December 21, 2023 at 12:18PM
Predator spyware, produced by the Intellexa Alliance, offers persistence across reboots as an add-on. It is closely tied to a companion component called Alien, targets Android and iOS, is sold for millions of dollars, and relies on exploit chains. Intellexa offloads attack setup to customers, maintaining plausible deniability. Public attribution efforts have had limited impact on its ability to conduct business.
Based on the meeting notes, the main takeaways are:
1. Intellexa Alliance, consisting of Cytrox, Nexa Technologies, and Senpai Technologies, produces the sophisticated commercial spyware called Predator, which has the ability to persist between reboots as an “add-on feature” depending on the licensing options chosen by a customer.
2. Predator spyware, targeting both Android and iOS, is described as a “remote mobile extraction system” sold on a licensing model running into millions of dollars, making it out of reach for script kiddies and novice criminals.
3. Cisco Talos researchers identified the symbiotic relationship between Predator and another component called Alien, emphasizing the need for public disclosure of technical analyses and tangible samples of mobile spyware to drive detection efforts and impose development costs on vendors by forcing them to constantly evolve their implants.
4. Intellexa’s supporting hardware is delivered at a terminal or airport using the Cost Insurance and Freight (CIF) mechanism, which lets the vendor claim plausible deniability; geographic limitations can be loosened for an additional fee.
5. Public exposure of private-sector offensive actors and their campaigns has had little impact on their ability to conduct and grow their business, indicating the need for broader public disclosure and scrutiny of the malware to drive detection efforts and impose development costs on vendors.