The discovery of new infrastructure linked to Predator spyware suggests the surveillance technology is still finding new customers despite its backers facing rounds of U.S. sanctions since July 2023.

In a report released Thursday, researchers at Insikt Group say they now can link the powerful spyware to operators in Mozambique for the first time. Insikt Group and The Record are both part of Recorded Future.

Mozambique is one of several African countries where the spyware has appeared, according to Insikt, which says that the continent hosts more than half of known Predator customers. 

A separate finding in the report establishes “the first technical connection made between Predator infrastructure and corporate entities associated with the Intellexa Consortium,” Insikt says, referring to the organization believed to be backing Predator. Intellexa was among the entities sanctioned by the U.S.

The discovery stems from an Insikt probe of entities linked to Dvir Horef Hazan, a Czech bistro owner, entrepreneur and programmer whom a Czech news outlet alleges worked for Intellexa. 

A Greek law enforcement investigative report into the potential Predator targeting of journalist Thanasis Koukakis also alleged that Intellexa transferred nearly €3 million (about $3.5 million) to Hazan and his companies. 

Details of Hazan’s alleged work for Intellexa are murky, but Insikt said it found the link between Predator’s multi-tiered infrastructure and a Czech entity indirectly tied to Hazan.

The researchers said Predator’s general infrastructure has not changed much, but there is evidence that operators have evolved the spyware to make it harder to find on a device.

Insikt’s latest findings follow previous reports noting that Predator activity continued after the July 2023 actions by the U.S. government.

Initially the Commerce Department placed Intellexa and a related unit, Cytrox, on the Entity List, which restricts how companies do business with the U.S. and causes reputational damage. Then in 2024 federal agencies acted twice to restrict Predator-related entities.

Read more: Paragon spyware activity found on more journalists’ devices