
Intellexa / Predator / Cytrox

intellexa_predator · multinational_commercial_cyber_mercenary · active since 2017

Intellexa / Predator / Cytrox (canonical consortium naming "Intellexa" / "Intellexa Consortium" / "Intellexa Alliance") is a multinational private offensive cyber operations contractor / commercial spyware vendor consortium founded by Tal Jonathan Dilian, a former IDF intelligence officer who attained the rank of general and was previously associated with NSO Group. Its primary spyware product is "Predator" / "Nova"; the original developer, Cytrox, was founded in 2017 in North Macedonia and received initial funding from Israel Aerospace Industries, which sold its shares to Intellexa in early 2019.

The consortium operates across 9+ jurisdictions: Greece (Intellexa S.A. + Athens operational hub) + Cyprus (operational hub) + Israel (Predator development origin) + North Macedonia (Cytrox AD current Predator developer) + Hungary (Cytrox Holdings ZRT) + Ireland (Intellexa Limited + Thalestris Limited) + France (Nexa Group surveillance companies as part of Intellexa Alliance) + Czech Republic + British Virgin Islands (Aliada Group).

It has been publicly active since 2017 (Cytrox founding). Its primary operational mission is commercial spyware sales to government clients via a signature multi-jurisdictional consortium structure designed to exploit regulatory arbitrage across European jurisdictions with weaker spyware export controls than the Israeli export-control regime regulating NSO Group + Candiru.

Signature operational tradecraft is the Predator/Nova mobile spyware (cluster-defining sophisticated mercenary spyware targeting both Android and iPhone devices, active since at least 2019, designed for adaptability and stealth) with Alien/Predator dual-component Android architecture per Cisco Talos + mobile zero-click + one-click exploit chains + single-use SMS link delivery vector (signature Greek 92-phone-numbers campaign disclosed by the Hellenic Data Protection Authority in July 2023).

The 2022 Greek Predatorgate wiretapping scandal established the canonical public exposure context: the Greek National Intelligence Service (EYP) used Predator to surveil journalists (first confirmed victim: financial journalist Thanasis Koukakis) + politicians + MEP Nikos Androulakis (PASOK party leader) + others, prompting the resignations of PM Mitsotakis' nephew Grigoris Dimitriadis and EYP head Panagiotis Kontoleon.

The first publicly documented Predator deployment was in 2021, against exiled Egyptian politician Ayman Nour + an Egyptian television journalist.

Documented government clients include Greece + Egypt + Vietnam (attempted hacking of US politicians and journalists per 2023 Predator Files) + Saudi Arabia + Kazakhstan + DRC + Madagascar + Mozambique + Sudan + Indonesia + Philippines + Qatar + Germany + Switzerland + others across 25+ countries.

US Department of Commerce Entity List sanctions, July 18, 2023: Intellexa S.A. + Intellexa Limited + Cytrox Holdings ZRT + Cytrox AD.

US Treasury OFAC formal sanctions, March 5, 2024: Tal Dilian + Sara Hamou personally plus 5 entities, the first time individuals were sanctioned by the US Government for spyware misuse.

Additional Treasury sanctions, September 16, 2024: Bitzios + Harpaz + Karaoli + Gambazzi + Aliada Group (BVI consortium member).

The Athens Predator operator training center is the signature operational hub per the 2023 Predator Files investigation.

€13.6M leaked NYT proposal pricing covered one-click exploit + Predator C2 + administrative hardware/software + 18-month Android support.

Boot survivability was added as an add-on licensing feature in April 2022.

The AdInt web advertising infrastructure attack vector was disclosed by Amnesty International Security Lab in December 2025 (Predator uses web advertising infrastructure to distribute implants).

Customer-system extensive operator access, per Amnesty December 2025: Intellexa employees likely maintain extensive access to customer systems, which is operationally distinct from competitor cyber-mercenary vendors.

