New Report on Commercial Spyware Vendors Detailing Their Targets and Infection Chains

The commercial surveillance industry has evolved into a complex, multi-billion-dollar ecosystem, presenting significant threats to various global stakeholders, including journalists, activists, and civil society members.
A detailed report by Sekoia.io’s Threat Detection & Research team highlights how commercial entities have refined spyware deployment methods, offering solutions comparable to state-sponsored cyber capabilities.
The industry gained prominence during the Arab Spring protests (2010-2013), where there was a demand for effective surveillance tools to monitor and control dissent.
Initial vendors such as Gamma Group and Hacking Team supplied products to regimes in the Middle East and North Africa, marking the emergence of a lucrative market.
From 2016 to 2021, the sector underwent industrialization, led by Israeli companies like NSO Group, Candiru, and Intellexa, which introduced zero-click exploitation techniques that require no interaction from the victim.
Sekoia analysts document how these advancements shifted the threat landscape: a device can now be compromised remotely through vulnerabilities in messaging applications, with no action required from its owner.
Infection Mechanisms
Commercial spyware employs sophisticated infection mechanisms across multiple attack vectors.
Zero-click exploits are the most advanced, compromising devices automatically without user interaction. For example, Paragon’s Graphite spyware abuses WhatsApp’s automatic content preview feature so that a malicious file is processed, and the vulnerability triggered, without the victim ever opening it.
Attack Flow:
1. Target enumeration and phone number acquisition
2. Silent addition to attacker-controlled WhatsApp group
3. Malicious PDF transmission with embedded exploit
4. Automatic content preview triggers vulnerability
5. Payload execution and persistent implant installation
One-click exploits rely on social engineering to get the target to act, often impersonating known contacts to increase the probability of engagement.
The command-and-control infrastructure supporting these operations is increasingly complex, with multi-tier architectures to conceal attribution.
Spyware operations like Predator now use five distinct infrastructure layers, showcasing continual vendor adaptation to evade detection and regulatory oversight.
Physical access vectors also pose a threat, particularly at border crossings where devices are inspected. Serbian authorities reportedly leveraged Cellebrite’s forensic tools to unlock devices and install NoviSpy spyware for ongoing surveillance.
This blend of legitimate forensic tools and commercial spyware highlights the blurred lines between lawful investigation and unauthorized surveillance.