A new iOS zero-day exploit chain has been linked to mercenary spyware used for silent device surveillance against high‑risk users.
The operation, attributed to the commercial surveillance vendor Intellexa, chains multiple previously unknown flaws to move from a single link click in Safari to full spyware deployment on targeted iPhones.
The campaign has been seen against civil society and political targets, underscoring how well‑funded spyware vendors continue to weaponize browser and kernel bugs for long‑term, covert monitoring.
The attack begins with a malicious one‑time link, often sent over encrypted messaging apps. When a target opens the link in Safari, the browser loads an exploit that triggers a remote code execution bug later fixed as CVE‑2023‑41993.
This first stage uses a shared exploitation framework called JSKit to gain arbitrary read and write in the Safari renderer, then pivots to native code execution on modern iOS builds.
The same framework has been reused by other surveillance vendors and state‑backed actors since 2021, showing an active market for reusable exploit components.
[Figure: Example of testing and validating shellcode execution (Source: Google Cloud)]
Google Cloud security researchers identified the full chain in the wild on devices in Egypt, confirming that the exploit was internally codenamed “smack” by Intellexa and used to stage the Predator spyware family.
Once the browser is compromised, the chain moves to a second stage that breaks out of the Safari sandbox and escalates privileges. It pairs CVE‑2023‑41991, a signature‑validation bypass in Apple's Security framework (used in the chain to defeat pointer authentication), with CVE‑2023‑41992, a local privilege‑escalation bug in the XNU kernel.
This stage exposes kernel memory read and write to a third‑stage payload tracked as PREYHUNTER.
PREYHUNTER consists of “helper” and “watcher” modules that verify the victim device, avoid analysis, and perform early surveillance such as VoIP recording, keylogging, and camera capture while hiding notifications from the user.
Infection and PREYHUNTER Behavior
The PREYHUNTER helper module communicates with other components via a Unix socket at /tmp/helper.sock, then installs hooks through internal frameworks named DMHooker and UMHooker.
These hooks attach to sensitive paths and services, enabling audio capture, input logging, and covert checks before a full Predator implant is dropped.
A simplified view of its socket setup looks like this (the original snippet, made compilable: headers added, straight quotes, a bounded copy into sun_path, and a stale‑file unlink before bind):
#include <sys/socket.h>
#include <sys/un.h>
#include <string.h>
#include <unistd.h>

int fd = socket(AF_UNIX, SOCK_STREAM, 0);
struct sockaddr_un addr = {0};
addr.sun_family = AF_UNIX;
strncpy(addr.sun_path, "/tmp/helper.sock", sizeof(addr.sun_path) - 1);
unlink(addr.sun_path); /* bind() fails with EADDRINUSE if a stale socket file remains */
bind(fd, (struct sockaddr *)&addr, sizeof(addr));
listen(fd, 5);
The watcher module continuously scans for signs of research or debugging: developer mode, jailbreak and instrumentation tools such as frida and checkra1n, security apps such as McAfee and AvastMobileSecurity, custom root CAs, and HTTP proxies. If any of these are present, the chain halts to reduce forensic traces.

The three vulnerabilities in the chain:

CVE            | Type                                      | Component / Vendor              | Role in chain                                              | Outcome
CVE-2023-41993 | Remote code execution (RCE)               | WebKit (Safari) / Apple iOS     | Initial browser compromise via JSKit                       | Code execution in the Safari renderer
CVE-2023-41991 | Signature-validation bypass (PAC bypass)  | Security framework / Apple iOS  | Defeats pointer authentication ahead of the kernel stage   | Clears the path for sandbox escape and kernel exploitation
CVE-2023-41992 | Local privilege escalation                | XNU kernel / Apple iOS          | Kernel privilege elevation                                 | Kernel read/write handed to PREYHUNTER

This careful staging, combined with kernel‑level access, shows a mature ecosystem where exploit developers, brokers, and spyware operators collaborate to keep iOS surveillance campaigns stealthy and persistent.
The post iOS Zero-Day Exploit Chain Leveraged by Mercenary Spyware for Device Surveillance appeared first on Cyber Security News.



