Microsoft and Citizen Lab have collaborated to reveal information about QuaDream, an Israel-based company known for its spyware.
QuaDream is an Israeli spyware vendor that has been keeping a low profile since it was first reported on by Reuters last year. QuaDream is a competitor of the notorious Israeli company NSO Group, which is known for its Pegasus spyware. QuaDream has developed an exploitation platform known as Reign, which is reportedly offered to government organizations for law enforcement activities. However, investigations have often revealed cases of abuse, with governments using spyware against their opponents.
Microsoft and Citizen Lab have shared information on the activities, products and victims of QuaDream. Microsoft has published a blog post focusing on the analysis of the iOS malware — named KingsPawn by the tech giant — that is likely delivered as part of the Reign platform. The malware has the ability to record audio from calls or the device’s microphone, take pictures using the camera, exfiltrate and remove keychain items, generate iCloud 2FA passwords, track location, search files and databases on the device, and clean up its tracks.
Citizen Lab’s investigation led to the identification of five unnamed victims located in North America, Europe, the Middle East, and Central and Southeast Asia. Victims include politicians, journalists, and one NGO worker. Citizen Lab also discovered 600 QuaDream servers, including ones used to store data exfiltrated from victims and servers used for one-click browser exploits.
Microsoft and Citizen Lab have shared indicators of compromise (IoCs) that can be used to detect the presence of QuaDream spyware. Apple was informed about the exploits in 2021 and has reportedly notified targeted individuals.
Key Points:
- QuaDream is an Israeli spyware vendor that has been keeping a low profile since it was first reported on by Reuters last year.
- QuaDream has developed an exploitation platform named Reign, which is reportedly offered to government organizations for law enforcement activities, although investigations have often revealed cases of abuse.
- Microsoft has published a blog post focusing on the analysis of the iOS malware KingsPawn that is likely delivered as part of the Reign platform.
- Citizen Lab’s investigation led to the identification of five unnamed victims located in North America, Europe, the Middle East, and Central and Southeast Asia.
- Microsoft and Citizen Lab have shared indicators of compromise (IoCs) that can be used to detect the presence of QuaDream spyware.
- Apple was informed about the exploits in 2021 and has reportedly notified targeted individuals.