CSV Tooling: How Commercial Surveillance Vendors Build and Weaponize Exploit Chains

In 2025, commercial surveillance vendors surpassed nation-state actors as the leading source of attributed zero-day exploitation — the first time that milestone had been reached since Google began tracking the category. Understanding how these vendors assemble, deliver, and conceal their tools is no longer optional background knowledge for defenders. It is a prerequisite.

If you need a primer on what commercial surveillance vendors are and how the industry is structured, the kandibrian.com guide to commercial surveillance vendors covers the regulatory landscape, major players, and business model in detail. This article focuses specifically on the technical tooling side — the exploit frameworks, delivery mechanisms, evasion techniques, and detection tools that define the CSV threat in 2025 and 2026.

What CSV Tooling Actually Means

The term "CSV tooling" refers to the full technical stack that a commercial surveillance vendor provides to a paying customer. In the early years of the industry, some vendors sold isolated capabilities — a single exploit for a specific platform, or a basic implant with limited functionality. That model no longer reflects how sophisticated CSVs operate.

Google's Threat Analysis Group described the modern CSV offering as turn-key solutions covering the entire attack lifecycle: not just exploit chains, but the subsequent tools needed to identify targets, establish persistence, exfiltrate data, and maintain operational security. The capabilities that once required years of investment, deep technical expertise, and sustained intelligence resources are now sold as a service, often with operator dashboards, customer support, and update subscriptions.

The tooling stack a mature CSV deploys for a government customer typically includes several integrated components. Reconnaissance and target qualification frameworks profile the target device, operating system version, and network environment before committing a high-value exploit. Delivery infrastructure — whether one-time links, malicious advertising networks, watering holes, or zero-click network injection — gets the initial access vector to the target. The implant itself handles persistent access, communication with command-and-control servers, and data collection. Operational security layers — URL randomization, geofencing, multi-tier anonymous C2 relays — protect both the vendor's infrastructure and the customer's identity.

[Figure: CSV Full-Stack Attack Lifecycle. Stage 1: Reconnaissance (device fingerprint); Stage 2: Delivery (zero-click / link / ad); Stage 3: Implant (RCE + sandbox escape); Stage 4: Exfiltration (data, creds, media); Stage 5: OpSec / C2 (geofence, anon relay, rotation).]
CSV full-stack tooling covers the complete attack lifecycle — from target qualification through persistent C2 with layered operational security.

How Exploit Chains Are Built and Sold

The exploit acquisition model varies by vendor, but the most capable CSVs maintain internal research teams whose sole function is discovering and weaponizing vulnerabilities before they are patched or disclosed. Intellexa, for example, has demonstrated a consistent ability to rapidly develop new zero-day exploits using techniques including remote code execution, sandbox escape, and local privilege escalation — often adapting within weeks when platform vendors deploy mitigations. This kind of velocity requires sustained engineering investment and access to a pipeline of undisclosed vulnerabilities.

Some vendors supplement internal research by purchasing vulnerabilities from brokers or independent researchers. The pricing reflects that market. Activation costs in the industry have climbed substantially over the years, from a few thousand euros per device in the early 2010s to multi-million euro deployments for platforms like Intellexa's Predator by 2022 — a direct reflection of both the difficulty of acquiring reliable zero-days and the value clients place on reliable access.

The delivery mechanism has diversified considerably. The classic model involved one-time links sent over encrypted messaging apps — a user clicks, the exploit fires, the implant is installed. More recently, researchers observed Intellexa deploying malicious advertisements on third-party platforms to deliver exploit chains, demonstrating that CSVs are able to rapidly adapt delivery when one vector becomes monitored or blocked. Physical access vectors persist as a fallback: USB injection tools and forensic devices are used to install implants at borders or checkpoints when network delivery is unavailable.

Once installed, spyware implants communicate with C2 infrastructure that is deliberately designed to resist attribution. Intellexa's Predator was observed using a multi-tier C2 network that added layers of anonymizing servers owned by third-party companies, making it harder for network defenders to trace activity back to the vendor or customer. Implant traffic typically moves over HTTPS and SSH to blend with normal encrypted web traffic, while geofencing logic causes the implant to go dormant or self-destruct when it detects it is running in an analysis environment outside the target region.

2025 Zero-Day Attribution: CSVs Take the Lead

Google's Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild across 2025. Of the 42 for which attribution was confirmed, 18 were tied to commercial surveillance vendors — compared to 15 linked to state-sponsored espionage groups. This was the first time CSVs had led that count. CSVs predominantly targeted mobile devices and browsers; nation-state actors focused more heavily on edge devices and security appliances.

Tooling in the Wild: Coruna and the Proliferation Problem

One of the clearest recent examples of what CSV tooling looks like in practice — and what happens when it escapes controlled use — is the Coruna iOS exploit kit. Google's Threat Intelligence Group first captured elements of Coruna in February 2025, when researchers observed fragments of an iOS exploit chain being used by a customer of an unnamed commercial surveillance company. The framework fingerprinted target devices, identified iPhone model and iOS version, and silently delivered the appropriate WebKit remote code execution exploit.

The technical scope of Coruna illustrates the engineering investment CSVs make. The kit contained five full iOS exploit chains and a total of 23 individual exploits, targeting iOS versions 13 through 17.2.1. The exploit list included both CVE-tracked vulnerabilities and flaws that had never been assigned CVE identifiers, suggesting internal research that preceded or operated outside the public vulnerability disclosure pipeline. Two of the exploits — CVE-2023-32434 and CVE-2023-38606 — were the same zero-days used in Operation Triangulation in 2023, which Kaspersky described as giving an attacker full control over the iOS kernel.

What happened next is the more instructive part of the story. The same toolkit was repurposed by UNC6353, a suspected Russian espionage group, and embedded as hidden iframes on compromised Ukrainian websites spanning industrial, retail, and e-commerce sectors. By the end of 2025, the kit appeared across a large network of fake Chinese financial websites operated by UNC6691, a financially motivated group using it to harvest cryptocurrency wallet credentials. iVerify confirmed at least 42,000 compromised iPhones and assessed the exploit chain had similarities to frameworks developed by actors affiliated with the U.S. government. CISA added three of the Coruna-exploited vulnerabilities to its Known Exploited Vulnerabilities catalog in March 2026.

Coruna is not an isolated case — it is an illustration of a structural problem the security ecosystem has long warned about. The commercial surveillance industry involves exploit acquisition programs, vulnerability brokers, and secondary markets that facilitate the movement of offensive capabilities between actors. Once a nation-state-grade exploit framework exits the tightly controlled environment of a surveillance vendor's customer deployment, the barriers to its adoption by espionage groups and financially motivated criminals are far lower than anyone in the industry is comfortable acknowledging.

Detection and Response Tools

The tooling built to detect commercial spyware is considerably less well-resourced than the tooling built to deploy it, but several effective instruments exist for defenders and forensic researchers.

Mobile Verification Toolkit (MVT)

Amnesty International's Security Lab released MVT in 2021 as part of the forensic methodology developed during the Pegasus Project investigation. It remains the primary open-source forensic tool for detecting spyware on both iOS and Android devices. MVT scans device backups or full filesystem dumps against published indicators of compromise (IOCs) — including domain names used in CSV C2 infrastructure, process artifacts, and network traffic anomalies associated with known implants. For iOS devices, MVT can work with an encrypted iTunes backup or a full filesystem dump; for Android, it pairs with the AndroidQF acquisition tool. Both are maintained by Amnesty International and available via GitHub and PyPI.

One important caveat: MVT is a tool for forensic researchers and technically trained investigators, not a consumer self-assessment product. The Amnesty Security Lab notes explicitly that negative MVT results do not confirm a device is clean — sophisticated implants may evade detection if their IOCs have not been published, and the most advanced CSV deployments have been engineered specifically to avoid leaving the kinds of artifacts that MVT scans for.

iVerify

iVerify offers both an enterprise mobile threat detection platform and a consumer-accessible basic app. Following the Coruna exposure, iVerify published IOCs and a dedicated STIX2 file for MVT compatibility, and made its Basic app free to allow any user to check for Coruna-related indicators. For organizations managing fleets of mobile devices, iVerify Enterprise provides real-time behavioral detection of sophisticated mobile threats including those in the CSV category.

SpyGuard and Network Traffic Analysis

Network-layer detection using tools like SpyGuard can identify anomalies in encrypted traffic that may suggest an implant beaconing to C2 infrastructure, though sophisticated CSV implants employ protocol rotation and traffic blending techniques that make network-based detection increasingly difficult. Apple's Sysdiagnose collection capability can assist in capturing diagnostics for analysis by researchers with sufficient forensic context.

If You Are a Journalist, Activist, or Civil Society Member at Risk

Do not attempt self-assessment using MVT without technical guidance. Contact Amnesty International's Security Lab or Access Now's Digital Security Helpline for professional forensic support. These organizations provide confidential device analysis to civil society members who may be targets of commercial spyware.

How to Check a Device for Commercial Spyware

For technically capable researchers working with the open-source toolchain, the workflow proceeds as follows.
  1. Install MVT from PyPI, following the documented dependencies for your operating system.
  2. For iOS, create an encrypted iTunes backup or a full filesystem dump from a jailbroken device; for Android, use AndroidQF to capture a forensic snapshot.
  3. Obtain the latest published IOCs from Amnesty International's Security Lab, iVerify, or Citizen Lab in STIX2 or MVT-compatible format.
  4. Run mvt-ios check-backup or mvt-android check-backup against the device data, pointing to the IOC file.
  5. Review the output carefully — detections should be treated as evidence requiring further investigation, while a clean result should be interpreted with appropriate uncertainty given the limitations of IOC-based detection.
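As an added example of the IOC-matching step described above and in the MVT section (this is not MVT's own code, and it uses no published indicator set), the following Python parses a STIX2 indicator bundle in the layout MVT ingests, extracts the domain and process comparisons from each indicator pattern (including OR-chained patterns), and matches them against device artifacts, treating any subdomain of a listed domain as a hit. The bundle, every indicator value, and the artifact records are constructed placeholders.

```python
import json
import re

# Constructed STIX2 bundle in the layout MVT ingests (type/id/pattern fields).
# Every domain and process name here is a placeholder, not a published indicator.
SAMPLE_STIX2 = json.dumps({"type": "bundle", "id": "bundle--placeholder-1", "objects": [
    {"type": "indicator", "id": "indicator--placeholder-2", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2-one.invalid']"},
    {"type": "indicator", "id": "indicator--placeholder-3", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2-two.invalid'] OR [process:name = 'fakeimplantd']"},
    {"type": "malware", "id": "malware--placeholder-4", "name": "placeholder-implant"},
]})

# One STIX comparison [<type>:<property> = '<value>']; OR-chained patterns yield several.
_COMPARISON = re.compile(r"\[\s*([\w-]+):([\w.]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]")

def load_indicators(bundle_json):
    """Map STIX object type ('domain-name', 'process', ...) to a set of values."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # malware/relationship objects carry no pattern to match on
        for obj_type, _prop, value in _COMPARISON.findall(obj["pattern"]):
            iocs.setdefault(obj_type, set()).add(value.replace("\\'", "'").lower())
    return iocs

def matches(kind, value, iocs):
    """Exact match for every kind; a domain also hits on any subdomain of an IOC."""
    value = value.lower().rstrip(".")
    candidates = iocs.get(kind, set())
    if value in candidates:
        return True
    return kind == "domain-name" and any(value.endswith("." + d) for d in candidates)

# Constructed artifacts in the shape a backup parser yields (kind, value, source).
SAMPLE_ARTIFACTS = [
    {"kind": "domain-name", "value": "cdn.example.com", "source": "safari_history"},
    {"kind": "domain-name", "value": "Update.C2-Two.INVALID", "source": "datausage"},
    {"kind": "process", "value": "fakeimplantd", "source": "datausage"},
    {"kind": "process", "value": "mediaserverd", "source": "datausage"},
]

def check_artifacts(artifacts, iocs):
    """Return artifacts that match a loaded indicator.  An empty list means 'no
    match against these IOCs', not 'clean': unpublished indicators stay invisible."""
    return [a for a in artifacts if matches(a["kind"], a["value"], iocs)]

if __name__ == "__main__":
    for hit in check_artifacts(SAMPLE_ARTIFACTS, load_indicators(SAMPLE_STIX2)):
        print(f"{hit['source']}: {hit['kind']} {hit['value']} matches a loaded IOC")
```

In a real run the bundle would be the STIX2 file obtained from the publishers named in step 3 and the artifacts would come from the backup or AndroidQF parsers, which is exactly why an empty result only speaks to the indicators that were loaded.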

The Browser Attack Surface CSVs Rely On

CSVs have consistently prioritized mobile devices and browser exploit chains as their primary attack surface, in contrast to nation-state actors who have shifted heavily toward edge devices and security appliances. That preference reflects where high-value surveillance targets — journalists, activists, politicians, dissidents — are most reachable and most vulnerable.

Browser exploitation rates did decline in 2025 compared to the peak years of 2021 and 2022, which GTIG partially attributed to browser hardening efforts. However, the attack surface keeps expanding as browsers integrate more complex low-level APIs. The recent Chrome zero-day CVE-2026-5281 — a use-after-free in Chrome's WebGPU implementation (Dawn) — is a representative example of where that surface is growing. WebGPU introduces complex memory interactions across renderer and GPU process boundaries; the same low-level, C++-implemented code paths that enable high-performance GPU access from web content create the kind of object lifetime management complexity where use-after-free conditions emerge. The NVD description for CVE-2026-5281 specifies that exploitation requires a prior renderer compromise, meaning it functions as the second link in a chain — exactly the kind of compound exploitation model CSVs build their delivery frameworks around. CISA added CVE-2026-5281 to its Known Exploited Vulnerabilities catalog on April 1, 2026, with a federal remediation deadline of April 15, 2026.

The pattern of multiple Dawn use-after-free vulnerabilities fixed in a single Chrome release — CVE-2026-5281, CVE-2026-5284, and CVE-2026-5286 were all patched together on March 31, 2026 — reflects how subsystems with complex memory semantics generate clusters of related bugs. For defenders, it reinforces that browser patch velocity matters independently of whether a specific exploit is attributed to a CSV. The same browser flaws that nation-state actors and financially motivated groups exploit today begin their lifecycle in many cases as commercial surveillance capabilities.

Key Takeaways

  1. CSVs now lead zero-day exploitation by volume: For the first time since tracking began, commercial surveillance vendors in 2025 were attributed with more zero-day exploitation than state-sponsored espionage groups. The market is expanding, not contracting, despite sanctions, legal actions, and public exposure.
  2. CSV tooling is a complete operational stack: The exploit is only one component. Reconnaissance frameworks, delivery infrastructure, implant capabilities, C2 relays, and evasion logic are all bundled into vendor offerings. Defenders need visibility across all of these layers, not just exploit signatures.
  3. Exploit proliferation is a structural risk: The Coruna case demonstrated that nation-state-grade mobile exploit frameworks can migrate from targeted surveillance operations to mass criminal deployment within a year. The commercial surveillance industry's secondary markets create proliferation pathways that extend well beyond the vendor's original customer base.
  4. Detection tooling exists but has meaningful limits: MVT and iVerify provide real forensic capability for detecting known CSV implants. Both are limited by IOC coverage — implants engineered to evade current indicators, or novel deployments without published IOCs, may not be detected. Negative results should be treated with caution, particularly for high-risk individuals.
  5. Browser and mobile surfaces remain the primary CSV target: Keep mobile operating systems and browsers updated as a non-negotiable baseline. The browser exploit chains CSVs build depend on unpatched renderer and GPU-layer vulnerabilities. Patch velocity directly reduces the window of exposure for these specific attack classes.

The commercial surveillance industry operates in a space where legitimate government capability requirements, international export control gaps, and the absence of meaningful accountability for misuse all create conditions that sustain demand. The Pall Mall Code of Practice, agreed to in April 2025, represents an attempt to establish responsible use standards — but implementation is voluntary and enforcement mechanisms remain limited. Until that changes, the technical tooling continues to advance, the secondary markets continue to proliferate, and defenders continue to work with instruments calibrated to yesterday's known threats.