
Intellexa’s Predator Exploit Chain: New Details Emerge After Google Publishes Samples

By Matthias Frielingsdorf, VP of Research

Dec 4, 2025

What Google Published 

Google’s Threat Intelligence team released a new article titled “Intellexa’s Prolific Zero-Day Exploits Continue,” in which they provide updated insight into the continued activity of Intellexa and its Predator spyware platform.

The publication includes samples connected to the 2023 Predator exploit chain. These samples illustrate how Intellexa combined multiple zero-day vulnerabilities—spanning WebKit, the iOS kernel, and CoreTrust—to achieve remote infection, privilege escalation and persistent execution on targeted devices.

The newly released samples give the security research community unprecedented insight into how the 2023 Predator chain was constructed, and they confirm findings previously obtained from independent analysis.

Our Earlier Analysis: “Trust Broken at the Core”

In June 2025, we published “Trust Broken at the Core,” analyzing one of the loader components used in the Predator 2023 chain. A central aspect of the exploit was the CoreTrust bypass, which allowed a maliciously entitled binary to be executed on iOS as if it were a legitimate App Store application. A public exploit that reverse-engineered the same vulnerability exists and is used to provide this capability in TrollStore, an app for sideloading applications with arbitrary entitlements.

Our analysis showed:

  • The code signature used by the loader contained two different signers.

  • One signer was a legitimate, valid App Store–signed application, which satisfied CoreTrust’s trust-anchor validation.

  • The second signer contained the malicious entitlements, enabling the loader to request and obtain capabilities far beyond those of a normal application.

Both our analysis and the public exploit showed that both signatures need to be valid CMS signatures.

At that time, we redacted the Team ID of the public App Store application embedded into the signature because we could not establish any direct link between the developer of the public app and Intellexa. With today’s release of the samples by Google, the context is clearer, and we can expand our analysis.

New Details from the Samples

disarm --signature predator
#...
Code Directory (60151 bytes)
		Version:     20500
		Flags:       none
		CodeLimit:   0x5d8050
		Identifier:  com.elanbenami.EnneaApp (@0x60)
		Team ID:     5PN8QLT2JN (@0x78)
		Executable Segment: Base 0x0 Limit: 0x00464000 Flags: 0x00000001 
		Runtime Version: 25455.11885
		Preencrypt Hashes (@0x83)
		# of hashes: 1497 code (4K pages) + 7 special
		Hashes @30211 size: 20 Type: SHA-1
# [...]
		0: Designated Requirement (@20, 108 bytes): Ident(Watcher) AND Apple Generic Anchor Cert field [subject.CN] = 'CMS Test Signer' AND (Cert Generic[1] = WWD Relations CA) 
# [...]
Warning: Blob 44693729e171907cebd7b85cea00200e69c6bec6 Mismatches special slot 7: a059895edbae5e89ebfd2b43560be449b094f3b8
BLOB IS INVALID
Code Directory (3275 bytes)
		Version:     20400
		Flags:       none
		CodeLimit:   0x5bca0
		Identifier:  Watcher (@0x58)
		Team ID:     RUQSQXY3U9 (@0x60)
		Executable Segment: Base 0x0 Limit: 0x00044000 Flags: 0x00000011 
		# of hashes: 92 code (4K pages) + 7 special
		Hashes @331 size: 32 Type: SHA-256
Blob Wrapper (7002 bytes) (0x10000 is CMS (RFC3852) signature)
		CA: Apple Certification Authority 	CN: Apple Root CA
		CA: Apple Certification Authority 	CN: Apple Root CA
		Timestamp: 23:11:15 2023/09/07

We can see here that the first Code Directory contains a Bundle ID (com.elanbenami.EnneaApp) and a Team ID (5PN8QLT2JN) belonging to a valid, existing App Store app. The second Code Directory carries Watcher as its Identifier and RUQSQXY3U9 as its Team ID. Internally, Intellexa refers to the Watcher component as Guard in its OPSEC documentation (see https://securitylab.amnesty.org/latest/2025/12/intellexa-leaks-predator-spyware-operations-exposed for additional information).
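The two-signer layout listed in our earlier findings and visible in the disarm output above can be checked mechanically. The following Python is an added example, not iVerify's tooling and not the disarm utility: it serialises a constructed SuperBlob in the layout defined by Apple's cs_blobs.h, parses it back, and flags a signature whose CodeDirectories name different identifiers or Team IDs. The identifiers and Team IDs in the sample are placeholders (only the Watcher identifier is taken from the post), the CMS blob is an opaque placeholder, and no signature verification is performed.

```python
import hashlib
import struct

# Magic numbers and slot indices from Apple's cs_blobs.h (all fields big-endian).
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0    # SuperBlob holding the whole signature
CSMAGIC_CODEDIRECTORY = 0xFADE0C02         # CS_CodeDirectory
CSMAGIC_BLOBWRAPPER = 0xFADE0B01           # wrapper around the CMS (RFC 3852) signature
CSSLOT_CODEDIRECTORY = 0
CSSLOT_ALTERNATE_CODEDIRECTORIES = 0x1000  # first alternate CodeDirectory (e.g. SHA-256)
CSSLOT_SIGNATURESLOT = 0x10000
CS_HASHTYPE_SHA1, CS_HASHTYPE_SHA256 = 1, 2


def cstring(buf, off):
    """Read a NUL-terminated string starting at offset off."""
    return buf[off:buf.index(b"\0", off)].decode()


def parse_code_directory(blob):
    """Extract identifier, Team ID and hash type from a CodeDirectory header.
    The teamOffset field (at byte 48) only exists from version 0x20200 onward."""
    (magic, _length, version, _flags, _hash_off, ident_off, _n_special, _n_code,
     _code_limit, hash_size, hash_type) = struct.unpack_from(">IIIIIIIIIBB", blob, 0)
    if magic != CSMAGIC_CODEDIRECTORY:
        raise ValueError("not a CodeDirectory")
    team_id = None
    if version >= 0x20200:
        team_off = struct.unpack_from(">I", blob, 48)[0]
        if team_off:
            team_id = cstring(blob, team_off)
    return {"version": version, "identifier": cstring(blob, ident_off),
            "team_id": team_id, "hash_type": hash_type, "hash_size": hash_size}


def parse_superblob(data):
    """Return (slot, blob magic, blob bytes) for each entry in the SuperBlob index."""
    magic, length, count = struct.unpack_from(">III", data, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE or length > len(data):
        raise ValueError("not an embedded-signature SuperBlob")
    entries = []
    for i in range(count):
        slot, off = struct.unpack_from(">II", data, 12 + 8 * i)
        blob_magic, blob_len = struct.unpack_from(">II", data, off)
        if off + blob_len > length:
            raise ValueError("blob runs past the end of the SuperBlob")
        entries.append((slot, blob_magic, data[off:off + blob_len]))
    return entries


def audit_signers(data):
    """Collect every CodeDirectory and flag signatures whose directories do not all
    name the same identifier and Team ID. A normal dual-hash signature (SHA-1
    primary plus SHA-256 alternate) repeats the same signer in both directories."""
    directories, cms_blobs = [], 0
    for slot, blob_magic, blob in parse_superblob(data):
        if blob_magic == CSMAGIC_CODEDIRECTORY:
            directories.append(parse_code_directory(blob))
        elif blob_magic == CSMAGIC_BLOBWRAPPER and slot == CSSLOT_SIGNATURESLOT:
            cms_blobs += 1
    findings = []
    identifiers = sorted({d["identifier"] for d in directories})
    teams = sorted({str(d["team_id"]) for d in directories})
    if len(identifiers) > 1:
        findings.append("CodeDirectories disagree on identifier: %s" % identifiers)
    if len(teams) > 1:
        findings.append("CodeDirectories disagree on Team ID: %s" % teams)
    return {"code_directories": directories, "cms_blobs": cms_blobs, "findings": findings}


def build_code_directory(identifier, team_id, hash_type, version=0x20400):
    """Serialize a minimal CodeDirectory (88-byte header for 0x20400, 96 for 0x20500)
    followed by identifier, Team ID and one code-page hash over constructed bytes."""
    algo, hash_size = (hashlib.sha1, 20) if hash_type == CS_HASHTYPE_SHA1 else (hashlib.sha256, 32)
    ident, team = identifier.encode() + b"\0", team_id.encode() + b"\0"
    header_len = 96 if version >= 0x20500 else 88
    ident_off = header_len
    team_off = ident_off + len(ident)
    hash_off = team_off + len(team)
    body = ident + team + algo(b"constructed page contents").digest()
    header = struct.pack(">IIIIIIIIIBBBBI", CSMAGIC_CODEDIRECTORY, header_len + len(body),
                         version, 0, hash_off, ident_off, 0, 1, 0x1000,
                         hash_size, hash_type, 0, 12, 0)   # platform, log2(pageSize), spare2
    header += struct.pack(">II", 0, team_off)              # scatterOffset, teamOffset
    header += struct.pack(">IQ", 0, 0x1000)                # spare3, codeLimit64
    header += struct.pack(">QQQ", 0, 0x1000, 1)            # execSegBase, execSegLimit, execSegFlags
    if version >= 0x20500:
        header += struct.pack(">II", 0, 0)                 # runtime, preEncryptOffset
    return header + body


def build_superblob(blobs):
    """Wrap (slot, blob) pairs in a SuperBlob with its index table."""
    offset = 12 + 8 * len(blobs)
    index, body = b"", b""
    for slot, blob in blobs:
        index += struct.pack(">II", slot, offset)
        body += blob
        offset += len(blob)
    return struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, offset, len(blobs)) + index + body


def sample_signature(consistent):
    """Constructed SuperBlob. consistent=False mirrors the shape described in the post:
    a primary CodeDirectory naming one App Store signer and an alternate CodeDirectory
    naming a different identifier and Team ID (placeholder values, not the real ones)."""
    primary = build_code_directory("com.example.storeapp", "TEAMAAAAAA", CS_HASHTYPE_SHA1, 0x20500)
    if consistent:
        alternate = build_code_directory("com.example.storeapp", "TEAMAAAAAA", CS_HASHTYPE_SHA256)
    else:
        alternate = build_code_directory("Watcher", "TEAMBBBBBB", CS_HASHTYPE_SHA256)
    cms = struct.pack(">II", CSMAGIC_BLOBWRAPPER, 8 + 16) + b"CMS placeholder!"  # real: DER CMS
    return build_superblob([(CSSLOT_CODEDIRECTORY, primary),
                            (CSSLOT_ALTERNATE_CODEDIRECTORIES, alternate),
                            (CSSLOT_SIGNATURESLOT, cms)])


if __name__ == "__main__":
    for label in ("consistent", "mixed signers"):
        report = audit_signers(sample_signature(label == "consistent"))
        print(label, [(d["identifier"], d["team_id"]) for d in report["code_directories"]],
              report["findings"])
```

To run it against a real binary, pass the bytes covered by the LC_CODE_SIGNATURE load command to audit_signers. The check only compares what the CodeDirectories claim about themselves, so it is a triage heuristic for the pattern the post describes, not a substitute for verifying the CMS signatures and the per-page hashes.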

Additional Information on the App Store App Used: com.elanbenami.EnneaApp

Searching for com.elanbenami.EnneaApp on Google turns up the app’s App Store listing:

https://apps.apple.com/us/app/enneaapp/id668055887

We did some investigation into the developer of the app and the app itself but found no link between the developer and Intellexa. Because the vulnerability only required any valid public AppStore signature, Intellexa could have just copied it. We don’t know if there is any relationship between the developers of the exploit and the EnneaApp or why the app was chosen for the valid signature.

But the second signature (Watcher) also had to be valid, as it was used to sign the binary and the entitlements.

Additional Information on the Team ID Used by Intellexa:

The second signer used RUQSQXY3U9 as its Team Identifier. We could not find any application or other public information by Googling or otherwise searching for the Team ID, but to the best of our knowledge, the second code signature with this Team ID has to be cryptographically valid as well. This means that:

a) Intellexa had access to the private keys and/or certificates of this developer,
b) the developer is working together with Intellexa, or
c) there is a part of the vulnerability and bypass that is not fully understood yet.

Some of these insights were made possible through a partnership with Lookout, which carried out additional investigation into other apps published by the developer.

What This Means

Despite US sanctions, public exposure and ongoing legal proceedings in Greece, Intellexa continues to operate. Google's research confirms it remains one of the most prolific exploiters of zero-day vulnerabilities against mobile browsers, with at least 15 unique zero-days attributed to the company since 2021.

The coordinated releases from Google, Amnesty International, and Recorded Future this week paint a picture of a company that has adapted to scrutiny by shifting infrastructure, obscuring ownership, and continuing to sell to the highest bidders. Its latest delivery mechanism, abusing the advertising ecosystem for zero-click infections, makes detection even harder. These threats aren't limited to high-profile dissidents. Governments have used commercial spyware against journalists' sources, family members of primary targets and employees at organizations of strategic interest.

If You've Been Targeted

If you find an infected device or received an Apple Threat Notification, reach out to us so we can help investigate.

Scan Your Device

Want to check your own device for spyware? Download iVerify Basic for free (limited time) on iOS or Android and run an on-demand threat scan.
