Sekoia Discovers Global Network of Malicious Sites Linked to Cytrox's Predator Spyware
Cybersecurity firm Sekoia has uncovered a network of malicious websites linked to Cytrox's Predator spyware. The discovery follows recent improvements in Cytrox's reverse proxies and points to possible state involvement in political surveillance.
Sekoia identified a set of virtual private servers (VPS) hosting fake URL shorteners and malicious sites, including typosquatted news portals, used by Predator. These findings suggest a sophisticated operation to bypass security measures and infect targets' devices.
The domain names discovered by Sekoia span multiple continents, with links to Angolan, Indonesian, and Madagascar-based websites. In Madagascar, the government is suspected of using Predator for domestic political surveillance ahead of the presidential election. Sekoia's assessment is supported by a reported contract between the Madagascar government and Intellexa, Cytrox's parent company.
Other domain names were found in Egypt, Portugal, Kazakhstan, and the Persian Gulf, indicating widespread use of Predator. However, Sekoia's findings do not identify which governments are directly linked to the spyware.
Mobile users can check their devices for the presence of Cytrox's domain names using tools such as 'MVT for analysis' or 'Spyguard', raising awareness of potential infections.
The discovery of Predator-linked malicious websites in multiple countries raises concerns about state-sponsored surveillance. While the Madagascar government is suspected of using the spyware for political purposes, further investigation is needed to identify other potential users. Mobile users are advised to stay vigilant and use the available tools to protect their devices.