Two Egyptians living in exile had their iPhones compromised in June 2021 using Predator spyware built by North Macedonian developer Cytrox (The Citizen Lab)


Primary Findings

Predator malware, created and distributed by the hitherto unknown mercenary spyware firm Cytrox, was used to hack two Egyptians: exiled politician Ayman Nour and a prominent news show host (who desires to stay unidentified).
Ayman Nour’s phone was infected by two separate government customers’ spyware programmes, Predator from Cytrox and Pegasus from NSO Group, at the same time.
Predator was used to breach both targets in June 2021, and it was able to infect the then-latest version of Apple’s iOS (14.6) using single-click links sent over WhatsApp.
We acquired samples of the Predator “loader,” the first stage of the spyware, and analysed how it operates. We found that Predator persists after a reboot by using iOS automations.
The countries of Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia were among those where we discovered Predator spyware servers and potential Predator customers.
Cytrox reportedly belongs to Intellexa, the so-called “Star Alliance of spyware,” which was established to compete with NSO Group and which portrays itself as “EU-based and regulated, with six facilities and R&D laboratories around Europe.”
1. Background

We were able to establish that the devices of Ayman Nour, a member of the exiled Egyptian political opposition who resides in Turkey, and of an exiled Egyptian journalist who presents a well-known news show but requests anonymity, had been hacked.

Ayman Nour leads the Union of the Egyptian National Forces, an organisation representing the political opposition in Egypt. Nour is the founder and former chairman of his party and has previously run for president of Egypt. In 2005 he campaigned against then-Egyptian leader Hosni Mubarak. Following the election, Nour was found guilty of “forging signatures on petitions” submitted to register his political party, an accusation generally seen as “politically driven,” and was sentenced to more than four years in jail. On the basis of his health, and in response to international pressure, Nour was ultimately released from jail in 2009.

In the 2012 Egyptian presidential elections, Nour ran as a candidate for the Ghad Al-Thawra party. Along with several other opposition candidates, he was disqualified from the polls. After objecting to the military takeover headed by President Abdel Fattah El-Sisi in 2013, Nour left Egypt for Lebanon. In 2015 he left Lebanon for Turkey, where he has lived since the Egyptian embassy in Lebanon refused to renew his passport. He continues to speak out against Sisi’s government, which he calls an “oppressive military regime.” He has also charged Sisi’s administration with “severe human rights breaches” and with transforming Egypt into a “totally authoritarian state.”

The second target whose phone we confirmed had been compromised by Cytrox’s Predator spyware is an Egyptian journalist in exile who has been a vocal opponent of the Sisi government. This individual wishes to remain unidentified.

1.1. Cytrox

Founded in 2017, Cytrox offers governments an “operational cyber solution” that includes data collection from devices and cloud services, according to a terse description on Crunchbase. Pitchbook describes its technology as “cyber intelligence systems designed to offer security” to governments and to help with “designing, managing and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices and from cloud services.”