Threat Actor

QuaDream / Reign

quadream_reign · israel_commercial_cyber_mercenary · active since 2019

QuaDream / Reign (canonical company naming "QuaDream Ltd" (Hebrew: קוודרים בע"מ), founded c. 2016-2019 in Israel by a founding group including two former NSO Group employees, Guy Geva and Nimrod Reznik, per Citizen Lab April 2023; primary spyware platform "REIGN", per Microsoft's canonical description a "suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices"; iOS implant "KingsPawn" per Microsoft naming; iOS zero-click exploit "ENDOFDAYS" per Citizen Lab naming; Microsoft canonical DEV-0196 / Carmine Tsunami threat actor tracking with April 2023 weather-taxonomy rename; Cypriot subsidiary intermediary "InReach" as sales channel for international customers) is an Israeli private offensive cyber operations contractor / commercial spyware vendor. Operationally it is one of two cyber-mercenary clusters in this curated corpus to have publicly ceased operations (alongside, potentially, Candiru's 2025 Integrity Partners corporate restructuring): QuaDream shut down in May 2023 due to Israeli government export restrictions following the Citizen Lab + Microsoft April 11, 2023 canonical joint disclosure and a blocked asset sale.

Active publicly from January 2021 (earliest observed ENDOFDAYS activity) through the May 2023 shutdown.

Signature minimal-public-presence operational tradecraft per Citizen Lab ("QuaDream operates with a minimal public presence, lacking a website, extensive media coverage, or social media presence"); much public-record information came from the QuaDream-InReach legal dispute over hidden money owed.

Signature ENDOFDAYS iCloud calendar zero-click exploit (cluster-defining iOS 14.4 + 14.4.2 zero-day uniquely using invisible backdated iCloud calendar invitations as infection vector, operationally distinct from sibling cyber-mercenary clusters' iMessage zero-click vectors; likely relied on the same flaw as NSO Group's FORCEDENTRY (CVE-2021-30860) per The Register hypothesis, though direct CVE attribution to QuaDream remains contested).

KingsPawn 4-module iOS spyware architecture per Microsoft: module 1 records the microphone, module 2 extracts the iCloud Keychain, module 3 steals SQLite database data from various apps, module 4 estimates victim location; additional capability of generating iCloud 2FA passwords.

Signature InReach Cypriot subsidiary sales channel for international customers; Ectoplasm Factor forensic artifact (Citizen Lab-named forensic indicator: traces left behind on infected devices after the spyware self-destruct feature removed the spyware); spyware self-destruct feature cleaning up various traces left behind.

600+ servers + 200+ domain names infrastructure scale per Citizen Lab late 2021 - early 2023.

250 Meta-banned test accounts December 2022; documented customer footprint Singapore + Saudi Arabia + Mexico + Ghana confirmed customers (Indonesia + Morocco pitched services) with suspected operator locations across Bulgaria + Czechia + Hungary + Ghana + Israel + Mexico + Romania + Singapore + UAE + Uzbekistan.

5 civil society victims identified by Citizen Lab across North America + Central Asia + Southeast Asia + Europe + Middle East including journalists + political opposition figures + NGO worker.

Ghana 2020 election special project allegation (14 Israeli tech workers, including alleged QuaDream employees, travelled to Accra three months prior to the presidential election; Haaretz could not confirm specific QuaDream participation).

Apple iOS 14.4.2 March 2021 mitigation may have unknowingly addressed ForcedEntry-class vulnerability used by ENDOFDAYS per The Register hypothesis.

fills the 6th cyber-mercenary cell in the curated corpus following NSO Group (1st) + Candiru (2nd) + Intellexa (3rd) + Paragon Solutions (4th) + DarkMatter UAE (5th), operationally significant as one of two cyber-mercenary clusters that have publicly ceased operations (alongside Candiru 2025 restructuring), operationally distinct from sibling cyber-mercenary clusters that have continued operations through sanctions waves.

Category: israel_commercial_cyber_mercenary · Confidence: high · Aliases: 23
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 1

Profile

QuaDream / Reign (canonical company naming "QuaDream Ltd" (Hebrew: קוודרים בע"מ), founded c. 2016-2019 in Israel by a founding group including two former NSO Group employees, Guy Geva and Nimrod Reznik, per Citizen Lab April 2023; primary spyware platform "REIGN" with iOS implant "KingsPawn" per Microsoft naming and iOS zero-click exploit "ENDOFDAYS" per Citizen Lab naming; Microsoft canonical DEV-0196 / Carmine Tsunami threat actor tracking; Cypriot subsidiary intermediary "InReach" sales channel) is an Israeli private offensive cyber operations contractor / commercial spyware vendor, operationally one of two cyber-mercenary clusters in this corpus to have publicly ceased operations (alongside, potentially, Candiru's 2025 corporate restructuring), with QuaDream shutting down in May 2023 due to Israeli government export restrictions following the Citizen Lab + Microsoft April 11, 2023 canonical joint disclosure. Active publicly from January 2021 (earliest ENDOFDAYS observed activity per Citizen Lab) through the May 2023 shutdown, with the primary operational mission of commercial spyware sales to government clients via signature minimal-public-presence operational tradecraft.

