Closed
43 changes: 43 additions & 0 deletions src/mobile-pentesting/android-app-pentesting/README.md
Expand Up @@ -54,6 +54,48 @@ java -jar ../APKEditor.jar m -i splits/ -o merged.apk
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
```

## Predator-Style Mobile Implant Delivery & C2 Patterns

Intellexa's 2025 Predator leaks expose a full-stack mobile exploitation pipeline that red and blue teams can reuse as a playbook for high-end implants targeting both Android and iOS devices ([source](https://securitylab.amnesty.org/latest/2025/12/intellexa-leaks-predator-spyware-operations-exposed/)).

### Single-use 1-click orchestration

- Operators generate per-target infection links inside Predator Delivery Studio (PDS/HDS). Each link is wrapped by an attacker-owned shortener named `urlch<N>l1` that lives on a lure domain (often news look-alikes) before handing off to the true exploit server.
- When the victim opens the link in Chrome/Safari, chained browser exploits drop the Predator agent. Delivery telemetry (selector, IP, UA, OS build, exploit status) is streamed into Elastic dashboards to decide whether to re-arm or burn the link.
- For your own campaigns, treat single-use URLs as volatile secrets: bind them to selectors, throttle retries, and wipe the landing node after execution to limit forensics.

### ISP, ad-tech and radio-based zero-click delivery

- **Mars** performs HTTP response injection at ISP/mobile core routers: as soon as a watched selector loads any clear-text site, the middlebox injects an `<iframe>`/redirect to the exploit host.
- **Jupiter** extends Mars to domestic HTTPS domains by terminating TLS with operator-controlled certificates, modifying HTML, then re-encrypting traffic—this only fails when the victim enforces strict certificate pinning or HSTS.
- **Aladdin** weaponises ad-tech (ADINT): the attacker uploads a malicious creative to a DSP, narrows the campaign to a selector such as the target's public IP (sourced from cooperating telcos), and serves an auto-executing ad. Merely rendering the ad frame pulls the exploit chain—no touch required.
- **Triton** is a tactical baseband chain: spin up a rogue 2G BTS, force Samsung Exynos devices to downgrade, then exploit the modem to gain arbitrary code execution below Android/iOS. This bypasses OS mitigations and survives many forensic triage flows because the payload never surfaces in user space.

### Multi-tier anonymized CNC & backend OPSEC

- Every deployment ships a "CNC Anonymization Network" composed of layered relays named `cncch<N>l<L>` (e.g., `cncch1l1` public ingress → `cncch1l2` mid-tier → customer backend). Infection frontends/shorteners follow the same convention (`urlch1l1`).
- Backend services (`file-server`, `api-server`, `config-server`, `gatekeeper-server`) live behind the final layer and are segmented per customer, but logs from every hop are aggregated into shared Elastic clusters and accessible via `pds.my.admin:8884` (CyOP dashboard) once the correct VPN/remote-access tunnel (TeamViewer in the leak) is in place.
- The traffic between tiers uses customer-specific HTTP multipart boundaries; reusing boundary constants or TLS certificates across customers instantly fingerprints an entire cluster, so rotate `cncch*` hostnames and boundary strings per deployment to keep operations compartmentalised.

### Implant storage, throttling & forensic artifacts

- Collected artifacts are staged inside an encrypted SQLCipher DB `fs.db` whose AES key is wrapped with the hard-coded `RSA_PKEY`. The `FS_KEY` string embedded in `pred_config` must match the DB passphrase per customer build. Typical paths:

```text
Android : /data/local/tmp/wd/fs.db
Android : /data/local/tmp/wd/pred.so
iOS : /private/var/logs/keybagd/fs.db
```

- The guard module watches for investigator indicators (bad TLS cert, emulator artefacts, wrong config) and self-destructs the agent while reporting the trip reason to the backend. Storage quotas plus exfil priorities (battery %, charger state, Wi-Fi vs cellular) keep traffic patterns stealthy by delaying low-priority files until benign conditions exist.
- Predator disguises its binaries as `UserEventAgent` or `com.apple.WebKit.Networking` while launching them from `/private/var/tmp/` instead of Apple-controlled directories; cloning that tactic hides unsigned payloads but also gives responders a clean IOC, so adjust paths/names per victim.

### Practical hunting & post-exploitation tips

- If you compromise an operator-side jump host, look for Elastic queries mentioning `urlch*` or `cncch*` plus cached single-use URLs—those artifacts map selectors to infection attempts and often include victim device metadata.
- Internal URLs such as `https://pds.my.admin:8884` with the `cyop` user reveal direct console access to live target lists and collected data; dumping saved browser credentials or tokens from that host frequently gives you full tasking authority over the spyware fleet.
- When reverse engineering captured implants, grep for `RSA_PKEY`, `FS_KEY`, or the hard-coded multipart boundary string: matching those values against other samples is enough to group otherwise distinct operations under the same vendor/customer.

## Android Enterprise & Work Profile Attacks

{{#ref}}
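Review bot: Most of this section does not belong in an Android app pentesting README as written: the Mars/Jupiter/Aladdin/Triton bullets describe ISP, ad-tech and baseband infrastructure with no app-level test, detection or mitigation step, and several sentences are phrased as operational advice to an implant operator ("For your own campaigns, treat single-use URLs as volatile secrets...", "rotate `cncch*` hostnames and boundary strings per deployment", "adjust paths/names per victim") rather than as something a tester or responder does. Suggest cutting those sentences and keeping the parts a defender can act on: the `fs.db`/`pred.so` paths in the `text` block (label them as coming from the leak), the `urlch<N>l1`/`cncch<N>l<L>` naming convention as a hunting signature, and the `RSA_PKEY`/`FS_KEY`/multipart-boundary clustering heuristic. Two technical corrections while at it: the Jupiter bullet says interception "only fails when the victim enforces strict certificate pinning or HSTS", but HSTS only stops the attack when the injected certificate is not trusted by the device (it removes the click-through); state that trust assumption. The Triton bullet targets "Samsung Exynos devices" yet claims execution "below Android/iOS"; Exynos basebands are not in iOS devices, so drop iOS from that sentence.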
Expand Down Expand Up @@ -880,5 +922,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
- [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns)
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone)
- [Intellexa leaks – Predator operations & OPSEC (Amnesty Security Lab, 2025)](https://securitylab.amnesty.org/latest/2025/12/intellexa-leaks-predator-spyware-operations-exposed/)

{{#include ../../banners/hacktricks-training.md}}
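Review bot: Style nit on the new reference entry: it uses an en dash (`–`) between the title and description while the preceding entry uses an em dash (`—`); pick one separator for the list. The URL matches the inline `[source]` link added in the section above, and the trailing `{{#include ../../banners/hacktricks-training.md}}` is preserved, so nothing else to raise here.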