This repository contains network and device indicators of compromise (IoCs) related to the iOS and Android spyware tools developed by the cyber-surveillance company Cytrox. These indicators were first published in December 2021 by Meta in their Threat Report on the Surveillance-for-Hire Industry and by Citizen Lab in their report Pegasus vs. Predator - Dissident’s Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware. Additional indicators of compromise were identified by the Amnesty Tech Security Lab as part of an independent investigation.
The STIX2 file can be used with the Mobile Verification Toolkit to look for potential signs of compromise on Android phones and iPhones.
It includes the following files:
- config_profiles.txt: UUIDs of suspicious configuration profiles dropped by the Cytrox spyware
- cytrox.stix2: STIX2 file containing all indicators
- domains.txt: list of Cytrox domains
- file_paths.txt: file paths for Cytrox payloads on disk on Android and iOS
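As an added illustration of how a STIX2 indicator file like the one above is consumed by a checker such as MVT, the script below (example code written for this README, not part of the repository or of MVT) parses simple STIX 2.1 comparison patterns from a bundle and matches them against artifacts collected from a device. The bundle contents, domain, file path and artifact values are constructed placeholders, not real Cytrox indicators; the pattern grammar handled is the single-comparison form `[object:property = 'value']` only.

```python
import json
import re
from collections import defaultdict

# Constructed sample bundle in the layout of a STIX2 indicator file.
# Values are placeholders, not real indicators from this repository.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "name": "example-domain",
         "pattern": "[domain-name:value = 'placeholder-c2.example']"},
        {"type": "indicator", "name": "example-file",
         "pattern": "[file:path = '/private/var/tmp/placeholder.bin']"},
        {"type": "malware", "name": "not-an-indicator"},  # must be skipped
    ],
})

# Single comparison: [object:property = 'value'], quotes may be escaped.
PATTERN_RE = re.compile(
    r"^\[\s*([\w-]+):([\w.-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$")


def load_indicators(bundle_json):
    """Return {(object_type, property): {value: indicator_name}}."""
    indicators = defaultdict(dict)
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware/identity objects carry no pattern to match
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue  # compound or unsupported patterns are ignored here
        obj_type, prop, value = m.groups()
        indicators[(obj_type, prop)][value.replace("\\'", "'")] = obj.get("name", "")
    return indicators


def match_artifacts(indicators, artifacts):
    """artifacts: iterable of (object_type, property, value) from a device."""
    hits = []
    for obj_type, prop, value in artifacts:
        name = indicators.get((obj_type, prop), {}).get(value)
        if name is not None:
            hits.append((obj_type, prop, value, name))
    return hits


# Constructed artifacts, e.g. from a DNS cache export and a filesystem listing.
SAMPLE_ARTIFACTS = [
    ("domain-name", "value", "placeholder-c2.example"),
    ("domain-name", "value", "apple.com"),
    ("file", "path", "/private/var/tmp/placeholder.bin"),
    ("file", "path", "/usr/bin/ls"),
]

if __name__ == "__main__":
    for hit in match_artifacts(load_indicators(SAMPLE_BUNDLE), SAMPLE_ARTIFACTS):
        print("MATCH", hit)
```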