SecurityWeek

Predator Spyware Turns Failed Attacks Into Intelligence for Future Exploits

The Predator spyware is more sophisticated and dangerous than previously realized.


The notorious Predator spyware is more sophisticated and dangerous than previously realized, new research shows.

Predator, originally developed by Cytrox, is a sophisticated commercial spyware. Cytrox was acquired by Tal Dilian, a former Israeli military intelligence officer, in 2018. In 2019 he founded Intellexa as a marketing umbrella for multiple surveillance tools including Predator. Predator is Intellexa’s best known product.

It is almost exclusively marketed to and used by national governments and intelligence agencies. It is currently considered by many analysts to be more active and adaptive than the possibly better known NSO Group Pegasus. Both Cytrox and Intellexa have been sanctioned by the US government.

In December 2024, the Google Threat Intelligence Group (GTIG) published research on the Predator code. Now, Jamf has published new research of a separate sample detailing previously undocumented mechanisms that illustrate Predator’s sophistication. 

It shows how Predator is not merely spyware, but a self-diagnostic tool, returning information to the developers on why an individual attack may have failed – it can learn from its own failures so that future versions may be improved and hardened against detection and analysis.

“What makes (the CSWatcherSpawner) architecture notable is not just the breadth of checks, but the reporting mechanism that provides operators with precise diagnostic information when deployment fails,” reports Jamf. 


The researchers discovered an error code taxonomy used by the spyware’s anti-analysis element. Before the malware cleans up and exits, these codes report the reason for aborting the attack (such as security or analysis tools running, an HTTP proxy configured, and more) to the C2 infrastructure.

Notably, although the error codes appear sequentially, there are gaps in the numbering, leading Jamf to suspect that the missing codes may be reserved for future versions of Predator, may be version-specific or belong to functions removed from earlier versions, or may be part of a central taxonomy shared across multiple Intellexa tools. Whatever the reason, the use of the taxonomy and the gaps within it demonstrate the adaptive nature of the product. “This error code system transforms failed deployments from black boxes into diagnostic events,” comments Jamf.

Not all of the error detections were unknown. Google, for example, had noted that Predator detects Apple’s Developer Mode, but Jamf goes deeper to explain how the detection works. Developer Mode was introduced in iOS 16 specifically for security researchers and developers. “By detecting this, Predator effectively says: ‘If you’ve enabled developer features, you’re probably not a normal target’.”

Google also noted that Predator avoids running in the US and Israel. Jamf explains how this is done. The exclusion from the US is probably down to the US sanctions and to avoid closer inspection from the US agencies. The Israeli exclusion is less easily explained but could be connected to Dilian’s personal knowledge of the extent, activity and capability of Israel’s wider cyber intelligence operations.

One new finding in Jamf’s analysis is the discovery of an anti-forensics routine linked to crash reporting. When a crash occurs that could expose Predator’s presence, the malware processes or removes the target’s crash log before it can be synced or examined. The routine specifically targets memory forensics evidence. Crash logs are valuable for detecting exploitation attempts, and Predator actively suppresses them.
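The defensive corollary of that finding is that a crash log which existed on a device and then vanished before it was synced off the device is itself a signal worth alerting on. The following is an added example written for this article, not code from Jamf, SecurityWeek or Intellexa: it indexes two snapshots of a crash-report store, tracks which reports have already been synced, and flags any unsynced report that disappeared or was altered in between. The file names, the `.ips` extension, the `Process:` header line and the report bodies are all constructed for the demonstration; no real crash reports or Predator artefacts are used.

```python
"""Audit two snapshots of a device crash-report store for unsynced reports that
vanished or changed between them (constructed example, not Jamf's or Intellexa's code)."""
from dataclasses import dataclass
import hashlib
import re


@dataclass(frozen=True)
class CrashReport:
    name: str     # file name in the crash-report store
    sha256: str   # hash of the report body, so in-place edits are visible
    process: str  # process named in the report header, or "unknown"


# "Process:" is the header line used by Apple-style crash reports; the report
# bodies in run_sample() below are constructed, not captured from a device.
_PROCESS_RE = re.compile(r"^Process:\s+(\S+)", re.MULTILINE)


def index_report(name: str, body: bytes) -> CrashReport:
    """Fingerprint one report and pull the crashing process name from its header."""
    match = _PROCESS_RE.search(body.decode("utf-8", errors="replace"))
    return CrashReport(name, hashlib.sha256(body).hexdigest(),
                       match.group(1) if match else "unknown")


def snapshot(store: dict[str, bytes]) -> dict[str, CrashReport]:
    """Index every file in a crash-report store given as name -> body."""
    return {name: index_report(name, body) for name, body in store.items()}


def audit(before: dict[str, CrashReport], after: dict[str, CrashReport],
          synced: set[str]) -> dict[str, list[str]]:
    """Flag reports that were never synced off the device yet vanished or changed
    between the snapshots. Reports already synced may legitimately be purged, so
    they are ignored; an unsynced report that disappears is the suspicious case."""
    findings: dict[str, list[str]] = {"removed_unsynced": [], "modified_unsynced": []}
    for name, old in sorted(before.items()):
        if name in synced:
            continue
        new = after.get(name)
        if new is None:
            findings["removed_unsynced"].append(f"{name} [{old.process}]")
        elif new.sha256 != old.sha256:
            findings["modified_unsynced"].append(f"{name} [{old.process}]")
    return findings


def run_sample() -> dict[str, list[str]]:
    """Constructed scenario: four reports; one removed before sync, one removed
    after sync (benign), one edited in place, one untouched."""
    def body(proc: str, note: str) -> bytes:
        return f"Process: {proc} [101]\nException Type: EXC_BAD_ACCESS\n{note}\n".encode()

    before = snapshot({
        "appA-2026-01-01-120000.ips": body("appA", "original"),
        "appB-2026-01-01-120500.ips": body("appB", "original"),
        "appC-2026-01-01-121000.ips": body("appC", "original"),
        "appD-2026-01-01-121500.ips": body("appD", "original"),
    })
    after = snapshot({
        # appA is gone and was never synced -> flagged
        # appB is gone but had already been synced -> not flagged
        "appC-2026-01-01-121000.ips": body("appC", "edited"),    # altered in place
        "appD-2026-01-01-121500.ips": body("appD", "original"),  # unchanged
    })
    return audit(before, after, synced={"appB-2026-01-01-120500.ips"})


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(kind, items)
```

Hashing the body rather than only checking for the file's presence matters because the article describes the routine as "processing or removing" the log: a report that is edited to strip the incriminating stack frames would pass a presence-only check. In practice the `before` snapshot would come from a device management or backup agent taken on a schedule, and the `synced` set from the collector's receipt log.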

The message coming from Jamf is that Predator, and especially its anti-analysis capabilities, is more sophisticated than previously understood. The new details could help researchers avoid being detected by Predator, but perhaps only for this version or variant. “The presence of the is_corellium() stub shows they’re watching our tools as closely as we’re watching theirs.”

Related: Predator Spyware Resurfaces With Fresh Infrastructure

Related: Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks

Related: European Lawmaker Targeted With Cytrox Predator Surveillance Spyware

Related: Spain Reopens a Probe Into a Pegasus Spyware Case After a French Request to Work Together

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
