← Back to database

Predaxia Research

Hermit

RCS Lab / Cy4Gate · Italy

ActiveCy4Gate 2022
4

Confidence 4/5

VendorRCS Lab S.p.A. (Tykelab Srl front company)
Country of originItaly
Founded1992
Parent companyCy4Gate (acquired Aurora Group March 2022)
Joint discoveryLookout Threat Lab and Google Threat Analysis Group (June 2022)
Spyware productHermit (modular Android and iOS surveillanceware)

Technical capabilities

Hermit is enterprise-grade modular spyware targeting both Android and iOS. Per Lookout Threat Lab and Google TAG analyses (June 2022), it uses atypical drive-by downloads as initial infection vectors and SMS messages impersonating legitimate sources.

Modular architecture: Lookout researchers analyzed 16 of 25 known modules. Capabilities documented:

  • Reading SMS, instant messages, and chat content.
  • Viewing stored passwords.
  • Intercepting calls and recording them.
  • Recording ambient audio via the device microphone.
  • Redirecting calls.
  • Pinpointing precise location of victims.
  • Rooting infected Android devices for deeper system access.

Per Lookout and Malwarebytes reporting, deployment in Italy and Kazakhstan involved cooperation from victims’ internet service providers. The malware impersonated applications of legitimate telecommunications companies and smartphone manufacturers.

Documented victims and deployments

  • Italy: deployed against persons of interest in an anti-corruption case (Lookout, June 2022). In April 2026, WhatsApp notified approximately 200 users in Italy targeted by Spyrtacus.
  • Kazakhstan: deployed by the Kazakh government against individuals during nationwide protests in April 2022.
  • Syria: deployed in northeastern Kurdish region.

Past customer relationships per Lookout research include Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar, and Turkmenistan. RCS Lab has historical ties to Italian spyware vendor Hacking Team.

Customer states

Confirmed deployments: Italy, Kazakhstan, Syria. Italian Public Prosecutor of Naples ordered in May 2021 the suspension of new RCS Lab assignments for telematic interception services in connection with the Palamara case. RCS Lab serves three categories of clients per Cy4Gate filings: judicial authorities and law enforcement (across 167 Italian public prosecutor offices), special forces, and intelligence agencies.

Legal and sanctions status

  • Not on US Entity List.
  • Not subject to OFAC sanctions.
  • March 2022: Cy4Gate completed acquisition of Aurora Group, owner of the RCS Lab brand.
  • May 2021: Italian prosecutor Giovanni Melillo suspended new RCS assignments.
  • Italian regulatory framework: lawful interception is permitted under “captatore informatico” provisions, which has made Italy a notable hub for surveillance vendors targeting EU markets.

Technical countermeasures

  • Be skeptical of SMS links impersonating telecoms: Hermit’s primary vector is SMS impersonating legitimate operators.
  • For Android: avoid sideloading apps from unknown sources.
  • GrapheneOS: hardened Android distribution recommended for high-risk profiles.
  • For iOS: keep iOS current.
  • Network-level anomaly detection: if your data connection is suddenly disabled by your ISP and SMS arrives shortly after, this matches the documented Hermit infection pattern.

Update log

February 21, 2026: Page added. Initial sourcing through Citizen Lab, Amnesty Security Lab, Microsoft Threat Intelligence, Google TAG, Lookout, Kaspersky GReAT, US Treasury OFAC, court documents and investigative press.


There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.