Operational phases:
(1) CORPORATE EMERGENCE (c. 2016-2019). Founded by a group including former NSO Group employees Guy Geva and Nimrod Reznik.
(2) ENDOFDAYS EARLIEST ACTIVITY (January 2021). Earliest observed ENDOFDAYS iCloud calendar zero-click against iOS 14.
(3) HAARETZ FIRST DISCLOSURE (June 2021). Saudi Arabia + Ghana client attribution disclosed.
(4) iOS 14.4.2 APPLE MITIGATION (March 2021). Apple addressed the ForcedEntry-class vulnerability, operationally neutralizing ENDOFDAYS capability.
(5) REUTERS FIRST INTERNATIONAL DISCLOSURE (2022). QuaDream brochure + REIGN platform capabilities disclosed.
(6) META SURVEILLANCE-FOR-HIRE ATTRIBUTION (December 2022). 250 QuaDream-attributed accounts banned across Meta platforms.
(7) CITIZEN LAB + MICROSOFT CANONICAL JOINT DISCLOSURE (April 11, 2023). Comprehensive QuaDream / REIGN / KingsPawn / DEV-0196 disclosures published simultaneously.
(8) MICROSOFT DEV-0196 / CARMINE TSUNAMI RENAME (April 2023). Microsoft weather-taxonomy threat actor naming framework rename.
(9) QUADREAM SHUTDOWN (May 2023). Operations ceased due to Israeli government export restrictions; asset sale blocked.

Signature operational tradecraft
  • Founder lineage from NSO Group (cluster-defining): founded by group including two former NSO Group employees Guy Geva and Nimrod Reznik, operationally distinct former-NSO-alumni provenance pattern in cyber-mercenary ecosystem.
  • Minimal public presence operational tradecraft (signature): per Citizen Lab, "QuaDream operates with a minimal public presence, lacking a website, extensive media coverage, or social media presence." Much public-record information came from the QuaDream-InReach legal dispute.
  • ENDOFDAYS iCloud calendar zero-click exploit (cluster-defining): signature iOS 14.4 + 14.4.2 zero-day uniquely using invisible iCloud calendar invitations as infection vector. Backdated calendar invitations were automatically processed and added to the user's calendar without notification on iOS 14. Operationally distinct from sibling cyber-mercenary clusters' iMessage zero-click vectors. Likely originally relied on the same flaw as NSO Group's FORCEDENTRY (CVE-2021-30860) per The Register hypothesis, though direct CVE attribution to QuaDream remains contested.
  • KingsPawn 4-module iOS spyware architecture: signature Microsoft-identified modular structure, module 1 (record microphone) + module 2 (extract iCloud Keychain) + module 3 (steal SQLite database data from various apps) + module 4 (estimate victim location). Additional capability: generating iCloud 2FA passwords.
  • InReach Cypriot subsidiary sales channel (signature): operationally unique non-Israeli sales channel via Cypriot subsidiary InReach. QuaDream-InReach legal dispute over hidden money owed operationally exposed cluster operations to public record.
  • REIGN platform commercial offering (signature): Microsoft canonical description "REIGN is a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices.".
  • Ectoplasm Factor forensic artifact (signature): Citizen Lab-named forensic indicator, traces left behind on infected devices after spyware self-destruct feature removed.
  • Self-destruct feature: signature spyware capability to clean up various traces left behind by spyware itself per Citizen Lab analysis.
  • 600+ servers + 200+ domain names infrastructure scale: signature Citizen Lab infrastructure attribution, late 2021 - early 2023.
  • 250 Meta-banned test accounts (December 2022): signature Meta-attributed iOS + Android spyware capability test infrastructure.
  • Documented customer footprint: Singapore + Saudi Arabia + Mexico + Ghana confirmed customers; Indonesia + Morocco pitched services. Suspected operator locations: Bulgaria + Czechia + Hungary + Ghana + Israel + Mexico + Romania + Singapore + UAE + Uzbekistan.
  • Ghana 2020 election special project allegation: signature cyber-mercenary election-cycle deployment pattern (alleged but unconfirmed by Haaretz).
  • May 2023 shutdown trajectory (signature): first publicly-documented case of a major cyber-mercenary vendor ceasing operations due directly to Israeli MoD export-licensing-regime restrictions following industry public disclosure. The cluster fills the 6th cyber-mercenary cell in this curated corpus following nso_group_pegasus (1st) + candiru_sourgum (2nd) + intellexa_predator (3rd) + paragon_solutions_graphite (4th) + darkmatter_uae_project_raven (5th). Operationally significant as one of two cyber-mercenary clusters that have publicly ceased operations (alongside, potentially, Candiru's 2025 restructuring), operationally distinct from sibling cyber-mercenary clusters that have continued operations through sanctions waves.

