Connect with us

Hi, what are you looking for?


Malware & Threats

Details Emerge on Israeli Spyware Vendor QuaDream and Its iOS Malware

Microsoft and Citizen Lab release information on the activities, malware and victims of Israeli spyware vendor QuaDream.

iOS exploits used by Pegasus spyware

Microsoft and Citizen Lab on Tuesday released information on the activities, products and victims of an Israel-based spyware vendor named QuaDream.

QuaDream has been making an effort to keep a low profile, but its activities came to light last year, when Reuters described it as a competitor of the notorious Israeli company NSO Group, which is known for its Pegasus spyware. 

QuaDream’s activities were also described last year by Meta, which reported taking down 250 accounts associated with the firm, which the social media giant said was founded by former NSO employees.  

QuaDream has developed an exploitation platform named Reign, which has been offered to government organizations for law enforcement activities. Commercial spyware vendors typically advertise their solutions for such purposes, but investigations often reveal cases of abuse, with governments using spyware against their opponents.  

The Reign platform includes malware, exploits and infrastructure that can be used to steal data from compromised Android and iOS mobile devices. 

One distributor of this platform was a Cyprus-based company named InReach, which is currently in a legal dispute with QuaDream over its alleged refusal to transfer part of its revenue to the Israeli firm, as agreed upon. 

This lawsuit has provided some insight into the spyware vendor’s business practices and Citizen Lab has made public some information on several individuals that appear to be involved with QuaDream and InReach.

Advertisement. Scroll to continue reading.

Microsoft, which tracks QuaDream as DEV-0196, has published a blog post focusing on the analysis of the iOS malware — named KingsPawn by the tech giant — that is likely delivered as part of the Reign platform. 

The version of the malware analyzed by Microsoft targeted iPhones running iOS 14, with evidence suggesting that some of the code may have been used for Android exploits as well. At the time of the attacks targeting iOS 14, this was the latest version of the operating system. 

Apple was informed about these exploits in 2021 and the company reportedly notified targeted individuals at the time. Reuters reported that QuaDream leveraged the same iOS vulnerabilities that NSO Group used for its ForcedEntry exploit

The exploits that were designed for iOS 14 no longer work on the newer versions of the mobile operating system, but Microsoft believes the threat actor has likely updated its malware to be able to hack newer iPhones as well. Apple regularly patches zero-day flaws exploited by commercial spyware vendors. 

The malware has likely been delivered through a zero-click exploit named EndOfDays, which seemingly uses invisible iCloud calendar invitations sent by the attacker to victims for delivery. 

Once it has been deployed on a device, the KingsPawn iOS malware can record audio from calls or the device’s microphone, take pictures using the camera, exfiltrate and remove keychain items, generate iCloud 2FA passwords, track location, search files and databases on the device, and clean up its tracks.

Both Microsoft and Citizen Lab have shared indicators of compromise (IoCs) that can be used to detect the presence of QuaDream spyware. 

Citizen Lab’s investigation led to the identification of five unnamed victims located in North America, Europe, the Middle East, and Central and Southeast Asia. Victims include politicians, journalists, and one NGO worker. 

An internet scan revealed the existence of 600 QuaDream servers, including ones used to store data exfiltrated from victims and servers used for one-click browser exploits. Citizen Lab believes QuaDream servers are operated from countries such as Israel, UAE, Uzbekistan, Singapore, Hungary, Czech Republic, Romania, Bulgaria, Mexico, and Ghana. 

Hungary, Mexico, and the United Arab Emirates are known to abuse spyware to target human rights defenders (HRDs), journalists, and other members of civil society,” Citizen Lab noted. 

“We cannot determine if the systems operated from Israel are operated by the Israeli government or QuaDream itself. Nevertheless, the Israeli government is also suspected to have abused mercenary spyware to target Palestinian HRDs, as well as domestic political activists,” it added.

Related: Google Links Exploitation Frameworks to Spanish Spyware Vendor Variston

Related: Google Blocks Domains of Hack-for-Hire Groups in Russia, India, UAE

Related: Google Links More iOS, Android Zero-Day Exploits to Spyware Vendors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...