December 17, 2021 - 11:13 AMT
Report: Armenian government "likely" customer of Cytrox spyware

The Armenian government is "likely" among the customers of the Predator spyware from North Macedonian developer Cytrox, Citizen Lab said in a fresh report on Thursday, December 16.

Researchers found that Predator was used to attack two people in June 2021. The spyware "was able to infect the then-latest version (14.6) of Apple's iOS operating system using single-click links sent via WhatsApp," according to Citizen Lab.

Given the abuse of WhatsApp for Predator targeting, the Citizen Lab shared forensic artifacts with Meta’s security team.

Meta has now taken an enforcement action against Cytrox, which includes removing approximately 300 Facebook and Instagram accounts linked to Cytrox. In total, Meta has removed more than 1,500 Facebook and Instagram accounts associated with seven outfits, including Cytrox, which the company said were used for reconnaissance, social engineering and sending malicious links to thousands of victims in over 100 countries.

The Meta report also states that the company believes Cytrox customers include entities in Armenia, as well as in Egypt, Greece, Saudi Arabia, Oman, Colombia, Côte d’Ivoire, Vietnam, the Philippines, and Germany.

Meta found a “vast domain infrastructure” associated with Cytrox, which it said was likely used in hacking campaigns that targeted politicians and journalists, including in Egypt and Armenia.