A phone belonging to a prominent Angolan journalist and press freedom advocate was infected with Predator spyware in May 2024, marking the first documented instance of the tool’s use in the country, according to a report released Wednesday by Amnesty International.
The finding is the latest evidence that despite being placed on the U.S. government’s Entity List in July 2023, Predator manufacturer the Intellexa Consortium has continued to operate in the shadows. Being placed on the Entity List imposes strict licensing and other requirements on companies attempting to do business in the U.S. and can be crippling to companies’ overall operations.
Intellexa executives and consultants also were sanctioned by the Biden administration in September 2024, but the Trump administration delisted three of them in December.
Predator is a powerful spyware that has been abused by governments worldwide to target civil society leaders. In October 2023, Amnesty International and partner organizations published the Predator Files, an investigation which showed that Predator had been used to target the president of the European Parliament, the president of Taiwan and U.S. officials, among many others.
The Angolan journalist whose phone was infected, Teixeira Cândido, told Amnesty he feels “naked knowing that I was the target of this invasion of my privacy. I don’t know what they have in their possession about my life.” It is unclear who is behind the attack, Amnesty said in a press release.
Cândido received several WhatsApp messages on his iPhone from an unknown Angolan number from April to June 2024, Amnesty said. He clicked on a malicious link on May 4 and Predator was installed. The spyware was removed later that evening when the phone was restarted.
The attacker sent 11 more infection links in the following weeks, Amnesty said, but they all failed because they weren’t opened.
Forensic traces of the installation along with known Predator infection domains used in the infection links led Amnesty researchers to attribute the attack to Predator.
The attacker used social engineering techniques to get Cândido to click on the link by pretending to be a student interested in Angolan social and economic affairs, according to Amnesty.
After initially “building rapport,” the press release said, the attacker sent a series of links which pretended to “direct to news and seemingly genuine websites.”
In December 2025, Amnesty researchers found a device belonging to a human rights lawyer in Pakistan’s Balochistan province had been targeted with Predator via links sent through WhatsApp during the summer of 2025.
Recorded Future
Intelligence Cloud.
No previous article
No new articles
Suzanne Smalley
is a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.
