Intellexa Spyware Leaks: Zero-Days and Ads-Based Attacks on Android & iOS Devices (2026)

Imagine receiving a seemingly innocent message on WhatsApp, only to discover it's a sophisticated trap designed to spy on your every move. This is the chilling reality exposed by the recent Intellexa leaks, which reveal the inner workings of the Predator spyware and its alarming delivery methods. But here's where it gets even more disturbing: the leaks suggest that this invasive tool has been used to target a human rights lawyer in Pakistan's Balochistan province, marking the first known instance of a civil society member in the country falling victim to such an attack. According to Amnesty International, the suspicious link sent via WhatsApp was a 'Predator attack attempt,' characterized by technical signatures consistent with previously observed 1-click infection links. Pakistan, however, has vehemently denied these claims, stating there's 'not an iota of truth' in them. But is this just the tip of the iceberg?

These revelations stem from a joint investigation by Israeli newspaper Haaretz, Greek news site Inside Story, and Swiss tech site Inside IT, based on leaked documents, internal communications, sales materials, and training videos from Intellexa. The company is behind Predator, a mercenary spyware tool akin to NSO Group's Pegasus, capable of covertly extracting sensitive data from Android and iOS devices. Interestingly, Predator has also been marketed under aliases like Helios, Nova, Green Arrow, and Red Arrow, highlighting the complexity and secrecy surrounding its operations.

What makes Predator particularly insidious is its use of zero-day exploits and ads-based vectors for delivery. These methods exploit undisclosed vulnerabilities in popular messaging platforms, requiring victims to click on a malicious link to initiate the infection. Once clicked, the spyware leverages browser exploits in Google Chrome or Apple Safari to gain access to the device and download its payload. Google's Threat Intelligence Group (GTIG) has linked Intellexa to the exploitation of multiple zero-days, including:

  • CVE-2025-48543: Use-after-free in Android Runtime (Google)
  • CVE-2025-6554: Type confusion in V8 (Google Chrome)
  • CVE-2023-41993: WebKit JIT RCE (Apple Safari)
  • CVE-2023-41992: Kernel IPC use-after-free (Apple)
  • CVE-2023-41991: Certificate validation bypass in Security framework (Apple)
  • CVE-2024-4610: Use-after-free in Bifrost GPU and Valhall GPU Kernel Driver (Arm)
  • CVE-2023-4762: Type confusion in V8 (Google Chrome)
  • CVE-2023-3079: Type confusion in V8 (Google Chrome)
  • CVE-2023-2136: Integer overflow in Skia (Google Chrome)
  • CVE-2023-2033: Use-after-free in V8 (Google Chrome)
  • CVE-2021-38003: Inappropriate implementation in V8 (Google Chrome)
  • CVE-2021-38000: Insufficient validation of untrusted input in Intents (Google Chrome)
  • CVE-2021-37976: Information leak in memory_instrumentation (Google Chrome)
  • CVE-2021-37973: Use-after-free in Portals (Google Chrome)
  • CVE-2021-1048: Use-after-free in Android Kernel (Google)

One notable example is the iOS zero-day exploit chain used in Egypt in 2023, which leveraged CVE-2023-41993 and the JSKit framework to execute native code. Alarmingly, the same exploit was later observed in a watering hole attack by Russian state-backed hackers against Mongolian government websites, raising questions about the origin and proliferation of these tools. Google describes JSKit as a 'well-maintained' framework capable of parsing in-memory Mach-O binaries and executing them directly from memory, making it a powerful tool for attackers.

But here's the part most people miss: Once installed, Predator doesn't just collect data—it actively monitors and records everything from messaging app conversations and emails to device locations, screenshots, and even passwords. It can also activate the device's microphone and camera, turning everyday tools into instruments of surveillance. The collected data is then exfiltrated to an external server located in the customer's country, adding another layer of complexity to the ethical and legal implications of such tools.

Intellexa and its executives faced U.S. sanctions last year for developing and distributing Predator, yet Recorded Future's Insikt Group detected Predator-related activity in over a dozen countries, primarily in Africa, as recently as June 2025. This suggests a growing demand for spyware tools, despite public outcry and regulatory actions. And this is where it gets controversial: The leaks reveal that Intellexa staff allegedly had the ability to remotely access the surveillance systems of their customers, including those of governmental entities, using TeamViewer. This raises serious questions about the company's human rights due diligence and potential liability in cases of misuse.

Amnesty International's Jurre van Bergen aptly notes, 'If a mercenary spyware company is found to be directly involved in the operation of its product, then by human rights standards, it could potentially leave them open to claims of liability in cases of misuse.' This interpretation underscores the urgent need for greater transparency and accountability in the spyware industry.

Another alarming aspect is Intellexa's use of tactical and strategic delivery vectors to trigger the opening of malicious links without user interaction. These include systems like Triton, Thor, and Oberon, as well as network injection systems like Mars and Jupiter, which rely on cooperation with mobile operators or ISPs to execute adversary-in-the-middle (AitM) attacks. Perhaps most concerning is the Aladdin system, which exploits the mobile advertising ecosystem to carry out zero-click attacks simply by displaying a specially-crafted ad on the target's device. Amnesty explains, 'This malicious ad could be served on any website which displays ads,' highlighting the pervasive nature of this threat.

Google has identified companies like Pulse Advertise and MorningStar TEC as likely tied to the Aladdin infection vector and has worked to shut down their accounts. However, evidence suggests that Intellexa customers in countries like Saudi Arabia, Kazakhstan, Angola, and Mongolia continue to communicate with Predator's infrastructure, indicating ongoing use of the spyware.

As we grapple with these revelations, a critical question arises: How can we balance national security interests with the fundamental right to privacy? The Intellexa leaks not only expose the technical sophistication of modern spyware but also the ethical dilemmas they pose. What do you think? Is the use of such tools ever justifiable, or do they inherently violate human rights?

Article information

Author: The Hon. Margery Christiansen
