Despite significant geopolitical challenges, the mercenary spyware industry remains a resilient and persistent threat; in this context, the well-known vendor Intellexa continues to expand its arsenal.
A recent report from the Google Threat Intelligence Group (GTIG) highlights how the company, famous for its “Predator” spyware, is not only resisting US sanctions , but is also actively circumventing restrictions to continue to thrive , by exploiting a steady stream of zero-day vulnerabilities.
Intellexa has built a formidable reputation in the surveillance market. According to a Google analysis , the vendor has “solidified its position as one of the most prolific, if not the most prolific, spyware vendors in exploiting zero-day vulnerabilities against mobile browsers.”
| CVE | Role | Vendor | Product | Type | Description |
| CVE-2025-48543 | SBX+LPE | Android | Memory corruption | Use-After-Free in Android Runtime | |
| CVE-2025-6554 | RCE | Chrome | Memory corruption | Type confusion in V8 | |
| CVE-2023-41993 | RCE | Apple | iOS | Memory Corruption | WebKit JIT RCE |
| CVE-2023-41992 | SBX+LPE | Apple | iOS | Memory Corruption | Kernel IPC Use-After-Free |
| CVE-2023-41991 | LPE | Apple | iOS | Code Signing Bypass | Code Signing Bypass |
| CVE-2024-4610 | LPE | ARM | Mali | Memory Corruption | Improper GPU memory processing operations |
| CVE-2023-4762 | RCE | Chrome | Memory corruption | Type confusion in V8 | |
| CVE-2023-3079 | RCE | Chrome | Memory Corruption | Type Confusion in V8 | |
| CVE-2023-2136 | SBX | Skia | Memory Corruption | Integer overflow in Skia SKSL | |
| CVE-2023-2033 | RCE | Chrome | Memory Corruption | Use-After-Free in V8 | |
| CVE-2021-38003 | RCE | Chrome | Memory Corruption | Inappropriate implementation in V8 | |
| CVE-2021-38000 | RCE | Chrome | Logic/Design Flaw | Insufficient validation of untrusted input in Intents | |
| CVE-2021-37976 | SBX | Chrome | Memory Corruption | Information leak in memory_instrumentation | |
| CVE-2021-37973 | SBX | Chrome | Memory Corruption | Use-after-free in Portals | |
| CVE-2021-1048 | SBX+LPE | Android | Memory Corruption | Use-After-Free in ep_loop_check_proc |
The scale of their operations is impressive. Since 2021, Google has tracked approximately 70 zero-day vulnerabilities in use. Of these, “Intellexa is responsible for 15 unique zero-day vulnerabilities, including Remote Code Execution (RCE), Sandbox Escape (SBX), and Local Privilege Escalation (LPE).”
The report details a sophisticated iOS exploit chain, internally referred to by Intellexa as “smack,” that was used against targets in Egypt to install Predator spyware.
This chain was based on a framework Google calls “JSKit.” This modular toolkit is designed to run native code on Apple devices by parsing Mach-O binaries directly in memory. Interestingly, Google researchers believe Intellexa likely didn’t develop it independently.
“We believe Intellexa acquired its iOS RCE exploits from an external entity, as we have seen this exact same JSKit framework used by other surveillance vendors and government-backed attackers since 2021,” the report states.
Once the device is compromised, a payload labeled PREYHUNTER is deployed. This stage consists of “helper” and “watcher” modules that ensure the implant remains hidden while performing surveillance activities. Using custom hooking frameworks (” DMHooker” and “UMHooker” ), the malware can record VOIP calls, run keyloggers, and capture photos.
Intellexa’s reach extends beyond iPhones. The group has also implemented custom frameworks to exploit Chrome, specifically targeting the V8 JavaScript engine. More recently, in June 2025, they were observed exploiting CVE-2025-6554 in Saudi Arabia, a type confusion flaw that allowed them to infringe on memory objects.
In response to these findings, Google is taking direct action to alert potential victims. “We have decided to simultaneously send our government-backed attack warning to all known targeted accounts associated with Intellexa customers since 2023,” the report states.
This mass notification affects hundreds of users in Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia, and Tajikistan, signaling a sharp escalation in the tech giant’s fight against the spyware trade.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
