A security audit by the European Parliament has unearthed attempts to plant high-end surveillance software on the phone of a Greek lawmaker and there are fresh reports linking the hack attempt to a known North Macedonia spyware vendor.
The company, called Cytrox, was previously exposed as the makers of Predator, a tool capable of launching sophisticated exploits on Apple’s iOS-powered devices. Now, according to published reports out of Greece, the surveillance tool has been linked to an attempted hack of a phone belonging to Nikos Androulakis, a member of the European Parliament.
Androulakis, who is head of the Greek socialist party, said he received a text message on his mobile phone that read “Let’s get a little serious about this, my friend, we have something to win” and contained a malicious URL capable of infecting the phone from a single click.
Androulakis did not click on the link and the attempted hack was only discovered after the European Parliament started checking lawmakers’ devices for signs of infections from high-end surveillance spyware.
[ READ: Can ‘Lockdown Mode’ Solve Apple’s Mercenary Spyware Problem? ]
Israel’s NSO Group, which markets Pegasus hacking tools, is in the midst of a global controversy that includes major corporate lawsuits and crippling sanctions from the U.S. government.
The University of Toronto’s Citizen Lab recently teamed up with the threat-intel team at Facebook parent company Meta to expose Cytrox alongside a handful of PSOAs (private sector offensive actors) in the murky surveillance-for-hire industry.
In a detailed technical report, Citizen Lab said Cytrox is responsible for a piece of iPhone eavesdropping malware that was planted on phones belonging to two notable Egyptians. The malware, called Predator, was able to infect the then-latest iOS version (14.6) using single-click links sent via WhatsApp.
In one case, exiled Egyptian politician Ayman Nour was spooked by his iPhone overheating and eventually found evidence of two different spyware programs — managed by two different government APT actors — running on the device. Citizen Lab has attributed this attack to the Egyptian government, which is a known Cytrox customer.
[ READ: Citizen Lab Exposes Cytrox as Vendor Behind ‘Predator’ iPhone Spyware ]
A separate advisory issued by Meta’s security team listed Cytrox alongside Cobwebs Technologies, Cognate, Black Cupe, Bluehawk CI, BellTroX and two unknown Chinese entities among a growing roster of private companies in the surveillance-for-hire business.
These companies manage the reconnaissance, engagement and exploitation phases of advanced malware campaigns for governments and law enforcement agencies around the world, including some governments that aim these exploits at journalists, politicians and members of civil society.
The discovery of these spyware vendors has forced Apple into a cat-and-mouse game of rolling out mitigations and patches for flaws exploited as zero-day by these exploit brokers.
Earlier this month, Apple announced plans to add a new ‘Lockdown Mode’ that significantly reduces attack surface and adds technical roadblocks to limit sophisticated software exploits.
According to Apple, the new Lockdown Mode will be an extreme, optional OS version for a tiny percentage of its users who are targeted with sophisticated exploits capable of silently infecting iPhones without the user clicking on malicious links or surfing to rigged websites.
Related: Citizen Lab Exposes Cytrox as Vendor Behind ‘Predator’ iPhone Spyware
Related: Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’
Related: Apple Adds ‘Lockdown Mode’ to Thwart .Gov Mercenary Spyware
Related: Apple Slaps Lawsuit on NSO Group Over Pegasus iOS Exploitation
Related: US Puts New Controls on Israeli Spyware Company NSO Group

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities
- Gem Security Gets $11 Million Seed Investment for Cloud Incident Response Platform
- Ransomware Leads to Nantucket Public Schools Shutdown
- Sentra Raises $30 Million for DSPM Technology
- Saviynt Raises $205M; Founder Rejoins as CEO
- OpenVEX Spec Adds Clarity to Supply Chain Vulnerability Warnings
- Tenable Launches $25 Million Early-Stage Venture Fund
- VMware Plugs Critical Code Execution Flaws
Latest News
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
