APT29, Intellexa, NSO Share Identical Exploit Chains
Google TAG finds APT29 using exploit chains identical to those deployed by Intellexa and NSO Group, suggesting shared access to zero-day suppliers or exploit resale.

Executive Summary
Google's Threat Analysis Group (TAG) reports that APT29, a threat actor attributed to the Russian state, has deployed exploit chains identical to ones previously used by the commercial surveillance vendors Intellexa and NSO Group. The finding, published April 30, 2026, points to a convergence between state-sponsored offensive cyber operations and the commercial spyware industry, most plausibly through shared access to the same zero-day exploit developers or through a secondary market in which exploits are resold. TAG explicitly describes the chains as "identical" across the three entities, but the report as summarized here does not name the CVEs or the platforms targeted.
Technical Analysis
According to Google TAG's analysis, the exploit chains observed in APT29 operations match those deployed by Intellexa (maker of the Predator spyware framework) and NSO Group (developer of Pegasus). The report does not disclose the specific vulnerabilities or delivery mechanisms, but identical chains imply that the technical artifacts, from exploit code structure and trigger conditions through to post-exploitation payloads, are shared across these otherwise distinct threat actors.
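How an analyst would notice that two samples attributed to different actors are the same chain despite renamed variables, new comments and changed strings is not spelled out in the report. The following is an added illustration, not Google TAG's method or code from the article: it reduces JavaScript stage scripts to a structural token stream (comments and whitespace dropped, strings and attacker-chosen identifiers collapsed to placeholders, numeric constants kept because spray sizes and offsets are part of the trigger condition), hashes the stream, and reports fingerprints seen under more than one actor label. The three stage scripts and the actor labels are constructed for the demo and contain no real exploit code.

```python
import hashlib
import re
from collections import defaultdict

# Tokens kept verbatim because they carry structure: JS keywords plus the engine
# builtins and methods a browser exploit stage typically touches. Any other
# identifier is attacker-chosen and is collapsed to a placeholder.
KEEP = {
    "var", "let", "const", "function", "return", "new", "for", "while", "if",
    "else", "true", "false", "null", "undefined", "typeof", "instanceof", "this",
    "throw", "try", "catch", "ArrayBuffer", "Uint8Array", "Uint32Array",
    "Float64Array", "DataView", "WebAssembly", "Array", "Object", "length",
    "push", "fill", "slice", "setFloat64", "getUint32",
}

TOKEN_RE = re.compile(
    r"//[^\n]*"                 # line comment (dropped)
    r"|/\*.*?\*/"               # block comment (dropped)
    r'|"(?:\\.|[^"\\])*"'       # double-quoted string literal
    r"|'(?:\\.|[^'\\])*'"       # single-quoted string literal
    r"|0[xX][0-9a-fA-F]+"       # hex literal
    r"|\d+(?:\.\d+)?"           # decimal literal
    r"|[A-Za-z_$][\w$]*"        # identifier or keyword
    r"|\S",                     # any other single character (operators, punctuation)
    re.DOTALL,
)


def normalize(js):
    """Reduce JavaScript source to a structural token stream. Comments and
    whitespace are dropped, strings become STR, attacker-chosen identifiers
    become ID. Numeric constants are kept on purpose: spray counts, sizes and
    offsets are part of the trigger condition."""
    tokens = []
    for m in TOKEN_RE.finditer(js):
        tok = m.group(0)
        if tok.startswith("//") or tok.startswith("/*"):
            continue
        if tok[0] in "\"'":
            tokens.append("STR")
        elif tok[0].isdigit():
            tokens.append(tok.lower())
        elif tok in KEEP:
            tokens.append(tok)
        elif tok[0].isalpha() or tok[0] in "_$":
            tokens.append("ID")
        else:
            tokens.append(tok)
    return tokens


def structural_fingerprint(js):
    """SHA-256 over the normalized token stream."""
    return hashlib.sha256(" ".join(normalize(js)).encode()).hexdigest()


def shared_chains(samples):
    """samples: iterable of (actor_label, js_source). Returns a mapping of
    fingerprint -> sorted actor labels for fingerprints seen under more than
    one label, i.e. the same stage in use by different actors."""
    seen = defaultdict(set)
    for actor, src in samples:
        seen[structural_fingerprint(src)].add(actor)
    return {fp: sorted(actors) for fp, actors in seen.items() if len(actors) > 1}


# Constructed toy stage scripts for the demo (not real exploit code). A and B are
# the same stage with different names, comments and strings; C changes one
# numeric constant, i.e. a different trigger condition.
SAMPLE_A = """
// stage 1: shape the heap, then hand off to the trigger
var spray = [];
for (var i = 0; i < 0x1000; i++) { spray.push(new Uint32Array(0x400)); }
var view = new DataView(new ArrayBuffer(0x40));
trigger(spray, view, "stage2");
"""

SAMPLE_B = """
/* same stage, renamed and re-commented */
var h = [];
for (var k = 0; k < 0x1000; k++) { h.push(new Uint32Array(0x400)); }
var dv = new DataView(new ArrayBuffer(0x40));
kick(h, dv, 'loader');
"""

SAMPLE_C = """
var spray = [];
for (var i = 0; i < 0x2000; i++) { spray.push(new Uint32Array(0x400)); }
var view = new DataView(new ArrayBuffer(0x40));
trigger(spray, view, "stage2");
"""

# Hypothetical actor labels; the point is the overlap, not the attribution.
SAMPLES = [("actor-1", SAMPLE_A), ("actor-2", SAMPLE_B), ("actor-3", SAMPLE_C)]

if __name__ == "__main__":
    for fp, actors in shared_chains(SAMPLES).items():
        print(f"{fp[:16]}... shared by {', '.join(actors)}")
```

Running it reports one fingerprint shared by actor-1 and actor-2; sample C, which differs only in the spray count, is not matched. Real chains are compared at several layers (delivery page, exploit stage, sandbox escape, final payload) and with fuzzier matching than an exact hash, but the normalization step is what makes cosmetic rebranding between customers of one supplier visible.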
APT29, also tracked as Cozy Bear and Midnight Blizzard, has been attributed by the US and UK governments to Russia's Foreign Intelligence Service (SVR) and is historically associated with high-value espionage targets including government ministries, think tanks, and technology firms. Intellexa, a consortium founded by a former Israeli intelligence officer, and NSO Group, an Israeli company, are commercial surveillance vendors whose products have been linked to human rights abuses and to targeted surveillance of journalists, activists, and opposition figures.
The reuse of identical exploit chains raises two possibilities, which are not mutually exclusive: the actors are buying exploits from the same third-party broker or developer, or one actor is obtaining exploits from another through theft or an intelligence-sharing arrangement. Google TAG notes that the commercial surveillance industry has increasingly become a way for state actors to acquire capabilities without developing them in-house.
This finding fits a broader trend documented by Google TAG and other researchers: the commercialization of zero-day exploits has blurred the line between state-sponsored and private-sector offensive operations. In previous reports, Google TAG has detailed how commercial surveillance vendors such as Candiru and Cytrox (the Intellexa-alliance company behind Predator) sold capabilities that governments later used against civil society.
Mitigations & Recommendations
Google TAG recommends that defenders prioritize patching known exploited vulnerabilities in mobile operating systems (iOS and Android) and web browsers, since these are the most common entry points for the exploit chains used by both state-backed actors and commercial spyware vendors. Organizations should enable automatic updates where possible and deploy mobile device management (MDM) policies that restrict sideloading of applications.
For high-risk targets (government officials, journalists, and human rights defenders among them), Google recommends enabling Lockdown Mode on iOS devices and using Chrome with Enhanced Safe Browsing enabled. Network defenders should monitor for anomalous outbound connections from mobile devices and investigate alerts related to privilege escalation or kernel exploitation, the stages at which a browser or messaging-app exploit typically becomes a full device compromise.
No specific patches or CVEs are named in the current advisory. Because the chains are identical, a patch or detection that covers one vendor's chain covers the others as well, so defenders should treat any in-the-wild exploit chain against mobile or browser platforms as potentially shared across multiple threat actors and prioritize it regardless of which actor it was first attributed to. Google TAG says it will continue to share technical indicators as they become available.
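The advisory's advice to watch for anomalous outbound connections from mobile devices is easier to act on with a concrete rule. The script below is an added example, not code from Google TAG or the article, and its inputs are assumptions: a hypothetical egress-log line format, an MDM-enrolled phone range of 10.20.0.0/16, HTTP and HTTPS as the only expected ports, and a 5 MB single-upload threshold. It learns the fleet's destination set from a baseline window, then scores later records on four weak signals (raw-IP destination, unexpected port, never-seen destination, large upload) and raises an alert only when two or more coincide. The log lines are constructed for the demo.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Assumptions for the demo: MDM-enrolled phones egress from 10.20.0.0/16,
# normal app traffic is HTTP/HTTPS, and a single upload above 5 MB is notable.
MOBILE_NET = ipaddress.ip_network("10.20.0.0/16")
EXPECTED_PORTS = {80, 443}
UPLOAD_BYTES = 5_000_000

# Hypothetical egress-log format: "<iso-ts> src=<ip> dst=<host>:<port> out=<bytes>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+):(\d+) out=(\d+)$")


def parse_line(line):
    """Parse one log line into a record, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group(1).replace("Z", "+00:00")),
        "src": ipaddress.ip_address(m.group(2)),
        "dst": m.group(3),
        "port": int(m.group(4)),
        "out": int(m.group(5)),
    }


def is_raw_ip(host):
    """True when the destination was dialed by address rather than by name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def detect(lines, baseline_until):
    """Learn the fleet's destination set from records before baseline_until,
    then score later records. One weak signal alone (for example a never-seen
    CDN host) is not an alert; two or more together are."""
    known = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in MOBILE_NET:
            continue
        if rec["ts"] < baseline_until:
            known.add(rec["dst"])
            continue
        reasons = []
        if is_raw_ip(rec["dst"]):
            reasons.append("raw IP destination")
        if rec["port"] not in EXPECTED_PORTS:
            reasons.append("port %d" % rec["port"])
        if rec["dst"] not in known:
            reasons.append("first-seen destination")
        if rec["out"] >= UPLOAD_BYTES:
            reasons.append("large upload")
        if len(reasons) >= 2:
            alerts.append({"device": str(rec["src"]), "dst": rec["dst"],
                           "port": rec["port"], "reasons": reasons})
        known.add(rec["dst"])  # a destination alerts as first-seen only once
    return alerts


# Constructed sample log: two days of baseline, then one morning of activity.
# 10.30.5.9 is outside the phone range and is ignored; the last line is malformed.
SAMPLE_LOG = """
2026-04-29T09:00:00Z src=10.20.1.15 dst=api.example.com:443 out=1400
2026-04-29T09:05:00Z src=10.20.1.22 dst=push.example.net:443 out=300
2026-04-29T18:40:00Z src=10.20.1.15 dst=push.example.net:443 out=280
2026-05-01T08:02:00Z src=10.20.1.15 dst=api.example.com:443 out=1200
2026-05-01T08:03:00Z src=10.20.1.15 dst=cdn.example.org:443 out=900
2026-05-01T08:10:00Z src=10.20.1.22 dst=203.0.113.45:8443 out=320
2026-05-01T08:11:00Z src=10.20.1.22 dst=203.0.113.45:8443 out=6200000
2026-05-01T08:12:00Z src=10.30.5.9 dst=203.0.113.45:8443 out=320
this line is malformed and is skipped
""".strip().splitlines()

BASELINE_UNTIL = datetime(2026, 5, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, BASELINE_UNTIL):
        print(a["device"], "->", "%s:%d" % (a["dst"], a["port"]), "|", "; ".join(a["reasons"]))
```

On the sample, only device 10.20.1.22 alerts: first for a never-seen raw-IP destination on port 8443, then for a 6 MB upload to the same address. The phone that merely reached a new CDN host over 443 is not flagged, which is the point of requiring two signals. In production the baseline would be a rolling window per device rather than a fixed cut-off, and the "known" set would be seeded from MDM app inventories so that legitimate vendor endpoints do not count as first-seen.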

