All right. So we're about to start with using geopolitical conflicts for, geopolitical conflicts, right? For threat hunting: how global awareness can enable new surveillanceware discoveries, by Kristin Del Rosso. So she's a member of Lookout Threat Intelligence team in San Francisco, where she hunts for nation-state malware and targeted surveillanceware. She recently spoke at Black Hat Europe on a state-sponsored malware campaign, and she continues to work with her team to map out attacker infrastructure and better understand the actors and motives behind these mobile threats. Kristin, you have the floor.

Thank you. Okay, this is in my face. I'm Kristin Del Rosso. Like she said, I came in from San Francisco, and it's my first time in Canada, so really excited to be here. And today we're gonna be looking at several nation-state mobile surveillance campaigns that we've discovered over the years and that we've been monitoring, but specifically with the context on the geopolitical landscape that we found them in. And so my goal today is to give you guys a broader understanding of not only what the surveillanceware campaigns can do, but how actors go about targeting their victims, how they've developed their tools over time, and kind of put it in the real-world context that this software is being deployed in, because it's made for humans. And it kind of gets you to ask new questions when you're trying to expand your overall understanding of these campaigns.

And so this works. Okay, a little about me. At Lookout in San Francisco, I actually have a background in history and politics, but I somehow am now reverse engineering Android applications, so different career change.
And in my day-to-day though, I get to see a really wide variety of malware, from like banking Trojans to adware to spouseware, like Eva talked about yesterday, but I focus on surveillanceware and specifically kind of building out the larger picture behind who the actor is, who they're going after, how they might be targeting them, and how they're spreading. And one thing that I've noticed over going through all these samples is when you're threat hunting, there seems to be a correlation between areas that have a political or a physical conflict and the presence of surveillanceware. And I think as a researcher, that's a really important relationship to look at, because especially when you're looking at surveillanceware, it's more than just source code and the technical components. Because by definition, surveillanceware, it has like an inherently human aspect to it: it's designed to target a specific group of individuals for a specific reason by an actor who is trying to essentially solve like a problem or a pain point by spying on them. And so the actor is gonna get something out of being successful, a political advantage or battlefield advantage, whatever it might be.

And so today what we're gonna go into is just kind of not just what the malware can do, but how if you understand the context that it's deployed in, it will kind of trigger like new questions of like, oh, that's why it's packaged the way it is, or that's who they're going after, that's why they would use this lure document. It makes more sense based on the context that you're finding it in. And so we're gonna give you guys a brief overview of the mobile landscape because it is kind of a niche thing. It's not just general surveillanceware, but mobile particularly, and then the technical components of some of these campaigns and where we found them.
And so like I said, mobile surveillanceware, it might seem like a niche area to focus on, specifically Android mobile surveillanceware, but in terms of nation state attacks, it's a lot more prevalent than most people might think. In the mobile threat landscape, nation states were actually some of the first actors to fully adopt this platform as a threat vector. And if you combine that with the fact that 87.5% of the global smartphone market is Android, that's a really high number of potential targets that people could reach and go after. And if you consider also that Android's open source, which makes it a lot easier to install third-party applications than iPhone, for example, it's a really interesting attack vector to look at. And then also, you have a lot of open source, the Android code online. You can find surveillanceware on GitHub for Android phones and people tweak it all the time. So whether someone's copying source code, developing their own, or buying it off of someone, we're seeing nation states as a whole not only use mobile, but also in conjunction with their traditional desktop campaigns.

And why wouldn't they? Because if you have access to someone's phone, you have access to their entire lives. And if I look around here, how many of you don't have your cell phone on you? I'd say a lot of you actually have it on you. I don't even turn mine off when I'm charging, when I'm sleeping, it's always on me, it's always on me. And as an attacker, if I knew that someone was gonna be carrying around this tiny little box that has my pictures, my passwords, my login, my text messages, my phone calls, everything at all times, it's not leaving my side, it's right there, that's what I'm gonna target, because I'm not carrying around a computer with me or a PC.

And so what we're gonna get into today, kind of like three different campaigns, four kind of. But so the first one is SilverHawk. This is a malware family that we found targeting anti-Assad dissidents in Syria.
Secondly, in the Middle East, same region, ViperRAT, that was targeting members of the Israeli Defense Force, and on the opposite end, we have FrozenCell and Desert Scorpion, two families that were targeting Palestinians. And then finally, we have Xsser mRAT, which is a Chinese mobile RAT that was targeting democracy activists in China. And so hopefully by going through these, you'll see not just technically what they do, but also like how it ties into the landscape where we found them and just get it broader, because I know some people stop at just reversing and figuring out what the code does, but my job is to build out the larger picture, and this is kind of how we do it.

