KingsPawn from QuaDream Spyware Threat
KingsPawn, a spyware developed and sold by QuaDream based on digital offensive technology to governments. Its spyware, named Reign, uses zero-click exploits to infiltrate the mobile devices of civil society victims. In this article you will learn how QuaDream works, who its Cyber victims and customers have been, and how to protect yourself from this type of dangerous spyware
To learn more about the potential dangers of KingsPawn spyware, read “QuaDream: Spyware That Targets Civil Society.” Stay informed by browsing our constantly updated topics
QuaDream: KingsPawn spyware vendor shutting down in may 2023
QuaDream was a company that sold digital offensive technologies to governments. Its main product, Reign, was a spyware that used zero-click exploits to hack mobile devices. A few months after Pegasus, a similar spyware by NSO Group, Microsoft and Citizen Lab found QuaDream’s Reign / KingsPawn spyware and its victims worldwide.
However, in May 2023, QuaDream stopped its activitiesMay 2023, QuaDream stopped its activities, due to the Israeli government’s restrictions on its spyware export. QuaDream had developed other espionage technologies, such as ENDOFDAYS, that it sold to foreign governments, like Morocco, Saudi Arabia, Mexico, Ghana, Indonesia and Singapor.
QuaDream tried to sell its assets to other players, but the Israeli government blocked them It is unknown if the spyware KingsPawn is still active and used, or who controls it. Therefore, it is advised to be vigilant and protect your data with reliable security solutions.
How QuaDream’s Exploits KingsPawn her Spyware Work
According to Microsoft, QuaDream has an arsenal of exploits and malware that it calls KingsPawn. It includes a suspected exploit for iOS 14, named ENDOFDAYS, that seems to use invisible iCloud calendar invitations sent by the spyware operator to the victims. This exploit was deployed as a zero-day against iOS 14.4 and 14.4.2 versions, and maybe others.
The KingsPawn spyware is designed to exfiltrate data from the infected devices, such as contacts, messages, photos, videos, audio recordings, location data, browser information and app data. The malware communicates with command and control (C2) servers via encrypted protocols and uses evasion techniques to avoid detection.
How the KingsPawn spyware infects phones
The main infection vector of KingsPawn is the ENDOFDAYS exploit, which does not require any user interaction to execute. The spyware operator sends an invisible iCloud calendar invitation to the target’s phone number or email address. The invitation contains a malicious link that triggers the exploit when the phone processes the notification. The exploit then downloads and installs the KingsPawn malware on the device, without the user’s knowledge or consent.
The spyware operator can also use other methods to deliver the malicious link, such as phishing emails, SMS, social media messages, or fake websites. However, these methods require the user to click on the link, which reduces the chances of success.
The following table summarizes the main features and characteristics of the KingsPawn malware:
|Full access to device data and functions
|Data exfiltration, audio recording, camera capture, location tracking, file search, keychain access, iCloud password generation, self-deletion
|Encrypted TCP and UDP protocols
|Multiple domains and IP addresses, some located in Israel, Bulgaria, Czech Republic, Hungary, Ghana, Mexico, Romania, Singapore, UAE, and Uzbekistan
|At least five civil society actors, including journalists, political opponents, and an NGO worker, in North America, Central Asia, Southeast Asia, Europe, and the Middle East
|Several governments, some with poor human rights records, such as Singapore, Saudi Arabia, Mexico, Ghana, Indonesia, and Morocco
How to Detect KingsPawn
KingsPawn is a stealthy and sophisticated malware that can evade most antivirus and security software. However, there are some signs and symptoms that can indicate a possible infection, such as:
- Unusual battery drain or overheating of the device
- Increased data usage or network activity
- Unexpected pop-ups or notifications
- Changes in device settings or behavior
- Presence of unknown apps or files
If you notice any of these signs, you should scan your device with a reliable antivirus or security app, such as Malwarebytes or Norton. These apps can detect and remove KingsPawn and other malicious software from your device.
How to Protect Against KingsPawn
If you suspect that your device is infected by KingsPawn, you should take the following steps to remove it and protect your data:
- Disconnect your device from the internet and any other networks
- Backup your important data to a secure external storage
- Perform a factory reset of your device to erase all data and settings
- Restore your device from a clean backup or set it up as a new device
- Update your device to the latest version of iOS and install security patches
- Change your passwords and enable two-factor authentication for your online accounts
- Avoid clicking on suspicious links or opening attachments from unknown sources
- Use a reputable antivirus or security app to scan your device regularly
These steps will help you to get rid of KingsPawn and prevent it from infecting your device again. However, you should also be aware of the risks of using unsecured email services, such as iCloud web mail, which can be compromised by hackers or spyware. To protect your emails and other sensitive data, you should use a technology that encrypts your data with a hardware security module (HSM), such as EviCypher NFC HSM or DataShielder HSM PGP.
Who Are the Victims and Customers of QuaDream?
Citizen Lab, a research lab at the University of Toronto, identified at least five civil society victims of the spyware and exploits of QuaDream in North America, Central Asia, Southeast Asia, Europe and the Middle East. The victims include journalists, political opponents and a worker of a non-governmental organization (NGO). Citizen Lab did not reveal the names of the victims for security reasons, but one of them agreed to share his testimony anonymously:
I was shocked when I learned that my phone was infected by QuaDream. I had no idea tat they were targeting me. I work for a human rights NGO and I have been involved in several campaigns to denounce the abuses of authoritarian regimes. I fear that they have accessed my personal and professional data, and that they have compromised my contacts and sources.
Citizen Lab also detected QuaDream servers operated from Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE) and Uzbekistan. These countries could be potential or current customers of QuaDream, which sells its Reign platform to governments for law enforcement purposes. Media reports indicate that QuaDream sold its products to Singapore, Saudi Arabia, Mexico and Ghana, and offered its services to Indonesia and Morocco.
What Is the Link Between QuaDream and InReach?
QuaDream had a partnership with a Cypriot company called InReach, with which it is currently in legal dispute. The two companies accused each other of fraud, theft of intellectual property and breach of contract. Several key people associated with both companies have previous links with another surveillance provider, Verint, as well as with Israeli intelligence agencies.
Microsoft and Citizen Lab shared information about QuaDream with their customers, industry partners and the public, to improve the collective knowledge of how PSOAs (private sector offensive actors) operate and how they facilitate the targeting and exploitation of civil society. Microsoft calls for stricter regulation of PSOAs and increased protection of human rights in cyberspace.
QuaDream is a new spyware vendor that poses a serious threat to civil society. Its spyware, named Reign, uses zero-click exploits to infiltrate the mobile devices of civil society victims. QuaDream has sold its products to several governments, some of which have a poor record of human rights. QuaDream is also involved in a legal dispute with another company, InReach, over the ownership of the spyware technology. The international community should be aware of the dangers of QuaDream and other PSOAs, and take action to prevent their abuse.