{"id":127142,"date":"2023-04-11T09:00:00","date_gmt":"2023-04-11T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=127142"},"modified":"2025-06-18T07:33:59","modified_gmt":"2025-06-18T14:33:59","slug":"dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/11\/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia\/","title":{"rendered":"DEV-0196: QuaDream\u2019s \u201cKingsPawn\u201d malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia"},"content":{"rendered":"\n

April 2023 update<\/strong> \u2013 Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0196<\/strong> is now tracked as Carmine Tsunami<\/strong>.<\/p>\n\n\n\n

To learn more about this evolution, how the new taxonomy represents the origin, unique traits, and impact of threat actors, and a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy<\/a><\/strong>.<\/p>\n\n\n\n

\n\n\n\n

Microsoft Threat Intelligence analysts assess with high confidence that a threat group tracked by Microsoft as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream. QuaDream reportedly sells a platform they call REIGN to governments for law enforcement purposes. REIGN is a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices.  <\/p>\n\n\n\n

In this blog, Microsoft analyzes DEV-0196, discusses technical details of the actor\u2019s iOS malware, which we call KingsPawn, and shares both host and network indicators of compromise that can be used to aid in detection.<\/p>\n\n\n\n

Over the course of our investigation into DEV-0196, Microsoft collaborated with multiple partners. One of those partners, Citizen Lab of the University of Toronto\u2019s Munk School, identified at least five civil society victims of the DEV-0196 malware that included journalists, political opposition figures, and a non-government organisation (NGO) worker, in North America, Central Asia, Southeast Asia, Europe, and the Middle East. Furthermore, Citizen Lab was able to identify operator locations for QuaDream systems in the following countries: Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates, and Uzbekistan. Read the Citizen Lab report here<\/a>.<\/p>\n\n\n\n

Microsoft is sharing information about DEV-0196 with our customers, industry partners, and the public to improve collective knowledge of how PSOAs operate and raise awareness about how PSOAs facilitate the targeting and exploitation of civil society. For more info, read Standing up for democratic values and protecting stability of cyberspace<\/a>.<\/p>\n\n\n\n

DEV-0196: A private-sector offensive actor based in Israel<\/h2>\n\n\n\n

PSOAs, which Microsoft also refers to as cyber mercenaries, sell hacking tools or services through a variety of business models, including access as a service. In access as a service, the actor sells full end-to-end hacking tools that can be used by the purchaser in cyber operations. The PSOA itself is not involved in any targeting or running of the operations.<\/p>\n\n\n\n

Microsoft Threat Intelligence analysts assess with high confidence that DEV-0196 uses this model, selling exploitation services and malware to governments. It\u2019s not directly involved in targeting. Microsoft also assesses with high confidence that DEV-0196 is linked to an Israel-based private company called QuaDream. According to the Israeli Corporations Authority<\/a>, QuaDream, under the Israeli name \u05e7\u05d5\u05d5\u05d3\u05e8\u05d9\u05dd \u05d1\u05e2”\u05de, was incorporated in August 2016. The company has no website, and there is little public reporting about the company, with a few notable exceptions.<\/p>\n\n\n\n

QuaDream came to international attention in a 2022 Reuters report<\/a>, which cited a company brochure that described the REIGN platform and a list of capabilities, the report also notably suggested that QuaDream used a zero-click iOS exploit that leveraged the same vulnerability seen in NSO Group\u2019s ForcedEntry exploit. An earlier report by Israeli news outlet Haaretz,<\/a> also citing a QuaDream brochure, revealed that QuaDream did not sell REIGN directly to customers but instead did so through a Cypriot company. Haaretz also reported that Saudi Arabia\u2019s government was among QuaDream\u2019s clients, as was the government of Ghana. However, Haaretz could not confirm allegations made in the Ghanian press<\/a> and repeated<\/a> in the Israeli press<\/a> that QuaDream employees were among 14 Israeli tech workers from different companies who travelled to Accra, Ghana in 2020 to meet with the incumbent administration three months prior to the presidential election for the purposes of a special project relating to it.<\/p>\n\n\n\n

QuaDream was mentioned in a December 2022 report from Meta<\/a>, which reportedly took down 250 accounts associated with the company. According to the report, Meta observed QuaDream testing its ability to exploit iOS and Android mobile devices with the intent \u201cto exfiltrate various types of data including messages, images, video and audio files, and geolocation.\u201d<\/p>\n\n\n\n

Technical investigation: DEV-0196 malware<\/h2>\n\n\n\n

Microsoft Threat Intelligence analysts assess with high confidence that the malware, which we call KingsPawn, is developed by DEV-0196 and therefore strongly linked to QuaDream. We assess with medium confidence that the mobile malware we associate with DEV-0196 is part of the system publicly discussed as REIGN.<\/p>\n\n\n\n

The captured samples targeted iOS devices, specifically iOS 14, but there were indications that some of the code could also be used on Android devices. Since the malware sample targets iOS 14, some of the techniques used in this sample may no longer work or be relevant on newer iOS versions. However, we assess it\u2019s highly likely that DEV-0196 will have updated their malware, targeting newer versions to account for this. Analysis of the malware revealed that it is split into multiple components. The sections below focus on two of those components: a monitor agent and the main malware agent.<\/p>\n\n\n\n

Monitor agent<\/h3>\n\n\n\n

The monitor agent is a native Mach-O file written in Objective-C. It is responsible for reducing the forensic footprint of the malware to prevent detection and hinder investigations. It has multiple techniques to do this, one of which is monitoring various directories, such as \/private\/var\/db\/analyticsd\/<\/em> and \/private\/var\/mobile\/Library\/Logs\/CrashReporter,<\/em> for any malware execution artifacts or crash-related files. Once these artifacts or files are identified, the monitor agent deletes them.<\/p>\n\n\n\n

The monitor agent is also in charge of managing the various processes and threads spawned on behalf of the malware to avoid artifacts created from unexpected process crashes. The agent uses the waitpid<\/em><\/a> function to monitor all child processes that are spawned, and the child process IDs are added to a tracking list. The monitor agent attempts to safely shut down tracked child processes by calling sigaction<\/em><\/a> <\/em>with the SIGTSTP parameter, if sigaction<\/em> returns successfully this means the child process is reachable and a SIGKILL<\/em> command is sent to kill it. This avoids sending a kill<\/em> command to a non-existent PID, which can leave error messages and artifacts behind.<\/p>\n\n\n\n

Main agent<\/h3>\n\n\n\n

The main agent is also a native Mach-O file. However, it is written in Go, a highly portable language, which was likely chosen because it allows compilation across multiple platforms, reducing development effort.<\/p>\n\n\n\n

This agent includes capabilities to:<\/p>\n\n\n\n