So SilverHawk, this is an ongoing campaign, we're still getting new samples for it, but we initially discovered it in October of 2017. After a little bit of digging, it became clear that it was targeted surveillanceware, custom tooling, and I'll get into what those indicators were in a little bit, but first, just to kind of set the stage, I wanna go into its technical capabilities of what it can do as surveillanceware, because all the families we're looking at today have basically the same capabilities, because it spies on you, that's what it does, but just how sophisticated it's built out is a little different. And so in terms of SilverHawk, I'm not gonna read them all off for you guys, but some of the key ones that stand out is the ability to remotely record audio. So if I'm an attacker and I have compromised your device, and I can just decide to turn the microphone on and off whenever I want, especially in these tense situations or war zone situations, they're gonna be talking likely about something that's more interesting than the weather or what's happening for dinner, so if a target has their device on them, you can eavesdrop when you don't even have to be there.
Same thing with the ability to take photos, remotely activate the camera, take pictures, take videos, not only that, but access all the files and photos that are already on the device and send it back to the command and control servers, as well as exfiltrate your call logs, your contacts, your text messages. SilverHawk was actually kind of interesting because it also had a survival counter built in where every time it would check to see if it could access the C2 server, it had up to two, so it would try twice, and if it failed, it would reset, just because it would drain battery life and it didn't wanna give away the fact that it was on the phone. And so that was a way to make sure it wouldn't keep draining the user's battery life.

But, so it has access to all this wonderful information, but it has to send it back somehow to the servers, and so this is a packet capture of one of the devices that had SilverHawk on it. And you can see it's going back to an IP address with a set port, which was in plain text in the source code because SilverHawk didn't really have any obfuscation efforts. But interestingly about it, it had a command, so here it's command 17, and we see this a lot in different types of surveillance families, they have different command lists that they can do. But 17 here, for example, has device information, so the IMEI, the SIM, the mobile carrier, will send all that information back, and the other commands it might have all line up with the capabilities of the malware. But it's kind of good when you're analyzing the malware family and tracking its evolution over time, because you can see if it had 10 capabilities when you first started, and then all of a sudden next year it has 15, it's an easy jumping off point, you can see what's changed, and so with SilverHawk, we kind of are just mapping out its commands as well.
But so now we know what it does and kind of how it sends all that information back, but if we go back to when we were talking about, we knew from some investigation like that it was kind of a targeted surveillanceware, what could the location we found it in tell us about who it might be targeting or how it might go infect those people? And so I'm sure many of you guys are aware, Syria is in the middle of a civil war, it's been in a civil war since 2011, and there's decades of political stress before that, so there's a struggle between the current dictator Bashar al-Assad and those who are against him. And so off the bat, along with the huge amount of international interest in the area as well, it seems like there would be surveillance campaigns going on there. And if we look at the past, there were a lot of digital suppression efforts there, heavy digital censorship, the regime was known for shutting off the internet, censoring social media, blocking social media sites, and in 2014, they were even listed as an enemy of the internet by Reporters Without Borders, and it's 177th out of 180 on the World Press Freedom Index, and so that's between China at 176 and North Korea at 180, just to give you some reference there.

And so this is something I think you need to look at because it creates this environment where people are already aware that they are potentially being monitored or can't fully express themselves usually how they might like to, and it's no surprise that they might be looking for an alternate or a secure means of communication. And so with SilverHawk, it made sense then, it had a variety of packagings and different applications that it masqueraded as, but a lot of them were for applications for secure communication, and so it would have titles like Chat Privacy, ChatSecure Ultimate, WhatsApp Upgrade, or WhatsApp Crip, Telegram, like these known secure messaging applications, and that makes sense because it's kind of like the perfect way to entice
someone who's worried, they're rebelling, you know, this is something I can use to be safe. And so we know how the actor was then packaging it and going about targeting them, but the next step is how do you actually get them to download this malware onto their phones? And so what we've seen is the MO for a lot of people who create targeted surveillanceware like this, or tools like this, if they're not using exploits, which in this case SilverHawk wasn't, they'll fall back to setting up watering hole sites, so basically these fake sites where you can convince people to download malware off of there, because this is what they're offering. And what we saw that they did is they actually made a really convincing version of the Guardian Project's ChatSecure webpage with download instructions and everything, they had it for download there installed on there, but we also found out that they were posting links to malicious downloads in Facebook pages that would have been of interest to Syrian rebels.

