Skip to main content
Threat Radar animated logo
DashboardThreatsMapFeedsAPILifetime Access
reconnecting
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

OSINT - Cytrox Spyware Indicators of Compromise

0
Low
Malwaretype:osintosint:lifetime="perpetual"osint:certainty="50"tlp:whitemisp-galaxy:surveillance-vendor="cytrox"
Published: Sun Jan 30 2022 (01/30/2022, 00:00:00 UTC)
Source: CIRCL
Vendor/Project: type
Product: osint

Description

OSINT - Cytrox Spyware Indicators of Compromise

AI-Powered Analysis

AILast updated: 06/18/2025, 19:34:21 UTC

Technical Analysis

The provided information pertains to OSINT (Open Source Intelligence) indicators of compromise related to Cytrox spyware, a surveillance malware family. Cytrox spyware is known to be used for targeted surveillance operations, often by state-sponsored actors. This particular entry is an OSINT report from CIRCL, dated January 30, 2022, describing indicators of compromise (IOCs) associated with Cytrox spyware. The report does not specify affected software versions or detailed technical indicators, and no known exploits in the wild are reported. The threat level is marked as '3' with an analysis score of '2', indicating moderate concern but limited confirmed impact or exploitation. Cytrox spyware typically targets mobile devices and is capable of extensive data exfiltration, including access to communications, location data, and device sensors. The lack of detailed technical data or patches suggests this is an intelligence report rather than a vulnerability advisory. The certainty of the information is moderate (50%), and the threat is categorized as low severity by the source. The spyware is linked to surveillance vendors, indicating its use in espionage or intelligence gathering rather than widespread cybercrime. Overall, this OSINT report highlights the presence and potential indicators of Cytrox spyware infections but does not provide actionable technical details or evidence of active exploitation campaigns at the time of publication.

Potential Impact

For European organizations, the primary impact of Cytrox spyware would be on confidentiality and privacy, especially for entities involved in sensitive communications, such as government agencies, diplomatic missions, journalists, human rights organizations, and critical infrastructure operators. The spyware's ability to exfiltrate sensitive data could lead to espionage, loss of intellectual property, and compromise of personal data. Although no widespread exploitation is reported, targeted attacks could undermine trust in mobile communications and pose risks to national security and privacy compliance under GDPR. The low reported severity and absence of known exploits suggest limited immediate risk to the broader European enterprise environment. However, high-value targets within Europe could face significant consequences if infected, including reputational damage and operational disruption. The spyware's stealthy nature complicates detection and remediation, increasing the potential long-term impact if infections go unnoticed.

Mitigation Recommendations

Given the lack of specific technical indicators or patches, mitigation should focus on proactive detection and prevention strategies tailored to spyware threats like Cytrox. European organizations should: 1) Implement advanced mobile threat defense solutions capable of detecting spyware behaviors and anomalies on mobile devices. 2) Enforce strict mobile device management (MDM) policies, including restricting installation of untrusted applications and enforcing regular security updates. 3) Conduct threat hunting exercises using available OSINT indicators and behavioral analytics to identify potential infections. 4) Educate users on phishing and social engineering tactics commonly used to deliver spyware payloads. 5) Collaborate with national cybersecurity centers and intelligence agencies to share threat intelligence and receive updated IOCs. 6) Employ network monitoring to detect unusual outbound traffic patterns indicative of data exfiltration. 7) Regularly audit and harden mobile device configurations, including disabling unnecessary sensors or permissions that spyware could exploit. These measures go beyond generic advice by focusing on mobile-specific defenses and intelligence sharing, critical for combating sophisticated spyware threats like Cytrox.

Affected Countries

GermanyGermany
FranceFrance
United KingdomUnited Kingdom
ItalyItaly
SpainSpain
BelgiumBelgium
NetherlandsNetherlands
PolandPoland
Need more detailed analysis?Upgrade to Pro Console

Technical Details

Threat Level
3
Analysis
2
Uuid
4b475a5f-ea47-4f2f-aea3-d8ba9bd1b6b6
Original Timestamp
1643539206

