Spyware vendor targets Egyptian orgs with rare iOS exploit chain
October 23, 2023
An Israeli surveillanceware company used the three Apple zero-day vulnerabilities disclosed last week to build an exploit chain for iPhones, and a Chrome zero-day to exploit Android devices, all in a novel attack on Egyptian organizations.
According to a recent report from Google’s Threat Analysis Group (TAG), the company — which calls itself “Intellexa” — used the special access it gained through the exploit chain to install its signature “Predator” spyware against unnamed targets in Egypt.
Predator was first developed by Cytrox, one of a number of spyware developers that have been absorbed under the umbrella of Intellexa in recent years, according to TAG. The company is a known threat: Intellexa had previously deployed Predator against Egyptian citizens back in 2021.
Intellexa’s iPhone infections in Egypt began with man-in-the-middle (MITM) attacks: an on-path attacker intercepted users as they attempted to reach plaintext HTTP sites and injected a redirect into the response. Encrypted HTTPS requests were not affected, since the attacker could neither read nor alter their contents.
“The use of MITM injection gives the attacker a capability where they don’t have to rely on the user to take a typical action like clicking a specific link, opening a document, etc.,” TAG researchers note via email. “This is similar to zero-click exploits, but without having to find a vulnerability in a zero-click attack surface.”
They added, “this is yet another example of the harms caused by commercial surveillance vendors and the threats they pose not only to individuals, but society at large.”
3 Zero-Days in iOS, 1 Attack Chain
Using the MITM gambit, users were redirected to an attacker-controlled site. From there, if the ensnared user was the intended target — each attack being aimed only at specific individuals — they would be redirected to a second domain, where the exploit would trigger.
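The first stage described above, a redirect injected into a plaintext HTTP response that sends the victim to an attacker-controlled host, leaves a signal that network telemetry can catch. The following is an added example, not code from the TAG report, Dark Reading, or Intellexa: a small detector that scans constructed proxy-style log records and flags plaintext requests that were redirected to a different host. The log format, the host names and the allowlist are all assumptions made up for this illustration; same-host HTTP-to-HTTPS upgrades, the common benign case, are ignored, and HTTPS records are skipped because the page notes they were not affected.

```python
"""Flag plaintext-HTTP responses that redirect a client to a different host.

Added illustration, not the TAG report's tooling. The record format below is
constructed for this example and is not the schema of any real proxy or sensor:
    ts  client  scheme  host  uri  status  location   (tab-separated, "-" = none)
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class HttpRecord:
    ts: str
    client: str
    scheme: str
    host: str
    uri: str
    status: int
    location: Optional[str]


def parse_line(line: str) -> Optional[HttpRecord]:
    """Parse one constructed log line; return None for comments or malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7 or fields[0].startswith("#"):
        return None
    ts, client, scheme, host, uri, status, location = fields
    return HttpRecord(ts, client, scheme.lower(), host.lower(), uri, int(status),
                      None if location == "-" else location)


def normalise_host(host: str) -> str:
    """Lower-case, strip a trailing dot and a leading 'www.' so www.x and x compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def is_suspicious(rec: HttpRecord, allowlist: Iterable[Tuple[str, str]] = ()) -> bool:
    """True when a plaintext HTTP request was answered with a redirect to another host.

    HTTPS records are skipped: an on-path attacker cannot inject into them, so the
    signal does not apply. Same-host redirects (typically the http -> https upgrade)
    and (source, destination) pairs on the allowlist are treated as benign.
    """
    if rec.scheme != "http" or rec.status not in REDIRECT_CODES or not rec.location:
        return False
    target = urlsplit(rec.location)
    if not target.netloc:  # relative Location header: stays on the same host
        return False
    src, dst = normalise_host(rec.host), normalise_host(target.hostname or "")
    if src == dst:
        return False
    return (src, dst) not in set(allowlist)


def scan(lines: Iterable[str], allowlist: Iterable[Tuple[str, str]] = ()) -> List[HttpRecord]:
    """Return the records that look like injected cross-host redirects."""
    allow = set(allowlist)
    return [r for r in (parse_line(line) for line in lines) if r and is_suspicious(r, allow)]


# Constructed sample records (hosts are placeholders, not real indicators).
SAMPLE_LOG = [
    "#fields\tts\tclient\tscheme\thost\turi\tstatus\tlocation",
    "2023-09-20T10:00:00Z\t10.0.0.5\thttp\texample.org\t/\t301\thttps://example.org/",
    "2023-09-20T10:00:02Z\t10.0.0.5\thttp\tnews.example\t/index.html\t302\thttp://cdn-assets.example/r?u=1",
    "2023-09-20T10:00:03Z\t10.0.0.5\thttps\tbank.example\t/login\t302\thttp://other.example/",
    "2023-09-20T10:00:04Z\t10.0.0.7\thttp\tshort.example\t/abc\t301\thttps://www.news.example/story",
    "2023-09-20T10:00:05Z\t10.0.0.7\thttp\twww.example.org\t/page\t200\t-",
    "2023-09-20T10:00:06Z\t10.0.0.7\thttp\texample.org\t/old\t302\t/new",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, allowlist=[("short.example", "news.example")]):
        print(f"{hit.ts} {hit.client} http://{hit.host}{hit.uri} -> {hit.location}")
```

On a real network this heuristic is noisy (link shorteners, CDN front doors, SSO bounces), which is what the allowlist is for; the useful property is that the Intellexa-style injection only works on plaintext HTTP, so restricting the rule to that scheme keeps the candidate set small. It is a triage aid for packet or proxy logs after the fact, not a substitute for HSTS and for avoiding plaintext browsing on hostile networks.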
To read the complete article, visit Dark Reading.