And so what we did is, for example here, you have a page for the Syrian National Democratic Alliance, anti-Assad, what they would do is they would phish the admins of these Facebook pages and then post as the admin or as the page, this is like a secure means of communication or like this is something you should download, and we found that they were posting links on like MediaFire to these malicious downloads, and they also had other phishing campaigns as well. And so it's kind of, wartime creates this unique opportunity to phish people or to infect people because they're parts of groups or they have communications with areas or they'll click on things that they might not usually because it's of interest to them or it's maybe a matter of life and death. And so that's what we saw SilverHawk doing. But on that page, we also found out that they had a desktop component as well as mobile, so along with that line of slowly enhancing this.
And their desktop component was an open-source RAT and JRAT, and what they did is they had malicious EXEs as PDFs, but the titles that they had them as were again these very clickbaity titles that people would be interested in perhaps, so exchange of prisoners or like geolocation coordinates or information about a bombing, things that would be of interest to rebels or people fighting this war.

And so from the outset though, we kind of had a theory of, okay, it's probably one side or the other, but we got really lucky kind of coming full circle with a campaign investigation here. They didn't properly secure all of their C2 servers, and so we were able to uncover some information, like databases of lists of who they were targeting, why they were going after them, how they planned to infect them, I just want their email in or they're gonna download this app or how long it took us to infect them. And these are just descriptions translated of who they were going after. And you can see it's a political and human rights activist, or we saw doctors or a secretary of arms for the depot of this free army. And so coming full circle, it was just kind of a good way to confirm our theories, but also get a better understanding of the area, of this is what's going on and this is how they're gonna go about targeting those people.

And so in the same region of the world, we also had ViperRAT, and so this was deployed against members of the Israeli Defense Force or the IDF. And in this area, it's kind of one of the longest-running conflict regions in the world, but Israel's interesting because it's also proven to be a leader in the cybersecurity space. They have wonderful technology. But so this is an interesting thing to look at because how do you successfully target a group like the IDF, who they have Unit 8200, which is one of the most sophisticated cyber units in the world.
I've spoken with friends in the IDF, they have monthly, if not weekly trainings on cyber awareness, they're aware they're a target, they could be hacked, they're given basic security training, like don't talk to strangers online, don't download things like this. So compared to perhaps like a doctor or like a citizen in Syria who might not even be aware that they're being targeted, you know, you would think that it might be a little harder to compromise them. And so that off the bat gets me to ask some different questions of does the malware need to be more sophisticated perhaps? Or are they gonna have different lure documents or how are they gonna go about compromising these people?

And so for ViperRAT, these are the packaging dates of the samples that we had. It first came out in 2015, but it wasn't really used in targeted attacks until 2016, early 2017. It was more sophisticated than SilverHawk and it was interesting because we actually got to watch it evolve over time to like its most sophisticated stage at 2018. And I think its sophistication might have helped play a part in its success because, I'll get into this, you don't need to have the most complex malware to be successful, but depending on the target you're going after, it can definitely help because of just how you get them to entice it or to download it.

And so ViperRAT was interesting because it was a two-stage application or a two-stage malware family where the first stage you download an app that looks totally benign, does basic device profiling, and on certain conditions it'll attempt to download a more robust surveillanceware component. And this second component was packaged as things like System Update, Viber Update, WhatsApp Update to try and blend in on your phone, but where they took it a step further was instead of a generic system update which they had, they would query if Viber is installed on this phone.
If it's installed on this phone, install the package titled Viber Update, same with WhatsApp. And if it wasn't on there, then they would go to generic System Update, but I think it's also interesting to look at kind of thinking a step ahead, trying to blend in the best you can. And again, similar capabilities to SilverHawk, but what they also did was, you get your browser search history, your browser bookmarks, they were phone calls, metadata, everything you have there, but also in terms of how they were posting information out to the command and control servers, it was a little more complex because they were compressing the data before they sent it out. And that kind of SilverHawk didn't do. And the first thing I think of when I hear compressed data is like, okay, it must be like large files, like what are you going after to potentially have something really large that you need to send out?