Indicators of Compromise

Domain

ValueDescriptionCopy
domainkoenigseggg.com
domainbitlly.live
domainnewslive2.xyz
domainuberegypt.cn.com
domainyuom7.net
domainconnectivitycheck.online
domainwebaffise.com
domainffoxnewz.com
domainminiiosapps.xyz
domainaudit-pvv.com
domainorangegypt.co
domainyouarefired.xyz
domainaramexegypt.com
domainmozillaupdate.xyz
domainsafelyredirecting.digital
domainmycoffeeshop.shop
domainbookjob.club
domainyoutubewatch.co
domaindownload4you.xyz
domaincyber.country
domainitcgr.live
domaingetsignalapps.live
domainclockupdate.com
domainupdateservice.center
domaincrashonline.site
domainspeedymax.shop
domainsafelyredirecting.com
domainlylink.online
domainferrari.gr.com
domaintelecomegy-ads.com
domaintw.itter.me
domaininstagam.click
domaindistedc.com
domainalraeesnews.net
domainbitlinkin.xyz
domainewish.cards
domainsniper.pet
domainwtc1111.com
domainnewsbeast.gr.com
domainin-politics.com
domainwtc2222.com
domainicloudflair.com
domainomanreal.net
domainlexpress.me
domainchatwithme.store
domainlink-m.xyz
domainefsyn.online
domainmitube1.link
domainupdete.xyz
domainweathersite.online
domainllinkedin.net
domainapi-telecommunication.com
domain2y4nothing.xyz
domainupdates4you.xyz
domainfastuploads.xyz
domainkormoran.bid
domainjquery-updater.xyz
domainsynctimestamp.com
domainbmw.gr.com
domaininsider.gr.com
domainsmsuns.com
domainuservicescheck.com
domainconnectivitycheck.live
domainnewzeto.xyz
domainhellasjournal.website
domaindanas.bid
domainenikos.news
domainnabd.site
domainquickupdates.xyz
domaintrecv.xyz
domainwe-site.net
domaingetsignalapps.com
domainbi.tly.gr.com
domainkinder.engine.ninja
domainnemshi-news.live
domainyo.utube.to
domaininstagam.in
domainsvetovid.bid
domainvodafoneegypt.tech
domaincellconn.net
domainsolargroup.xyz
domainyoutubesyncapi.com
domainancienthistory.xyz
domaingoldenscint.com
domainspeedygonzales.xyz
domainliponals.store
domainaltsantiri.news
domainviva.gr.com
domainsinai-new.com
domaineagerfox.xyz
domainweathear.live
domainadibjan.net
domainalpineai.uk
domainlivingwithbadkidny.xyz
domainespressonews.gr.com
domainolexegy.com
domainblacktrail.xyz
domainyout.ube.gr.com
domainleanwithme.xyz
domainapps-ios.net
domainbi.tly.link
domainfbc8213450838f7ae251d4519c195138.xyz
domainfisherman.engine.ninja
domainpolitique-koaci.info
domainadultpcz.xyz
domainyoutube.gr.live
domainyallakora-egy.com
domainandroid-apps.tech
domaininstagam.photos
domainflexipagez.com
domainereportaz.news
domainkohaicorp.com
domainmd-news-direct.com
domainworldnws.xyz
domainlandingpge.xyz
domainetisalatgreen.com
domainlamborghini-s.shop
domainnemshi-news.xyz
domainteslal.shop
domainhellasjournal.company
domainbbcsworld.com
domainfireup.xyz
domaingoldenscent.net
domainyoutu-be.net
domaintrkc.online
domainniceonesa.net
domainapi-apple-buy.com
domainmifcbook.link
domainsymoty.com
domaincut.red
domaindragonair.xyz
domainupdatetime.zone
domainshortenurls.me
domainqwxzyl.com
domaininvoker.icu
domainnassosblog.gr.com
domainyoutube.voto
domainhopnope.xyz
domainmyutbe.net
domainshortmee.one
domainalmasryelyuom.com
domainyoutub.app
domainelpais.me
domainactumali.org
domainbit-li.ws
domainfimes.gr.com
domainps2link.xyz
domaintribune-mg.xyz
domainbumabara.bid
domainsimetricode.uk
domainps1link.xyz
domainhellottec.art
domainstonisi.news
domainxf.actor
domainikea-egypt.net
domainbit-ly.link
domaintly.link
domainnikjol.xyz
domainegyqaz.com
domainios-apps.store
domainserviceupdaterequest.com
domaintovima.live
domainwha.tsapp.me
domainbusinesnews.net
domaintiol.xyz
domainmobnetlink1.com
domainshortxyz.com
domainube.gr.com
domainteslali.com
domainiibt.xyz
domainkranos.gr.com
domainsolargoup.xyz
domaincarrefourmisr.com
domain5m5.io
domainpronews.gr.com
domainshortwidgets.com
domainpocopoc.xyz
domaincharmander.xyz
domainenigmase.xyz
domainxnxx-hub.com
domainproupload.xyz
domaincloudstatistics.net
domainburgerprince.us
domaininfosms-a.site
domainheiiasjournai.com
domaincitroen.gr.com
domainebill.cosmote.center
domainckforward.one
domainsyncupdate.site
domainshortely.xyz
domaincanyouc.xyz
domainsuzuki.gr.com
domainmakeitshort.xyz
domainamazing.lab
domainprotothema.live
domaintinyurl.cloud
domainconlnk.one
domaintimeupdate.xyz
domainlocalegem.net
domaintesla-s.shop
domainbityl.me
domainxyvok.xyz
domainwtc3333.com
domainitly.link
domainheaven.army
domainpdfviewer.app
domainteslal.xyz
domainnemshi.net
domainbank-alahly.com
domainsyncservices.one
domainsportsnewz.site
domainbit-ly.org
domainnewzgroup.xyz
domainguardian-tt.me
domainzougla.news
domainwavekli.xyz
domainfastdownload.me
domainiosmnbg.com
domainoilgy.xyz
domainlinkit.cloud
domainurl-tiny.app
domainvodafonegypt.com
domaincbbc01.xyz
domaingoldescent.com
domainbitlyrs.com
domainniceonase.com
domainlink-protection.com
domainconnectivitychecker.com
domainurl-promo.club
domainforwardeshoptt.com
domainuservicesforyou.com
domainplayestore.net
domainadvertsservices.com
domainservers-mobile.info
domainmobnetlink2.com
domainguardnew.live
domainsepenet.gr.com
domainz2adigital.cloud
domaininstegram.co
domainbrowsercheck.services
domainstatic-graph.com
domaincnn.gr.com
domainshorten.fi
domaincelebrnewz.xyz
domainlifestyleshops.net
domainpastepast.net
domainsnapfire.xyz
domainomeega.xyz
domainkoora-egypt.com
domainetisalategypt.tech
domainyo.utube.digital
domainsextape225.me
domainsupportset.net
domaingetupdatesnow.xyz
domainprmopromo.com
domainilnk.xyz
domaintsrt.xyz
domainaffise.app
domaintelenorconn.com
domainmobnetlink3.com
domainzougla.gr.com
domainmyfcbk.net
domainz2a.digital
domainengine.ninja
domaingosokm.com
domainz2digital.cloud
domainutube.digital
domainmlinks.ws
domainredeitt.com
domainupdatingnews.xyz
domainlimk.one
domainnissan.gr.com
domainsports-mdg.xyz
domainpolitika.bid
domainsephoragroup.com
domainmsas.ws
domainorchomenos.news
domainmywebsitevpstest.xyz
domainnovosti.bid
domaintwtter.net
domainnabde.app
domainaddons.news
domainlexpress-mg.xyz
domainredirecting.live
domainmytrips.quest
domainbitt.fi
domainlandingpg.xyz
domainlnkedin.org
domainlinktothisa.xyz
domainadservices.gr.com
domaintimestampsync.com
domainolxeg.com
domainbit-li.com
domainweathernewz.xyz
domainlinkit.digital
domainonlineservices.gr.com
domainguardnews.live
domaintrecvf.xyz
domainspeedy.sbs
domainadvfb.xyz
domainqwert.xyz
domainalraeeenews.com
domainsitepref.xyz
domaincovid19masks.shop
domaintly.gr.com
domaincloudtimesync.com
domaintinylinks.live
domainitter.me
domainbity.ws
domaintgrthgsrgwrthwrtgwr.xyz
domainicloudeu.com
domainotaupdatesios.com
domainapplepps.com
domainpaok-24.com
domaininservices.digital
domaintinyulrs.com
domaintiny.gr.com
domainnetworkenterprise.net
domaintimeupdateservice.com
domainkathimerini.news
domainatheere.com
domainhempower.shop
domaineg-gov.org

