TL;DR

Google's Threat Intelligence Group reports that Intellexa, despite US sanctions, remains an active commercial spyware vendor exploiting numerous mobile zero-day vulnerabilities. GTIG links Intellexa to at least 15 unique zero-days since 2021 and describes complex multi-stage exploit chains and delivery tactics including messaging links and malvertising.

What happened

Google’s Threat Intelligence Group (GTIG) published an analysis asserting that Intellexa, the company behind Predator spyware and subject to US sanctions, continues to obtain and use zero-day vulnerabilities against mobile browsers and operating systems. GTIG attributes 15 unique zero-days to Intellexa out of roughly 70 zero-days its group has identified since 2021; the list includes remote code execution, sandbox escape, and local privilege escalation issues affecting Android, Chrome, iOS and other components. GTIG describes a captured iOS exploit chain (internally tracked as “smack”) that used a modular framework called JSKit for renderer RCE, followed by kernel exploits, to install a payload GTIG calls PREYHUNTER; that payload contained helper and watcher modules capable of keylogging, VoIP recording and hiding their activity. Delivery methods cited include one-time links sent over encrypted messaging apps and an increasing use of malicious advertisements to fingerprint and redirect targets.

Why it matters

  • Sanctions alone have not halted the commercial operation or distribution of sophisticated exploits tied to Intellexa.
  • Persistent exploitation of mobile zero-days poses ongoing risks to user privacy and high-value targets across platforms.
  • Sophisticated multi-stage chains and modular frameworks enable attackers to adapt quickly and reuse components across campaigns.
  • Use of ad-based fingerprinting and messaging links broadens potential reach and complicates detection and attribution.

Key facts

  • GTIG links Intellexa to 15 unique zero-day vulnerabilities discovered by Google's teams since 2021.
  • The zero-day set includes RCE, sandbox escapes, and local privilege escalation affecting Android, Chrome (V8), iOS (WebKit), and other components.
  • All zero-days listed in GTIG’s report have been patched by the relevant vendors.
  • GTIG captured an iOS exploit chain used in the wild in Egypt that relied on a JSKit framework for initial Safari RCE (CVE-2023-41993).
  • GTIG observed a Chrome V8 type confusion (CVE-2025-6554) used in June 2025 in Saudi Arabia; Chrome mitigated it by configuration changes and patched it in version 138.0.7204.96.
  • The multi-stage iOS chain escalated privileges via kernel vulnerabilities (CVE-2023-41991 and CVE-2023-41992) to install a payload tracked as PREYHUNTER.
  • PREYHUNTER’s modules include a watcher (detects debuggers, developer mode, proxies, security apps, locales, and jailbreak indicators) and a helper (hooks APIs to record VoIP calls, log keystrokes, capture camera images and suppress notifications).
  • GTIG assesses Intellexa both develops exploits and increasingly purchases portions of exploit chains from external parties.
  • Delivery methods observed: one-time links sent by encrypted messaging apps and malicious advertisements used to fingerprint and redirect targets.

What to watch next

  • Further zero-day vulnerability disclosures and attribution that expand or refine GTIG’s list of Intellexa-linked CVEs.
  • Trends in ad-based exploit delivery and whether that tactic becomes more widespread among commercial vendors.
  • Not confirmed in the source: whether sanctions or law-enforcement actions will materially disrupt Intellexa’s operations.
  • Not confirmed in the source: identification of specific customers or governments currently using Intellexa tooling.

Quick glossary

  • Zero-day exploit: An exploit for a software vulnerability that is unknown to the vendor and for which no patch or mitigation is yet available to users.
  • Remote Code Execution (RCE): A class of vulnerability that allows an attacker to run arbitrary code on a target device or system from a remote location.
  • Sandbox escape: Technique that breaks out of a restricted execution environment (sandbox) to gain broader system access.
  • Exploit chain: A sequence of vulnerabilities and techniques combined to move from initial compromise to full control of a target device.
  • Malvertising: The use of online advertising to deliver malware or to redirect users to malicious content or exploit servers.

Reader FAQ

Has Intellexa been sanctioned?
Yes — the report notes Intellexa was sanctioned by the US Government.

Have the vulnerabilities GTIG describes been fixed?
GTIG states that the zero-days listed in their report have been patched by the respective vendors.

Did Intellexa create all of these exploits itself?
GTIG assesses that Intellexa develops some exploits but also appears to acquire steps of exploit chains from external parties.

Were real-world targets identified?
GTIG documents an iOS exploit chain used in Egypt and observed a Chrome exploit used in Saudi Arabia; broader target lists are not detailed in the source.

Will users be fully protected from these threats?
Not confirmed in the source.

Introduction

Despite extensive scrutiny and public reporting, commercial surveillance vendors continue to operate unimpeded. A prominent name continues to surface in the world of mercenary spyware, Intellexa. Known for its…