Aliases

23 aliases: quadream, quadream ltd, קוודרים בעמ, reign, reign spyware, reign_spyware, reign platform, dev_0196, dev-0196, carmine_tsunami, carmine tsunami, kingspawn, kingspawn_malware, endofdays, end_of_days, end of days exploit, inreach, inreach cypriot company, ectoplasm_factor, ectoplasm factor, quadream_reign, quadream kingspawn, quadream endofdays

Notable Campaigns

11 campaigns:
  • 2023+: QuaDream-InReach Legal Dispute (post-2023)
  • 2023: Citizen Lab + Microsoft Canonical Joint Disclosure (April 11, 2023)
  • 2023: QuaDream Shutdown (May 2023)
  • 2023: Microsoft April 2023 DEV-0196 - Carmine Tsunami Rename
  • 2022: Reuters 2022 First International Disclosure
  • 2022: Meta Surveillance-for-Hire QuaDream Attribution (December 2022)
  • 2021: ENDOFDAYS Earliest Observed Activity (January 2021)
  • 2021: Haaretz Israeli Media First Disclosure (2021)
  • 2021: iOS 14.4.2 Apple Mitigation (March 2021)
  • 2020: Ghana 2020 Election Special Project Allegation
  • 2016-2019: QuaDream Corporate Emergence (c. 2016-2019)

Attribution & Reporting

Attributed by
  • Citizen Lab (canonical Research Report No. 164 "Sweet QuaDreams", April 11, 2023; Bill Marczak + John Scott-Railton + Bahr Abdul Razzak + Siena Anstis + Ron Deibert)
  • Microsoft Threat Intelligence Center (canonical DEV-0196 / Carmine Tsunami April 11, 2023 disclosure)
  • Apple Security Research (ENDOFDAYS exploit mitigation, March 2021, iOS 14.4.2)
  • Reuters (initial 2022 disclosure citing QuaDream brochure)
  • Haaretz (Israeli media coverage 2021-2023: Ghana customer disclosure + Saudi Arabia client + 14 Israeli tech workers Ghana 2020 election special project)
  • Wall Street Journal (April 2023, "New Spyware Firm Said to Have Helped Hack iPhones Around the Globe")
  • Meta / Facebook (December 2022 Surveillance-for-Hire Industry Threat Report, 250 QuaDream-attributed accounts)
  • 9to5Mac (April 2023 industry analysis)
  • The Register (April 2023 industry analysis)
  • Bitdefender (April 2023 analysis)
  • SecurityAffairs (April 2023 analysis)
  • The Hacker News (April 22, 2023 QuaDream shutdown coverage)
  • Freemindtronic (KingsPawn analysis)
  • MediaNama (April 2023 India-context coverage)
  • Symantec / Broadcom Threat Hunter Team
  • Mandiant / Google Threat Intelligence Group
  • SOPHOS X-Ops
  • Recorded Future Insikt Group
Key reporting
  • Citizen Lab Research Report No. 164 (Bill Marczak + John Scott-Railton + Bahr Abdul Razzak + Siena Anstis + Ron Deibert): Sweet QuaDreams, A First Look at Spyware Vendor QuaDream's Exploits, Victims, and Customers (April 11, 2023), canonical QuaDream disclosure
  • Microsoft Threat Intelligence Center: DEV-0196, QuaDream's KingsPawn malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia (April 11, 2023), canonical Microsoft DEV-0196 / Carmine Tsunami disclosure
  • Microsoft Security Blog: Threat Actor Naming Taxonomy April 2023 Update, DEV-0196 - Carmine Tsunami rename
  • Reuters: QuaDream brochure disclosure (2022), first international attention to QuaDream
  • Haaretz: Saudi Arabia + Ghana customer disclosure (June 2021), first publicly-documented QuaDream client attribution
  • Meta Platforms: 2022 Adversarial Threat Report, Surveillance-for-Hire Industry (December 2022), 250 QuaDream-attributed accounts
  • Apple Security Research: iOS 14.4.2 ENDOFDAYS exploit mitigation (March 2021)
  • Wall Street Journal: New Spyware Firm Said to Have Helped Hack iPhones Around the Globe (April 2023)
  • The Hacker News: Israeli Spyware Vendor QuaDream to Shut Down Following Citizen Lab and Microsoft Expose (April 22, 2023), May 2023 shutdown coverage
  • Symantec / Broadcom Threat Hunter Team: QuaDream operational profile
  • Mandiant / Google Threat Intelligence Group: QuaDream / Carmine Tsunami tracking
  • Citizen Lab: Verint surveillance provider context for QuaDream key personnel previous links
  • Malpedia Actor Profile: QuaDream

