Cybersecurity researchers have identified new infrastructure likely used by the operators of the commercial spyware known as Predator in at least 11 countries.

By analyzing the domains likely used to deliver the spyware, analysts at Recorded Future’s Insikt Group were able to spot potential Predator customers in Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago.

No Predator customers within Botswana and the Philippines had been identified before Recorded Future’s analysis. The Record is an editorially independent unit of Recorded Future.

Predator is a sophisticated spyware developed by the Israeli-owned spyware consortium Intellexa. It has been deployed since at least 2019, infecting both Android and iPhone devices. A consortium of journalists, activists and cyber experts previously examined the spyware in a project called the Predator Files.

Predator can gain access to a device’s microphone, camera, and all stored or transmitted data, including contacts, messages, photos, and videos. It’s highly invasive and leaves very limited traces on the target device, making it challenging to investigate.

Insikt Group hasn’t identified specific victims or targets of the latest Predator activity.

“Since Predator spyware is typically delivered to individual victim devices via vulnerability exploitation, identifying targets is challenging without direct access to those devices,” the researchers said.

It starts with spoofing

During the latest analysis, the Insikt Group identified a new multi-level Predator delivery network, comprising delivery servers, upstream servers and infrastructure highly likely associated with Predator customers.

The delivery servers were likely used for device exploitation and initial access. These servers typically host a domain, spoofing websites for specific entities that might be of interest to the target. Some of these domains posed as legitimate news outlets, weather forecast websites or specific companies, such as real estate businesses.

For example, the domains krisha-kz.com and kollesa.com appear to be spoofing a real estate company and an auto sales platform in Kazakhstan. The country’s history of using cyber surveillance vendors such as NSO Group, FinFisher, and RCS Lab to target activists and politicians further suggests that it is likely a Predator customer. Over half of the domains identified by Insikt Group were linked to Kazakhstan, indicating a potentially heightened level of spyware activity, researchers said.

Read More: Spyware maker NSO Group ordered to turn over Pegasus code in WhatsApp case

Other parts of the Predator network discovered by researchers include virtual private servers upstream from the delivery servers. They were likely used for anonymizing traffic and to reduce the likelihood of associating the delivery servers with specific Predator customers.

The anonymization network that obscures the operator’s location and identity makes the attribution of attacks more challenging, according to the report.

These upstream servers communicated with static in-country internet service provider addresses that were likely associated with Predator customers.

“Based on our findings and the fact that organizations in these countries were almost all historically reported to be Predator customers, it is highly likely these organizations will very likely continue to employ Predator spyware,” researchers said.

Not just law enforcement

Spyware technologies such as Predator and Pegasus are marketed as tools sold for counterterrorism and law enforcement usage. However, they are continuously abused to target civil society, including journalists, politicians and activists.

In September of last year, for example, the phone of an Egyptian opposition politician was targeted with Predator, in a campaign that researchers at the digital forensics organization Citizen Lab believe was carried out with the knowledge of the Egyptian government.

Other Predator victims include Greek journalist Thanasis Koukasis, former Meta employee Artemis Seaford, and a member of the European Parliament, Nikos Androulakis.

Predator customers usually target high-profile individuals who are expected to have significant intelligence value. This is due to the high deployment costs with charges per infection, according to the Insikt Group.

“Domestic use of mercenary spyware such as Predator outside of serious crime and counterterrorism poses privacy, legal, or physical safety risks for end targets, their employers, and the entities conducting this activity,” researchers said.