A spyware, manufactured by an Israeli company, was being actively used in Pakistan, according to an investigation by Amnesty International on Thursday.
Predator, a highly invasive spyware that has been linked to human rights abuses in multiple countries, was manufactured by the Israeli company Intellexa. Israel, the country where the company is based, has no diplomatic relations with Pakistan.
The investigation, titled “Intellexa Leaks,” described the story of a human rights lawyer based in Balochistan. He approached Amnesty International in the summer of 2025 after receiving a suspicious link on WhatsApp from an unknown number. Amnesty Security Lab investigated the link and identified it as a Predator attack attempt based on the technical behavior of the infection server. Specific characteristics of the one-time infection link were also consistent with previously observed Predator one-click links.
This was the first case reported in Pakistan.
Intellexa Leaks is based on a combination of highly sensitive documents and other material leaked from the company, including internal company documents, sales and marketing materials, and training videos.
The months-long investigation was published in collaboration with Inside Story in Greece, Haaretz in Israel, and WAV Research Collective in Switzerland.
Amnesty International previously sent detailed questions to Intellexa about its products, operations and corporate structure. Intellexa declined to answer the questions.
In 2023, Intellexa was fined by the Greek Data Protection Authority for failing to comply with its investigations into the company.
Google started sending spyware threat notifications to several hundred of its users across various countries, including Pakistan. The accounts were identified as Predator spyware targets.
How Predator works
Intellexa’s Predator relies on “1-click” attacks to infect a device, which require a malicious link to be opened in the target’s phone. The malicious link then loads a browser exploit for Chrome or Safari to gain initial access to the device and download the full spyware payload.
Once the spyware is installed, it can access encrypted instant messaging apps like Signal and WhatsApp, audio recordings, emails, device locations, screenshots and camera photos, stored passwords, contacts, and call logs. It also activates the device’s microphone.
The spyware then communicates with, and uploads surveillance data to, a Predator backend server physically located in the customer’s country.
All data from the spyware is first relayed through a chain of anonymization servers, termed the “CNC Anonymization Network” to prevent the risk of exposure for the operator with the 1-click attack link.
The surveillance company overcame the limitation of exposure by using different approaches to trigger the opening of an infection link on the target’s phone, without requiring the target to manually click the link.
Intellexa also developed a strategic infection vector, ‘Aladdin,’ which could enable silent zero-click infections of target devices anywhere in the world. The vector exploits the commercial mobile advertising ecosystem to carry out these infections.
Intellexa is a surveillance company that develops spyware, with Predator as its signature product, and sells it for use by governments. According to the investigation, the company’s internal operations remained largely unknown to researchers.
