
Predator Spyware Bounces Back and Finds New Market


When U.S. and EU sanctions hit Intellexa, the company behind the Predator spyware platform, many observers predicted the mercenary‑surveillance market would retreat. Instead, freshly released telemetry from Recorded Future’s Insikt Group shows Predator morphing rather than melting away. Their latest report maps brand‑new command‑and‑control (C2) servers in Mozambique (the first public evidence of a customer there), plus infrastructure tied to a Prague‑based company and a brief Eastern‑European test cluster.

The findings are a reminder that sanctions alone won’t stop well‑funded spyware vendors. They also give defenders practical indicators of compromise and an up‑to‑date view of Predator’s latest evasion tactics.

What’s new in the report?

  • Mozambique joins the client list. Predator’s footprint now spans at least 14 countries, more than half of them in Africa.
  • Czech corporate link confirmed. An entity in Prague appears to be acting as a procurement or hosting partner, reinforcing earlier investigative journalism about European middlemen.
  • Short‑lived Eastern‑European cluster. A group of servers active from August to November 2024 looks like a staging ground for new exploits before global rollout.
  • New infrastructure camouflage. Operators are spinning up four decoy templates (fake 404 pages, bogus logins, “under construction” placeholders and spoofed conference sites) to disguise their C2 endpoints.

Why Predator Spyware keeps bouncing back

Sanctions pressure vs. adaptive corporate structures

Since July 2023, the Intellexa consortium and its subsidiaries have landed on multiple U.S. and EU sanction lists. Activity dipped for a few months but rebounded as the company splintered into new shell entities and shifted infrastructure to less regulated jurisdictions. Expect the same playbook after any future crackdowns.

A mid‑tier price tag fuels demand

Predator licenses reportedly cost €8‑10 million — cheaper than NSO Group’s Pegasus but still lucrative for the vendor. That affordability keeps smaller or resource‑constrained intelligence services in the game, driving expansion into emerging markets such as Mozambique.

Predator Spyware’s new infrastructure tricks

“Intellexa’s Predator remains active and adaptive, relying on a vast network of vendors, subsidiaries and other companies.” — Julian‑Ferdinand Vögele, threat researcher at Recorded Future.

Researchers identified four decoy templates that mask Tier‑1 C2 servers:

  • Fake 404 error pages
  • Counterfeit login or registration portals
  • “Site under construction” placeholders
  • Spoofed conference or organisation pages

All of these front sites ultimately resolve to the same back‑end IP ranges. Although the façade changes, the back‑end patterns (self‑issued TLS certificates and uncommon high ports) remain consistent enough for detection.

Impact analysis

Telcos & ISPs

Mozambique’s appearance underscores how national carriers can become unknowing conduits for silent over‑the‑air phone injections. Filtering traffic to the newly published Predator hostnames can give defenders a head start.

Enterprise security teams

  • Deploy mobile threat‑defence agents that watch for suspicious sideloads and abuse of Android Accessibility Services.
  • Enforce regular device reboots; Predator is less persistent than Pegasus and often loses its foothold on restart.
  • On iOS, enable Lockdown Mode for high‑risk personnel.

Journalists & NGOs

Victims rarely detect Predator until after data exfiltration. Free tools such as the Mobile Verification Toolkit (MVT) can scan backups for known Predator artefacts, but always coordinate with a trusted lab before public disclosure.

Detection & mitigation checklist

  • DNS/TLS logging. Subscribe to fresh lists of Predator hostnames and either block or alert when they appear. Enrich SIEM events with passive‑DNS data to catch fast‑flux domain swaps.
  • Mobile‑device management. Enforce Lockdown Mode on iPhones used by executives and prevent installation of unmanaged configuration profiles. Roll out per‑role mobile‑threat models and least‑privilege app permissions.
  • User training. Add “mercenary spyware phishing” to security‑awareness curriculum and run spear‑phish simulations that mimic Predator lure themes.
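
The DNS/TLS logging item above, together with the earlier note that self‑issued certificates on uncommon high ports stay consistent behind the decoys, can be turned into a small triage pass over sensor logs. The sketch below is an added example, not code from the report or from Recorded Future. The watchlist entries, log field names, sample events and the definition of an "uncommon high port" are all assumptions constructed for illustration.

```python
import json

# Constructed placeholder watchlist; in practice load the published hostname feed.
WATCHLIST = {"c2-placeholder.example", "decoy-conf.example"}
# Assumption: TLS ports treated as common; any other port above 1024 counts as uncommon.
COMMON_TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}

# Constructed sample events (JSON lines) in the shape of a merged DNS/TLS sensor log.
SAMPLE_LOG = """\
{"type":"dns","src":"10.0.4.17","query":"Login.C2-Placeholder.example."}
{"type":"dns","src":"10.0.4.18","query":"notc2-placeholder.example"}
{"type":"tls","src":"10.0.4.17","dst":"203.0.113.40","port":8092,"sni":"","subject":"CN=localhost","issuer":"CN=localhost"}
{"type":"tls","src":"10.0.4.22","dst":"198.51.100.9","port":443,"sni":"intranet.example","subject":"CN=intranet.example","issuer":"CN=intranet.example"}
{"type":"tls","src":"10.0.4.30","dst":"192.0.2.77","port":9443,"sni":"api.vendor.example","subject":"CN=api.vendor.example","issuer":"CN=Public CA R3"}
"""

def on_watchlist(name):
    """True if name equals a watchlist entry or is a subdomain of one."""
    labels = name.lower().rstrip(".").split(".")
    # Compare whole label suffixes so "notc2-placeholder.example" does not match.
    return any(".".join(labels[i:]) in WATCHLIST for i in range(len(labels)))

def triage(event):
    """Return the list of alert reasons for one parsed log event."""
    reasons = []
    name = event.get("query") or event.get("sni") or ""
    if name and on_watchlist(name):
        reasons.append("watchlist-hostname")
    if event.get("type") == "tls":
        # Heuristic: subject equal to issuer is treated as a self-issued certificate.
        self_issued = bool(event.get("subject")) and event.get("subject") == event.get("issuer")
        high_port = event.get("port", 0) > 1024 and event["port"] not in COMMON_TLS_PORTS
        if self_issued and high_port:
            reasons.append("self-issued-cert-on-uncommon-high-port")
    return reasons

def scan(log_text):
    """Return (source host, reasons) for every event that raises an alert."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            reasons = triage(event)
            if reasons:
                alerts.append((event["src"], reasons))
    return alerts

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, ", ".join(reasons))
```

Requiring both conditions for the TLS rule keeps self‑signed internal services on port 443 and publicly issued certificates on odd ports out of the alert queue; a host that trips both the hostname and the TLS rule is the one to look at first.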

Final Thoughts

With multilateral export‑control talks scheduled for the third quarter of 2025 and new EU legislation on mercenary spyware procurement working its way through committee, Predator’s fresh footholds will feature prominently in policy debates. History suggests that without universal enforcement and transparency, sanctions alone cannot eliminate demand. Defenders should therefore prepare for a future in which tools like Predator are harder to spot but no less potent.

Bottom line: Predator isn’t dead, it’s diversifying. Treat the Mozambique and Czech revelations as a bellwether for further spyware proliferation in emerging markets.

Janet Andersen