The cluster fills the 3rd cyber-mercenary / private-offensive-actor cell in the curated corpus following nso_group_pegasus (1st) and candiru_sourgum (2nd, both curated separately), and is operationally distinct from sibling cyber-mercenary clusters through its signature multi-jurisdictional consortium structure + regulatory-arbitrage strategy.

multinational_commercial_cyber_mercenary · confidence: high · 23 aliases
Sigma rules: 200 · YARA rules: 6 · Live IOCs: 0 · CVEs exploited: 0

Profile

Intellexa / Predator / Cytrox (canonical consortium naming "Intellexa" / "Intellexa Consortium" / "Intellexa Alliance") is a multinational private offensive cyber operations contractor / commercial spyware vendor consortium founded by Tal Jonathan Dilian, a former IDF intelligence officer who attained the rank of general. Its primary spyware product is "Predator" / "Nova", with original developer Cytrox founded 2017 in North Macedonia.

The consortium operates across multiple jurisdictions: Greece (Intellexa S.A. + Athens operational hub) + Cyprus (operational hub for Dilian + Hamou activities) + Israel (Predator development origin + IAI early investor) + North Macedonia (Cytrox AD current Predator developer) + Hungary (Cytrox Holdings ZRT earlier Predator developer) + Ireland (Intellexa Limited + Thalestris Limited) + France (Nexa Group surveillance companies as part of Intellexa Alliance) + Czech Republic (supply chain) + British Virgin Islands (Aliada Group).

Active publicly since 2017 (Cytrox founding), with the primary operational mission of commercial spyware sales to government clients via a signature multi-jurisdictional consortium structure designed to exploit regulatory arbitrage across European jurisdictions with weaker spyware export controls (Cyprus + Greece + North Macedonia + Hungary + Ireland) compared to the Israeli export-control regime that regulates NSO Group + Candiru.

Operational phases:
  (1) CYTROX EMERGENCE NORTH MACEDONIA (2017). Founded as startup, IAI initial investor.
  (2) INTELLEXA GROUP CONSOLIDATION (2018-2019). Dilian founded Intellexa Group 2018. Intellexa Alliance May 2019 consolidation with Nexa French surveillance companies + Cytrox acquisition.
  (3) PREDATOR ANDROID REVAMP + iOS PORT (April 2020 + May 2020). Per Cisco Talos: Android revamp completed April 2020, iOS port from Android began May 2020.
  (4) AYMAN NOUR EGYPTIAN POLITICIAN FIRST DOCUMENTED CASE (2021). Citizen Lab canonical first Predator deployment disclosure.
  (5) META SURVEILLANCE-FOR-HIRE BAN (December 2021). 1,500+ FB+IG accounts banned across 7 vendors including Cytrox.
  (6) GREEK PREDATORGATE SCANDAL (2022). Greek EYP National Intelligence Service Predator use against journalists + politicians + MEP Androulakis.
  (7) US COMMERCE ENTITY LIST SANCTIONS (July 18, 2023). 4 Intellexa entities sanctioned.
  (8) CISCO TALOS CANONICAL TECHNICAL ANALYSIS (January 2024). Comprehensive Predator/Nova analysis.
  (9) US TREASURY OFAC FIRST-EVER SPYWARE-MISUSE INDIVIDUAL SANCTIONS (March 5, 2024). Dilian + Hamou personally sanctioned + 5 entities sanctioned.
  (10) US TREASURY ADDITIONAL SANCTIONS (September 16, 2024). Bitzios + Harpaz + Karaoli + Gambazzi + Aliada Group sanctioned.
  (11) RESURGENCE 2025. Per Recorded Future + ICIJ: operational continuation through new corporate entities.
  (12) AMNESTY ADINT DISCLOSURE (December 2025). Web advertising infrastructure abuse signature attack vector disclosed.

Signature operational tradecraft
  • Predator/Nova mobile spyware (cluster-defining): sophisticated mercenary spyware targeting both Android and iPhone devices, active since at least 2019. Designed for adaptability and stealth, leaving little evidence on compromised devices and complicating external investigations. Provides complete access to device microphone + camera + all data including contacts + messages + photos + videos.
  • Alien/Predator dual-component Android architecture: signature Android architecture per Cisco Talos analysis, Alien loader component + Predator spyware payload.
  • Mobile zero-click + one-click exploit chains: signature mobile-platform-focused exploitation capability.
  • Single-use SMS link delivery vector: signature Greek 92-phone-numbers campaign delivery mechanism.
  • Athens Predator operator training center: signature operational hub per 2023 Predator Files, training facility originally planned for Skopje but established in Athens, overseen by "Greek Cypriot" individual.
  • Multi-jurisdictional consortium structure: signature operationally-distinctive corporate architecture spanning 9+ jurisdictions designed for regulatory arbitrage.
  • AdInt web advertising infrastructure attack vector: signature Predator attack vector disclosed by Amnesty Security Lab December 2025, Predator system makes use of web advertising infrastructure to distribute its implants.
  • Persistence as add-on licensing feature: per Cisco Talos signature pricing model, boot survivability is an add-on feature based on customer licensing options (Android boot survivability added April 2022).
  • €13.6M leaked NYT proposal pricing: signature pricing model, one-click exploit + Predator C2 + administrative hardware/software + project plans + 18-month Android support per July 2022 leaked proposal.
  • Customer-system extensive operator access: signature per Amnesty December 2025, Intellexa employees likely maintain extensive access to customer systems (operationally distinct from competitor cyber-mercenary vendors).

The cluster fills the 3rd cyber-mercenary / private-offensive-actor cell in this curated corpus following nso_group_pegasus (1st) + candiru_sourgum (2nd, curated this same slice). Operationally distinct from sibling cyber-mercenary clusters through multi-jurisdictional consortium structure + signature regulatory-arbitrage operational strategy + Predator/Nova mobile-focused spyware specialization + 2022 Greek Predatorgate public exposure context + first-ever spyware-misuse individual sanctions by US Treasury OFAC March 5, 2024.

Aliases

23
intellexa, intellexa consortium, intellexa alliance, intellexa_consortium, intellexa_alliance, cytrox, cytrox ad, cytrox_ad_north_macedonia, cytrox_holdings_zrt, cytrox holdings, intellexa_sa, intellexa_limited, thalestris_limited, nexa_group, aliada_group, predator, predator spyware, predator_spyware, nova, intellexa_predator, intellexa_cytrox, predatorgate cluster, greek wiretapping scandal actor

Notable Campaigns

15
  • 2025 · Amnesty International Security Lab AdInt Advertising Infrastructure Disclosure (December 2025)
  • 2025 · Predator Spotted in Mozambique First Time (2025)
  • 2025 · Recorded Future Insikt Group Intellexa Resurgence Analysis (June 2025)
  • 2024-2026 · Continued Operations Through 2024-2026
  • 2024 · Cisco Talos Canonical Intellexa + Predator Technical Analysis (January 2024)
  • 2024 · US Treasury OFAC Additional Sanctions (September 16, 2024)
  • 2024 · US Treasury OFAC Sanctions, First Spyware-Misuse Individual Sanctions (March 5, 2024)
  • 2023 · Hellenic Data Protection Authority 220 Text Messages Investigation (July 2023)
  • 2023 · US Department of Commerce Entity List Sanctions (July 18, 2023)
  • 2023 · Artemis Seaford US-Greek Dual National + Meta Targeting (March 2023)
  • 2022 · Greek Predatorgate Wiretapping Scandal (2022)
  • 2021 · Meta Surveillance-for-Hire Industry Ban (December 2021)
  • 2021 · Ayman Nour Egyptian Politician, First Documented Predator Case (2021)
  • 2018-2019 · Intellexa Group Consolidation (2018-2019)
  • 2017 · Cytrox Corporate Emergence (North Macedonia, 2017)

