top of page

Threat actors using QuaDream hacking tools target at least five members of civil society

A group of researchers from the Citizen Lab has found that at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East have been targeted by threat actors using hacking tools from an Israeli surveillanceware vendor named QuaDream. The spyware campaign, which was directed against journalists, political opposition figures, and an NGO worker in 2021, is suspected to have leveraged a quirk in iOS 14 that any iCloud calendar invitation with a backdated time received by the phone is automatically processed and added to the users' calendar without any notification or prompt. The names of the victims have not been disclosed. The researchers believe that the attacks were carried out using a zero-click exploit dubbed ENDOFDAYS, which allows the spyware to be deployed as a zero-day in versions 14.4 and 14.4.2 of iOS. While there is no evidence that the exploit has been used after March 2021, the researchers say that the .ics files containing the invisible iCloud calendar invitations sent from the spyware's operator to victims are designed to not alert the users. The Microsoft Threat Intelligence team is tracking QuaDream as DEV-0196, describing it as a private sector offensive actor (PSOA) that is known to sell its "exploitation services and malware" to government customers. While the company is not directly involved in targeting, the tech giant assessed with high confidence that it is involved in the QuaDream spyware campaign.


bottom of page