As technology advances, so does the world of espionage. That has given birth to several companies, such as Cytrox, that specialize in creating spyware. Predator, along with other applications of its kind, has been advertised as legal spyware-for-hire. In light of recent events, however, specifically the discovery of hacking of politicians’ and journalists’ mobile phones, it seems that such apps are not as lawful as they claim to be.

WhoisXML API threat researcher Dancho Danchev took a deep dive into the threat starting with 21 email addresses known to belong to Cytrox, Predator’s creator, and found:

• More than 300 Predator command-and-control (C&C) domains registered across at least 12 countries
• Four IP address resolutions of the C&C domains geographically spread across three countries
• Seven additional domains that shared the C&C domains’ IP hosts
• Four possibly connected web properties—one IP address and three domains—were tagged “malicious” by various malware engines

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Who Is Cytrox? What Is Predator?

Cytrox, Predator’s creator, touts of being a private surveillance-for-hire outfit based in North Macedonia. And while fellow spyware maker NSO Group was dubbed unlawful, Cytrox continued operating.

In December last year, Predator, along with other spyware, also made the headlines for connections to massive hacking campaigns targeting politicians and journalists worldwide. Meta has since banned the companies, including Cytrox, from its applications. But that didn’t put a stop to the organization’s operation, it seems, given Danchev’s recent findings.

Predator Analysis and Findings

Danchev began the investigation using 21 email addresses connected to Predator as a jump-off point.

Reverse WHOIS searches for these email addresses uncovered 378 domains that served as Predator C&C hosts. These were confirmed by OSINT analysis.

A bulk WHOIS lookup for the C&C domains revealed they were distributed across at least 12 registrant countries. A huge majority (56% to be exact) of the domain’s owners didn’t indicate their registrant countries. Of those that did show their registrant countries, 16% were from the U.S.

DNS lookups for the C&C domains pointed to four unique IP address resolutions. Two of the IP hosts were geolocated in North Macedonia, where Cytrox is based, and one each originated from the U.S. and Germany. Given the various countries whose names appeared in the analysis findings, Predator usage could indeed be spread worldwide. To date, only one of the IP hosts—99[.]83[.]154[.]118—has been dubbed “malicious” by various malware engines.

Reverse IP lookups for the IP addresses led to the discovery of eight additional domains. Predator could be using dedicated IP addresses, much like any legitimate service provider does. Of the 387 domains, only three—teslal[.]xyz, a38lasnz[.]chainmom[.]xyz, and enigmase[.]xyz—have been tagged “malicious.”

Screenshot lookups for the domains showed that:

• 23 of them continue to host live content, three seemed most interesting—szkd[.]xyz, which mimics a Windows page, and distedc[.]com and egyqaz[.]com, which advertise an app called “Badger” that is an alternative to Pegasus (another well-known spyware)

  

• The remaining 100 domains with retrievable screenshots led to blank, error, index, and parked pages

Users who wish to steer clear of getting spied on via Predator should stay away from the malicious web properties identified in this post. Organizations, specifically media outfits and government agencies, might also want to monitor the possibly connected domains and IP addresses mentioned here.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.