Intellexa's Predator Spyware Compromises Angolan Journalist's iPhone in Targeted Cyberattack
A government client of sanctioned spyware vendor Intellexa successfully compromised the mobile device of a prominent journalist in Angola, according to a recent investigation by Amnesty International. This incident represents the latest documented case of commercial surveillance software being weaponized against civil society members.
The human rights organization released a comprehensive report Tuesday detailing multiple intrusion attempts targeting local journalist and press freedom advocate Teixeira Cândido throughout 2024. The attack vector involved a series of malicious links delivered via WhatsApp, one of which was ultimately activated by the target.
Following forensic analysis, Amnesty International confirmed that Cândido's iPhone was successfully compromised using Intellexa's proprietary spyware solution, designated as Predator. The investigation adds to mounting evidence that government clients of commercial surveillance vendors are systematically deploying spyware against journalists, political figures, and civil society critics.
Previous research has documented Predator deployment and abuse across multiple jurisdictions:
• Egypt• Greece
• Vietnam, where the government reportedly targeted U.S. government officials through link-based attacks distributed via X (formerly Twitter)
Technical Analysis and Attribution
Amnesty researchers established attribution to Intellexa by analyzing forensic artifacts recovered from Cândido's compromised device. The investigation identified infection infrastructure previously associated with Intellexa's operational spyware deployment network.
Notably, Cândido inadvertently mitigated the compromise by rebooting his device several hours post-infection, which effectively purged the spyware from system memory. The exact exploitation chain remains unclear, as the target device was running an outdated iOS version at the time of compromise.
Forensic analysis revealed that Predator employed sophisticated evasion techniques, including process masquerading to impersonate legitimate iOS system services, thereby avoiding detection by standard security mechanisms.
Operational Scope and Timeline
Amnesty International's investigation suggests Cândido may represent only one target within a broader surveillance campaign in Angola. Researchers identified multiple domain infrastructure elements linked to Intellexa operations within the country.
"The earliest domains associated with Angola were deployed in March 2023, indicating initial Predator testing or operational deployment in the region," the researchers noted. However, they acknowledged limitations in definitively identifying the specific government client responsible for targeting Cândido.
"Current evidence does not permit conclusive identification of the Predator spyware customer operating within the country," the report states.
Regulatory Context and Sanctions
Intellexa has emerged as one of the most controversial commercial spyware vendors in recent years, utilizing multiple jurisdictions to circumvent export control regulations and maintaining what U.S. government officials have characterized as an "opaque web of corporate entities" to obscure operational activities.
In 2024, concurrent with the targeting of Cândido, the Biden administration imposed sanctions on Intellexa, its founder Tal Dilian, and business partner Sara Aleksandra Fayssal Hamou. Earlier this year, the Treasury Department lifted sanctions against three additional Intellexa-affiliated executives, a decision that prompted Senate Democrats to demand accountability from the Trump administration.
Dilian did not respond to requests for comment on the findings.
Operational Capabilities and Access
Previous reporting based on leaked internal documentation revealed that Intellexa personnel maintained remote access capabilities to customer systems, potentially providing the vendor with visibility into government surveillance operations and targeted individuals.
These disclosures, combined with the current findings, demonstrate that despite regulatory sanctions and international scrutiny, Intellexa has maintained operational capacity and continues serving government clients.
"We've now documented confirmed abuses across Angola, Egypt, Pakistan, Greece, and additional jurisdictions — and for every identified case, numerous undiscovered abuses likely remain concealed," stated Donncha Ó Cearbhaill, Head of Security Lab at Amnesty International.
