Executive Summary
In December 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) removed three individuals previously sanctioned for their involvement with Intellexa and its Predator commercial spyware from the Specially Designated Nationals (SDN) list. The individuals—Merom Harpaz, Andrea Nicola Constantino Hermes Gambazzi, and Sara Aleksandra Fayssal Hamou—were linked to leadership and distribution roles within the Intellexa Consortium. Their removal followed a petition and OFAC’s evaluation that they had separated themselves from the Intellexa ecosystem, but no underlying details or independent confirmation were disclosed. The original sanctions stemmed from their roles in developing, distributing, and enabling Predator software, a tool implicated in high-profile surveillance of civil society figures, including journalists and activists, through stealth zero-day and social engineering attacks.
This case underscores the continued risks posed by commercial spyware vendors and associated compliance exposures. Ongoing public reporting highlights Predator’s persistent activity despite regulatory efforts, as well as geopolitical pressures that drive international balkanization and new attack trends targeting sensitive sectors. With regulatory frameworks evolving and threat actors shifting tactics, the risk of spyware misuse for human rights abuses and espionage remains acute.
Why This Matters Now
The removal of sanctions from individuals previously implicated in commercial spyware operations signals regulatory uncertainty and potential loopholes for actors seeking to legitimize or rebrand surveillance technology. As spyware threats proliferate across global supply chains and civil society targets, clear policy direction and robust compliance measures are urgently needed to mitigate the risk of abuse.
Attack Path Analysis
Attackers leveraged a Predator spyware delivery—likely via zero-click or social engineering vectors—to initially compromise victim devices. Upon gaining access, they escalated privileges to persist and evade detection, enabling the capture of sensitive data. Movement then occurred laterally, possibly traversing internal cloud workloads or device resources, to broaden access and collect additional credentials or data. Command and control channels were established via stealthy encrypted outbound connections to manage the compromised endpoints. Stolen information was then exfiltrated using covert or encrypted channels, evading standard network and cloud controls. The overall impact included unauthorized surveillance, loss of sensitive data, and potential reputational or strategic harm to targeted individuals and organizations.
Kill Chain Progression
Initial Compromise
Description
Predator spyware was delivered to targets through malicious links or messages, exploiting vulnerabilities or social engineering (such as a WhatsApp message with an exploit).
Related CVEs
CVE-2023-41993
CVSS 8.8A vulnerability in WebKit allows remote attackers to execute arbitrary code on affected iOS devices via maliciously crafted web content.
Affected Products:
Apple iOS – < 16.6.1
Exploit Status:
exploited in the wildCVE-2023-41992
CVSS 7.8A kernel vulnerability in iOS allows attackers to achieve privilege escalation via a malicious application.
Affected Products:
Apple iOS – < 16.6.1
Exploit Status:
exploited in the wildCVE-2023-41991
CVSS 7.5A security vulnerability in iOS allows attackers to bypass code signing restrictions, potentially leading to arbitrary code execution.
Affected Products:
Apple iOS – < 16.6.1
Exploit Status:
exploited in the wildCVE-2023-4762
CVSS 8.8A type confusion vulnerability in V8 allows remote attackers to execute arbitrary code via crafted HTML pages.
Affected Products:
Google Chrome – < 116.0.5845.110
Exploit Status:
exploited in the wildCVE-2023-3079
CVSS 8.8A type confusion vulnerability in V8 allows remote attackers to execute arbitrary code via crafted HTML pages.
Affected Products:
Google Chrome – < 114.0.5735.110
Exploit Status:
exploited in the wildCVE-2023-2033
CVSS 8.8A type confusion vulnerability in V8 allows remote attackers to execute arbitrary code via crafted HTML pages.
Affected Products:
Google Chrome – < 112.0.5615.121
Exploit Status:
exploited in the wildCVE-2021-38003
CVSS 8.8An inappropriate implementation in V8 allows remote attackers to execute arbitrary code via crafted HTML pages.
