An Israel-based company's spyware has been used against journalists, opposition figures and advocacy organizations across at least 10 countries, including people in North America and Europe, according to two separate reports from digital forensics outfit Citizen Lab and Microsoft’s Threat Intelligence team.
Citizen Lab has been able to identify at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East whose iPhones had been compromised in 2021 using surveillance software developed by the Israeli vendor QuaDream Ltd.
The researchers said the hacks were likely carried out with an iOS zero-click exploit they dubbed “ENDOFDAYS”, used to deploy the spyware. The suspected exploit appears to abuse invisible iCloud calendar invitations sent from the spyware’s operator to victims; because the invitation is processed by the device without any user interaction, the target has nothing to click and nothing visible to notice.
“The exploit was deployed as a zero-day against iOS versions 14.4 and 14.4.2, and possibly other versions,” Citizen Lab researchers noted, adding that they discovered operator locations for QuaDream systems, including servers for receiving data and deploying exploits, operated from Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates and Uzbekistan.
Microsoft is tracking this threat actor as DEV-0196, describing it as a private sector offensive actor (PSOA). QuaDream reportedly sells a platform it calls REIGN to governments for law enforcement purposes. REIGN is a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices. Microsoft’s team calls the iOS malware it analyzed KingsPawn (the implant that Citizen Lab’s ENDOFDAYS exploit is believed to deliver) and assesses that it is part of the REIGN platform.
KingsPawn consists of two Mach-O files: a monitor agent written in Objective-C and the primary malware agent written in Go.
The monitor agent is responsible for reducing the forensic footprint of the malware to evade detection and hinder investigation.
The main agent includes a range of capabilities to gather device information, cellular and Wi-Fi data, search and retrieve files, access the camera in the background, access location, monitor call logs, access the iOS Keychain, and generate an iCloud time-based one-time password (TOTP).
“The captured samples targeted iOS devices, specifically iOS 14, but there were indications that some of the code could also be used on Android devices. Since the malware sample targets iOS 14, some of the techniques used in this sample may no longer work or be relevant on newer iOS versions. However, we assess it’s highly likely that DEV-0196 will have updated their malware, targeting newer versions to account for this,” Microsoft’s analysts wrote.
In February 2022, Reuters reported that QuaDream had used the same iPhone exploit, FORCEDENTRY, that another Israeli surveillance firm, NSO Group, was using at the time, and that QuaDream deployed it to install its REIGN spyware.