
Predator spyware demonstrates troubleshooting, researcher-dodging capabilities

14 January 2026 at 13:16

Predator spyware operators have the ability to recognize why an infection failed, and the tech has more sophisticated capabilities for averting detection than previously known, according to research published Wednesday.

Jamf Threat Labs found from an analysis of a Predator sample that it has an error code system that can alert operators to why an implant didn’t stick, with “error code 304” signifying that a target was running security or analysis tools.

“This error code system transforms failed deployments from black boxes into diagnostic events,” Shen Yuan and Nir Avraham wrote for the company. “When an operator deploys Predator against a target and receives error code 304, they know the target is running security tools — not that the exploit failed, not that the device is incompatible, but specifically that active analysis is occurring.

“This has direct implications for targeted individuals: if security analysis tools like Frida are running, Predator will abort deployment and report error code 304 to operators, who can then troubleshoot why their deployment failed,” they continued.

Furthermore, the capability to detect specific security tools reveals more about Predator’s workings.

“The inclusion of netstat is noteworthy — it suggests Predator is concerned about targets who might be monitoring their own network connections, not just researchers with specialized tools,” the researchers wrote. “A privacy-conscious user simply checking their network connections would trigger this detection.”

And Predator suppresses crash logs that can help detect infection attempts, Jamf concluded.

It’s the second time in as many months that researchers have uncovered capabilities that differentiate Predator, made by Intellexa, from competitors.

Jamf said the results of its analysis show that Predator is interested in dodging both spyware researchers and security products, and overall point to better anti-analysis capabilities than those that have been previously documented.

The post Predator spyware demonstrates troubleshooting, researcher-dodging capabilities appeared first on CyberScoop.

Treasury removes Intellexa spyware-linked trio from sanctions list

2 January 2026 at 11:00

The Trump administration this week removed three Iranians from its sanctions list who were previously accused of working for Intellexa, the consortium behind the Predator spyware that recent investigations say has circumvented human rights safeguards.

The Biden administration imposed sanctions against the trio in 2024 as part of a broader move to sanction spyware operators. The Treasury Department noted the deletions this week as part of other sanctions moves.

Under the prior sanctions designations, the Biden administration said that Merom Harpaz was manager of Intellexa S.A., a member of the consortium; that Andrea Nicola Constantino Hermes Gambazzi was functionally the owner of Thalestris Limited and Intellexa Limited, two other consortium members; and that Sara Aleksandra Fayssal Hamou was a corporate off-shoring specialist who has provided managerial services to the Intellexa Consortium.

While the Tuesday notice about the sanctions removal provided no explanation, “this removal was done as part of the normal administrative process in response to a petition request for reconsideration,” a U.S. official told CyberScoop.

“Each individual has demonstrated measures to separate themselves from the Intellexa Consortium and it has been determined that the circumstances resulting in the sanction no longer apply,” the official said. “The power of sanctions derives not only from the ability to designate individuals, but also from our willingness to remove sanctions consistent with the law.”

Only last month, an investigation concluded that despite sanctions against those three individuals and others, Intellexa had retained the capacity to remotely access the systems of Predator customers, raising human rights questions. Other reports from last month found evidence of expanded Predator targeting and exploitation of malicious mobile advertisements to infect targets.

Researchers and advocates who work on spyware issues found the sanctions removals concerning.

“The public deserves to know what evidence exists to prove that these individuals have ceased their involvement with Intellexa,” Natalia Krapiva, senior tech-legal counsel at Access Now, wrote on Bluesky.

John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, said on X that he found the removals “puzzling,” adding that “Some in the mercenary spyware ecosystem are probably reading today’s Intellexa exec [delisting] as: ‘scoff at US, help hack Americans & you can still skirt consequences with the right lobbying.’”

The post Treasury removes Intellexa spyware-linked trio from sanctions list appeared first on CyberScoop.

Intellexa remotely accessed Predator spyware customer systems, investigation finds

4 December 2025 at 17:24

Leaked training videos suggest that Intellexa retained the ability to remotely access the systems of customers who had used its Predator spyware, raising questions about human rights safeguards, according to an investigation published Thursday.

That was just one finding from a series of separate but overlapping probes released over the past 24 hours. The training video revelations came via a joint investigation by Inside Story, Haaretz and WAV Research Collective in partnership with Amnesty International. Google and Recorded Future also published research Thursday about Intellexa.

“The fact that, at least in some cases, Intellexa appears to have retained the capability to remotely access Predator customer logs – allowing company staff to see details of surveillance operations and targeted individuals – raises questions about its own human rights due diligence processes,” Jurre van Bergen, technologist at Amnesty International Security Lab, said in a news release.

“If a mercenary spyware company is found to be directly involved in the operation of its product, then by human rights standards, it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused by the use of spyware,” he continued.

The “Intellexa Leaks” investigation learned more about the U.S.-sanctioned company’s operations as well. One revelation was that Intellexa was exploiting malicious mobile advertisements to infect targets, a vector named “Aladdin,” investigators concluded.

Other findings include confirmation of Predator domains imitating legitimate Kazakhstani news sites, and additional evidence linking Predator spyware to surveillance of prominent Egyptian political activist Ayman Nour and Greek investigative journalist Thanasis Koukakis, according to Amnesty. And the news publications reported on the first reported Predator infection in Pakistan, of a human rights lawyer, and additional targeting in the country.

A lawyer for Intellexa founder Tal Dilian only responded in part to questions from Haaretz, the publication reported, saying that “progressive groups rely on biased and politically motivated international organizations that spread unfounded claims, and use journalists as ‘useful idiots,’ who repeatedly publish so-called investigative reports directed by the same actors.”

The attorney added: “I have not committed any crime nor operated any cyber system in Greece or anywhere else. Any claim suggesting otherwise is false and defamatory. I categorically reject any attempt to link me to events in Greece or to the media campaign surrounding them. I protect my rights and will continue pursuing legal action against those who defame me.”

Recorded Future’s Insikt Group, meanwhile, published a study on individuals and groups connected to Intellexa.

“These connections span technical, operational, and corporate roles, including backend development, infrastructure setup, and company formation,” wrote Julian-Ferdinand Vögele, principal threat researcher. “In addition, Recorded Future’s proprietary intelligence revealed ongoing Predator spyware activity in multiple countries, including new evidence of its deployment in Iraq.”

On Wednesday, Google said it had identified the companies Intellexa had created to infiltrate the advertising ecosystems, with partners subsequently shutting down the accounts.

Additionally, the firm pointed to one way Intellexa stands out among others.

“Over the past several years, Intellexa has solidified its position as one of, if not the most, prolific spyware vendors exploiting zero-day vulnerabilities against mobile browsers,” a blog post from Google Threat Intelligence Group reads. “Despite the consistent efforts of security researchers and platform vendors to identify and patch these flaws, Intellexa repeatedly demonstrates an ability to procure or develop new zero-day exploits, quickly adapting and continuing operations for their customers.”

The post Intellexa remotely accessed Predator spyware customer systems, investigation finds appeared first on CyberScoop.