And jumping into how they then actually infected them, it shows that no matter how much training you give someone, if pretty girls go on the internet and tell you to talk to them, that's like you're going to get compromised, I guess they get them to download stupid things. And so what they were doing in the earlier samples is fake profiles, men and women would be targeting members of the IDF, chatting them up. And then after like talking for a bit, being like, hey, you know, we should go move our conversation to this like chat room app or this like dating app chat thing or whatever. Things called wink chat or chat talk, stuff like that. And they did have male and female profiles. And I just think it's funny because the women were more likely to realize it was a catfishing attempt or something than the men were, but that's neither here nor there. But it kind of also makes sense, because the IDF does have mandatory military service for young adults, 18 to like 25 roughly.
And so you have people who might not wanna be in the army, they're away from home, you're either being talked to by an attractive woman or the other versions that we saw this application packaged in were like a billiards game for your phone or like a song player app. So things that would kind of appeal to a younger target.

But on the other side of things, the more sophisticated way that they were able to infect people was they actually around 2018 upgraded their tooling and got into the Google Play Store. And this kind of shows me that they might have been changing who they were going after target wise, because some of the commands or capabilities of this malware as well was the ability to look for PDF documents or Word documents on someone's phone. And I don't think you're gonna have sensitive military documents, really like super high level ones, on an 18 year old's phone who just joined the army. So here you have someone who might be security aware, it's on the Google Play Store, and it's kind of maybe a different level of ranking military person that you're going after. And that along with the fact that even if you've gone through security training, no one expects malware to be in the Play Store, it does happen, but you think, oh, it's safe, it's been vetted, I can download this safely, it has that aura of trust and you don't need to install a third party application installs, you can just one click install it.

And kind of one thing I wanted to point out is, so we did watch them evolve over time from when we first saw it, to when it made it into Google Play. These are screenshots of SilverHawk and just kind of for comparison. We've been tracking this for a while and to the point of sophistication doesn't need to be super high in order to be successful. We've only seen the most minor changes in SilverHawk over the years and they're still seeing success.
What they did, they went from hard-coding an IP address and a port number in it to doing like a simple replacement thing where they took out one number and replaced it with a pound sign and you replace it. So like most recently just writing their strings backwards and same thing. So it doesn't need to be complex to work, but kind of I think just might depend on who you're going after.

And so we mentioned previously that they've been compressing data before they exfiltrated it out. So I'm thinking, okay, what are they potentially going after? Is it generic surveillance like general phone calls like SilverHawk might have been going after? In this case, the IDF, the people that were being targeted, this attacker, the overwhelming majority of information that we saw on improperly secured servers was exfil on one server, almost 9,000 files, 97% of that was photos from the camera. And this just gave us, it gives such more insight into the actor as a whole because we found visas, passports, military equipment, heads of state meeting with each other, just things that if you teach anyone and your employees or your friends whatever, don't take pictures of your visa and keep it on your phone or sensitive docs like that. But it kind of gave us insight into what they were going after and also just as a whole put it into context of how valuable a successful surveillance campaign can be for an actor. Because you spend so much money or the army or spies will spend on aerial surveillance or trying to get insights into who their target is, and here you have just everything that's on someone's phone.

Same with geolocation data. They are straight up telling them where the soldiers are because, and you don't need to spend money on spying or satellites to get this. You have people who don't take their phone out of their pocket and they're just wandering around, and we saw them along the border and then also when they were going through Belgium.
And so just gives you a lot of information what they're going after.

And so for this next kind of counter family in this region, we saw that this was going against IDF forces. There's multiple sides of conflict in this region, and so if something's working for one side you could potentially assume that there are other campaigns for other actors going on in the same region. And so that's what we saw with FrozenCell and Desert Scorpion. FrozenCell we found around the same time, mid 2017, and it was kind of more on the simpler side and we were actually able to connect it to the same actor as Desert Scorpion. So kind of two different campaigns by the same actor and I'll get into that connection in a bit. But it was fairly simple. No major text obfuscation. It didn't make it into Google Play like Desert Scorpion did. But again basic surveillance tools, geolocation, call records, could look for certain documents on there. And just kind of in terms of how they packaged it, the overwhelming majority of the apps that we have that were packaged as Facebook Updater or Android Setting or WhatsApp Update. So again kind of trying to blend in, this is just we're going after here.

