Predator Spyware Pakistan: Leaked Intellexa Files Expose New Targets as Scandal Widens

A global investigation has uncovered new victims of Predator, an invasive spyware tool developed by the Intellexa consortium, exposing how the company continued operating and selling hacking systems despite U.S. sanctions and mounting international scrutiny. The latest findings point to fresh infection attempts, ad-based zero-click attacks, and active clients in Egypt and Saudi Arabia, while leaked documents reveal Predator activity in Pakistan for the first time.

The “Intellexa Leaks”, a new joint investigation by Inside Story, Haaretz and WAV Research Collective with technical analysis provided by Amnesty International, exposes the internal operations of Intellexa, a company notorious for selling highly invasive spyware Predator linked to human rights abuses in multiple countries.

Reporters from Greece, Israel, and Switzerland analyzed the material, which provides the clearest picture yet of how the spyware maker adapted its business practices after facing global enforcement action.

New Targets Identified Through Malicious TikTok Links

Among the most concerning discoveries is the use of malicious TikTok-themed links designed to lure new victims. These links acted as infection pathways for Predator, tricking targets into opening fake pages that triggered the spyware’s covert installation. Investigators say the tactic marks a shift toward mainstream social platforms, expanding the reach and sophistication of infection attempts.

Security analysts confirmed that the TikTok-based vectors were tied to the same backend infrastructure previously associated with Predator operations, reinforcing suspicions that the spyware is still being actively deployed and refined across multiple regions.

Pakistan Lawyer Incident Leads to Broader Findings

One of the newly confirmed cases involves a human rights lawyer in Pakistan, who received a WhatsApp message last summer from a supposedly reputable journalist. The link appeared to direct to a legitimate European media website but instead routed to a counterfeit page embedded with Predator infection code.

Sensing something was off, the lawyer forwarded the link to Amnesty International’s Security Lab. Forensic analysis confirmed digital fingerprints tied to Predator’s attack servers. Subsequent examination of leaked Intellexa materials suggested that other individuals in Pakistan, including political figures, received similar malicious links, indicating a broader targeting campaign.

The incident marks the first documented use of Predator spyware in Pakistan, a country that does not maintain diplomatic relations with Israel, making the finding both politically sensitive and geopolitically significant.

Ad-Based Infection Vectors Confirmed

Leaked documents also validate long-suspected “ad-based infections”, in which Predator operators exploit the global mobile advertising ecosystem to trigger silent or semi-silent device compromises. These attacks can push malicious code to targeted devices through manipulated ad placements, allowing infections to occur without a user manually clicking a suspicious link.

Intellexa’s internal files reference a strategic infection tool known as “Aladdin”, capable of enabling zero-click attacks through digital advertising channels anywhere in the world. Researchers say this method dramatically expands the reach of Predator, bypassing traditional security awareness and rendering routine web browsing a potential attack surface.

Egypt and Saudi Arabia Reported as Active Clients

Despite two years of U.S. sanctions intended to limit Intellexa’s global operations, the leaked materials show that Egypt and Saudi Arabia remain active clients, continuing to purchase and operate Predator systems. The documents outline updated service agreements, training modules, and operational logs dated well after sanctions took effect.

Investigators say these findings contradict claims that Intellexa’s business was crippled by international restrictions, suggesting the company has maintained and possibly expanded its client base through alternative channels and offshore entities.