Researchers find Predator spyware is being used in several countries, including Iraq

Use of spyware from a developer sanctioned by the U.S. last year appears to have slowed in 2025, though it is possible that changes in domain naming conventions may be masking increased activity by making it harder for experts to detect infrastructure, according to new research.

New evidence suggests that the company, Intellexa, is also currently being deployed in Iraq, according to the report from Recorded Future’s Insikt Group. The Record is an editorially independent unit of Recorded Future.

Researchers also found indicators “likely associated” with the use of Predator spyware by an entity tied to Pakistan. It is unclear if this activity involved targets within or tied to Pakistan or if a customer was operating from inside Pakistan, the report says. 

Intellexa manufactures Predator spyware, which has been used against members of civil society and business executives worldwide. Three former Intellexa executives are currently on trial in Greece, where scores of victims of Predator spying are located.

Researchers found evidence of Intellexa customers currently operating in Saudi Arabia, Kazakhstan, Angola and Mongolia, the report said. Meanwhile, the report said, it appears that customers in Egypt, Botswana and Trinidad and Tobago have “ceased communication” as of this spring and summer.

That could indicate customers are no longer using Intellexa in those countries or that they changed their infrastructure setups, the report said.

A Mozambique-linked cluster discovered by Insikt earlier this year remained operative until at least late June 2025, the report says.

The report builds on earlier research Insikt released on Intellexa in June — the spyware maker has changed its infrastructure setups as a result of increased scrutiny in recent years, making detection more difficult. 

Researchers also found several new companies believed to be tied to Intellexa, which like other spyware vendors has long obfuscated its activities by hiding operations inside shell companies and complex webs of interconnected firms.

At least one of the newly-detected companies appears to be charged with shipping Intellexa products to clients, the report says. Two other newly-identified companies are believed to be in the advertising sector and may be connected to a known threat vector which uses ads to deliver spyware.

Two more companies linked to Intellexa were found in Kazakhstan and the Philippines, the report says. The findings indicate an “expanding network footprint,” according to the report.

In July 2023, the Commerce Department placed Intellexa on its Entity List, which identifies organizations or individuals believed to pose risks to the national security or foreign policy interests of the United States.

In March 2024, Commerce sanctioned company founder Tal Jonathan Dilian, a former Israeli intelligence officer. Six months later, five more people and one entity linked to Intellexa were also sanctioned.

Senior administration officials told reporters at the time that more action was needed to target the company’s “opaque web of corporate entities, which are designed to avoid accountability.”

On Thursday, Amnesty International revealed that Intellexa can remotely access Predator customer logs, giving staff the ability to see “details of surveillance operations and targeted individuals [which] raises questions about its own human rights due diligence processes,” according to Jurre van Bergen, Technologist at Amnesty International’s Security Lab.

“If a mercenary spyware company is found to be directly involved in the operation of its product, then by human rights standards, it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused by the use of spyware,” van Bergen said in a statement.

Updated 12/4 at 12:15pm EST with additional reporting about Amnesty International research.