But compared to the previous two examples we didn't really get exfil to the extent. But the first thing that we did get was we saw the tracking location from one set of tracking data and it gave the information of first of all who they're targeting. And so from Gaza, Palestine, okay good first step to see who potentially might be targeting that person. But as we dug further we actually saw that the FrozenCell infrastructure was tied to a desktop campaign. Its malware families are known as Micropsia and KasperAgent. And that's Palo Alto and Check Point did some good research into that. But the desktop portion was hosting and acting as a C2 for the Android samples as well. But back to kind of how they were going about luring people in.
It's the same thing kind of how we saw with SilverHawk is they had very clickbaity or things that people might want to click on. And it appeared to be targeting employees of different Palestinian government agencies, security services and people associated with the Fatah party. Because what the attackers would do is they would send out malicious executables through phishing campaigns and pretend to be individuals associated with like the Palestine security services or the seventh Fatah conference of the Palestinian National Liberation Front. And so you had files called minutes on today's meeting or details on the assassination of President Arafat. And again, just shows how areas with this going on you have more clickbaity titles that work.

But connecting the two families, in early 2018, we came across a more sophisticated two stage surveillanceware family, same region. And we were able to tie the two together because this Facebook profile, it's a long running Facebook profile and it was promoting Desert Scorpion on there by posting a link to Google Play for it. But previously, the profile had posted Google Drive links to FrozenCell malware. And so that, along with the fact that the C2s were in similar IP blocks, kind of gave an indicator that the actors might be the same if not developing it together as well.

But how Desert Scorpion worked is it had two stages. They got it into Google Play, it's called Dardesh, chat application. But what was interesting about this is how it probably bypassed a lot of dynamic malware analysis tools is because the victim had to first download this app and really interact with it in order to trigger the install of the spooky surveillanceware second stage one. And the second stage one was also called Settings. And again, this trend going on of how to actually blend in once you get someone to install your first stage. But interestingly, the second stage also had a non-malicious APK inside of it called Fatah Media APK.
And as we saw also with FrozenCell, they were referencing the Fatah political party. And so this is kind of a good understanding of where political context really helps your research and why I think people need to not just look at the source code but read foreignaffairs.com, check your news every morning. The Fatah party, it's formerly the Palestinian National Liberation Movement and it was the largest faction of the Palestinian Liberation Organization and the second largest in the Palestinian Legislative Council. But in 2006, they lost the majority to Hamas and since then there's been this conflict and they still haven't really reconciled. And also, they used to be considered a terrorist group by Israel and the US but not anymore because they renounced terrorism in 1988.

But that history and that background, that context, I think is really necessary because off the bat, that gives me three people who might be interested in targeting people associated with the Fatah party. And that's important for two reasons because one, the contextualized lure documents and the interest in the Fatah party tells you who they might be going after. But it also brings up a problem that security researchers have a really hard time with, which is accurate attribution, because in the cybersecurity space, there's a lot of false flags. Sometimes you don't really ever have someone coming forward and be like, that was me. And so you need to understand how to go about properly attributing it. And this campaign, the actor behind these in general and the other malware, they're known as APT-C-23. And several other research organizations have claimed that this APT is tied to Hamas as a part of Hamas's cyber arm. And while that may or may not be the case, it does fit an MO theoretically if Hamas has been warring with the Fatah group since 2006.
And so while we can say that we've seen this malware appear to be tied to APT-C-23, like I'm not making any attributions because it's hard, but the context around that does help you as a researcher get better ideas of who might click on these lures and who would benefit from someone clicking on those lures and just kind of building out a list of potential suspects of who might be behind it.

And then so finally, Xsser mRAT. We focused previously on surveillanceware that we found in kind of like war-torn regions, but that's not the only area that you're gonna find surveillanceware in. The New York Times phrased it really nicely, this idea of tech-driven authoritarianism, and we're seeing a lot of surveillanceware campaigns in countries that have authoritarian rules or dictator regimes, because as they become more technologically advanced, they're starting to leverage more and more useful surveillanceware, specifically mobile, in addition to desktop, and they can use that to keep implementing oppressive measures on their people. And so we've seen a massive growth in surveillance in China, not just on the desktop front or mobile that we're going into, just in aspects of their social life. They have a social credit system, they're monitoring ethnic minorities there, they have a history of conformity and making sure you don't rebel or speak out against the government. The Tiananmen Square anniversary, third-year anniversary's coming up next month, so in like two weeks. And they've made it clear that they don't really like protest like this. So that in mind, it doesn't really come as a surprise that you have China targeting private citizens who are kind of stirring the pot.