Operational

State sponsor

Israeli private offensive cyber operations contractor / commercial spyware vendor founded c. 2016-2019 in Israel by a founding group including two former NSO Group employees, Guy Geva and Nimrod Reznik, per the Citizen Lab Research Report No. 164 April 11, 2023 canonical disclosure, compiled from corporate documents + legal filings + media analysis. Per Citizen Lab's review of key individuals, the list includes Geva and Reznik, who were involved in Pegasus spyware development at NSO Group. Additional key individuals identified by Citizen Lab: former Israeli military official Ian Dabelstein + California-based Israeli businessman Roy Galsberg Keller.

Operationally an Israeli private-sector offensive actor (PSOA) per Microsoft DEV-0196 / Carmine Tsunami canonical naming (Microsoft Threat Intelligence Center). Per Microsoft April 11, 2023: "Microsoft Threat Intelligence analysts assess with high confidence that a threat group tracked by Microsoft as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream. QuaDream reportedly sells a platform they call REIGN to governments for law enforcement purposes. REIGN is a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices." Signature minimal public presence operational tradecraft, per the Citizen Lab April 2023 canonical disclosure: "QuaDream operates with a minimal public presence, lacking a website, extensive media coverage, or social media presence." Much of the information extractable about QuaDream came from legal disputes between it and InReach (Cypriot intermediary subsidiary) over the latter's attempt to hide money owed to the Israeli software firm. The minimal-public-presence tradecraft operationally distinguishes QuaDream from sibling cyber-mercenary clusters with more visible corporate operations (NSO Group, Intellexa, Paragon). Signature InReach Cypriot subsidiary sales channel, per Citizen Lab + Microsoft: QuaDream uses a Cypriot subsidiary known as InReach to sell Reign to government customers outside of Israel.

The InReach corporate intermediary structure operationally enables sales channeling through Cyprus-based corporate entity operationally consistent with cyber-mercenary industry jurisdictional arbitrage patterns. QuaDream-InReach relationship deteriorated into legal dispute with both companies accusing each other of fraud, theft of intellectual property, and breach of contract. Several key people associated with both companies have previous links with another surveillance provider Verint, as well as with Israeli intelligence agencies.

Operational capability + commercial business model attribution at high confidence per multiple convergent sources: (a) Microsoft Threat Intelligence Center DEV-0196 / Carmine Tsunami canonical attribution (April 11, 2023): Microsoft published canonical comprehensive disclosure of KingsPawn iOS malware attributed to DEV-0196 (subsequently renamed Carmine Tsunami under Microsoft's April 2023 weather-taxonomy threat actor naming framework). Microsoft Threat Intelligence shared with Citizen Lab two samples (Samples 1 and 2) of iOS spyware named KingsPawn and attributed them to QuaDream "with high confidence." Microsoft analyzed DEV-0196 + KingsPawn iOS malware and shared both host and network indicators. (b) Citizen Lab Research Report No. 164 canonical disclosure (April 11, 2023): "Sweet QuaDreams: A First Look at Spyware Vendor QuaDream's Exploits, Victims, and Customers", comprehensive analysis of QuaDream operations, victims, customers, and exploit chain.

Based on analysis of samples shared by Microsoft Threat Intelligence, Citizen Lab developed indicators that enabled identification of at least 5 civil society victims of QuaDream's spyware and exploits in North America + Central Asia + Southeast Asia + Europe + Middle East. Victims include journalists + political opposition figures + NGO worker (Citizen Lab did not name victims). (c) Initial 2022 Reuters disclosure: per Microsoft April 2023 retrospective: QuaDream came to international attention in a 2022 Reuters report which cited a company brochure that described the REIGN platform and a list of capabilities.