Affected Products:
Google Chrome – < 95.0.4638.69
Exploit Status:
exploited in the wildCVE-2021-38000
CVSS 8.8Insufficient validation of untrusted input in Intents in Google Chrome allows remote attackers to execute arbitrary code via crafted HTML pages.
Affected Products:
Google Chrome – < 95.0.4638.69
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques mapped for SEO and filtering; mapping may be further expanded with automated STIX/TAXII enrichment.
Drive-by Compromise
User Execution: Malicious Link
Steal Web Session Cookie
Obfuscated Files or Information
Input Capture
Exfiltration Over Physical Medium
Application Layer Protocol: Web Protocols
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Incident Response Plan Coverage
Control ID: 12.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model (ZTMM 2.0) – Endpoint Detection and Response
Control ID: Pillar: Devices, Capability: Endpoint Security
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Commercial spyware like Predator poses critical threats to government operations, requiring enhanced zero trust segmentation and threat detection capabilities for sensitive communications protection.
Law Enforcement
Predator spyware targeting creates significant operational security risks for law enforcement agencies, necessitating robust encrypted traffic protection and anomaly detection for personnel safety.
Legal Services
Commercial spyware attacks against legal professionals compromise attorney-client privilege, requiring comprehensive egress security and multicloud visibility to protect confidential case information.
Newspapers/Journalism
Predator spyware deployment against journalists threatens press freedom and source protection, demanding enhanced east-west traffic security and inline intrusion prevention capabilities.
Sources
- U.S. Treasury Lifts Sanctions on Three Individuals Linked to Intellexa and Predator Spywarehttps://thehackernews.com/2025/12/us-treasury-lifts-sanctions-on-three.htmlVerified
- To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spywarehttps://securitylab.amnesty.org/latest/2025/12/intellexa-leaks-predator-spyware-operations-exposed/Verified
- Sanctioned spyware maker Intellexa had direct access to government espionage victims, researchers sayhttps://techcrunch.com/2025/12/04/sanctioned-spyware-maker-intellexa-had-direct-access-to-government-espionage-victims-researchers-say/Verified
- Treasury Sanctions Members of the Intellexa Commercial Spyware Consortiumhttps://home.treasury.gov/news/press-releases/jy2155Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying Zero Trust segmentation, east-west traffic control, encrypted traffic enforcement, egress filtering, and continuous threat detection would have significantly constrained Predator spyware operations by limiting initial access, lateral movement, covert communications, and data exfiltration.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline inspection could detect or block known exploit signatures in network traffic.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation would prevent elevated access or workload privilege escalation.
Control: East-West Traffic Security
Mitigation: East-west controls restrict lateral movement to permitted identities and services.
Control: Cloud Firewall (ACF) & Inline IPS (Suricata)
Mitigation: Outbound C2 channels are detected and blocked via inline signature inspection.
Control: Egress Security & Policy Enforcement
Mitigation: Egress policy enforcement blocks or alerts on suspicious data flows to unauthorized destinations.
Anomaly and threat detection generate alerts for unusual access patterns and outbound flows.
Impact at a Glance
Affected Business Functions
- Communications
- Data Security
- Legal Compliance
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive communications, personal data, and confidential business information due to unauthorized access facilitated by the Predator spyware.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation and microsegmentation to restrict lateral movement and enforce least-privilege access across workloads.
- • Enforce east-west and egress network security controls to detect and prevent unauthorized internal or outbound communications associated with spyware or C2.
- • Deploy inline cloud firewalls and IPS solutions for signature-based threat prevention and real-time inspection of both inbound and outbound flows.
- • Ensure continuous threat detection, anomaly baselining, and behavioral monitoring to rapidly identify and respond to suspicious activity.
- • Centralize multicloud visibility and policy enforcement through a unified Cloud Native Security Fabric to monitor, audit, and control cloud traffic and identities.
