Amnesty International said a human rights lawyer in Pakistan’s Balochistan province received a suspicious WhatsApp link from an unknown number, describing the message as a Predator attack attempt based on the technical behaviour of the infection server and the characteristics of the one-time link. Pakistan’s government dismissed the allegations, telling Dawn that “there is not an iota of truth in it.”
The findings reported by human rights monitors follow a joint investigation published with Haaretz and other outlets and are based on documents, sales and marketing materials, and training videos leaked from the company.
Intellexa is identified in the materials as the developer of a commercial spyware product called Predator, described as capable of covertly harvesting data from Android and iOS devices. Google Threat Intelligence Group linked Predator to the exploitation of multiple zero-day vulnerabilities and Google explained technical details of an associated exploitation framework used in some attacks.
Leaked materials and technical analysis outline chains that start with a malicious link delivered via messaging platforms and, if opened, load browser exploits to gain initial access. One chain described against iOS targets used a WebKit JIT exploit and a framework called JSKit to perform native code execution, then leveraged additional bugs to escape the browser sandbox and deploy a payload named PREYHUNTER that included modules called Watcher and Helper for stability checks and data collection.
Once installed, the tool is said to collect messages, calls, emails, location data, screenshots and other on-device information, and to be able to activate microphones and cameras. The report also says company personnel could remotely access some customer surveillance systems and logs using TeamViewer, a capability that Amnesty International technologist Jurre van Bergen said raises human rights due diligence and liability questions.
The leaks describe multiple delivery vectors, including tactical tools named Triton, Thor and Oberon, network-injection systems called Mars and Jupiter that require cooperation from a mobile operator or ISP, and an advertising-based zero-click vector known as Aladdin. Amnesty and Google materials note that Aladdin can deliver malicious advertisements to targets; the Aladdin system is linked to reporting by Aladdin and was reported to have been under development since at least 2022; Google said it worked with partners to identify companies tied to malicious ad activity and to shut those accounts.
In a separate technical report, Recorded Future added that two companies, Pulse Advertise and MorningStar TEC, appear linked to the advertising vector and that evidence shows Predator-related infrastructure communicating with customers in countries including Saudi Arabia, Kazakhstan, Angola and Mongolia, while communications with customers in Botswana, Trinidad and Tobago and Egypt ceased earlier in 2025. The company and some executives were also subjected to U.S. sanctions last year, the leaked material states.