insikt Group, in <a href=\"https:\/\/www.recordedfuture.com\/research\/predator-spyware-infrastructure-returns-following-exposure-sanctions\">research published Thursday<\/a> and shared exclusively with CyberScoop, said it has observed new infrastructure and domains connected to the infamous spyware, which has targeted members of the U.S. Congress, United Nations officials and more. It also identified a likely new customer in the Democratic Republic of the Congo among the four clusters of activity.<\/p>\n<p>Predator is the handiwork of European-based Intellexa. U.S. sanctions, along with exposure in the media and by threat researchers, may have <a href=\"https:\/\/cyberscoop.com\/sanctioned-and-exposed-predator-spyware-maker-group-has-gone-awfully-quiet\/\">dented its operations for many months<\/a>, leading to lower visibility. But it was unclear to observers how long it might take for the spyware to resurface.<\/p>\n<p>\u201cOur findings show that while Predator operators did modify certain aspects of their infrastructure in response to public reporting, including elements of their higher-tier infrastructure and tactics for detection evasion, they maintain their operations with minimal changes and often reuse previously identified infrastructure, in line with previous observations,\u201d according to Recorded Future.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The report states that one change to the infrastructure has made country-specific attribution more difficult. But the firm was able to trace three of the four clusters to \u201clikely\u201d customers in Angola, Saudi Arabia and Congo. The fourth has potential connections to Madagascar and the United Arab Emirates.<\/p>\n<p>The signs of Predator activity don\u2019t necessarily invalidate the notion that the sanctions and public reporting made life harder on Intellexa, said Julian-Ferdinand V\u00f6gele, a threat researcher with the Insikt Group. Intellexa has been forced to adjust to the exposure \u2014 including dismantling some of the exposed infrastructure, according to the report \u2014 and could still be suffering reputational damage with potential customers, he told CyberScoop.<\/p>\n<p>In the case of Congo, Recorded Future\u2019s assumption is that the customer is tied to the government, but it\u2019s a \u201cgray area\u201d that could include contractors, V\u00f6gele said.<\/p>\n<p><a href=\"https:\/\/www.amnesty.org\/en\/latest\/news\/2023\/10\/global-predator-files-spyware-scandal-reveals-brazen-targeting-of-civil-society-politicians-and-officials\/\">The Predator Files project<\/a> last year found evidence of Predator products being sold in a number of countries, including Congo. V\u00f6gele said the purpose of the customer in Congo would be speculation, but the report mentioned conflicts between Congolese authorities and armed groups, and said that one of domains \u201cassociated with the cluster linked to the DRC has a clear connection to the eastern provinces,\u201d nyirangongvrai[.]com. \u201cMount Nyiragongo, a volcano located within Virunga National Park, is situated in a region heavily affected by armed conflict.\u201d<\/p>\n<p>The Congo embassy in Washington, D.C., directed inquiries for this story to an email account. That account did not respond to a request for comment.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"author-card\" readability=\"7.7216117216117\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says-1.jpg?w=640&ssl=1\" alt=\"Tim Starks\"> <\/figure>\n<\/p><\/div>\n<div class=\"author-card__details\" readability=\"10.901098901099\">\n<h4 class=\"author-card__name\">Written by Tim Starks<\/h4>\n<p> Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: <a href=\"mailto:tim.starks@cyberscoop.com\">tim.starks@cyberscoop.com<\/a>. <\/div>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Predator spyware resurfaces with signs of activity, Recorded Future says<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2605,2606,655,1024,302,1629,2607,1630,268,2015,482,2292,2293,871],"tags":[2608,2609,657,1025,306,1632,2610,1633,274,2017,484,2301,2302,872],"class_list":["post-5157","post","type-post","status-publish","format-standard","hentry","category-angola","category-congo","category-congress","category-europe","category-geopolitics","category-intellexa","category-madagascar","category-predator","category-privacy","category-recorded-future","category-spyware","category-united-arab-emirates","category-united-arab-emirates-uae","category-united-nations","tag-angola","tag-congo","tag-congress","tag-europe","tag-geopolitics","tag-intellexa","tag-madagascar","tag-predator","tag-privacy","tag-recorded-future","tag-spyware","tag-united-arab-emirates","tag-united-arab-emirates-uae","tag-united-nations"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/angola\/\" rel=\"category tag\">Angola<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/congo\/\" rel=\"category tag\">Congo<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/congress\/\" rel=\"category tag\">Congress<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/europe\/\" rel=\"category tag\">Europe<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/intellexa\/\" rel=\"category tag\">Intellexa<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/madagascar\/\" rel=\"category tag\">Madagascar<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/predator\/\" rel=\"category tag\">Predator<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/privacy\/\" rel=\"category tag\">Privacy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/recorded-future\/\" rel=\"category tag\">Recorded Future<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/spyware\/\" rel=\"category tag\">spyware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/united-arab-emirates\/\" rel=\"category tag\">United Arab Emirates<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/united-arab-emirates-uae\/\" rel=\"category tag\">United Arab Emirates (UAE)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/united-nations\/\" rel=\"category tag\">United Nations<\/a>","tag_info":"United Nations","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5157"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5157\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":5157,"date":"2024-09-05T09:00:00","date_gmt":"2024-09-05T14:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=81646"},"modified":"2024-09-05T09:00:00","modified_gmt":"2024-09-05T14:00:00","slug":"predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/09\/05\/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says\/","title":{"rendered":"Predator spyware resurfaces with signs of activity, Recorded Future says"},"content":{"rendered":"