Attribution & Reporting

Attributed by
  • Citizen Lab (Bill Marczak + John Scott-Railton + others, canonical Cytrox + Predator tracking 2021+)
  • Amnesty International Security Lab (canonical Intellexa + Predator + AdInt tracking)
  • Cisco Talos (Vitor Ventura + others, canonical Intellexa + Cytrox Predator technical analysis January 2024)
  • Meta / Facebook (Surveillance-for-hire industry coverage December 2021)
  • Google Threat Analysis Group (TAG, Predator 0day exploit chain disclosures)
  • Microsoft Threat Intelligence Center
  • US Department of Commerce (Entity List July 18, 2023)
  • US Department of Treasury Office of Foreign Assets Control (OFAC sanctions March 5, 2024 + September 16, 2024)
  • US Department of State (visa restrictions February 2024)
  • Recorded Future Insikt Group (canonical infrastructure tracking June 2024 + 2025)
  • ICIJ International Consortium of Investigative Journalists (Cyprus Confidential investigation November 2023)
  • European Investigative Collaborations (Predator Files 2023)
  • Haaretz (canonical Israeli media coverage)
  • Hellenic Data Protection Authority (Greek investigation July 2023, 220 text messages to 92 phone numbers)
  • Greek Parliamentary committee (Predatorgate investigation)
  • Mandiant / Google Threat Intelligence Group
  • Symantec / Broadcom Threat Hunter Team
  • SOPHOS X-Ops
Key reporting
  • Citizen Lab: Pegasus vs Predator, Dissident's Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware (December 2021), canonical Cytrox/Predator first disclosure
  • Cisco Talos (Vitor Ventura + Aliaksandr Trafimchuk): Intellexa and Cytrox, From fixer-upper to Intel Agency-grade spyware (January 31, 2024), canonical Cisco Talos technical analysis
  • Amnesty International Security Lab: Predator Files investigation (October 2023), canonical European Investigative Collaborations coverage
  • Predator Files: European Investigative Collaborations comprehensive 2023 investigation
  • ICIJ International Consortium of Investigative Journalists: Cyprus Confidential investigation (November 2023), Dilian + Hamou Cyprus hub exposé
  • Recorded Future Insikt Group: Intellexa's Global Corporate Web (December 2025), multi-jurisdictional corporate structure analysis
  • Recorded Future Insikt Group: Intellexa Resurgence Analysis (June 2025)
  • Citizen Lab: Multiple Predator targeting disclosures 2021-2025 (Bill Marczak + John Scott-Railton)
  • Meta Platforms: Surveillance-for-Hire Industry Report (December 2021)
  • Google Threat Analysis Group (TAG): Predator 0day exploit chains tracking
  • Hellenic Data Protection Authority: Greek Predator 92-phone-numbers investigation (July 2023)
  • Greek Parliamentary committee: Predatorgate investigation
  • US Treasury OFAC: Treasury Sanctions Members of the Intellexa Commercial Spyware Consortium press release JY2155 (March 5, 2024), formal US Government sanctions
  • US Department of Commerce: Intellexa Entity List Final Rule (July 18, 2023)
  • Symantec / Broadcom Threat Hunter Team: Intellexa adjacent tracking
  • MITRE ATT&CK Software S1011, Predator
  • Malpedia Software Profile: Predator (elf.predator)

Operational

State sponsor

Multinational private offensive cyber operations contractor / commercial spyware vendor consortium operating across multiple jurisdictions: Greece (Intellexa S.A. + Athens operational hub) + Cyprus (operational hub for Tal Dilian + Sara Hamou activities) + Israel (Predator development origin via Cytrox + Israel Aerospace Industries early investor) + North Macedonia (Cytrox AD current Predator developer) + Hungary (Cytrox Holdings ZRT earlier Predator developer) + Ireland (Intellexa Limited + Thalestris Limited) + France (Nexa Group surveillance companies as part of Intellexa Alliance) + Czech Republic (supply chain via Dvir Horef Hazan affiliated companies) + British Virgin Islands (Aliada Group consortium member). Founded by Tal Jonathan Dilian, former Israeli Defence Forces (IDF) intelligence officer attaining the rank of general, previously associated with NSO Group per Forbes reporting + multiple media sources. Dilian founded Intellexa Group in 2018, with Intellexa Alliance consolidated May 2019 combining Intellexa Group with Nexa (French surveillance companies).

Intellexa took over Cytrox in 2019 (Cytrox was originally founded in 2017 as a startup in North Macedonia and received initial funding from Israel Aerospace Industries, which sold its shares around early 2019 to Intellexa per Haaretz). Dilian established Cyprus as a hub for surveillance activities; per US Treasury OFAC, Dilian used Cyprus as his base for surveillance activities, exploiting "the island's lax regulatory oversight to create one of the world's most secretive cyber-surveillance operations" per ICIJ Cyprus Confidential investigation. Operations expanded into Cyprus and Greece, "where export control laws on surveillance technologies are less developed" per Times of Israel + Greek Reporter.

