
Intellexa Exploited 15 Zero-Days, Infiltrated Ad Networks to Deploy Predator


Massive leak exposes how banned surveillance firm retained remote access to government systems, weaponized advertising platforms for "zero-click" infections, and continues targeting activists worldwide despite international sanctions.

Despite US sanctions and criminal investigations across multiple countries, mercenary spyware vendor Intellexa has not only continued operations but dramatically expanded its surveillance capabilities, according to new findings from Google's Threat Intelligence Group and Amnesty International.

The coordinated disclosures—combining Google's technical analysis with leaked internal Intellexa documents obtained by Inside Story, Haaretz, and WAV Research Collective—reveal the Cyprus-based company responsible for the notorious Predator spyware has exploited 15 unique zero-day vulnerabilities since 2021, representing over 21% of all zero-days discovered by Google's security researchers during that period.

Exploiting the Advertising Ecosystem

Perhaps most alarming among the revelations is Intellexa's development of "Aladdin," a sophisticated infection system that weaponizes the digital advertising ecosystem to deliver spyware through malicious ads on legitimate websites and mobile applications—no user interaction required.

The leaked documentation shows Aladdin was designed to use targets' public IP addresses as unique identifiers, which Predator operators could obtain from domestic mobile carriers. When a target views the malicious advertisement on any ad-supported platform, their device becomes infected automatically—a true "zero-click" attack vector that bypasses traditional security awareness.

"Evidence that Intellexa is subverting the digital advertising ecosystem to hack phones demands urgent attention and action from the advertising industry," said Jurre van Bergen, Technologist at Amnesty International's Security Lab. Based on analysis of Predator infrastructure, Amnesty believes the Aladdin vector was operational in active deployments throughout 2024, with development continuing into 2025.

Google confirmed it worked with partners to identify and shut down advertising companies Intellexa created to infiltrate the ad ecosystem, though researchers warn multiple mercenary spyware vendors are actively developing similar advertising-based infection methods.

Unprecedented Access to Customer Systems

The leaked materials expose another shocking reality: Intellexa retained remote access capabilities to government customer surveillance systems through TeamViewer, allowing company staff to view logs and technical details from live operations.

A mid-2023 internal training video obtained by investigators shows an Intellexa instructor remotely accessing at least 10 different customer deployments, identified by codenames including 'Dragon', 'Eagle', 'Falcon', 'Phoenix', and others. The video reveals Intellexa staff could access the customer Predator dashboard—the main control panel used to add targets, create infection links, and view collected surveillance data.

This contradicts standard industry claims about operational separation between spyware manufacturers and government customers. NSO Group, maker of competing Pegasus spyware, has explicitly stated it "does not operate Pegasus and is not privy to the data collected." The Intellexa revelations suggest a fundamentally different model with potentially significant legal implications for liability in cases of abuse.

Active Global Operations Continue

Google simultaneously delivered government-backed attack warnings to several hundred accounts across Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia, and Tajikistan—all linked to Intellexa's customer base since 2023.

Amnesty International confirmed a new Predator infection attempt against a human rights lawyer in Pakistan's Balochistan province during summer 2025, delivered via WhatsApp from an unknown number. This marks the first documented evidence of Predator deployment in Pakistan, targeting civil society during a period of severe internet restrictions in the province.

The most recent technical attack occurred in June 2025 when Intellexa deployed CVE-2025-6554, a type confusion vulnerability in Chrome's V8 engine, against targets in Saudi Arabia. Chrome rapidly mitigated the issue through a configuration change before issuing a full patch.

