On December 4, 2025, AlienVault released a new threat report titled Prolific Zero-Day Exploits Continue. The report details the ongoing activities of the cyber‑espionage group Intellexa, which has continued to develop, sell, and deploy zero‑day vulnerabilities despite international sanctions. The analysis covers more than 210 connected elements and cites 15 unique zero‑day exploits discovered since 2021. The report emphasizes the group’s focus on mobile browsers and operating systems, particularly the iOS and Android platforms.
Intellexa’s exploit chain, known as smack, leverages a proprietary framework called JSKit to achieve remote code execution on iOS devices. The chain begins with a malicious advertisement that delivers a JavaScript payload to the victim’s browser. Once executed, the payload exploits a series of zero‑day vulnerabilities in the browser’s rendering engine and the underlying operating system, ultimately granting the attacker full control over the device. Delivery through advertising networks lets Intellexa reach a wide audience with a single campaign, which is what makes the chain so high‑impact.
The report documents that Intellexa’s operations have impacted several hundred accounts across multiple countries, including the United States, United Kingdom, Canada, and Australia. Victims have ranged from individual users to large enterprises, with the attackers targeting sensitive data such as login credentials, financial information, and intellectual property. In addition to data exfiltration, the group has demonstrated the ability to install persistent backdoors, enabling long‑term surveillance, persistent command‑and‑control sessions, and further exploitation of compromised devices within corporate networks.
Google’s response to the threat has been swift and comprehensive. The search engine giant has issued warnings to targeted users through its Safe Browsing service, flagging malicious domains associated with Intellexa’s campaigns. Additionally, Google has added these domains to its blacklist, preventing users from accessing potentially dangerous sites. The company has also collaborated with other industry partners to share threat intelligence, so that the broader security community can feed these indicators into monitoring tools and alerts and take proactive measures against similar attacks.
Intellexa’s use of zero‑day vulnerabilities underscores the importance of a robust patch management strategy. The group’s exploits target unpatched software, highlighting the risk of delayed updates in both consumer and enterprise environments. Security analysts recommend that organizations adopt a continuous vulnerability assessment program, prioritizing critical patches for mobile operating systems and browsers. Regularly scanning for disclosed zero‑days and applying vendor‑issued fixes can significantly reduce the attack surface and mitigate the risk of exploitation, with patch‑deployment and monitoring dashboards used to track coverage.
Another critical recommendation is to implement a layered defense strategy that includes endpoint detection and response (EDR) solutions capable of detecting malicious JavaScript execution within browsers. EDR tools can identify anomalous network connections, suspicious process creation, and unauthorized changes to system files, providing early warning before the attacker gains full control. Combining EDR with a web‑filtering solution that blocks known malicious ad networks further reduces the likelihood of initial compromise, especially when the filter is driven by real‑time threat intelligence feeds and enforces automated blocking rules.
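As an added illustration of the web‑filtering rule described above (example code written for this summary, not code from the AlienVault report or from any vendor), the following applies a constructed threat‑intel feed of malvertising domains to constructed proxy log lines; every domain and address in it is a placeholder, and the point it makes is that a listed domain must match itself and its subdomains but not look‑alike superstrings.

```python
# Added illustration, not code from the AlienVault report: apply a constructed
# threat-intel feed of malvertising domains to constructed proxy log lines.
# Matches a listed host and its subdomains, never look-alike superstrings
# (a naive substring check would wrongly flag "notbadads.example").
import re

# Constructed feed; every domain is a placeholder.
FEED = """
# malvertising infrastructure (hypothetical)
badads.example
cdn.trackpixel.invalid
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<status>\d{3})$")

def load_feed(text: str) -> set[str]:
    """Normalise entries: lower-case, strip comments and trailing dots."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            entries.add(line)
    return entries

def is_blocked(host: str, feed: set[str]) -> bool:
    """True if host equals a feed entry or is a subdomain of one."""
    labels = host.strip().lower().rstrip(".").split(".")
    # Walk up the label chain: a.b.c -> a.b.c, b.c, c
    return any(".".join(labels[i:]) in feed for i in range(len(labels)))

def scan_proxy_log(lines: list[str], feed: set[str]) -> list[tuple[str, str]]:
    """Return (client, host) pairs whose destination matches the feed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if is_blocked(m["host"], feed):
            hits.append((m["client"], m["host"]))
    return hits

# Constructed sample lines: timestamp, client, destination host, HTTP status.
SAMPLE_LOG = [
    "2025-12-04T10:00:01Z 10.0.0.5 ads.badads.example 200",
    "2025-12-04T10:00:02Z 10.0.0.5 notbadads.example 200",
    "2025-12-04T10:00:03Z 10.0.0.9 CDN.TRACKPIXEL.INVALID. 302",
    "2025-12-04T10:00:04Z 10.0.0.9 news.example.org 200",
    "garbage line",
]
if __name__ == "__main__":
    for client, host in scan_proxy_log(SAMPLE_LOG, load_feed(FEED)):
        print(f"block {client} -> {host}")
```

The same label‑walk applies to DNS response logs or browser history exports; only the regular expression that pulls the host out of each line changes.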
From a technical standpoint, the adoption of a zero‑trust architecture can help mitigate the impact of zero‑day exploits. By enforcing strict identity verification, least‑privilege access, and continuous monitoring, organizations can isolate compromised devices before they spread malware. Additionally, segmenting mobile device management (MDM) policies to separate corporate data from personal usage reduces the potential damage from an exploited device. Implementing application whitelisting, combined with sandboxing and real‑time threat detection, further ensures that only approved software can run on endpoints.
User education remains a cornerstone of cyber resilience. Organizations should conduct regular training sessions that emphasize the dangers of clicking on suspicious links, especially those delivered through advertisements. Employees should be instructed to verify the legitimacy of URLs, use browser extensions that block malicious scripts, and report any unusual activity immediately. By fostering a culture of vigilance and reinforcing authentication practices across all platforms, companies can significantly lower the success rate of the social engineering tactics employed by groups like Intellexa.
International cooperation is essential to curb the proliferation of surveillance tools. The report highlights ongoing efforts to establish norms that limit the misuse of zero‑day exploits for espionage. By sharing threat intelligence across borders, governments can coordinate sanctions, enforce export controls, and support victims of cyber‑espionage. Public‑private partnerships should also be strengthened to facilitate rapid incident response, ensuring that affected organizations receive timely support and resources to remediate breaches, with transparency and accountability in how security measures are implemented.
In conclusion, Intellexa’s continued exploitation of zero‑day vulnerabilities poses a significant threat to both individuals and organizations worldwide. By combining timely patching, layered defenses, user education, and international collaboration, security analysts can reduce the risk of compromise. The AlienVault report serves as a stark reminder that cyber adversaries are constantly evolving, and proactive measures are the only effective defense against sophisticated zero‑day attacks. Staying vigilant and investing in security technologies will help safeguard assets and preserve trust in digital ecosystems.