FinSpy espionage tool has been discovered in Myanmar users


One of the most powerful, infamous, and advanced pieces of government-grade commercial surveillance spyware, dubbed FinSpy – also known as FinFisher – has been discovered in the wild targeting users in Myanmar.

Created by the German company Gamma International, FinSpy is spying software that can target various mobile platforms, including iOS and Android, as well as desktop operating systems.

Gamma Group reportedly sells its controversial FinSpy espionage tool exclusively to government agencies across the world, but it has also gained notoriety for targeting human rights activists in many countries.

The FinSpy implant is capable of stealing an extensive amount of personal information from targeted mobile devices, such as SMS/MMS messages, phone call recordings, emails, contacts, pictures, files, and GPS location data.

Malware features


FinSpy for iOS is able to monitor almost all device activities, including recording VoIP calls made via external apps such as Skype or WhatsApp.

The targeted applications include secure messengers such as Threema, Signal and Telegram.

However, this functionality is achieved by leveraging Cydia Substrate’s hooking functionality, so the implant can only be installed on jailbroken devices (iPhone or iPad; iPod has not been confirmed) compatible with iOS 11 and below (newer versions were not confirmed at the time of the research, and implants for iOS 12 had not been observed yet).

After the deployment process, the implant provides the attacker with almost unlimited monitoring of the device’s activities.

The analyzed implant contained binary files for two different CPU architectures: ARMv7 and ARM64. Taking into account that iOS 11 is the first iOS version that no longer supports ARMv7, we presumed that the 64-bit version was made to support iOS 11+ targets.

It looks like FinSpy for iOS does not provide infection exploits for its customers, because it seems to be fine-tuned to clean traces of publicly available jailbreaking tools.

Therefore, an attacker using the main infection vector will need physical access in order to jailbreak it. For jailbroken devices, there are at least three possible infection vectors:

SMS message

WAP Push

Any of those can be sent from the FinSpy Agent operator’s terminal.

The installation process involves several steps. First, a shell script checks the OS version and executes the corresponding Mach-O binary: “install64” (64-bit version) is used for iOS 11+, otherwise “install7” (32-bit version) is used.

When started, the installer binary performs environmental checks, including a Cydia Substrate availability check; if it isn’t available, the installer downloads the required packages from the Cydia repository and installs them using the “dpkg” tool.

After that the installer does some path preparations and package unpacking, randomly selects names for the framework and the app from a hardcoded list, deploys components on the target system and sets the necessary permissions.

After the deployment process is done, the daemon is started and all temporary installation files are deleted.

The persistence of the implant is achieved by adding “plist” with starting instructions to the /Library/LaunchDaemons path.

All sensitive parameters of the configuration (such as C2 server address, C2 telephone numbers and so on) are stored in the file “84C.dat” or in “PkgConf”, located in a bundle path of the main module.

They can be rewritten using operator commands.

This filename was used in previous FinSpy versions for different platforms, including Android.

The following list describes all the modules of the analyzed FinSpy version:

Name           Type     Description
netwd          app      Framework, launcher of the core module
FilePrep       app      Core module
MediaEnhancer  dylib    Audio recordings
.vpext         dylib    VoIP calls hooking
.hdutils       dylib    Hiding utilities
SBUtils        dylib    SpringBoardHooker utilities
.chext         dylib    Messenger tracking
hdjm           unknown  Not observed in detected versions, possibly some type of module for hiding traces of a jailbreak

All the internal strings in the modules, including the installer, are encrypted with a simple xor-based algorithm using the following strings as keys: “NSString”, “NSArray”, “NSDictionary”, “ExtAudioFileRef”.
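The report names the XOR keys but not the exact scheme, so the following added example (not code from the report or from the implant) assumes the simplest reading: plain repeating-key XOR, with the key cycled over the whole string. An analyst who has pulled an encrypted blob out of one of the modules can try each of the four published keys and keep the candidates that decode to printable text; the sample blob below is constructed for the demonstration.

```python
import itertools

# Keys quoted on the page. The cipher itself (repeating-key XOR, key cycled over
# the entire string) is an assumption made for this example.
KNOWN_KEYS = (b"NSString", b"NSArray", b"NSDictionary", b"ExtAudioFileRef")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the operation is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def looks_like_text(candidate: bytes) -> bool:
    """Heuristic used to pick the right key: non-empty, printable ASCII only."""
    return len(candidate) > 0 and all(0x20 <= c < 0x7F for c in candidate)


def recover_strings(blob: bytes, keys=KNOWN_KEYS) -> list:
    """Try every known key and return [(key_name, plaintext)] for each printable result.

    Returning all survivors instead of the first one lets the analyst see when a
    short blob is ambiguous under more than one key.
    """
    candidates = []
    for key in keys:
        plain = xor_with_key(blob, key)
        if looks_like_text(plain):
            candidates.append((key.decode("ascii"), plain.decode("ascii")))
    return candidates


# Constructed sample: a path encrypted under one of the published keys, standing
# in for bytes an analyst would carve out of a module.
SAMPLE_BLOB = xor_with_key(b"/Library/LaunchDaemons", b"NSDictionary")

if __name__ == "__main__":
    for key_name, text in recover_strings(SAMPLE_BLOB):
        print(f"{key_name}: {text}")
```

Because XOR with a short key leaves the plaintext's structure intact, the printable-ASCII filter is usually enough to single out the right key for strings of more than a few bytes; for very short blobs, expect more than one survivor and check them against context.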

The core implant module (“FilePrep”) contains 7,828 functions. It controls all the other modules, takes care of HTTP and SMS heartbeats and other service functions. Communication between components is implemented in two ways.

The first uses the system’s CPDistributedMessagingCenter, the second is a local HTTP server that receives data requests.

The module “.hdutils” is designed to cover up the tracks of the implant activities on the device. First of all, it configures the processing of all incoming SMS messages.

It parses the text looking for specific content and will hide notifications for such messages.

Then it sends them to the core module via CPDistributedMessagingCenter (a wrapper over the existing messaging facilities in the operating system, which provides server-client communication between different processes using simple messages and dictionaries).

Another hiding feature is to hook the “CLCopyAppsUsingLocation” function in order to remove the core implant module from the displayed list of applications used in Settings geolocation services.

The module “.chext” targets messenger applications and hooks their functions to exfiltrate almost all accessible data: message content, photos, geolocation, contacts, group names and so on.

The following messenger applications are targeted:

Facebook Messenger (com.facebook.Messenger);

Wechat (;

Skype (;

Threema (ch.threema.iapp / ch.threema.iapp.ThreemaShareExtension);

InMessage (;

BlackBerry Messenger (com.blackberry.bbm1);

Signal (org.whispersystems.signal).

The collected data is submitted to the local server deployed by the main module.

The “keys” module focuses on a different kind of keylogging activity, with multiple hooks that intercept every typed symbol.

There are several hooks to intercept the typed unlock password as well as during the change password process.

The intercepted password is submitted to the “keys.html” page on the local server, similar to the “.chext” module.

The module “MediaEnhancer” is designed to hook system functions in the “mediaserverd” daemon related to call processing, in order to record calls.

The module starts a local HTTP server instance on port 8889 upon initialization, implementing VoIPHTTPConnection as a custom connection class.

This class contains a handler for requests to localhost/voip.html that could be made by other components.

The module “.vpext” implements more than 50 hooks used for VoIP calls processed by external messaging apps including:

Skype (that includes independent Skype for iPad version);

BlackBerry Messenger;

These hooks modify functions that process VoIP calls in order to record them. To achieve this, they send a POST request with the call’s meta information to the HTTP server previously deployed by the MediaEnhancer component, which starts recording.


The Android implant has similar functionality to the iOS version, but it is also capable of gaining root privileges on an unrooted device by abusing the DirtyCow exploit, which is contained in the malware.

FinSpy Android samples have been known for a few years now. Based on the certificate data of the last version found, the sample was deployed in June 2018.

The Android implant’s functionality is unlikely to change much, based on the fact that most of the configuration parameters are the same in the old and new versions.

The variety of available settings makes it possible to tailor the behavior of the implant for every victim.

For example, operators can choose the preferred communication channels or automatically disable data transfers while the victim is in roaming mode.

All the configuration data for an infected Android device (including the location of the control server) is embedded in the implant and used afterwards, but some of the parameters can be changed remotely by the operator.

The configuration data is stored in compressed format, split into a set of files in the assets directory of the implant apk.

After extracting all pieces of data and building the configuration file, it’s possible to get all the configuration values.

Each value in the configuration file is stored after the little-endian value of its size, and the setting type is stored as a hash.

For example, the following interesting settings found in the configuration file of the developer build of the implant can be marked: mobile target ID, proxy ip-address, proxy port, phone number for remote SMS control, unique identifier of the installed implant.
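The two paragraphs above describe the Android configuration storage only in outline (compressed, split across asset files, each value preceded by its little-endian size, setting type kept as a hash). The following added example is not Kaspersky's tooling or the implant's code; it shows how an analyst would reassemble and walk such a record stream under explicit assumptions: zlib as the compression, a record of `uint32 LE total length | uint32 LE type hash | value`, and a hypothetical hash-to-name table (the real hash function is not on the page). The sample configuration is constructed, using documentation-range and fictional values.

```python
import struct
import zlib

# Record layout assumed for this example; the page only states that each value
# follows its little-endian size and that the setting type is stored as a hash.
#   uint32 LE total record length | uint32 LE setting-type hash | value bytes
RECORD_HEADER = struct.Struct("<II")

# Hypothetical hash -> name table. Setting names are those listed on the page;
# the hash values are placeholders, not the implant's real constants.
SETTING_NAMES = {
    0x11111111: "mobile_target_id",
    0x22222222: "proxy_ip",
    0x33333333: "proxy_port",
    0x44444444: "remote_control_phone",
    0x55555555: "implant_uid",
}


def reassemble(fragments) -> bytes:
    """Join the asset fragments in order and decompress (zlib assumed here)."""
    return zlib.decompress(b"".join(fragments))


def parse_records(blob: bytes) -> list:
    """Walk the length-prefixed records; reject truncated or inconsistent lengths."""
    records = []
    offset = 0
    while offset < len(blob):
        if offset + RECORD_HEADER.size > len(blob):
            raise ValueError(f"truncated record header at offset {offset}")
        length, type_hash = RECORD_HEADER.unpack_from(blob, offset)
        if length < RECORD_HEADER.size or offset + length > len(blob):
            raise ValueError(f"bad record length {length} at offset {offset}")
        value = blob[offset + RECORD_HEADER.size: offset + length]
        name = SETTING_NAMES.get(type_hash, f"unknown_{type_hash:08x}")
        records.append((name, value))
        offset += length
    return records


def is_well_formed(blob: bytes) -> bool:
    """True when the whole blob parses without a length inconsistency."""
    try:
        parse_records(blob)
        return True
    except ValueError:
        return False


def decode_value(name: str, raw: bytes):
    """Per-setting decoding: the port is a 16-bit LE integer, the rest UTF-8 text."""
    if name == "proxy_port":
        return struct.unpack("<H", raw)[0]
    return raw.decode("utf-8")


def load_config(fragments) -> dict:
    return {name: decode_value(name, raw) for name, raw in parse_records(reassemble(fragments))}


def build_record(type_hash: int, value: bytes) -> bytes:
    """Inverse of parse_records, used only to construct the sample below."""
    return RECORD_HEADER.pack(RECORD_HEADER.size + len(value), type_hash) + value


# Constructed sample configuration (TEST-NET-3 address, fictional 555 number).
SAMPLE_PLAIN = b"".join([
    build_record(0x11111111, b"target-0042"),
    build_record(0x22222222, b"203.0.113.10"),
    build_record(0x33333333, struct.pack("<H", 8080)),
    build_record(0x44444444, b"+15550100"),
    build_record(0x55555555, b"f1e2d3c4"),
])
_compressed = zlib.compress(SAMPLE_PLAIN)
# Split into three "asset files" to mirror the on-disk layout described above.
SAMPLE_FRAGMENTS = [_compressed[:7], _compressed[7:20], _compressed[20:]]

if __name__ == "__main__":
    for key, val in load_config(SAMPLE_FRAGMENTS).items():
        print(f"{key} = {val!r}")
```

The length check before every slice is the part worth keeping when adapting this to a real sample: a hostile or corrupted blob with an oversized length field should fail loudly rather than silently absorb the following records.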

As in the case of the iOS implant, the Android version can be installed manually if the attacker has physical access to the device, and by remote infection vectors: SMS messages, emails and WAP Push.

After successful installation, the implant tries to gain root privileges by checking for the presence of known rooting modules SuperSU and Magisk and running them.

If no utilities are present, the implant decrypts and executes the DirtyCow exploit, which is located inside the malware; and if it successfully manages to get root access, the implant registers a custom SELinux policy to get full access to the device and maintain root access.

If it used SuperSU, the implant modifies SuperSU preferences in order to silence it, disables its expiry and configures it to autorun during boot.

It also deletes all possible logs including SuperSU logs.

The implant provides access to information such as contacts, SMS/MMS messages, calendars, GPS location, pictures, files in memory and phone call recordings.

All the exfiltrated data is transferred to the attacker via SMS messages or via the internet (the C2 server location is stored in the configuration file).

Personal data, including contacts, messages, audios and videos, can be exfiltrated from most popular messengers.

Each of the targeted messengers has its own unified handling module, which makes it easy to add new handlers if needed.

The full hardcoded list of supported messengers is shown below:

Package name           Application name
com.bbm                BBM (BlackBerry Messenger)
com.facebook.orca      Facebook Messenger
jp.naver.line.android  Line Messenger

At first, the implant checks that the targeted messenger is installed on the device (using a hardcoded package name) and that root access is granted.

After that, the messenger database is prepared for data exfiltration.

If necessary, it can be decrypted with the private key stored in its private directory, and any required information can be simply queried:

All media files and information about the user are exfiltrated as well.


FinSpy implants are controlled by the FinSpy Agent (operator terminal). By default, all implants are connected to FinSpy anonymizing proxies (also referred to as FinSpy Relays) provided by Gamma Group.

This is done to hide the real location of the FinSpy Master. As soon as the infected target system appears online, it sends a heartbeat to the FinSpy Proxy.

The FinSpy Proxy forwards connections between targets and a master server.

The FinSpy Master server manages all targets and agents and stores the data.

Based on decrypted configuration files, our experts were able to find the different relays used by the victims and their geographical location.

Most of the relays we found are concentrated in Europe, with some in South East Asia and the USA.

FinSpy Spyware Malware for iOS and Android

However, in the case of Android, researchers found that the implant has been using the DirtyCow exploit to automatically gain root privileges on an unrooted Android device, allowing attackers to successfully infect a device remotely.

According to the researchers, the new versions of FinSpy for both mobile operating systems are also capable of recording VoIP calls via external apps such as Skype, WeChat, Viber, LINE, as well as via secure messaging apps such as WhatsApp, Threema, Signal, and Telegram.

“The module .chext targets messenger applications and hooks their functions to exfiltrate almost all accessible data: message content, photos, geolocation, contacts, group names, and so on.

The collected data is submitted to the local server deployed by the main module,” the researchers say.

FinSpy also includes keylogging functionality and has also been designed to cover up the tracks of its activities on a targeted device.

“Since the leak in 2014, Gamma Group has recreated significant parts of its implants, extended supported functionality (for example, the list of supported instant messengers has been significantly expanded) and at the same time improved encryption and obfuscation (making it harder to analyze and detect implants), which made it possible to retain its position in the market,” the researchers conclude.

While conducting their research, Kaspersky researchers detected the updated versions of the FinSpy implants used in the wild in almost 20 countries, but “assuming the size of Gamma’s customer base; it’s likely that the real number of victims is much higher.”

Gamma is continuously working on the updates for the FinSpy malware, as researchers have found another version of the threat at the time of publishing their report, and they are currently investigating the sample.

Executive Summary

FinFisher is a sophisticated computer spyware suite, written by Munich-based FinFisher GmbH, and sold exclusively to governments for intelligence and law enforcement purposes.  Although marketed as a tool for fighting crime,[1] the spyware has been involved in a number of high-profile surveillance abuses.  Between 2010 and 2012, Bahrain’s government used FinFisher to monitor some of the country’s top law firms, journalists, activists, and opposition political leaders.[2]  Ethiopian dissidents in exile in the United Kingdom[3] and the United States[4] have also been infected with FinFisher spyware.

In 2012 and 2013, Citizen Lab researchers and collaborators[5] published several reports analyzing FinFisher spyware, and conducted scanning that identified FinFisher command and control (C&C) servers in a number of countries.  In our previous research, we were not yet able to differentiate between FinFisher anonymizing proxies and master servers, a distinction that we make in this work.

When a government entity purchases FinFisher spyware, they receive a FinSpy Master—a C&C server that is installed on the entity’s premises.[6]  The entity may then set up anonymizing proxies (also referred to as “proxies” or “FinSpy Relays” in the FinFisher documentation), to obscure the location of their master.  Infected computers communicate with the anonymizing proxy, which is “usually”[7] set up on a Virtual Private Server (VPS) provider in a third country.  The proxy then forwards communications between a victim’s computer and the Master server.

We first describe how we scanned the Internet for FinFisher servers and distinguished masters from proxies (Part 1: Fishing for FinFisher).  We then outline our findings regarding 32 governments and 10 specific government entities that we believe are using FinFisher (Part 2: Country Findings).  Finally, we highlight several cases that illuminate connections between different threat actors (Part 3: A Deeper Analysis of Several Cases), before concluding (Conclusion).

Part 1: Fishing for FinFisher

In this section, we describe our scans for FinFisher servers, and how we unmasked the true location of the master servers to identify governments using FinFisher.

Each FinFisher sample includes the address of one or more C&C servers that the spyware reports back to.  These C&C servers are typically FinSpy Relays, which forward connections back and forth between a device infected with FinFisher, and a FinSpy Master.  The purpose of the FinSpy Relay is explicitly to make it practically impossible (their emphasis) for a researcher to discover “the location and country of the Headquarter [sic]”.[8]

Figure 1: How targets infected with FinFisher communicate with the FinSpy Master via one or more FinSpy Relays.[9]

We employed zmap[10] to scan the entire IPv4 Internet (/0) several times since the end of December 2014 and throughout 2015, using a new FinFisher server fingerprint that we devised by analyzing FinFisher samples.  Our scans yielded 135 servers matching our fingerprint, which we believe are a mix of FinSpy Masters and FinSpy Relays.

When one queries a FinFisher server, or types the server’s address into a web browser, the server typically returns a decoy page. A decoy page is a page designed to disguise the fact that the server is a spyware server.  We found some variation in the decoy pages used by FinFisher servers that we detected, though the bulk used either or Peculiarly, FinSpy Relays appear to return decoy pages fetched by their FinSpy Master, rather than directly fetching the decoy pages themselves.  Thus, in many cases, the pages returned by the FinSpy Relays contain location data apparently about the FinSpy Master (e.g., certain Google and Yahoo pages embed the requester’s IP address or localized weather), which can reveal the location of FinSpy Masters.

Okay Google, What is my IP?

We noticed that when we issued a query like “What is my IP address?” to a Google-decoy FinFisher server, the server would respond with a different IP address.  In the case below, a FinFisher server (located in the United States) reported that its IP address was the Indonesian IP, which matches a FinFisher server first detected in August 2012 by Claudio Guarnieri.[11]  We hypothesize that is a FinFisher proxy, designed to obscure the location of the FinFisher master, which is at

Figure 2: A FinFisher server in the US seems to be a proxy for a master in Indonesia.

Specifically, we sent queries of the form:

Figure 3: Queries we sent to Google-decoy FinFisher servers to reveal the IP address of the master.[12]

The fact that FinFisher proxies can apparently reveal the IP of the master is quite peculiar.  We illustrate below how we believe a query like “What is my IP address?” is routed through FinSpy Relays to the FinSpy Master:

Figure 4: How we believe a “What is my IP address?” query is routed through FinSpy Relays to a FinSpy Master.

It appears that the “What is my IP Address?” query is delivered from our Measurement Machine by the FinSpy Relay to the FinSpy Master, and then submitted to Google by the FinSpy Master.  Therefore, Google returns the IP address of the FinSpy Master, which is then sent back to the Measurement Machine via the FinSpy Relay.

How’s the Weather in Caracas?

A significant number of FinFisher servers we detected used as their decoy page.  While we were unable to devise a method to find the exact IP address of Yahoo-decoy FinFisher endpoints, we were still able to retrieve location information from Yahoo, by examining the userLocation object in the decoy page’s source code.  Yahoo utilizes a user’s location to customize several elements of Yahoo’s homepage, including weather and news.

Figure 5: Weather conditions in Caracas returned by a FinFisher server in Lithuania.

The userLocation object returned by (located in Lithuania) is shown below:

Figure 6: A FinFisher server in Lithuania seems to be a proxy for a master in Venezuela.

The userLocation object allows us to obtain city and country information for FinFisher endpoints, though we cannot determine their precise IP address.  We issued a query similar to the following to each Yahoo-decoy FinFisher server to obtain a page with the userLocation object:

Figure 7: Queries we sent to Yahoo-decoy FinFisher servers to reveal the location of the master.[13]

Since Yahoo, like Google, implements SSL redirection by default, we had to devise a method to talk to Yahoo in plain HTTP.  While Google provides the “nord=1” URL parameter to avoid SSL redirection, Yahoo apparently does not have an analogous publicized solution.  However, we found that by sending plain HTTP GET requests to the resource “” we could communicate with in plain HTTP without triggering SSL redirection.
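The two techniques above (comparing the IP address a Google-decoy server reports for “the requester” with the address actually queried, and reading the userLocation object out of a Yahoo-decoy page) both reduce to the same check on a captured response body: does what the decoy says about the requester match the host we talked to? The following added example implements that check; it is not Citizen Lab's code, the response bodies are constructed with documentation-range addresses, and the shape of the userLocation object (a flat JSON object with city and country fields) is an assumption.

```python
import json
import re

# Dotted-quad matcher; non-capturing groups so findall() returns whole addresses.
IPV4 = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)

# The page names a "userLocation" object in the Yahoo decoy; its exact shape is
# assumed here, and this matcher only handles a flat (non-nested) JSON object.
USER_LOCATION = re.compile(r"userLocation\W{0,3}(\{[^{}]*\})")


def reported_ips(body: str, queried_ip: str) -> list:
    """IPv4 addresses the page attributes to the requester, other than the host we asked."""
    seen = []
    for ip in IPV4.findall(body):
        if ip != queried_ip and ip not in seen:
            seen.append(ip)
    return seen


def user_location(body: str):
    """Parse the userLocation object out of a Yahoo-style decoy page, or None."""
    match = USER_LOCATION.search(body)
    if not match:
        return None
    try:
        return json.loads(match.group(1))
    except json.JSONDecodeError:
        return None


def classify_decoy(queried_ip: str, queried_country: str, body: str) -> dict:
    """Compare what the decoy says about 'the requester' with the host actually queried.

    If the page was fetched by another machine (the master) and merely relayed,
    the IP or location it embeds will not match the relay we connected to.
    """
    ips = reported_ips(body, queried_ip)
    loc = user_location(body)
    mismatch_ip = bool(ips)
    mismatch_loc = loc is not None and loc.get("country", queried_country) != queried_country
    return {"reported_ips": ips, "location": loc, "likely_relay": mismatch_ip or mismatch_loc}


# Constructed sample bodies (TEST-NET addresses; not real scan output).
GOOGLE_SAMPLE = "<div>Your public IP address is 203.0.113.45</div>"
YAHOO_SAMPLE = (
    '<script>var page = {"userLocation": {"city": "Caracas", "country": "VE"}};</script>'
)
CONSISTENT_SAMPLE = "<div>Your public IP address is 198.51.100.7</div>"

if __name__ == "__main__":
    print(classify_decoy("198.51.100.7", "US", GOOGLE_SAMPLE))
    print(classify_decoy("198.51.100.9", "LT", YAHOO_SAMPLE))
    print(classify_decoy("198.51.100.7", "US", CONSISTENT_SAMPLE))
```

The same comparison generalises to any decoy that echoes requester-specific data (the Libero cookie discussed below is another instance): record what the host you queried should look like, then flag every response whose embedded requester data disagrees.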

Other Decoys

While the majority of FinFisher servers we detected used either Google or Yahoo as a decoy page, we identified a number of other servers whose operators had apparently customized the decoy page to a different URL.

One server used the Italian news source as a decoy.  We noted that sets the “Libero” cookie, which contains the IP address of the computer that visited the website.  When accessing, the Libero-decoy FinFisher server, the cookie was set to include the Italian IP  Servers that we traced to Macedonia used Macedonian newsmagazine as a decoy.  Servers we traced to Taiwan used Taiwanese web portal as a decoy.  We were unable to trace other servers which used file download site as a decoy.  A handful of other untraceable servers returned custom HTML code as a decoy (e.g., a webpage with a META redirect to

General Comments

This design peculiarity is only the latest instance of fingerprintable anomalies in spyware decoy pages.  FinFisher competitor Hacking Team formerly used decoy pages on its C&C server for Remote Control System (RCS), but apparently removed them[15] after our research revealed that anomalies in the decoy pages could be used to fingerprint RCS servers.[16]  We have also previously used decoy pages to fingerprint FinFisher servers.[17]  We believe that FinFisher or its clients may also be realizing that decoy pages are problematic, as we have observed fewer FinFisher servers returning decoy pages over time.

Part 2: Country Findings

In this section, we provide a list of likely FinFisher government users identified by our scans, and also map out which FinSpy relays serve which FinSpy Masters.

Below, we identify 33 likely government users of FinFisher in 32 countries, based on the presence of a FinFisher master at an IP address in a country[18] or belonging to a specific government department.

Figure 8: Suspected FinFisher government users that were active at some point in 2015.

In presenting our scan results, we do not wish to disrupt or interfere with legitimately sanctioned investigations or other activities. Instead, we hope to ensure that citizens have the opportunity to hold their governments transparent and accountable.  To this end, we identify government users, but redact certain details we have discovered about their infrastructure whose disclosure might interfere with legitimately sanctioned activities.  Redacted details include the last octet of live IP addresses, and part of live domain names.  Appendix A contains a full list of countries and servers.

Country                 Specific entity if known
Bangladesh              Directorate General of Forces Intelligence (DGFI)
Belgium                 Federal Police
Bosnia and Herzegovina
Czech Republic
Egypt                   Technology Research Department (TRD)
Indonesia               National Encryption Body (Lembaga Sandi Negara); unknown other entities
Italy                   Unknown multiple entities
Kenya                   National Intelligence Service (NIS)
Lebanon                 General Directorate of General Security; Internal Security Forces (ISF)
Mongolia                Special State Security Department (SSSD)
Morocco                 Conseil Superieur De La Defense Nationale (CSDN); unknown other entities
Nigeria                 Unknown multiple entities
Saudi Arabia
Serbia                  Security Information Agency (BIA)
South Africa

The following is a list of countries where neither our previous research nor documents disclosed by Wikileaks[19] had previously found evidence of a FinFisher deployment: Angola, Egypt, Gabon, Jordan, Kazakhstan, Kenya, Lebanon, Morocco, Oman, Paraguay, Saudi Arabia, Slovenia, Spain, Taiwan, Turkey, and Venezuela.

In the diagram below, we map out FinFisher proxy networks: the FinSpy Relay servers we found, and the FinSpy Masters to which we linked them:

Figure 9: Links we established between FinSpy Relays and FinSpy Masters.

Given previous reports that observed weaknesses in certain cryptography that FinFisher uses to transmit information from an infected device to the FinSpy master,[20] locating FinFisher collection infrastructure in another country could potentially invoke concerns about “fourth party” collection, where a government collects data collected by another government’s surveillance operation.  We have also previously identified potential legal concerns regarding locating relays in other countries.[21]

Attribution to Specific Entities

We attributed some FinFisher Master servers to specific government entities by correlating our scan results with publicly available data, including emails from FinFisher’s competitor Hacking Team.  This section briefly describes how we identified these entities, and summarizes what is publicly known about their functions.  While we do not provide a vignette for each country where we have identified FinFisher, we note that a number of countries have dubious or problematic histories of oversight of the security services.


Directorate General of Forces Intelligence (DGFI)

Our investigation uncovered a FinFisher server at an IP address in the same /30 as the mail server for Bangladesh’s DGFI, [redacted]  Additionally, leaked Hacking Team emails claim that Bangladesh’s DGFI is a FinFisher customer.[22]

Established in 1976, the Directorate General of Forces Intelligence (DGFI) is Bangladesh’s military intelligence agency. The director of the agency holds the rank of Lieutenant General or Major General and directly reports to the Prime Minister.[23] In a report published in 2008, Human Rights Watch associated the DGFI with long-standing human rights violations (e.g., torture and extrajudicial killings) and the stifling of political opposition in the country.[24]

The US State Department has reported that the DGFI has previously conducted surveillance on citizens for their criticism of the government.[25] Leaked emails show that DGFI officials were engaged in discussions with FinFisher’s competitor Hacking Team in June 2014.[26]


Federal Police Service

Our investigation found a FinFisher server in a /28 assigned to Belgacom, denoted “SKY-5904592 / SOCC-2131136.”  This range of IP addresses also contained several servers returning SSL certificates issued by and to “Federal Police.”  Two IP addresses in this range were also pointed to by two subdomains of, a domain name registered to “Massimo Moschettini / ISRD NTSU / Police Fédérale.”

Belgium’s Federal Police Service was established in January 2001. The agency is headed by a General Commissioner who coordinates the work of five general directorates, including administrative police, judicial police, operational support, logistics, and human resources, as well as several departments that report directly to him/her.[27] Leaked Hacking Team emails have revealed the company’s participation in a tender for “tactical interception of communications via computer systems” by the Belgian Federal Police.[28]


Security Information Agency (BIA)

Our investigation found a FinFisher server in the same /26 as, the website of Serbia’s Security Information Agency (BIA).  The server was also in the same /28 as a computer that identified itself to Shodan as “DPRODAN-PC”.[29]  According to the leaked Hacking Team emails, a person with the email [email protected] contacted Hacking Team in reference to a February 8, 2012 demo in Belgrade.[30] From February 7-9, 2012, Hacking Team was in Belgrade to give a demo to a potential client, Vladimir Djokic, who worked for the BIA according to his email address [email protected].[31]  Thus, we believe “dprodan” is also a BIA employee, and the FinFisher server we found belongs to the BIA.

Serbia’s Security Information Agency (BIA) was created in 2002 by the Law on the Security Information Agency. BIA is a civil national security service and a part of the security-intelligence system of the Republic of Serbia.[32]

While the BIA is generally regarded as operating with appropriate oversight and as being free from major abuses, some elements of its electronic surveillance practices have been challenged. Prior to 2014, the Law on the Security Information Agency was considered to be not in compliance with the constitution. In 2012, a constitutional court struck down several provisions of the Law on the Security Information Agency, ruling that Articles 13, 14 and 15 of the Law, which govern the wiretapping of private communications, were unconstitutional.[33] The court ruled that these Articles were “not formulated clearly and precisely enough” and that citizens are “thus prevented from ascertaining which legal rule will be applied in the given circumstances and are thus deprived of the possibility to protect themselves from inadmissible restrictions of their right or arbitrary interference in their right to respect of their private life and correspondence”.[34] Further, measures related to the ability of the BIA’s Director to authorize wiretapping in some circumstances without a court order were also challenged.[35] The court delayed its decision in order to give legislators the opportunity to revise the offending Articles in the Law.[36] The amendments to the Law were adopted in June 2014.[37] While acknowledged as a positive step, these amendments have been criticized as remaining “insufficient to fully democratize surveillance that is carried out by the BIA”.[38]

Leaked emails indicate that members of the Security Information Agency and the Ministry of Defense engaged in purchase negotiations with FinFisher’s competitor Hacking Team.[39]


Technology Research Department

We found a FinFisher server at IP address  We also found an email in the leaked Hacking Team emails that, according to the headers, was sent from the same IP address.[40]  The email was sent by Hacking Team employee Davide Romualdi on June 25, 2015, when he was scheduled to be performing delivery[41] in Egypt for Hacking Team customer TREVOR, identified as the TRD[42] (Technology Research Department).[43] Thus, we believe the email was sent from the premises of the TRD, and the IP address belongs to the TRD.

Egypt’s troubling human rights situation has continued to deteriorate under President Abdel Fattah al-Sisi. In recent years, cases of mass arrests, significant violence against protesters and due process violations have increased.[44] Numerous Egyptian security agencies are permitted to conduct electronic surveillance, frequently with limited court oversight.  In some cases, personal data improperly collected from civil society actors has led to their arrest and imprisonment.[45] While there is limited open source information available about the activities of the Technology Research Department, we closely examine a malware campaign linked to TRD infrastructure in Part 3 of this report.


National Encryption Body (Lembaga Sandi Negara)

Two of the FinFisher servers we found in Indonesia were in the same /28.  We found an IP address in this same /28 included in the headers of an email sent by a Hacking Team employee[46] while he was in Indonesia[47] performing a demo for the National Encryption Body.  The email was sent at 12:39 PM Jakarta time on February 6, 2013, and a meeting at the agency was set for 10:00 AM on the same day.[48]  Thus, it seems probable that the email was sent from the premises of the National Encryption Body, and that the two FinFisher servers belong to the same organization.

The National Encryption Body is an agency headed by a director, who has the same stature as a minister and reports directly to the President. In a recent interview, the Body’s current director, Major General Djoko Setyadi, describes the agency’s responsibilities as, among others, securing state secrets and decrypting/decoding communication from would-be terrorists.[49]

The threat of terrorism is a concern for Indonesia. Several bombing incidents have occurred in the country, including two Western hotels in the capital city of Jakarta in 2009. As the world’s largest Muslim-majority country, the emergence of the Islamic State of Iraq and the Levant (ISIL or ISIS) has also resulted in concerns that their militant ideology will gain ground. It is believed that as many as 200 Indonesian citizens have headed to Syria to fight with ISIS.[50] Challenges from restive regions like Papua and Central Sulawesi are also ongoing. There are fears that the fight against these threats may be used as justification to perpetrate human rights abuses, such as to target others for their religious or political beliefs and to kill suspected militants unlawfully.

In a 2013 Citizen Lab report, we identified at least twelve laws, two government regulations, and two ministerial regulations that govern wiretapping and interception in Indonesia. Although wiretapping and interception are helpful, and sometimes even necessary to expose crimes such as terrorism, drug trafficking and corruption, the lack of comprehensive legislation regulating their use in Indonesia means that there is an increased risk of misuse and privacy violations.51


National Intelligence Service

We found a FinFisher server in a range of IP addresses registered to a Kenyan user named “National Security Intelligence.”  Kenya’s National Intelligence Service (NIS) was formerly known as the National Security Intelligence Service (NSIS).

Kenya’s NSIS replaced the former Directorate of Security Intelligence (DSI), commonly known as the “Special Branch”.52 The NIS is known as one of Kenya’s security institutions with the biggest budgetary allocation—along with the Kenya National Defence Forces and the National Police Service—and is considered to be among the country’s critical security organs in the new constitution.53 In 2014, Human Rights Watch named the NIS, as well as the Anti-Terrorism Police Unit and other Kenyan intelligence agencies, as being implicated in abuses including torture, disappearances, and extrajudicial killings.54

The powers of the NIS were expanded significantly in December 2014 when the Parliament of Kenya rushed to pass the controversial Security Laws (Amendment) Bill.55 The amendments came following a series of deadly terrorist attacks by the militant group al-Shabab, including the 2013 killing of 67 people at the Westgate shopping mall in Nairobi.56 This bill expanded the powers of the NIS to monitor communications without a warrant, as well as expanding their powers to search and seize private property.57 Article 62 of the amended bill authorized NIS agents to “do anything necessary to preserve national security” and to detain individuals simply on suspicion of engaging in acts which pose a threat to national security.58 Section 66 of the bill amended the National Intelligence Services Act, permitting the Director General of the NIS to monitor communications or “obtain any information, material, record, document or thing” in order to protect national security, without court oversight, leading rights organization Article 19 to argue that the amendment “effectively [gives] carte blanche to the Director-General to order mass surveillance of online communications”.59 While a court ruling in February 2015 struck down some provisions of the amendment, the provisions enhancing the powers of the NIS remained.60


General Directorate of General Security

We found a FinFisher server in a range of IP addresses registered to a Lebanese user named “General_Security.”  We assume that “General_Security” is a reference to the General Directorate of General Security.

Lebanon’s General Directorate of General Security was established in 1921 under Decree No. 1061.61 The functions of the General Security include collecting and gathering intelligence, monitoring the media, and issuing passports and travel documents to Lebanese citizens.62 The organization is categorized as a general directorate under the supervision of the Ministry of Internal Affairs.63

Although Lebanon has legislation (Law No. 140) which establishes safeguards and oversight protecting electronic communications from unlawful surveillance, there is a systemic practice of this law being ignored.64 Privacy International has criticized the surveillance practices of Lebanon’s intelligence agencies, suggesting that the agencies, including the General Directorate of General Security, operate without sufficient independent oversight, and that a lack of trust between different agencies leads them to run their own operations out of view of the Ministry of the Interior.65 Controversies surrounding government surveillance practices have become particularly salient in the wake of several recent high-profile assassinations, including the 2005 killing of Prime Minister Rafik Hariri. Organizations investigating the assassinations have had “unregulated access to the data of private citizens”, including mobile phone records, which raises privacy concerns.66

Internal Security Forces

We found a FinFisher server at a Lebanese IP address that was formerly pointed to by what was apparently a mail server with domain “[redacted]” in 2012.  We assume that the IP still belongs to the Internal Security Forces (ISF).

The Internal Security Forces (ISF) are the national police and security force of Lebanon.  The ISF’s creation was mandated by Decree 138 in 1959.67 Throughout its history, the ISF has had a troubled record of human rights abuses, in spite of recent efforts to promote proper conduct within the organization. In consultation with the UN Human Rights Office, the ISF adopted a January 2012 code of conduct designed to ensure the forces’ operations guaranteed respect for human rights and public freedoms, including “refraining from resorting to torture, cruel, inhumane and degrading treatment”.68 However, a number of incidents in recent years have called into question the effectiveness of this code of conduct.

An extensive Human Rights Watch report in 2013 detailed dozens of instances of vulnerable individuals subject to physical abuse, torture and sexual assault at the hands of ISF officials.69 In June 2015, five ISF officers were arrested after videos released on social media showed the officers beating prisoners.70 The ISF and other state agencies have summoned and questioned bloggers, journalists, and activists over social media and blog posts critical of politicians.71

The organization also has a history of overreach in the collection of Lebanese citizens’ private user data. In 2012, it was reported that the ISF had requested that the Ministry of Telecommunications turn over the content of all SMS text messages sent over a two month span for all users in Lebanon, followed later by a request for Lebanese users’ login credentials for BlackBerry Messenger and Facebook.72 The request was made following the assassination of the ISF’s Information Branch head Wissam al-Hassan, and was rejected by the Ministry.73


Conseil Superieur De La Defense Nationale (CSDN) / Supreme Council of National Defense

We found a FinFisher server in a range of IP addresses registered to a Moroccan user named “Conseil Superieur De La Defense Nationale.”  We assume that this is a reference to the eponymous agency.

There is limited open source information available about the activities of the CSDN.  Leaked Hacking Team emails indicate that the CSDN — among other Moroccan Government agencies — was a customer of FinFisher’s competitor Hacking Team.

In 2012, spyware from Hacking Team was used against Mamfakinch, an award-winning group of Moroccan citizen journalists.74 Privacy International released a report detailing the impact of surveillance on the group, as well as other political activists and journalists.75


State Special Security Department (SSSD)

We found a FinFisher server at a Mongolian IP address in the same /28 as an IP address pointed to by the domain “”  We believe that “SSSD” is a reference to the Mongolian agency of the same name.  We also found what appears to be a test or demonstration FinFisher sample, whose bait content includes emails apparently between Gamma Group and Mongolia’s SSSD, discussing a visit by Gamma personnel to Mongolia.

There is limited open source information available about the SSSD; however, leaked emails from the spyware firm Hacking Team indicate that in 2012 the company was in contact with members of the SSSD.76 Additional leaked emails from 2013 indicate that Hacking Team scheduled a product demonstration with the SSSD in April 2013.77

Part 3: A Deeper Analysis of Several Cases

The following section provides additional details for several countries.

Egypt: Use of FinFisher illuminates connections between different groups

We noted an interesting connection between Egypt’s Technology Research Department (TRD) and two other malware groups in the region: MOLERATS, and an as-yet uncharacterized group.  We have previously observed both groups targeting UAE-based activists.

MOLERATS Attacks with FinFisher

We found an Egypt FinFisher sample, Egyptian_army.rar, hosted on

SHA256:   1610fc805f980f5c70cec8e138ba800b01ebc86919f42b375cfb161ce6365a48
Filename: Egyptian_army.rar

Extracting the .rar file yields an .exe file.

SHA256:   94abf6df38f26530da2864d80e1a0b7cdfce63fd27b142993b89c52b3cee0389
Filename: صور ذبح الكساسبة على يد داعش بعد انقضاء المهلة.exe

The name of the .exe file promises pictures of the Jordanian Air Force pilot burned alive by ISIS, a popular news story at the time.

We suspect that the domain name is linked to MOLERATS, a threat actor active in the Middle East region that appears to engage in politically motivated targeting.  We describe the link below:

  • had IP address at the same time as, which also had IP address, shared with, which also had IP address  This IP address is linked to several known MOLERATS domains, like natco{1,2,3,4,5},78 and
  • also hosted two DarkComet samples, which communicated with, which shared IP address with, which shared IP address with MOLERATS domain
  • also hosted a GMail phishing page, 64c1ef8e0923bf44aaa96caeb28a6c11, also hosted by, which shared IP address with, which shared IP address with  several known MOLERATS domains, like natco{1,2,3,4},81 and
  • served a Hotmail phishing page, 57ab5f60198d311226cdc246598729ea, also served; is a known MOLERATS domain.83
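The chain above is a passive-DNS pivot: a domain is linked to a known actor through a sequence of hosts that shared an IP address at the same time, or of IP addresses used by the same host. The Python below is an added example and not the report’s own tooling; it encodes that pivot as a breadth-first search over constructed passive-DNS records, where two records are adjacent if they name the same domain, or the same IP address with overlapping observation windows. All domain names, 198.51.100.x addresses (a documentation range) and dates are constructed; “natco1.example” stands in for a known-bad domain.

```python
from collections import deque

# Constructed passive-DNS records: (domain, ip, first_seen, last_seen).
# None of these names, addresses or dates come from the report.
PDNS = [
    ("bait.example",      "198.51.100.10", "2015-01-20", "2015-03-01"),
    ("relay.example",     "198.51.100.10", "2015-02-01", "2015-02-15"),
    ("relay.example",     "198.51.100.11", "2014-11-01", "2015-01-10"),
    ("natco1.example",    "198.51.100.11", "2014-12-01", "2015-01-05"),
    ("unrelated.example", "198.51.100.12", "2015-01-01", "2015-06-01"),
    ("stale.example",     "198.51.100.10", "2013-01-01", "2013-06-01"),  # same IP, no overlap
]

# Constructed stand-in for the actor's known domains.
KNOWN_BAD = {"natco1.example"}


def overlaps(a, b) -> bool:
    """True if the observation windows of two records intersect (ISO dates sort lexically)."""
    return a[2] <= b[3] and b[2] <= a[3]


def adjacent(a, b) -> bool:
    """Same domain (the host moved IPs), or same IP while both records were live.
    The time condition is what keeps shared-hosting IPs from linking everything."""
    return a[0] == b[0] or (a[1] == b[1] and overlaps(a, b))


def pivot_path(records, seed: str, known_bad):
    """Shortest chain of (domain, ip) hops from any record of `seed` to a record of a
    known-bad domain, or None if no chain exists."""
    adj = {i: [j for j in range(len(records)) if i != j and adjacent(records[i], records[j])]
           for i in range(len(records))}
    starts = [i for i, r in enumerate(records) if r[0] == seed]
    prev = {i: None for i in starts}
    queue = deque(starts)
    while queue:
        i = queue.popleft()
        if records[i][0] in known_bad:
            path = []
            while i is not None:
                path.append(records[i][:2])
                i = prev[i]
            return path[::-1]
        for j in adj[i]:
            if j not in prev:
                prev[j] = i
                queue.append(j)
    return None


if __name__ == "__main__":
    for hop in pivot_path(PDNS, "bait.example", KNOWN_BAD) or []:
        print("%-20s %s" % hop)
```

Each hop in the returned path corresponds to one "had IP address ... at the same time as ..." step in the bullets above. The length of the chain is the analyst's confidence budget: four hops through two intermediate hosts is weaker evidence than a direct shared address, and any hop through an IP known to be shared hosting should be discounted.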

A significant portion of MOLERATS bait content we have observed indicates targeting of Israel and “political Islam” groups like Hamas.  This MOLERATS activity could be accounted for by any number of intelligence agencies active in the region, or a Palestinian faction, but it is also possible that MOLERATS is a multi-faceted group with several interests and/or clients.

That MOLERATS apparently used spyware linked to the TRD suggests a possible connection between the TRD and MOLERATS.

The Curious Case of the Shared Exploit

We identified the following Word document uploaded to VirusTotal:

SHA256:   22deea26981bc6183ac3945da8274111e7fd7a35fbb6da601348cc6d66240114
Filename: تقرير سري للغاية.doc

The document, whose name translates to “A Highly Classified Report,” downloads a FinFisher sample from

SHA256:   e2ecf89a49c125e0b4292645a41b5e97c0f7bf15d418faeac0d592205f083119
Filename: DFServ.exe

The sample communicates with and, which are proxies for, the FinFisher Master we associated with Egypt’s TRD.  The domain appears to be connected to the TRD, because it is linked to a cluster of other domains, several of which were used to distribute TRD FinFisher samples.

We developed a fingerprint for the exploit, based on the presence of a 1.1MB binary embedded in the Word document.  A week later, we identified another instance of this same exploit (the binary was the same).

SHA256:   d759dcbebee18a65fda434ba1da5d348c16d9d3775fe1652a1dacf983ffc93b8
Filename: المستجدات.doc

This instance downloaded spyware from, which appeared to be a hacked WordPress site.

SHA256:   08b32da8995ae094bfb703d7d975c3816cf04c075c32281e51158164d76cd655
Filename: Next.scr

Next.scr is bespoke malware that exfiltrates system information and files via email.  The malware logs into an email account on the C&C server via SMTP, and sends mail to another account on the same server.  We have seen C&Cs including:,,  All of the domains have similar registrant information, indicating the work of a single group.

The group appears to be based in Palestine.  The use of a shared exploit suggests some link between the TRD and this group.
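The fingerprint described above (two documents carrying the same embedded binary) can be reproduced by locating embedded PE images in a file and hashing exactly the bytes the PE headers account for, so the surrounding document does not affect the hash. The Python below is an added example, not the report’s fingerprint or Citizen Lab code; it assumes the payload is stored unobfuscated in the file (a raw scan will not find an XOR-encoded or compressed payload), and the "documents" and PE image it scans are constructed, non-executable test data built by a helper in the same block.

```python
import hashlib
import struct


def find_embedded_pe(data: bytes) -> list:
    """Scan a blob for embedded PE images; fingerprint each as {offset, size, sha256}.
    The image size is derived from the section table, so the same payload embedded in
    two different documents yields the same hash regardless of surrounding bytes."""
    found, pos = [], 0
    while True:
        idx = data.find(b"MZ", pos)
        if idx < 0:
            break
        pos = idx + 1
        if idx + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, idx + 0x3C)[0]
        pe = idx + e_lfanew
        if e_lfanew < 0x40 or e_lfanew > 0x400 or pe + 24 > len(data):
            continue
        if data[pe:pe + 4] != b"PE\0\0":
            continue                      # "MZ" that is not a PE image
        nsec = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]
        sec_table = pe + 24 + opt_size
        end = sec_table + 40 * nsec
        if nsec == 0 or nsec > 96 or end > len(data):
            continue
        for s in range(nsec):             # extend to the last byte of raw section data
            raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * s + 16)
            end = max(end, idx + raw_ptr + raw_size)
        if end > len(data):
            continue                      # truncated image: do not hash a partial payload
        blob = data[idx:end]
        found.append({"offset": idx, "size": len(blob),
                      "sha256": hashlib.sha256(blob).hexdigest()})
        pos = end
    return found


def shared_payload_hashes(doc_a: bytes, doc_b: bytes) -> set:
    """Hashes of embedded PE images present in both documents."""
    return {p["sha256"] for p in find_embedded_pe(doc_a)} & {p["sha256"] for p in find_embedded_pe(doc_b)}


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed, non-executable PE-shaped blob (DOS header, PE signature, COFF header,
    zeroed optional header, one section) used only to make the scanner testable offline."""
    opt_size = 224
    raw_ptr = 512                         # section data starts at the next 512-byte boundary
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                      len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return hdr + b"\0" * (raw_ptr - len(hdr)) + payload


# Constructed documents: A and B wrap the same image in different surrounding bytes, C a different one.
PAYLOAD_A = bytes(range(256)) * 8
PAYLOAD_B = b"B" * 2048
DOC_A = b"{\\rtf1 constructed document one " + build_fake_pe(PAYLOAD_A) + b" trailer}"
DOC_B = b"<constructed document two, different wrapper>" + build_fake_pe(PAYLOAD_A) + b"\0" * 64
DOC_C = b"constructed document three " + build_fake_pe(PAYLOAD_B)

if __name__ == "__main__":
    print(find_embedded_pe(DOC_A))
    print("shared:", shared_payload_hashes(DOC_A, DOC_B))
```

In practice the scan is run over the decompressed document streams (an OLE container for .doc, the ZIP members for .docx), and the resulting size-plus-hash pair is the kind of fingerprint that, as in the text, lets a second sample a week later be tied to the first even though the lure document and download site differ.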

FinFly Web in the Wild

We traced, to a number of other domain names, including (see Figure 10 below).

Figure 10: Domain names and IP addresses that we believe are associated with Egypt’s TRD.  We redact only live domains and IP addresses, and show full details for inactive ones.

We found a FinFly Web sample at  FinFly Web is a FinFisher product that allows customers to create a website to infect targets with spyware.  We identified the sample as FinFly Web given substantial similarity with leaked FinFly Web code.84

Figure 11: The FinFly Web page, asking users to install Adobe Reader XI.  The download link points to a FinFisher spyware sample.

The FinFly Web page appears to have a number of deficiencies.  The attacker appears to have copied a page from the website of Egyptian newspaper Youm7, which appears in the background of the Adobe Reader popup.  The attacker apparently did not notice that the paths to the CSS resources are relative.  Thus, the attack page tries to fetch CSS stylesheets and images from the attack site, rather than from the legitimate site.  Since the attacker neither copied these resources to the attack site, nor changed the relative paths to point to the legitimate site, the attack page looks malformed.  The attacker made the same mistake with the news ticker IFRAME, resulting in the “Not Found” message in the background.  Also, the attacker titled the page “Video: Islamic State Enters Egypt,” but created a popup to install Adobe Reader, which is Adobe’s product for viewing PDF files.  It is likely that the attacker instead wanted to create a popup to install Adobe Flash, a plugin for viewing web videos. Additionally, the download link points to a .rar file,85 which is suspicious as Adobe does not distribute its products in .rar files.  Finally, the .exe inside the .rar file is not bundled with the Adobe Reader setup program, so a victim who executes the file may become suspicious when no Adobe setup program runs.
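The relative-path mistake described above is easy to surface when triaging a captured lure page: resolve every resource reference against the URL the page was actually served from and see which requests land on the serving host rather than the site being imitated. The Python below is an added example (not Citizen Lab’s or FinFisher’s code); the HTML is constructed to mirror the deficiencies listed in the paragraph, and the host names attack.example, cdn.example.org and news.example.org are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed lure page: relative stylesheet, script, image and ticker IFRAME paths copied
# from a legitimate site, plus a download link to an archive instead of an installer.
CLONED_PAGE = """
<html><head>
<title>Video: Islamic State Enters Egypt</title>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://cdn.example.org/common.css">
<script src="js/ticker.js"></script>
</head><body>
<img src="/images/logo.png">
<iframe src="/ticker/latest.html"></iframe>
<a href="/downloads/AdobeReader.rar">Install Adobe Reader XI</a>
<a href="https://news.example.org/story/12345">Read more</a>
</body></html>
"""

# Extensions a vendor would not use for a plugin installer.
SUSPICIOUS_EXT = (".rar", ".exe", ".scr", ".zip")


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every element that makes the browser fetch something."""
    TAG_ATTR = {"link": "href", "script": "src", "img": "src", "iframe": "src", "a": "href"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAG_ATTR.get(tag)
        if attr:
            for key, value in attrs:
                if key == attr and value:
                    self.refs.append((tag, value))


def audit_page(html: str, served_from: str) -> dict:
    """Resolve each reference against `served_from` and report which resources the
    browser will request from the serving (attack) host rather than elsewhere, and
    which download links point at executable archives."""
    parser = ResourceCollector()
    parser.feed(html)
    attack_host = urlsplit(served_from).hostname
    report = {"fetched_from_attack_host": [], "fetched_elsewhere": [], "suspicious_downloads": []}
    for tag, ref in parser.refs:
        absolute = urljoin(served_from, ref)
        parts = urlsplit(absolute)
        if tag == "a":
            if parts.path.lower().endswith(SUSPICIOUS_EXT):
                report["suspicious_downloads"].append(absolute)
            continue
        bucket = "fetched_from_attack_host" if parts.hostname == attack_host else "fetched_elsewhere"
        report[bucket].append(absolute)
    return report


if __name__ == "__main__":
    for key, urls in audit_page(CLONED_PAGE, "http://attack.example/video/").items():
        print(key, *urls, sep="\n  ")
```

Every URL in `fetched_from_attack_host` is a request the legitimate newspaper never receives; each is both a cosmetic failure for the lure (missing stylesheets, the "Not Found" ticker) and a line in the attack server's access log that a hosting provider or incident responder can recognise as a cloned page.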

Italy: Shift from Hacking Team to FinFisher?

We identified one IP address in Italy ( which served as a FinFisher server from 2014 to present.  Earlier in 2014, and before the publication of our report on Hacking Team, the same IP address instead matched our fingerprint for Hacking Team spyware servers.  This might indicate an Italian government agency switching from Hacking Team to FinFisher.

Oman: Eagle Eye Digital Solutions LLC

We found a FinFisher server running on IP address, which is pointed to by two subdomains of, a domain name associated with an Omani company called “Eagle Eye Digital Solutions LLC” through historical WHOIS.  The domain is currently registered to “Omantel,” the largest telecom in Oman.  Eagle Eye Digital Solutions LLC was founded by, and is run by, Warith Al-Maawali.86  Leaked emails describe Warith as part of Oman’s Ministry of Interior, as well as a reseller of FinFisher products.87  Other sites apparently run by Eagle Eye include a major Omani online forum, “”  Eagle Eye founder Warith Al Maawali says the forum is “one of the most active sites with the largest user-base in Oman.”

An archived version of Eagle Eye’s website on the Wayback Machine showed Elaman GmbH as one of their partners, and “Security Organizations” as their clients.  Elaman is known to be a reseller of FinFisher products.88

Figure 12: Old version of Eagle Eye’s website showing FinFisher reseller Elaman as a partner, and “Security Organizations” as among the firm’s clients.


In this report we provided the first update on Citizen Lab’s previous FinFisher scanning work since a widely discussed 2014 hack of FinFisher.  Despite the disclosure of sensitive customer data in that hack,89 and the potential customer concerns this might cause, our latest scans have detected FinFisher servers in more countries than any previous round of scanning.

FinFisher is still being used by a number of previously identified government clients, including Ethiopia, which is the defendant in an ongoing lawsuit over previous FinFisher use.90  We have also identified new suspected customers, including: Angola, Egypt, Gabon, Jordan, Kazakhstan, Kenya, Lebanon, Morocco, Oman, Paraguay, Saudi Arabia, Slovenia, Spain, Taiwan, Turkey, and Venezuela.

While we may not be detecting all FinFisher installations, this report’s methods improved on both our ability to detect installations, and to attribute FinFisher servers to specific governmental customers, whom we named. A key goal of this research is to provide a resource to those working on policy and research in this space.  We also believe this kind of reporting is essential to help ensure that citizens have the opportunity to hold their governments accountable. To this end, we identify government users, but redact certain details about live infrastructure (like removing the last octet of IP addresses), whose disclosure might interfere with legitimately sanctioned activities.

The Global Intrusion Software Market: Difficult to Study, Tricky to Regulate

The market for intrusion software like FinFisher is challenging to track because the key players, from government customers to software developers, have a strong interest in keeping transactions private. However, several years of research, reporting, and revelations have made it clear that a growing list of countries have acquired, or are seeking these tools.

As customer lists grow, so should concern over the documented abuse potential of intrusion software. Some governments clearly believe that it can be used, with proper oversight, in the service of legitimate criminal investigations and intelligence gathering. However, there are also well documented cases in which government customers have abused intrusion software to compromise political opponents within their borders, and overseas.

The current market seems to bypass some historic limits on the spread of advanced technical intrusion capabilities.  Lack of a strong Science, Technology, Engineering and Mathematics (STEM) education, or absence of long term investment in research and development pipelines, are no longer impediments to obtaining computer exploitation and intrusion capabilities. These tools are now available for purchase by any government. Certainly, lack of development in STEM should not preclude a country from having access to sophisticated investigative tools.  Indeed, an under-resourced state is likely to face security challenges that are just as serious as a more developed one.

However, it can be difficult even for democratic governments with a strong rule of law to oversee secret investigative capabilities like intrusion software.  These tools are likely to be acquired and used by divisions that are professionally discreet in their budgeting and information sharing. The information they generate may also have its origins deliberately disguised before being shared with other departments or agencies.  Intrusion software presents a challenge for accountability in any country, and the oversight authorities in under-resourced countries facing domestic or international security threats may be particularly ill-equipped, in expertise and political clout, to identify or act on signs of misuse.

Previous research has shown that FinFisher has been used to target regime opponents in several cases.  Notably, FinFisher has been used to hack Ethiopian and Bahraini democracy activists and opposition political figures.  Meanwhile, research and revelations about Hacking Team’s Remote Control System (RCS), a competitor product, have also made it clear that some government customers used these tools to target their political opponents, rather than security threats to their citizens.

Despite the well documented potential for abuse, the companies who develop and market these capabilities are reluctant and ill-equipped to conduct rigorous due diligence about potential customers, as recent revelations about Hacking Team have made clear.

The Wassenaar Arrangement, which regulates the export of weapons, as well as “dual use” technologies, was amended in 2013 to include items related to intrusion software, like FinFisher and Hacking Team’s RCS.  Now, as participants like the European Union have undertaken their own implementations (or are still developing theirs as in the case of the United States), it remains to be seen whether or not this will lead to greater transparency and control, and what impact, if any, it will have on abusive surveillance.

We hope that continued evidence-based research of this sort will contribute to greater overall transparency about this market, and provide much-needed points of reference for policy making and tracking the impact of regulatory efforts.


Special thanks to Citizen Lab colleagues Morgan Marquis-Boire and Claudio Guarnieri, as well as Ron Deibert and Masashi Crete-Nishihata. Special thanks to the Open Technology Fund. Thanks to Vern Paxson and Jason Passwaters.


12 Google does not return the user’s IP address unless a certain type of “User-Agent” header is included. In this example, we include a user agent used by the Tor Browser Bundle. The “nord=1” parameter turns off Google’s SSL redirection.
13 Yahoo does not return the userLocation object unless a certain type of “User-Agent” header is included. In some cases, we needed to substitute a country-specific version of Yahoo in the GET request (either or
14 We verified that the IP of our measurement machine was included in the Libero cookie when visiting the site directly.
18 We assume that if a FinFisher master is located in a country, then an entity of that country’s government is using the spyware. It is of course possible that government entities may be operating some surveillance from overseas sites. Though, we view this possibility as quite remote, given concerns about relying on foreign (and potentially untrusted) telecom infrastructure to operate surveillance infrastructure.

Appendix A: List of FinFisher Servers

Server             FinSpy Master IP    Master Country            Date
78.46.172.xxx      80.65.75.xxx        Bosnia and Herzegovina    12/2014
180.235.133.xxx    80.95.253.xxx       Czech Republic            12/2014
62.149.86.xxx                          Saudi Arabia              12/2014
77.31.27.xxx                           Saudi Arabia              1/2015
37.107.117.xxx                         Saudi Arabia              2/2015
2.90.15.xxx                            Saudi Arabia              5/2015
2.89.48.xxx                            Saudi Arabia              5/2015
95.218.27.xxx                          Saudi Arabia              5/2015
105.224.57.xxx                         South Africa              2/2015
105.228.145.xxx                        South Africa              5/2015
185.8.106.xxx                          Venezuela                 12/2014
Server)                                                          12/2014
Server)                                                          12/2014
Server)                                                          12/2014
Server)                                                          12/2014
Server)                                                          12/2014
Server)                                                          5/2015

