A commercial spyware vendor known as Intellexa has been linked to at least 15 zero-day vulnerabilities exploited between 2021 and 2025, making it one of the most aggressive players in the global spyware ecosystem. Despite being sanctioned by the U.S. government, Intellexa continues to deploy its Predator spyware against targets across the world, including Saudi Arabia, Pakistan, Egypt, and several other nations.
Threat analysts warn that the company remains highly active, using advanced exploit chains to compromise both iOS and Android devices.
Intellexa: One of the Most Active Zero-Day Exploiters
According to Google Cloud security researchers, Intellexa is responsible for more zero-day exploits than nearly any other commercial spyware vendor. Out of an estimated 70 zero-day vulnerabilities discovered since 2021, Intellexa alone accounts for 15 unique exploits—many of them targeting mobile browsers and OS components.
Unlike traditional threat actors, Intellexa often buys exploit chains rather than developing everything internally. This strategy allows them to quickly shift tactics when vendors like Apple and Google release patches.
The company also hides behind front organizations to evade sanctions and continue selling Predator spyware worldwide.
How Intellexa Attacks Work: A Three-Stage Exploit Chain
Intellexa uses a highly engineered three-stage attack chain to compromise devices. In a recent campaign observed in Egypt, researchers uncovered an internally named exploit chain called “smack”, used to infect iPhones with the Predator spyware suite.
Stage 1: Remote Code Execution in Safari (CVE-2023-41993)
The attack begins with a Safari RCE vulnerability. Intellexa uses a custom exploitation framework named JSKit, which grants memory read/write access and has been reused in multiple campaigns—some linked to Russian state-backed threat groups.
Stage 2: Sandbox Escape & Kernel Privilege (CVE-2023-41991 & CVE-2023-41992)
The second stage breaks out of the Safari sandbox using kernel-level vulnerabilities. This gives Intellexa deep system access, enabling the delivery of the final payload.
Stage 3: Predator Spyware Deployment
The final stage includes two modules:
- Helper module – handles surveillance functions
- Watcher module – handles stealth, anti-forensics, and detection avoidance
The watcher module actively checks for:
- Developer mode
- Debugging tools like Frida, SSH
- Security apps (McAfee, Norton)
- U.S. or Israel device locales
If detected, the attack terminates automatically.
Stealth and Surveillance Capabilities of Predator Spyware
Once installed, the Predator spyware provides full surveillance features using custom hooking frameworks DMHooker and UMHooker, enabling:
- Recording voice calls
- Capturing keyboard input
- Taking pictures from the camera
- Accessing messages and app data
- Hiding notification alerts via SpringBoard hooks
Captured audio files are stored at:
/private/var/tmp/l/voip_%lu_%u_PART.m4a
Build artifacts reveal internal development paths such as:
/Users/gitlab_ci_2/builds/jbSFKQv5/0/roe/ios16.5-smackjs8-production/
confirming internal naming conventions and the use of CI/CD pipelines.
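The two artifact strings above can be turned into a simple triage check for device dumps or backup indexes. The example below is added here and is not code from the article or from the researchers it cites; the audio path template and build-path fragment are taken from the text, the file listing is constructed, and treating %lu and %u as runs of digits is an assumption about how the template is filled in.

```python
import re
from typing import List, Optional, Tuple

# Artifact strings quoted in the article. The audio path is a printf-style
# template, so %lu and %u are rewritten as digit runs before matching.
VOIP_TEMPLATE = "/private/var/tmp/l/voip_%lu_%u_PART.m4a"
BUILD_PATH_MARKER = "/roe/ios16.5-smackjs8-production/"


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn a printf-style path template into an anchored regex.

    %lu and %u become one-or-more digits (assumed); all other characters
    are matched literally.
    """
    parts = re.split(r"(%lu|%u)", template)
    body = "".join(r"\d+" if p in ("%lu", "%u") else re.escape(p) for p in parts)
    return re.compile(rf"^{body}$")


VOIP_RE = template_to_regex(VOIP_TEMPLATE)


def classify_path(path: str) -> Optional[str]:
    """Return an artifact label when the path matches a known Predator pattern."""
    if VOIP_RE.match(path):
        return "predator_voip_recording"
    if BUILD_PATH_MARKER in path:
        return "predator_build_path"
    return None


def triage(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, label) for every entry that matches a known pattern."""
    return [(p, classify_path(p)) for p in paths if classify_path(p)]


# Constructed sample listing, as might come from a backup index or a
# strings dump of a suspicious binary; not real data.
SAMPLE_PATHS = [
    "/private/var/tmp/l/voip_1714000000_3_PART.m4a",
    "/private/var/tmp/l/voip_abc_3_PART.m4a",  # wrong shape, must not match
    "/private/var/tmp/notes.txt",
    "/Users/gitlab_ci_2/builds/jbSFKQv5/0/roe/ios16.5-smackjs8-production/helper",
]

if __name__ == "__main__":
    for path, label in triage(SAMPLE_PATHS):
        print(f"{label}: {path}")
```

A match on either pattern is a lead for deeper forensic review, not proof of infection on its own.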
Intellexa Zero-Day Vulnerabilities (2021–2025)
Below is a full list of the known zero-days associated with Intellexa operations.
| CVE | Vulnerability Type | Vendor | Affected Product |
|---|---|---|---|
| CVE-2025-48543 | SBX + LPE | Android | |
| CVE-2025-6554 | RCE | Chrome | |
| CVE-2023-41993 | RCE | Apple | iOS |
| CVE-2023-41992 | SBX + LPE | Apple | iOS |
| CVE-2023-41991 | LPE | Apple | iOS |
| CVE-2024-4610 | LPE | ARM | Mali GPU |
| CVE-2023-4762 | RCE | Chrome | |
| CVE-2023-3079 | RCE | Chrome | |
| CVE-2023-2136 | SBX | Skia | |
| CVE-2023-2033 | RCE | Chrome | |
| CVE-2021-38003 | RCE | Chrome | |
| CVE-2021-38000 | RCE | Chrome | |
| CVE-2021-37976 | SBX | Chrome | |
| CVE-2021-37973 | SBX | Chrome | |
| CVE-2021-1048 | SBX + LPE | Android | |
Global Threat Impact
Intellexa’s spyware campaigns pose a severe risk to:
- Journalists
- Activists
- Government officials
- Dissidents
- High-value corporate targets
The ongoing exploitation of mobile zero-days shows the increasing sophistication of the commercial spyware market.
All affected vendors—Apple, Google, ARM—have now patched the vulnerabilities, but the attacks highlight the critical need for:
- Regular OS updates
- Mobile threat detection solutions
- User awareness of malicious links
- Device hardening and exploit mitigation
Conclusion
Intellexa continues to be a major threat actor in the commercial spyware landscape, leveraging 15 zero-day vulnerabilities across iOS, Android, Chrome, and ARM Mali devices. Its Predator spyware uses multi-stage exploit chains, advanced evasion techniques, and powerful surveillance capabilities.
Staying protected requires applying vendor patches immediately, monitoring high-risk devices, and avoiding suspicious links sent via encrypted apps.