
Anatomy of a Cyber Weapon

A Technical Compendium of Disclosed NSO Group Pegasus Exploits
Section 1: The Pegasus Framework and the Zero-Day Arms Race
The proliferation of sophisticated commercial surveillance technology represents one of the most significant challenges to digital security, human rights, and the rule of law in the 21st century. At the epicenter of this challenge is the Israeli cyber-arms firm NSO Group and its flagship product, Pegasus. While marketed as a tool for legitimate law enforcement, its documented abuse has revealed a global enterprise built on the weaponization of software vulnerabilities. Understanding the threat posed by Pegasus requires a deep analysis of not only the spyware itself but also the ecosystem of zero-day exploits that enable its operations and the high-stakes technological arms race between NSO Group and the security researchers working to expose it.
1.1 NSO Group and the Pegasus Suite
Pegasus is not a singular piece of malware but a comprehensive and modular surveillance suite developed by NSO Group Technologies, a company founded in 2010 by Niv Karmi, Omri Lavie, and Shalev Hulio. The spyware is engineered to be covertly and remotely installed on mobile phones running Apple’s iOS and Google’s Android operating systems. NSO Group has consistently maintained that it licenses Pegasus exclusively to “authorized governments” for the sole purpose of helping them “combat terror and crime”. The company has published sections of contracts requiring customers to use its products only for criminal and national security investigations.
Once successfully installed on a target device, Pegasus grants its operator near-total control, effectively transforming the phone into a 24/7 surveillance device. Its capabilities are extensive and invasive, including:
- Data Exfiltration: Harvesting the entire contents of the device, including text messages, emails, call logs, contacts, photos, videos, and web browsing history.
- Real-time Monitoring: Covertly activating the device’s microphone and camera to monitor conversations and surroundings in real-time.
- Location Tracking: Continuously monitoring the device’s GPS location.
- Password Collection: Collecting passwords stored on the device.
- Encrypted Communication Interception: A crucial capability of Pegasus is its ability to access communications from end-to-end encrypted applications like WhatsApp, Signal, and Telegram. It achieves this not by breaking the encryption itself, but by “hooking” into the application process and capturing the data in cleartext before it is encrypted by the app or after it is decrypted for the user to view.
This level of access is not merely “spyware” in the traditional sense of a keylogger or data thief. It is more accurately described as a remotely deployed, outsourced digital forensics tool that provides the operator with both retroactive and ongoing omnipotence over a target’s digital life. The purchase of Pegasus is akin to hiring a team that can be deployed instantly and invisibly to seize a target’s device, extract its entire history, and then leave a permanent bug for live monitoring. This capability renders conventional security measures like strong passwords and end-to-end encryption largely irrelevant on a compromised device.
The foundation of NSO’s business model is the promise of guaranteed access to target devices. This necessitates a continuous and proactive research and development effort to discover and weaponize a surplus of zero-day vulnerabilities. This ensures that even as older exploits are discovered and patched by vendors like Apple and Google, NSO has new ones ready to deploy, maintaining service continuity for its clients. The company’s research teams, largely staffed by veterans of elite Israeli military intelligence units such as Unit 8200, are in a perpetual hunt for these flaws, testing new exploits against racks of phones in their Herzliya headquarters.
1.2 The Strategic Value of Zero-Day Vulnerabilities
The entire operational capacity of Pegasus hinges on the exploitation of zero-day vulnerabilities. A zero-day vulnerability is a flaw or weakness in computer software or hardware that is unknown to the vendor or developers who are capable of fixing it. The term “zero-day” refers to the fact that once the vulnerability is discovered by a malicious actor, the developer has had zero days to create a patch, leaving users exposed. A zero-day exploit is the specific code or technique an attacker writes to take advantage of that vulnerability and compromise a system.
1.3 The Investigators: A Civil Society Counter-Intelligence Alliance
The public’s knowledge of Pegasus and its underlying exploits is not the result of leaks from NSO Group or its government clients. Instead, it is the product of meticulous and painstaking reverse engineering and “exploit archaeology” conducted by a small, highly specialized, and collaborative community of security researchers. This alliance functions as a de facto counter-intelligence force, providing the transparency and accountability that the commercial spyware industry and its state patrons actively avoid. The primary entities in this alliance are:
- The Citizen Lab: An interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy at the University of Toronto. Citizen Lab was the first organization to publicly identify and analyze Pegasus in August 2016, following a failed attack on Emirati activist Ahmed Mansoor. They have since been at the forefront of nearly every major investigation into Pegasus, documenting its use against civil society in dozens of countries.
- Amnesty International’s Security Lab: The technical arm of the global human rights organization, Amnesty International. The Security Lab has developed critical forensic methodologies for detecting Pegasus infections and created the open-source Mobile Verification Toolkit (MVT), a tool that has empowered researchers and journalists worldwide to investigate potential compromises. They served as the core technical partner for the Pegasus Project investigation.
- Google Project Zero: An elite team of security analysts employed by Google with a mandate to find zero-day vulnerabilities in any software used by large numbers of people, not just Google’s own products. Their deep technical analysis of the FORCEDENTRY exploit provided an unprecedented public look into the technical sophistication of NSO’s capabilities, describing it as “one of the most technically sophisticated exploits we had ever seen”.
These groups frequently work in collaboration, sharing forensic data, indicators of compromise, and methodologies to validate each other’s findings and build a more complete picture of NSO’s global operations. This civil society-led effort is the primary force driving the public disclosure of these cyber weapons and holding their creators and users to account.
Section 2: The Evolution of Pegasus Infection Vectors
The history of Pegasus is marked by a clear and strategic evolution in its infection methodology. NSO Group has progressively moved away from attacks that rely on user interaction towards more sophisticated and reliable “zero-click” exploits. This shift represents a fundamental change in the nature of the threat, effectively eliminating the human element from the attack chain and placing the entire burden of defense on the technical security of the device itself.