The Arsenal: 15 Zero-Days Across Mobile Platforms

Intellexa's exploitation capabilities span Android, iOS, and Chrome browsers, targeting memory corruption vulnerabilities and design flaws to achieve remote code execution (RCE), sandbox escape (SBX), and privilege escalation (LPE). The complete list of exploited zero-days includes:

Chrome/V8 Engine (6 vulnerabilities):

  • CVE-2025-6554: Type confusion in V8 (used in Saudi Arabia, June 2025)
  • CVE-2023-4762, CVE-2023-3079, CVE-2023-2033: Type confusion and use-after-free vulnerabilities in V8
  • CVE-2021-38003: Inappropriate implementation in V8
  • CVE-2021-38000: Insufficient validation of untrusted input in Intents

iOS/Safari (3 vulnerabilities):

  • CVE-2023-41993: WebKit JIT RCE enabling initial Safari compromise
  • CVE-2023-41992: Kernel IPC use-after-free for sandbox escape and privilege escalation
  • CVE-2023-41991: Code signing bypass allowing unsigned code execution

Android (3 vulnerabilities):

  • CVE-2025-48543: Use-after-free in Android Runtime (sandbox escape + privilege escalation)
  • CVE-2021-1048: Use-after-free in ep_loop_check_proc
  • CVE-2024-4610: Improper GPU memory processing in ARM Mali drivers

Chrome Browser Components (3 vulnerabilities):

  • CVE-2023-2136: Integer overflow in Skia SKSL (sandbox escape)
  • CVE-2021-37976: Information leak in memory_instrumentation
  • CVE-2021-37973: Use-after-free in Portals

Sophisticated Multi-Stage Exploit Chains

Google's analysis of a complete iOS exploit chain, internally codenamed "smack" by Intellexa, revealed how these vulnerabilities combine into devastating attack sequences. The Egyptian operation used CVE-2023-41993 for initial Safari compromise, then CVE-2023-41992 and CVE-2023-41991 to break out of Apple's sandbox and execute malicious code with system-level privileges.

Notably, Google discovered the same "JSKit framework" used in the iOS exploit had been deployed by Russian government-backed hackers in watering hole attacks against Mongolian government websites in 2024. Debug strings in the exploit suggested it was "exploit number 7," indicating the external supplier possessed multiple iOS exploits targeting various versions.

"We believe that Intellexa acquired their iOS RCE exploits from an external entity," Google researchers stated. For Chrome attacks, Intellexa developed a custom framework capable of exploiting any vulnerability that can leak V8's "TheHole" magic object, which the company reused across at least five different CVEs between 2021 and 2025.

Forensic Proof Links Abuses

The leaked documents include Intellexa's internal "OPSEC" (operational security) guide detailing configuration options, filenames, and defensive mechanisms built into Predator. Amnesty researchers found these exact indicators matched spyware samples discovered on devices of Egyptian political activist Ayman Nour and Greek investigative journalist Thanasis Koukakis, providing conclusive forensic attribution of these attacks to Intellexa.

Cyber Kendra previously reported on Google's broader investigation into commercial surveillance vendors, noting that half of the 72 zero-days exploiting Google products since 2014 are attributed to these companies. More recently, Apple has issued emergency spyware alerts to users across 150+ countries targeted by mercenary spyware including Predator, Pegasus, and Graphite.

Four individuals, including three linked to Intellexa, currently face trial in Greece for "violating telephone communication secrecy" related to the Koukakis hacking. The new evidence of Intellexa's remote access capabilities raises fresh questions about the company's legal responsibility for surveillance abuses conducted using its products.

Protect Yourself

All 15 vulnerabilities identified in the Google report have been patched by respective vendors. Users and organizations should:

  • Update immediately: Apply all available security patches to iOS, Android, Chrome, and other software
  • Enable automatic updates: Ensure devices receive patches as quickly as possible
  • Use Lockdown Mode: iOS users at high risk should activate Apple's enhanced security feature
  • Be cautious with links: Even trusted contacts may be compromised; verify unusual messages
  • Monitor suspicious activity: Excessive battery drain or data usage may indicate infection

Google has added all identified Intellexa domains to Safe Browsing protections. Organizations can access detailed indicators of compromise through Google's Threat Intelligence Collection for registered users.

Despite years of public exposure, sanctions, and criminal proceedings, the mercenary spyware industry continues thriving—with Intellexa at the forefront of innovation in surveillance technology deployment against civil society worldwide.
