QuaDream / Reign
QuaDream Ltd. (DEV-0196 / Carmine Tsunami) · Israel
Confidence 5/5
Technical capabilities
Reign was a zero-click iOS spyware suite. Citizen Lab identified the ENDOFDAYS exploit, used as a zero-day against iOS 14.4 and 14.4.2, leveraging invisible iCloud calendar invitations sent from operator to victim. The malicious .ics files contained invites to two backdated and overlapping events to avoid alerting users.
Microsoft Threat Intelligence analyzed the same spyware under the name KingsPawn. Capabilities documented included:
- Recording calls and ambient audio via the device microphone.
- Tracking precise location.
- Taking photos through both front and back cameras.
- Generating iCloud 2FA passwords.
- Self-destruct feature designed to clean traces.
- “Ectoplasm Factor” residual traces on infected devices, used by researchers to track the spyware.
Documented victims
Citizen Lab identified at least five civil society victims based on indicators developed from samples shared by Microsoft Threat Intelligence. Victims included journalists, political opposition figures, and an NGO worker, located across North America, Central Asia, Southeast Asia, Europe, and the Middle East. Names were not disclosed at the request of victims.
Meta took down 250 fake accounts on Facebook and Instagram associated with QuaDream in December 2022, used to test Reign capabilities on iOS and Android.
Customer states
Citizen Lab identified suspected QuaDream operator locations in 10 countries: Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates, and Uzbekistan. Citizen Lab tracked over 600 servers and 200 domains linked to QuaDream operations between late 2021 and early 2023.
Legal and sanctions status
- Not on US Entity List at time of closure.
- QuaDream filed insolvency and laid off all employees in April 2023, days after the joint Citizen Lab and Microsoft disclosure.
- Per Calcalist reporting, QuaDream had been in financial difficulty for months before the disclosure, which sealed its fate.
- Legal dispute with InReach (Cyprus intermediary) exposed corporate structure publicly.
Technical countermeasures
- iOS updates beyond 14.4.2: the ENDOFDAYS exploit was patched in iOS 14.5 onwards.
- iOS Lockdown Mode (iOS 16+): blocks most attachment types and hardens iMessage and FaceTime.
- Forensic verification via Amnesty Mobile Verification Toolkit can detect known QuaDream indicators.
- Note: although QuaDream is defunct, its IP may have been transferred. Forensic indicators remain relevant for historical investigations.
Sources
Update log
March 11, 2026: Initial entry. Initial sourcing through Citizen Lab, Amnesty Security Lab, Microsoft Threat Intelligence, Google TAG, Lookout, Kaspersky GReAT, US Treasury OFAC, court documents and investigative press.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