And so to set the stage for Xsser mRAT, in 2014, Lacoon, who was later acquired by Check Point, they reported that they noticed dissidents, democracy activists were being targeted by a malware family.
And kind of the situation behind it, Hong Kong was demanding fully democratic elections instead of just getting to choose from a list of Beijing pre-approved candidates. People were protesting, students were protesting, played a really large role in it, and that obviously drew the attention of the government. So what happened was they would get messages from an unknown WhatsApp number and say, hey, check out this Android app designed by Code for Hong Kong for the coordination of Occupy Central, which is the movement to do these protests. Code for Hong Kong is an actual group of activist coders, but they had to come out and say, we did not develop an app for this, this isn't us. But when you actually took a deeper look, it was surveillanceware, not a protesting app. And in comparison to other families, it was on the more sophisticated side, and after the user was tricked into downloading it through targeted social engineering, there was a second malicious APK hidden again with the handy Android logo called System Thread, trying to help it blend into the phone.

But if you take a step back and look at why it was presented that way, if again, you look at the context of China and where you found it in and the history there, for years, dissidents have kind of been concerned that their messages could have been intercepted or read by the Chinese government. And just last year, Chinese authorities admitted that they could and they were doing that for some time. You know, they admitted they could retrieve deleted WeChat messages and they did that when they were investigating a suspect. In 2018, they passed a Chinese cybersecurity law and that required network operators to store select data on servers regarding messages and logs for not less than six months and then it was up to their discretion afterwards.
And even before that, in 2016, they had the regulation on collecting and using electronic data as evidence, where they said they could use private messages and public comments on social media as criminal evidence against defendants in courts. So needless to say, if you disagree with the Chinese government, there was a good reason for you to kind of be scared that this was going on and there were other indicators that they had been messaging or monitoring messages for well before this as well. So it makes sense that it would be packaged as this organization protest tool instead of, you know, Chinese-programmed messengers like WeChat where people would organize on. And again, so you can see the number of samples that we found, it really spiked in fall of 2014, which is when these protests were happening. And this malware had tons of commands, lots and lots of commands of what it could do. So not only does it send back packages with like your phone information, your contacts, your call logs, but it can run SuperUser, delay phone recording at a later time, delete specific files off the device, just kind of lots of things that it can do. But unlike the other campaigns we were looking at, this one actually had an iPhone component as well. So we previously saw Android with desktop, but this was Android with iPhone. And so around the time in 2011, Umeng did a report that roughly one in three phones in China were jailbroken. And assuming it's roughly that same statistic in 2014, you at least have a decent chance of getting someone with a jailbroken iPhone. But in order for Xsser mRAT to work, the iOS device had to be jailbroken, Cydia had to be installed, and then it could add a repository and install the malicious application. And the iOS and Android attacks both had the same C2 server, which is how it was discovered. But because China is a sophisticated actor with lots of resources, it doesn't really surprise me that they were able to develop both.
It was just kind of a good find. And so we continued to research and to monitor the family. And we were actually able to watch it evolve into another family that we call xRAT. And that's actually, my coworkers are presenting after me on that and doing a full technical deep dive into it if you want to watch how a family's evolved over five years and its technical capabilities. So that's what's coming next. But I think what I've seen from all of this is spying happens in a variety of conflict zones. And so be it a place with physical warfare or authoritarian governments, you can really find it everywhere. And what we looked at with China, for example, is interesting because technically the surveillance they were doing was legal because they have anti-subversion laws that can be used to prosecute individuals who are wanting to protest or exercise free speech. And so that kind of brings you into the greater issue or a greater topic of lawful intercept software and the market for it and kind of the role that it plays in global surveillanceware. And if you think about it, nation states are kind of like any other business, they have their pain points and they're gonna face a build-or-buy decision. They're either gonna create their own surveillanceware, copy it or buy it off someone. And there are plenty of businesses who are willing to take in the good money to do that. And these are several: FinFisher, DarkMatter, NSO Group. I think a lot of people here are probably aware of the WhatsApp exploit that was found earlier this week and attributed to NSO Group. They have a history of going after people who shouldn't be targeted in my opinion, Mexican journalists or Saudi dissidents or most recently a human rights lawyer in the UK. And so I think whether an actor decides to build or buy their own, they're still gonna use it.
And that's where I think, just because not to say no one's really safe, but the geopolitical context around things, if you understand where people are kind of going against the grain or create, perhaps making enemies or if you see what's going on, it gives you a better idea of where to look at because even if it's not this huge nation state campaign towards it, they still have the capabilities and the ability to buy technology that will do the job for them and get it done. And so that's a little bit early of a wrap up, but that was kind of mostly all of my talk for today. So.