
Predator Spyware Firm Unleashes 15 Zero-Day Attacks on iOS Devices Over Three Years

Intellexa, the surveillance vendor behind the notorious Predator spyware, continues to sidestep sanctions and thrive in the global spyware market.

Despite U.S. government restrictions and widespread exposure from threat researchers, new findings from Google’s Threat Intelligence Group (GTIG) reveal that the company remains one of the world’s most aggressive exploit developers targeting mobile platforms.

Prolific Use of Zero-Days

Since 2021, Intellexa has been linked to at least 15 zero-day vulnerabilities across iOS, Android, and Chrome, out of roughly 70 such exploits tracked by Google TAG and GTIG.

These flaws include Remote Code Execution (RCE), Sandbox Escape (SBX), and Local Privilege Escalation (LPE) vulnerabilities.

Most were high-impact memory-corruption bugs in system components, such as Chrome’s V8 engine and Apple’s iOS kernel.

Examples include CVE-2023-41993, an RCE in Safari’s WebKit engine, and CVE-2023-41992, a kernel-level Use-After-Free exploited to escape the iOS sandbox.

Figure: Debug string suggesting multiple iOS exploits

Other notable cases include CVE-2023-2033 and CVE-2025-6554, both Chrome V8 type confusion flaws, and CVE-2021-1048, a privilege escalation issue in Android’s kernel. All have been patched by their respective vendors following disclosure.

GTIG’s research suggests that Intellexa either develops its own exploits or purchases individual elements of exploit chains from third parties.

In one iOS intrusion campaign uncovered in Egypt, researchers captured a complete exploit chain internally named “smack,” which combined WebKit and kernel vulnerabilities to install Predator spyware on targets.

The initial stage used the “JSKit” exploit framework, a modular engine capable of executing native code directly from memory and bypassing Apple’s Pointer Authentication Code (PAC).


The final payload, codenamed PREYHUNTER, demonstrated highly evasive behaviors, detecting developer tools, specific locales (U.S. or Israeli), and anti-virus apps before activating surveillance modules.

Sophisticated Delivery and Policy Response

Intellexa’s infection vectors typically involve one-time links distributed via encrypted messaging applications.

Recently, however, GTIG observed the group abusing online advertising platforms to profile users and redirect them to exploit servers. Google and its partners have since shut down related ad accounts to block further deliveries.

In response to ongoing activity, Google has sent “government-backed attack” warnings to hundreds of potential victims across several countries, including Egypt, Saudi Arabia, and Pakistan. All identified domains are now blocked under Safe Browsing protections.

Efforts are also underway through the Pall Mall Process, an international initiative to curb the proliferation of commercial surveillance tools.

While the global spyware industry remains persistent and profitable, coordinated action from technology providers, researchers, and governments continues to limit the reach of firms like Intellexa.


The post Predator Spyware Firm Unleashes 15 Zero-Day Attacks on iOS Devices Over Three Years appeared first on Cyber Security News.