The 2022 Reuters report notably suggested that QuaDream used a zero-click iOS exploit that leveraged the same vulnerability seen in NSO Group's ForcedEntry exploit (CVE-2021-30860 iMessage zero-click). (d) Haaretz Israeli media coverage: per Microsoft retrospective: earlier Haaretz report citing QuaDream brochure revealed that QuaDream did not sell REIGN directly to customers but instead did so through Cypriot subsidiary InReach. Haaretz also reported that Saudi Arabia's government was among QuaDream's clients, as was the government of Ghana.

(e) Meta surveillance-for-hire industry report (December 2022): Meta detected activity on their platforms attributed to QuaDream including the use of "about 250 accounts" assessed as being used to test the capabilities of QuaDream's iOS and Android spyware. (f) Infrastructure scale per Citizen Lab: Citizen Lab identified 600+ servers and 200+ domain names linked with high confidence to QuaDream's spyware between late 2021 and early 2023. Documented QuaDream / Reign customers per Citizen Lab + Microsoft + Haaretz + Hacker News: Singapore + Saudi Arabia + Mexico + Ghana (confirmed customers) + Indonesia + Morocco (pitched services per media reports).

Suspected operator locations / customer footprint based on Citizen Lab infrastructure analysis: Bulgaria + Czechia + Hungary + Ghana + Israel + Mexico + Romania + Singapore + United Arab Emirates + Uzbekistan. QuaDream's involvement in 14-Israeli-tech-workers Ghana election special project (alleged): Israeli press + Ghanaian press reported that QuaDream employees may have been among 14 Israeli tech workers from different companies who travelled to Accra, Ghana in 2020 to meet with the incumbent administration three months prior to the presidential election for purposes of a "special project relating to it", operationally consistent with cyber-mercenary election-cycle deployment patterns, though Haaretz could not confirm the specific QuaDream participation allegations. Operational shutdown: per Hacker News April 22, 2023 + Freemindtronic + industry analysis: in May 2023, QuaDream ceased its activities due to Israeli government's restrictions on its spyware export.

QuaDream tried to sell its assets to other players, but the Israeli government blocked them. It remains unknown if the KingsPawn spyware is still active and used post-shutdown, or who controls it. The May 2023 shutdown operationally represents the first publicly-documented case of a major cyber-mercenary vendor ceasing operations due directly to Israeli MoD export-licensing-regime restrictions following industry public disclosure.

Operational classification: cyber-mercenary / commercial spyware vendor, operationally distinct from sibling cyber-mercenary clusters through founder NSO Group lineage + minimal public presence tradecraft + ENDOFDAYS iCloud calendar zero-click vector + InReach Cypriot subsidiary sales channel + 2023 shutdown trajectory. The cluster fills the 6th cyber-mercenary cell in this curated corpus following nso_group_pegasus (1st) + candiru_sourgum (2nd) + intellexa_predator (3rd) + paragon_solutions_graphite (4th) + darkmatter_uae_project_raven (5th, the first non-Israeli cyber-mercenary cluster). Operationally significant as one of two cyber-mercenary clusters in this corpus where the cluster has publicly ceased operations (alongside, potentially, Candiru's 2025 Integrity Partners acquisition restructuring).

Motivations
commercial_spyware_sales_to_government_clients, private_offensive_cyber_operations_for_government_clients, mobile_zero_click_ios_exploitation_capability_provision, icloud_calendar_invisible_invitation_zero_click_vector_specialization, minimal_public_presence_operational_security_tradecraft, cypriot_intermediary_subsidiary_sales_channel_arbitrage, government_intelligence_collection_via_commercial_capability, high_value_individual_targeting_journalists_activists_politicians_dissidents, civil_society_surveillance_per_documented_abuse_patterns, nso_group_alumni_offensive_cyber_capability_continuation
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
  • Behavioral / log (Sigma): 57/60 · 95%
  • Analytics (MITRE CAR): 25/60 · 41%
  • Runtime / container (Falco): 10/60 · 16%
  • File / malware (YARA): 1/60 · 1%
  • Network (Suricata/Snort): 14/60 · 23%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor’s mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • META 250 QUADREAM ATTRIBUTED ACCOUNTS DECEMBER 2022
  • MINIMAL PUBLIC PRESENCE NO WEBSITE NO MEDIA NO SOCIAL MEDIA
  • MODULE 1 RECORD MICROPHONE
  • MODULE 2 EXTRACT ICLOUD KEYCHAIN
  • MODULE 3 SQLITE DATABASE THEFT
  • MODULE 4 LOCATION ESTIMATION
  • SELF-DESTRUCT FEATURE CLEANS UP TRACES

CVEs Exploited

1
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin