Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue

    Date: 12/05/2025

    Severity: High

    Summary

    Despite U.S. sanctions, Intellexa continues selling its Predator spyware and remains one of the most aggressive exploit operators, rapidly developing or acquiring mobile zero-days. The group is linked to 15+ zero-day vulnerabilities, including CVE-2025-48543, CVE-2025-6554, CVE-2023-41993, CVE-2023-41992, CVE-2023-41991, CVE-2024-4610, and multiple Chrome and Android V8/Skia flaws dating back to 2021, enabling RCE, sandbox escapes, and privilege escalation across major platforms.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    md5hash IN ("150393c8c3d4c0c0f5da65721168df0d","a590ecb6221e90afcb57dcdeca9ae682")

    Detection Query 2:

    sha1hash IN ("ca83880d9c62eaf8cefbda95e5813046561a955d","0078cd0894564699252c4b9ca657a91ee7799a5e")

    Detection Query 3:

    sha256hash IN ("e3314bcd085bd547d9b977351ab72a8b83093c47a73eb5502db4b98e0db42cac","85d8f504cadb55851a393a13a026f1833ed6db32cb07882415e029e709ae0750")
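    The three queries above match the md5hash, sha1hash and sha256hash fields of telemetry records against the listed hashes. As an added example (not Gurucul's or the referenced report's code), the same logic in Python, run over constructed JSON log lines; the record field names md5hash/sha1hash/sha256hash and host are assumptions about the log shape.

```python
import json

# IOC values copied from the advisory; the record field names are assumed
# to mirror the query fields md5hash / sha1hash / sha256hash.
IOC_HASHES = {
    "md5hash": {"150393c8c3d4c0c0f5da65721168df0d",
                "a590ecb6221e90afcb57dcdeca9ae682"},
    "sha1hash": {"ca83880d9c62eaf8cefbda95e5813046561a955d",
                 "0078cd0894564699252c4b9ca657a91ee7799a5e"},
    "sha256hash": {"e3314bcd085bd547d9b977351ab72a8b83093c47a73eb5502db4b98e0db42cac",
                   "85d8f504cadb55851a393a13a026f1833ed6db32cb07882415e029e709ae0750"},
}
QUERY_NUMBER = {"md5hash": 1, "sha1hash": 2, "sha256hash": 3}

def normalize(value):
    """Lower-case and strip so upper-case or padded hashes still match."""
    return value.strip().lower() if isinstance(value, str) else ""

def match_record(record):
    """Return the numbers of the detection queries the record satisfies."""
    hits = set()
    for field, iocs in IOC_HASHES.items():
        if normalize(record.get(field)) in iocs:
            hits.add(QUERY_NUMBER[field])
    return hits

def scan_log(lines):
    """Evaluate JSON log lines; return [(host, matched_queries)] for hits."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed telemetry rather than abort the sweep
        hits = match_record(rec)
        if hits:
            findings.append((rec.get("host", "?"), sorted(hits)))
    return findings

# Constructed sample telemetry (not from the advisory): one benign file, one
# upper-cased MD5 hit, one record hitting both the SHA-1 and SHA-256 queries.
SAMPLE_LOG = [
    '{"host": "wks-01", "md5hash": "d41d8cd98f00b204e9800998ecf8427e"}',
    '{"host": "wks-02", "md5hash": "A590ECB6221E90AFCB57DCDECA9AE682"}',
    '{"host": "wks-03", "sha1hash": "ca83880d9c62eaf8cefbda95e5813046561a955d", '
    '"sha256hash": "85d8f504cadb55851a393a13a026f1833ed6db32cb07882415e029e709ae0750"}',
    'not json',
]
```

    Calling scan_log(SAMPLE_LOG) reports wks-02 against query 1 and wks-03 against queries 2 and 3; the empty-file MD5 on wks-01 does not match.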

    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day-exploits-continue/


    Tags

    Vulnerability, Zero-day, Exploit, CVE-2025, CVE-2023, CVE-2024, United States
