Key Findings Based on an analysis of samples shared with us by Microsoft Threat Intelligence, we developed indicators that enabled us to identify at least five civil society victims of QuaDream’s spyware and exploits in North America, Central Asia, Southeast Asia, Europe, and the Middle East. Victims include journalists, political opposition figures, and an NGO worker. We are not naming the victims at this time. We also identify traces of a suspected iOS 14 zero-click exploit used to deploy QuaDream’s spyware. The exploit was deployed as a zero-day against iOS versions 14.4 and 14.4.2, and possibly other versions. The suspected exploit, which we call ENDOFDAYS, appears to make use of invisible iCloud calendar invitations sent from the spyware’s operator to victims. We performed Internet scanning to identify QuaDream servers, and in some cases were able to identify operator locations for QuaDream systems. We detected systems operated from Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE), and Uzbekistan. QuaDream has had a partnership with a Cypriot company called InReach, with whom it is currently embroiled in a legal dispute. Numerous key individuals associated with both companies have prior connections with another surveillance vendor, Verint, as well as Israeli intelligence agencies. 1. Background: QuaDream and InReach
QuaDream
QuaDream Ltd (קוודרים בע”מ) is an Israeli company that specialises in the development and sale of advanced digital offensive technology to government clients. The company is known for its spyware marketed under the name “Reign”, which, like NSO Group’s
Read more