Per US Treasury OFAC: Intellexa Consortium "has acted as a marketing label for a variety of offensive cyber companies that offer commercial spyware and surveillance tools to enable targeted and mass surveillance campaigns... These tools are packaged as a suite of tools under the brand-name 'Predator' spyware, which can infiltrate a range of electronic devices through zero-click attacks that require no user interaction for the spyware to infect the device."

Operational capability + commercial business model attribution at high confidence per:

(a) US Department of Commerce Entity List sanctions July 18, 2023: Intellexa S.A. (Greece) + Intellexa Limited (Ireland) + Cytrox Holdings ZRT (Hungary) + Cytrox AD (North Macedonia) added to Entity List for trafficking in cyber exploits used to gain access to information systems, threatening privacy and security of individuals and organizations worldwide.

(b) US Treasury OFAC formal sanctions March 5, 2024: first time individuals were sanctioned by US Government for spyware misuse per ICIJ + Treasury Under Secretary Brian Nelson commentary. Sanctioned individuals: Tal Jonathan Dilian (Intellexa Consortium founder, architect of spyware tools) + Sara Aleksandra Fayssal Hamou (corporate off-shoring specialist providing managerial services to Intellexa Consortium including renting Athens office space for Intellexa S.A.). Sanctioned entities: Intellexa S.A. + Intellexa Limited + Cytrox AD + Cytrox Holdings ZRT + Thalestris Limited.

(c) September 16, 2024 additional Treasury sanctions: additional individuals and entities sanctioned including Felix Bitzios (Intellexa consortium company owner alleged to have sold Predator to unnamed foreign government) + Merom Harpaz + Panagiota Karaoli (senior Intellexa executives) + Andrea Nicola Constantino Hermes Gambazzi (consortium transaction processor) + Aliada Group (BVI-based consortium member alleged to have enabled tens of millions of dollars in consortium transactions).

Documented government clients via Citizen Lab + Amnesty International Security Lab + Cisco Talos + Recorded Future Insikt Group analysis: Greece (per Greek wiretapping scandal 2022, National Intelligence Service EYP) + Egypt (per Citizen Lab 2021 Ayman Nour case + Egyptian television journalist) + Vietnam (per Citizen Lab + 2023 European Investigative Collaborations Predator Files, attempted hacking of US politicians and journalists) + Saudi Arabia + Democratic Republic of Congo + Kazakhstan + Qatar + Madagascar + Mozambique + Sudan + Indonesia + Philippines + others across 25+ countries per Citizen Lab + ICIJ analysis. Per Recorded Future Insikt Group June 2025: dozen+ countries operating Predator spyware including Saudi Arabia + Democratic Republic of the Congo + Kazakhstan.

Operational classification: cyber-mercenary / commercial spyware vendor consortium, operationally distinct from sibling cyber-mercenary clusters in this curated corpus through a multi-jurisdictional consortium structure designed to exploit regulatory arbitrage across European jurisdictions with weaker spyware export controls (Cyprus + Greece + North Macedonia + Hungary + Ireland) compared to the Israeli export-control regime that regulates NSO Group + Candiru. The cluster fills the 3rd cyber-mercenary / private-offensive-actor cell in this curated corpus.

Motivations
commercial_spyware_sales_to_government_clients, multi_jurisdictional_consortium_structure_for_regulatory_arbitrage, mobile_zero_click_exploitation_capability_provision_android_ios, private_offensive_cyber_operations_for_government_clients, athens_greece_operational_hub_for_predator_training_and_deployment, cyprus_corporate_hub_for_surveillance_business, regulatory_arbitrage_via_jurisdictions_with_weaker_spyware_export_controls, high_value_individual_targeting_journalists_activists_politicians_dissidents, greek_national_intelligence_service_eyp_state_aligned_operations

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
  • Behavioral / log (Sigma): 54/60 · 90%
  • Analytics (MITRE CAR): 26/60 · 43%
  • Runtime / container (Falco): 10/60 · 16%
  • File / malware (YARA): 1/60 · 1%
  • Network (Suricata/Snort): 14/60 · 23%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor’s mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
META BANNED 1500 FACEBOOK INSTAGRAM ACCOUNTS
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin