Pegasus
Pegasus is a commercial mobile spyware platform developed by the Israel-based NSO Group and sold to government customers. The sources collected here describe it as targeting smartphones, both iPhones and Android devices, through malicious links delivered by SMS or messaging apps and, in some cases, through zero-click exploitation that requires no user interaction. Reported capabilities amount to full access to phone data and communications: monitoring of calls, emails, text and encrypted messages, calendars, contacts, keystrokes, browser history, online banking details, geolocation and stored files, and exfiltration from apps such as WhatsApp, Skype, Facebook, Twitter, Viber and Kakao. Pegasus can also remotely activate or control the microphone and camera, capture screenshots and record background audio, which turns the phone into a listening device for nearby conversations. The Android variant, which Google calls Chrysaor, was reported by Lookout and Google to support keylogging, screenshot capture, live audio capture, SMS-based remote control, rooting via the publicly known Framaroot exploits, fallback to permission abuse if rooting fails, and self-removal under certain conditions. The sources also describe NSO exploit infrastructure built on spoofed domains impersonating legitimate entities, and more than 600 malicious domains linked to Pegasus campaigns.
The malware is repeatedly associated with surveillance operations against journalists, human rights defenders, lawyers, activists, academics, politicians, business rivals and government critics. High-confidence cases in the sources include documented targeting in Mexico, Morocco, the United Arab Emirates, Saudi-linked operations, Panama and El Salvador. In Mexico, Pegasus was found on, or linked to the targeting of, journalists, civic activists, anti-corruption advocates, public health advocates, lawyers representing the families of the 43 disappeared Ayotzinapa students, opposition politicians, and the international investigators appointed by the Inter-American Commission on Human Rights. Mexican government entities acknowledged purchasing Pegasus, and multiple reports cited here state that Mexican intelligence, law enforcement and military forces used it against critics and journalists during previous administrations. In El Salvador, employees of El Faro were reportedly subjected to 226 Pegasus infections between June 2020 and November 2021. Amnesty International reported Pegasus targeting of an Amnesty staff member, Saudi activist Yahya Asiri, Moroccan human rights defenders Maati Monjib and Abdessadak El Bouchattaoui, and earlier Ahmed Mansoor in the UAE. The sources also describe allegations that former Panamanian president Ricardo Martinelli used Pegasus in a covert surveillance operation against political opponents, business competitors, lawmakers and union activists.
Infection vectors named directly in the sources include deceptive text messages with malicious links, WhatsApp-delivered lure links, phishing messages impersonating trusted entities or personal contacts, and zero-click iPhone exploitation. One Amnesty report also described suspected network-injection activity and cited leaked NSO documentation for a Tactical Network Element that uses rogue cellular infrastructure to inject Pegasus. Public detection and forensic work referenced here includes Amnesty International's Mobile Verification Toolkit (MVT), released in July 2021 alongside the Pegasus Project, and forensic investigations by Amnesty International and Citizen Lab. MVT works from an iOS backup or full filesystem dump, or from an Android backup or ADB-collected data, and compares artefacts such as visited domains, processes and file hashes against published STIX2 indicator files. Indicators and infrastructure explicitly mentioned include spoofed domains impersonating organizations such as the International Committee of the Red Cross, UK visa services, Facebook, Google, Federal Express, Turkish Airlines, CNN, BBC, Al Jazeera and Univision, as well as the domains stopsms[.]biz, infospress[.]com, hmizat[.]co, revolution-news[.]co and free247downloads[.]com. Because operators rotate infrastructure, treat these as historical indicators and as examples of the impersonation pattern rather than as a current blocklist. The sources consistently characterize Pegasus as nation-state-grade spyware that has been repeatedly implicated in government surveillance abuses, despite NSO Group's stated position that it is intended only for use against terrorists and criminals.
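As an added example, not code from this page or from Amnesty's MVT project, the following Python refangs the five domains listed above, scans constructed sample SMS records for links whose host matches one of them (including subdomains), and emits the same domains as STIX 2.1 indicator objects, the pattern syntax MVT's `--iocs` option reads. The message records, timestamps and STIX object ids are placeholders; whether a particular MVT release accepts a hand-built bundle like this one without further fields is an assumption to verify against its documentation.

```python
import json
import re
from urllib.parse import urlsplit

# Domains named on this page, kept defanged as the sources print them.
# This is not a complete Pegasus indicator set.
PEGASUS_DOMAINS_DEFANGED = [
    "stopsms[.]biz",
    "infospress[.]com",
    "hmizat[.]co",
    "revolution-news[.]co",
    "free247downloads[.]com",
]

# Constructed sample SMS records (numbers and bodies are invented for the demo).
SAMPLE_MESSAGES = [
    {"from": "+00000000001", "body": "Your package is waiting, confirm at http://www.free247downloads[.]com/track/8813"},
    {"from": "+00000000002", "body": "Hi, the obituary is here https://example.org/obituary"},
    {"from": "+00000000003", "body": "hxxp://revolution-news.co/article/3312 breaking news"},
    {"from": "+00000000004", "body": "Meeting moved to 3pm, see you there"},
]

# Scheme is optional because lure texts frequently omit it; path runs to whitespace.
URL_RE = re.compile(r"(?i)\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?")


def refang(text):
    """Undo the common defanging conventions: [.] (.) {.} and hxxp."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"(?i)\bhxxp", "http", text)


def host_of(url):
    """Lower-cased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def match_domain(host, ioc_set):
    """Return the matching IOC domain if host equals it or is a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    for ioc in ioc_set:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_messages(messages, iocs=PEGASUS_DOMAINS_DEFANGED):
    """Extract links from each message body and report those pointing at IOC domains."""
    ioc_set = {refang(d).lower() for d in iocs}
    hits = []
    for msg in messages:
        body = refang(msg["body"])
        for url in URL_RE.findall(body):
            host = host_of(url)
            matched = match_domain(host, ioc_set)
            if matched:
                hits.append({"from": msg["from"], "url": url, "host": host, "ioc": matched})
    return hits


def to_stix_bundle(iocs=PEGASUS_DOMAINS_DEFANGED):
    """Wrap the domains as STIX 2.1 indicator objects (placeholder ids and dates)."""
    stamp = "2024-01-01T00:00:00.000Z"  # placeholder timestamp
    objects = []
    for i, d in enumerate(iocs):
        dom = refang(d)
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-{i:012d}",  # placeholder, not a real id
            "created": stamp,
            "modified": stamp,
            "name": f"Pegasus-linked domain {dom}",
            "pattern_type": "stix",
            "pattern": f"[domain-name:value = '{dom}']",
            "valid_from": stamp,
        })
    return {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(scan_messages(SAMPLE_MESSAGES), indent=2))
    print(json.dumps(to_stix_bundle(), indent=2))
```

Matching on the registrable domain plus subdomains is deliberate: the lure in the first sample sits under a `www.` label, and an exact-string comparison would miss it. The benign `example.org` link is left unmatched to show that the scan reports only listed infrastructure, not every link in the inbox.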
Vulnerabilities exploited
7 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
In 2019, WhatsApp patched CVE-2019-3568, a vulnerability exploited by NSO Group to hack Android phones around the world with Pegasus... The 2019 WhatsApp Attack... relied on the (now patched) CVE-2019-3568 vulnerability. | The Citizen Lab, in collaboration with Catalan civil society groups, has identified at least 65 individuals targeted or infected with mercenary spyware. At least 63 were targeted or infected with Pegasus, and four others with Candiru.
Citizen Lab managed to capture an NSO iMessage-based zero-click exploit... The vulnerability discussed in this blog post was fixed on September 13, 2021 in iOS 14.8 as CVE-2021-30860. | For years, groups like Citizen Lab and Amnesty International have been tracking the use of NSO's mobile spyware package "Pegasus".
Defendants’ products included “Pegasus,” a type of spyware known as a remote access trojan. According to Defendants, Pegasus and its variants (collectively, “Pegasus”) were designed to be remotely installed and enable the remote access and control of information—including calls, messages, and location—on mobile devices using the Android, iOS, and BlackBerry operating systems. | On information and belief, in order to enable Pegasus’ remote installation, Defendants exploited vulnerabilities in operating systems and applications (e.g., CVE-2016-4657) and used other malware delivery methods, like spearphishing messages containing links to malicious code.
Apple patched two zero-days tagged by Citizen Lab as being exploited in attacks as part of an exploit chain known as BLASTPASS to infect fully-patched iPhones with NSO Group's Pegasus mercenary spyware.
Apple ... released emergency security updates ... to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware... Citizen Lab revealed that the twin flaws have been weaponized as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully-patched iPhones running iOS 16.6.
"This level of sophistication resembles other exploits developed by the commercial surveillance industry. These are private companies that also developed prominent spyware tools like Pegasus and Predator."
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The spyware equipment Mr. Martinelli is accused of using, Pegasus, uses malicious links in misleading text messages to infiltrate cellphones to monitor emails, contacts and text messages.
Amnesty International has uncovered targeted digital attacks against two prominent Moroccan Human Rights Defenders (HRDs) using NSO Group’s Pegasus spyware.
Griselda Triana, a journalist and the wife of slain journalist Javier Valdez, was targeted with NSO Group’s Pegasus spyware following his assassination.
New York Times journalist Ben Hubbard was targeted with NSO Group’s Pegasus spyware via a June 2018 SMS message promising details about “Ben Hubbard and the story of the Saudi Royal Family.”
If the targets had clicked the links, their phones would likely have been infected with NSO Group’s Pegasus spyware.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
In February 2024, R3D reported that the Cyberspace Operations Center under the Secretariat of National Defense had used HIWIRE monitoring software from Israeli firm WebintPro to identify links between social media users critical of the Mexican Armed Forces or the government as recently as May 2022.
Resource Development
1 technique
Further investigations by Amnesty International revealed that the domain link in the message belongs to a large infrastructure of more than 600 malicious domains, some of which had been previously connected to NSO Group.
Initial Access
2 techniques
...text messages... luring them to click on links that secretly unlock a target's smartphone and turn it into a powerful surveillance device.
The messages that were sent to Ms. Aristegui — which included a link to click on that would then install the spyware — especially interested me. As I reviewed them, I began to panic. I’d received identical messages, I recalled, and I remembered clicking on one of them.
Execution
3 techniques
From a technical perspective, such spyware campaigns often rely on zero-click exploits, baseband vulnerabilities, or malicious configuration profiles to gain persistent access to mobile systems.
One message, sent to one of the investigators in March, was from someone posing as a close friend whose father had died. A link was attached with the details of the funeral. When the link was opened, the website of a well-known funeral home in Mexico popped up.
Privilege Escalation
2 techniques
The Citizen Lab reported "a growing ecosystem of spyware capability" among Ontario police services, after identifying server infrastructure that indicated potential use of Paragon Solutions' Graphite spyware by the Ontario Provincial Police.
The biggest distinction between the iOS and Android versions of Pegasus is the Android version does not use zero-day vulnerabilities to root the device... Instead, the threat uses an otherwise well-known rooting technique called Framaroot. | The Android version of one of the most sophisticated and targeted mobile attacks we’ve seen in the wild: Pegasus... developed the Pegasus malware, which jailbreaks or roots target devices to surveil specific targets.
Defense Evasion
3 techniques
Additionally, we identified a new previously unknown domain: hmizat[.]co, which seems to impersonate Hmizate, an e-commerce company from Morocco.
Credential Access
4 techniques
Russia's FSB announced the discovery of a large-scale operation by foreign intelligence services that used malware to spy on high-ranking Russian officials through their mobile devices.
Once deployed, the spyware can access encrypted messaging apps, capture keystrokes, activate microphones and cameras, and exfiltrate stored files.
We believe this is a symptom of a network injection attack generally called “man-in-the-middle” attack. Through this, an attacker with privileged access to a target’s network connection can monitor and opportunistically hijack traffic, such as web requests.
From a technical perspective, such spyware campaigns often rely on zero-click exploits, baseband vulnerabilities, or malicious configuration profiles to gain persistent access to mobile systems.
Collection
8 techniques
Russia's FSB announced the discovery of a large-scale operation by foreign intelligence services that used malware to spy on high-ranking Russian officials through their mobile devices.
Once deployed, the spyware can access encrypted messaging apps, capture keystrokes, activate microphones and cameras, and exfiltrate stored files.
Pegasus, uses malicious links in misleading text messages to infiltrate cellphones to monitor emails, contacts and text messages.
conduct covert audio and video surveillance in the vicinity of the devices
The operation involved the implantation and activation of malicious software capable of extracting sensitive data, intercepting communications, and conducting unauthorized audio and video recordings.
Exfiltration
1 technique
The agency stated that the campaign was orchestrated by unidentified foreign intelligence services and aimed at covert surveillance and data exfiltration.
IOCs tracked for this family
169 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Commercial spyware used by Mexican government entities in prior administrations, including against government critics and journalists.
Commercial spyware used by Mexican state entities in prior administrations to surveil targets including government critics and journalists.
Commercial mobile spyware capable of zero-click compromise of smartphones and access to messages, calls, geolocation, microphone, and camera.
Nation-state-grade mobile spyware associated with targeted surveillance operations, capable of covert data extraction, intercepting communications, and enabling audio/video monitoring through stealthy, modular capabilities.