File

ValueDescriptionCopy
file/data/local/tmp/wd/
file/data/local/tmp/wd/fs.db
file/private/var/tmp/hooker
file/private/var/tmp/takePhoto
file/private/var/tmp/UserEventAgent
file/private/var/tmp/com.apple.WebKit.Networking
filecytrox.stix2

Text

ValueDescriptionCopy
textSTIX 2.1
textSTIX 2.0
textThis repository contains network and device indicators of compromised (IoCs) related to the IOS and Android spyware tools developed by the cyber-surveillance company Cytrox. These indicators were first published in December 2021 by Meta in their Threat Report on the Surveillance-for-Hire Industry and by Citizen Lab in their report Pegasus vs. Predator - Dissident’s Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware. Additional indicators of compromise were identified by the Amnesty Tech Security Lab as part of an independent investigation.
textReport

Stix2 pattern

ValueDescriptionCopy
stix2-pattern[configuration-profile:id='76DAB334-7E17-475D-A5D6-0794EB5818A5']

Link

ValueDescriptionCopy
linkhttps://github.com/AmnestyTech/investigations/tree/master/2021-12-16_cytrox

Threat ID: 682b81048ee1a77b717bca41

Added to database: 5/19/2025, 7:05:40 PM

Last enriched: 6/18/2025, 7:34:21 PM

Last updated: 2/7/2026, 10:14:35 PM

Views: 63

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Related Threats

ThreatFox IOCs for 2026-02-06

Medium
MalwareSat Feb 07 2026

ThreatFox IOCs for 2026-02-05

Medium
MalwareFri Feb 06 2026

ThreatFox IOCs for 2026-02-04

Medium
MalwareThu Feb 05 2026

ThreatFox IOCs for 2026-02-03

Medium
MalwareWed Feb 04 2026

Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users

Low
MalwareTue Feb 03 2026

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Search on Google

Need more coverage?

Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats