SEKOIA reveals Lycantrox spy campaign infrastructure

CarderPlanet
Which countries were found to be illegally spying on their citizens?

Last month, Citizen Lab published a report on the use of the Predator spy software developed by Cytrox by hackers against the iPhone of former Egyptian MP Ahmed Eltantawi.

In August and September of this year, Eltantawi was attacked with redirection to malicious web pages that used zero-day vulnerabilities in iOS (CVE-2023-41991, CVE-2023-41992, CVE-2023-41993) to install Predator spyware. The attack is believed to have been politically motivated.

In the past, Cytrox has already attracted attention by using Predator to target public figures. Then both Citizen Lab and the now-banned Meta studied the activities of Cytrox, as well as its parent company Intellexa.

In December 2021, SEKOIA specialists also released a report investigating possible links between Cytrox customers (tracked under Operation Lycantrox) and Candiru customers (tracked under Operation Karkadann). Both spy campaigns used similar infrastructure to compromise their targets.

Most recently, while investigating the infrastructure used by Lycantrox, SEKOIA experts identified many domains associated with this group. Examples include "bitshort[.]info", disguised as a link shortening service, and "elwatnanews[.]com", which pretends to be a news resource.

In total, the researchers found 121 unique domain names that are associated with the Lycantrox infrastructure with a high degree of confidence. Many of these domains have connections to servers that accept payments in cryptocurrency and, in one way or another, are associated with cybercrime activities.

A detailed analysis of the threat revealed that servers associated with the identified domains are located in Madagascar, Indonesia, Kazakhstan, and Angola. According to researchers, they are used by local government services for cyber espionage against various political figures, activists and journalists.

The experts provided in their report all the identified indicators of compromise of the Lycantrox espionage campaign and promised to continue monitoring the actions of cyber hires from Cytrox and Intellexa, publicly covering their activities and disclosing the infrastructure.
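The post names two defanged domains from the SEKOIA report. The snippet below is an added example (not from the post, SEKOIA's report, or any of the products mentioned) of what a defender does with such indicators: refang them into matchable hostnames and sweep DNS query logs for exact or subdomain matches. The log lines are constructed for the example in a BIND-style query-log layout; the regex, function names and the two-domain watchlist are assumptions, and a real deployment would load the full IoC list from the report.

```python
import re
from typing import Iterable, Optional

# The two defanged domains quoted in the post (the report lists many more).
DEFANGED_IOCS = ["bitshort [.] info", "elwatnanews [.] com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a lowercase, matchable hostname.

    Handles the usual defang styles: 'a [.] b', 'a[.]b', 'a(.)b' and a leading 'hxxp(s)://'.
    """
    s = indicator.strip().lower()
    s = re.sub(r"\s*[\[\(]\s*\.\s*[\]\)]\s*", ".", s)  # ' [.] ', '[.]', '(.)' -> '.'
    s = re.sub(r"^hxxps?://", "", s)                   # drop a defanged scheme
    return s.split("/", 1)[0]                          # keep only the hostname part


def build_watchlist(defanged: Iterable[str]) -> set:
    return {refang(d) for d in defanged}


def in_watchlist(qname: str, watchlist: set) -> Optional[str]:
    """Return the watchlisted domain that qname equals or is a subdomain of, else None.

    The '.' + dom check prevents 'notbitshort.info' from matching 'bitshort.info'.
    """
    name = qname.lower().rstrip(".")  # DNS logs often carry a trailing root dot
    for dom in watchlist:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


# Constructed DNS query log lines (not real telemetry), in a BIND query-log style.
SAMPLE_DNS_LOG = """\
03-Nov-2023 10:02:11.123 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)
03-Nov-2023 10:02:15.456 client 10.0.0.7#51240: query: cdn.bitshort.info IN A + (10.0.0.1)
03-Nov-2023 10:02:19.789 client 10.0.0.9#51250: query: elwatnanews.com. IN AAAA + (10.0.0.1)
03-Nov-2023 10:02:22.000 client 10.0.0.5#51260: query: notbitshort.info IN A + (10.0.0.1)
"""

# Assumed log layout: '... client <src>#<port>: query: <qname> IN <qtype> ...'
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def scan_dns_log(log_text: str, watchlist: set) -> list:
    """Return one hit dict per query whose name falls under a watchlisted domain."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        matched = in_watchlist(m.group("qname"), watchlist)
        if matched:
            hits.append({
                "src": m.group("src"),
                "qname": m.group("qname").rstrip("."),
                "qtype": m.group("qtype"),
                "ioc": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, build_watchlist(DEFANGED_IOCS)):
        print(hit)
```

Matching on subdomains as well as exact names matters here: the post describes lookalike infrastructure (a fake link shortener, a fake news site), and operators typically serve payloads from hosts under the registered domain rather than from the apex itself.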