On May 3, 2024 — World Press Freedom Day, because irony is never subtle — Angolan journalist Teixeira Cândido received a WhatsApp message. Someone claiming to represent Angolan students wanted to discuss “socioeconomic development.”

He clicked the link. Within 24 hours, his iPhone was running Predator.

Cândido isn’t some random blogger. He’s a lawyer, former Secretary General of the Syndicate of Angolan Journalists (SJA), and works at Radio Essencial in Luanda. Exactly the kind of target a government would want eyes on.

His words: “I literally felt naked! It’s as if someone I don’t know had stripped me naked in public.”

More malicious links followed in the weeks after. He didn’t click those.

Amnesty International’s Security Lab — working alongside Friends of Angola and Front Line Defenders — performed forensic analysis on Cândido’s device.

What they found:

• Predator impersonated legitimate iOS system processes to stay hidden
• Infection servers matched previously known Intellexa infrastructure
• Multiple Angola-specific domains were linked to the spyware operation
• The infection lasted less than 24 hours before a device restart cleared it (Predator doesn’t survive reboots on iOS by default)

But here’s the thing nobody mentions: Amnesty found multiple domains targeting Angola, suggesting Cândido is likely one of many victims. He’s just the one they can prove.

The WhatsApp link that got Cândido is old-school one-click. Predator’s newer trick is far worse.

Aladdin, first deployed in 2024 and still operational, embeds exploits inside normal mobile advertisements. The attack chain:

1. Intellexa’s customer identifies a target’s device profile
2. Malicious ad is injected into the programmatic ad ecosystem
3. Ad gets served on any website or app the target visits — news sites, weather apps, anything with ads
4. Target sees the ad (doesn’t need to click)
5. Browser exploit fires — Chrome on Android, Safari on iOS
6. Predator payload downloads silently

They also have Mars and Jupiter — network injection systems requiring ISP cooperation. Three separate infection vectors for three different operational scenarios.

December 2025 leaks (“Intellexa Leaks”) revealed something even more disturbing: Intellexa staff could remotely access client systems and the data those clients collected. The spyware vendor was spying on its own customers.

The Angolan government’s reaction was predictably hollow:

• General Prosecutor’s Office: “No knowledge of such situations”
• Presidential Spokesperson: No knowledge of spyware use
• Interior Ministry: Declined comment

Meanwhile, under President João Lourenço’s second term (since 2022), Angola has passed:

• A National Security Law enabling telecom/internet disruption (2024)
• A vandalism law criminalizing documentation of law enforcement activities (2024, partially struck down)
• A proposed false information law and expanded cybersecurity surveillance with limited court oversight (2026)

National elections are scheduled for August 2027. Draw your own conclusions about the timing.

The U.S. added Intellexa to its Entity List in 2023. Sanctioned Tal Dilian and associates in 2024. Google documented Intellexa exploiting CVE-2025-6554 in Saudi Arabia in June 2025 — after sanctions.

And in December 2025, the U.S. quietly removed three individuals from the sanctions list. Congressional members raised concerns. The spyware kept running.

Intellexa’s corporate structure spans multiple jurisdictions — Ireland, North Macedonia, Hungary, Greece. Cut one head, another appears. The consortium model is specifically designed to survive regulatory pressure.

Recent accountability cases show the legal landscape is shifting, slowly:

• January 2026: UK court ordered Saudi Arabia to pay £3M+ to a dissident targeted with NSO’s Pegasus
• 2025: California judge ordered NSO to stop targeting WhatsApp users
• Ongoing: Greek trial over Predator targeting of journalist Thanasis Koukakis

The market for affordable mobile forensic analysis is almost empty. Amnesty’s MVT (Mobile Verification Toolkit) is open-source but requires technical skill to run. There’s a real gap between “free but complicated” and “$50K/year enterprise MDM.”

Build lightweight apps or services that check for known spyware indicators — Predator’s iOS process impersonation patterns, suspicious network connections to known C2 infrastructure, anomalous battery/data usage.

Example: Solo dev in Prague, Czech Republic forked MVT into a simplified GUI tool for journalists, partnered with 3 press freedom NGOs, now runs a $4K/month SaaS for newsrooms across 12 countries.

Timeline: 2-3 months to MVP if you understand mobile forensics. Faster if you wrap existing tools in better UX.

Every journalist, activist, and NGO worker in authoritarian-leaning countries needs operational security guidance. Most don’t have it. The demand is massive and the supply is thin — especially outside English-speaking markets.

Package Lockdown Mode setup, hardened device configurations, secure communication protocols, and incident response plans. Price it on a sliding scale — funded NGOs pay full rate, independent journalists get subsidized.

Example: Infosec consultant in Nairobi, Kenya built a 2-day OPSEC workshop for East African journalists, delivered virtually. Charges $2,500 per workshop for funded organizations, runs monthly. Revenue: ~$7.5K/month with 3 sessions.

Timeline: Immediate if you already have the knowledge. 1 month to build curriculum and find first clients through press freedom networks.

Amnesty found Predator infrastructure by mapping domains and C2 servers. This kind of threat intelligence work can be productized. Governments and telecom providers in target countries would pay for continuous monitoring of known spyware infrastructure touching their networks.

Track Intellexa (and NSO, Candiru, QuaDream) domain registrations, SSL certificates, IP ranges. Sell alerts when new infrastructure appears in a client’s region.

Example: Two-person threat intel team in Tallinn, Estonia built automated scanners tracking Predator and Pegasus infrastructure patterns. Sells monthly reports to 8 telecom companies and 3 government CERTs. Revenue: ~€15K/month combined.

Timeline: 1-2 months to build initial scanning infrastructure. 3-4 months to land first paying clients through CERT networks.

Aladdin turns mobile ads into attack vectors. Standard ad blockers help but aren’t designed to detect exploit-laden ads specifically. There’s room for a specialized tool that analyzes ad content for suspicious redirects, fingerprinting scripts, and known exploit delivery patterns.

This could be a browser extension, a DNS-level filter, or a VPN-layer inspection tool. The angle isn’t “block ads for convenience” — it’s “block ads that might be weaponized.”

Example: Privacy startup in Bucharest, Romania built a Pi-hole fork with curated blocklists specifically targeting known spyware ad-delivery domains. Open-sourced the core, sells managed enterprise version. 400+ installs at NGOs, €3K/month in managed service revenue.

Timeline: 2-4 weeks for a DNS blocklist approach. 2-3 months for a full browser-level solution.