QuaDream was an Israeli mercenary spyware vendor founded in 2016 by former NSO Group employees including Ilan Dabelstein. The company’s flagship product was Reign, an iOS spyware platform competing directly with Pegasus. QuaDream was identified publicly in April 2023 by Citizen Lab and Microsoft Threat Intelligence following infections in Mexico, Singapore, Hungary, Czech Republic, Saudi Arabia, Ghana, and Uzbekistan. The company has reportedly ceased operations during the second half of 2023.
What it means in practice
Reign was a zero-click iOS spyware suite using an exploit chain that Citizen Lab named ENDOFDAYS. The chain abused iCloud Calendar invitations on iOS 14.4 through 14.4.2, achieving silent installation without any victim interaction. Apple patched the underlying vulnerabilities in March 2021, but devices kept on older iOS versions remained exposed until patches were applied. The deployment model was the same as NSO’s: one operator per customer, individual targets selected per operation.
Specific things to know
QuaDream operated under multiple corporate names including DiSiN Investments, used as an arms-length entity for sales, and InReach for some external interactions. The company’s product set, marketing language, and customer base were extremely similar to NSO Group’s, which led some analysts to characterise QuaDream as a parallel franchise rather than a competitor. The April 2023 disclosure was followed within months by reports that QuaDream had wound down operations, sold off IP, and dispersed staff. Multiple former QuaDream engineers have since surfaced at other Israeli surveillance vendors.
Change today
The QuaDream case demonstrates that mercenary spyware vendors can disappear through corporate dissolution, leaving behind no public accountability for the targets they affected. For targets, the operational lesson is that infection traces survive long after the vendor is gone, and any forensic question about devices used in 2020 through 2023 may still require analysis years later. Keep older devices that may have been targeted offline rather than discarded if they may become forensic evidence.
Related articles
See our coverage of the ENDOFDAYS exploit chain, the QuaDream-NSO comparison, and Citizen Lab forensic methodology for older iOS infections.
