Home / Industry

Predator Surveillance Software May Not Be Lawful at All

As technology advances, so does the world of espionage. That has given birth to several companies, such as Cytrox, that specialize in creating spyware. Predator, along with other applications of its kind, has been advertised as legal spyware-for-hire. In light of recent events, however, specifically the discovery of hacking of politicians’ and journalists’ mobile phones, it seems that such apps are not as lawful as they claim to be.

WhoisXML API threat researcher Dancho Danchev took a deep dive into the threat starting with 21 email addresses known to belong to Cytrox, Predator’s creator, and found:

  • More than 300 Predator command-and-control (C&C) domains registered across at least 12 countries
  • Four IP address resolutions of the C&C domains geographically spread across three countries
  • Seven additional domains that shared the C&C domains’ IP hosts
  • Four possibly connected web properties—one IP address and three domains—were tagged “malicious” by various malware engines

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Who Is Cytrox? What Is Predator?

Cytrox, Predator’s creator, touts of being a private surveillance-for-hire outfit based in North Macedonia. And while fellow spyware maker NSO Group was dubbed unlawful, Cytrox continued operating.

In December last year, Predator, along with other spyware, also made the headlines for connections to massive hacking campaigns targeting politicians and journalists worldwide. Meta has since banned the companies, including Cytrox, from its applications. But that didn’t put a stop to the organization’s operation, it seems, given Danchev’s recent findings.

Predator Analysis and Findings

Danchev began the investigation using 21 email addresses connected to Predator as a jump-off point.

Reverse WHOIS searches for these email addresses uncovered 378 domains that served as Predator C&C hosts. These were confirmed by OSINT analysis.

A bulk WHOIS lookup for the C&C domains revealed they were distributed across at least 12 registrant countries. A huge majority (56% to be exact) of the domain’s owners didn’t indicate their registrant countries. Of those that did show their registrant countries, 16% were from the U.S.

DNS lookups for the C&C domains pointed to four unique IP address resolutions. Two of the IP hosts were geolocated in North Macedonia, where Cytrox is based, and one each originated from the U.S. and Germany. Given the various countries whose names appeared in the analysis findings, Predator usage could indeed be spread worldwide. To date, only one of the IP hosts—99[.]83[.]154[.]118—has been dubbed “malicious” by various malware engines.

Reverse IP lookups for the IP addresses led to the discovery of eight additional domains. Predator could be using dedicated IP addresses, much like any legitimate service provider does. Of the 387 domains, only three—teslal[.]xyz, a38lasnz[.]chainmom[.]xyz, and enigmase[.]xyz—have been tagged “malicious.”

Screenshot lookups for the domains showed that:

  • 23 of them continue to host live content, three seemed most interesting—szkd[.]xyz, which mimics a Windows page, and distedc[.]com and egyqaz[.]com, which advertise an app called “Badger” that is an alternative to Pegasus (another well-known spyware)
  • The remaining 100 domains with retrievable screenshots led to blank, error, index, and parked pages

Users who wish to steer clear of getting spied on via Predator should stay away from the malicious web properties identified in this post. Organizations, specifically media outfits and government agencies, might also want to monitor the possibly connected domains and IP addresses mentioned here.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com

Domain Names

Sponsored byVerisign


Sponsored byVerisign