If you thought mercenary spyware companies were shrinking under geopolitical pressure, think again. Intellexa, a notorious shadowy player in the cyber surveillance sector, keeps pushing forward, exploiting unknown security holes to plant its spyware on unsuspecting users' devices. Despite sanctions aimed at throttling its operations, Intellexa simply sidesteps restrictions, quietly refining its toolkit and expanding its grip.
Google’s Threat Intelligence Group (GTIG) has put Intellexa on the radar by revealing that, since 2021, it has tracked around 70 zero-day vulnerabilities in active use, 15 of which are attributed to Intellexa. This isn’t casual or minor involvement; it’s aggressive exploitation of critical vulnerability classes such as Remote Code Execution (RCE), Sandbox Escape (SBX), and Local Privilege Escalation (LPE), primarily hitting mobile browsers.
Predator Spyware: More Than Just a Name
Intellexa’s “Predator” spyware is not some ordinary threat. This malware gives its operators, whether remote criminals, governments, or whoever’s paying, deep, active control over the infected device. Its exploitation range stretches from Android and iOS to desktop Chrome browsers, using documented vulnerabilities that let operators seize control stealthily.
The modular “JSKit” framework they use on iOS is particularly interesting. Google suspects Intellexa didn’t write this code themselves but bought or inherited it from external sources, such as other surveillance companies or even government-backed hackers. It’s a well-oiled machine that runs native code on Apple hardware by parsing Mach-O binaries straight in memory, thereby bypassing many traditional security mechanisms.
Once the device is compromised, a complicated payload named PREYHUNTER deploys helper and watcher modules that ensure the spyware remains hidden while pulling off highly invasive tasks: recording VOIP calls, keylogging, taking photos—in short, spying in ways you wouldn’t imagine unless you were part of a spy thriller.
Targets and Tactical Reach
This isn’t a small-scale operation either. Intellexa’s spyware has been spotted targeting victims all over the map: Egypt, Saudi Arabia, Pakistan, Kazakhstan, Angola, Uzbekistan, Tajikistan. You wouldn’t want to be on that list. The spyware’s capacity to exploit fresh zero-day vulnerabilities months or even years after discovery means you can’t just patch once and forget about it.
Let’s not forget the Chrome browser exploits focused on the V8 JavaScript engine. The use of a specific type confusion bug (CVE-2025-6554) last spotted in Saudi Arabia shows Intellexa’s continued effort to find and exploit the weak spots in the most widely used software.
Google Takes the Fight to Intellexa
Google isn’t standing idly by. It has sent direct warnings to hundreds of users targeted by Intellexa-linked attacks since 2023. It might not sound glamorous—mass emails alerting users that they might be under surveillance—but it’s a necessary disruption in a long game of cat and mouse.
Yet this public disclosure also highlights a bitter truth: companies and governments have access to intelligence on such abuses, but the ecosystem enabling spyware sales is still thriving. Sanctions or official crackdowns seem to do little against vendors nimble enough to evade restrictions through technical means and by keeping a low profile.
What This Means for You
If you’re an everyday internet user, you might think, "This won’t touch me." But those zero-day exploits are like open invitations to anyone with malicious intent to hack into your device. Whether it’s an activist, a journalist, a dissident, or just a regular person in a risky country, these spyware attacks are real and relentless.
What can you do? Stay updated on your device’s software, but also be aware that patching won’t always suffice because these attackers operate ahead of typical vulnerability fixes. Be vigilant about what links, attachments, or apps you open. But remember: Intellexa and companies like it aren’t your average script kiddies; they operate with resources and an aggressiveness that could scare even the most hardened cybersecurity experts.
As Intellexa continues to stretch its reach, this saga isn’t just a story about a spyware vendor. It’s about the persistent vulnerability of the digital world and how shadow markets operate, unhindered in their craft despite public exposure and sanctions. You might not be a target today, but the methods they use make the possibility less about "if" and more about "when." Stay alert.


