Independently Confirming Amnesty Security Lab’s finding of Predator targeting of U.S. & other elected officials on Twitter/X
ID: 8cc95467-f29b-5782-a561-fa9e731f4ac0
STIX ID: report--8cc95467-f29b-5782-a561-fa9e731f4ac0
Feed Name: The Citizen Lab
This Citizen Lab note documents the REPLYSPY campaign, which delivered Cytrox/Predator spyware via reply links on Twitter/X targeting officials, journalists, and civil society. It attributes domains (e.g., southchinapost.net, caavn.org) to Cytrox/Predator, describes prior zero-day exploit use to gain initial access, and reverse-engineers an eight-step installation validation routine designed to evade researchers (locale, developer mode, jailbreak, proxy/MiTM, unsafe processes, etc.).