2.1 The Trident Era (2016): The 1-Click Spear-Phishing Attack
The first public exposure of Pegasus in August 2016 was the result of a classic spear-phishing attack. The target, prominent Emirati human rights defender Ahmed Mansoor, received an SMS text message containing a link that promised “new secrets” about the torture of detainees in UAE prisons. Being a frequent target of government hacking attempts, Mansoor did not click the link. Instead, he forwarded the message to researchers at the Citizen Lab.
The technical breakdown of the Trident chain, which targeted iOS 9.3.3, demonstrates a multi-stage process to achieve a remote jailbreak:
- CVE-2016-4657: Memory Corruption in WebKit. This was the initial entry point. The vulnerability resided in Safari’s WebKit browser engine. When a user clicked the malicious link and the webpage loaded, a memory corruption flaw was exploited to gain arbitrary code execution within the sandboxed context of the Safari process. A detailed analysis by Lookout revealed this to be a use-after-free vulnerability in the
- CVE-2016-4655: Information Leak in Kernel. To escape the Safari sandbox and gain control over the entire device, the attackers needed to compromise the operating system’s kernel. However, modern operating systems use Kernel Address Space Layout Randomization (KASLR) to place the kernel at a random location in memory, making it difficult to target. This second vulnerability in the Trident chain was an information leak that defeated KASLR by revealing the kernel’s base address in memory to the attacker.
- CVE-2016-4656: Kernel Memory Corruption Leads to Jailbreak. With the kernel’s location known, this third vulnerability was used to corrupt the kernel’s memory, escalate privileges to the highest level, and effectively jailbreak the device. This gave the attackers persistent, administrator-level access to install the full Pegasus surveillance suite.
The discovery of Trident was a landmark event, but it also highlighted the inherent weakness of 1-click exploits from the attacker’s perspective: they depend entirely on the target making a security error. Mansoor’s caution demonstrated that a vigilant user could thwart a multi-million-dollar surveillance operation, a liability NSO Group would seek to eliminate.
2.2 The Pivot to Zero-Click: Eliminating the Human Variable
To create a more reliable and valuable product for its government clients, NSO Group invested heavily in developing “zero-click” exploits. These are the holy grail of offensive hacking, as they can compromise a device remotely and silently, without requiring the target to click a link, open a file, answer a call, or perform any other action. This shift fundamentally alters the security landscape, moving the point of defense entirely from user behavior to the underlying code of the device’s operating system and applications.
A pivotal moment in this evolution came in May 2019, when WhatsApp disclosed that attackers had used a zero-day vulnerability in its app to deploy Pegasus. This exploit, identified as CVE-2019-3568, targeted a buffer overflow flaw in WhatsApp’s Voice over IP (VoIP) calling function. An attacker could install Pegasus onto a target’s phone by simply placing a WhatsApp call. The infection would succeed even if the target did not answer the call, and the attacker could then remotely delete the call record from the device’s logs, erasing any obvious trace of the intrusion. This was a mass-scale deployment, with NSO targeting more than 1,400 phones across 20 countries in just a two-week period.
Concurrently, researchers at Amnesty International identified another stealthy infection vector known as network injection. This technique does not require sending a malicious link directly to the target. Instead, attackers intercept the target’s unencrypted web browsing traffic, for example at the mobile carrier level, and inject a script that silently redirects the browser to a Pegasus exploit server. This method was observed being used against activists in Morocco as early as 2019.
This strategic pivot from 1-click to zero-click attacks represents a profound change in the security paradigm. It renders user security training and awareness campaigns—long the cornerstone of organizational cybersecurity—effectively obsolete against this class of threat. A user can follow every security best practice, exhibit perfect digital hygiene, and still be compromised because their behavior is no longer a factor in the infection chain. The responsibility for defense shifts entirely and exclusively to the device manufacturers to find and patch these deep, complex, and often obscure vulnerabilities in their code. For a high-risk individual, the battle for control of their own device becomes a silent war fought between the engineers at NSO Group and the engineers at Apple and Google, with the user as a passive bystander. This reality is what led Google’s Project Zero researchers to describe a zero-click exploit as “a weapon against which there is no defense”.
Section 3: Deconstruction of Disclosed iOS Zero-Click Exploit Chains
NSO Group has demonstrated a persistent and sophisticated focus on compromising Apple’s iOS platform, likely due to its popularity among high-value targets such as journalists, executives, and government officials. The public disclosures by security researchers provide a detailed chronicle of NSO’s evolving capabilities, revealing a series of increasingly complex zero-click exploit chains designed to bypass Apple’s ever-strengthening security mitigations.
Table 1: Disclosed Pegasus iOS Zero-Day Exploit Chains

| Exploit Chain | Year | Delivery Vector | Disclosed CVEs |
|---|---|---|---|
| Trident | 2016 | 1-click SMS link opened in Safari (WebKit) | CVE-2016-4657, CVE-2016-4655, CVE-2016-4656 |
| KISMET | 2020 | Zero-click iMessage attachment | Not publicly identified |
| FORCEDENTRY | 2021 | Zero-click iMessage (PDF disguised as .gif) | CVE-2021-30860 |
| PWNYOURHOME | 2022 | Zero-click, HomeKit (homed) followed by iMessage | Not publicly identified |
| BLASTPASS | 2023 | Zero-click iMessage PassKit attachment | CVE-2023-41064, CVE-2023-41061 |
3.1 KISMET (2020): The Pre-BlastDoor iMessage Exploit
Discovered by Citizen Lab in late 2020, the exploit chain dubbed KISMET was used in a large-scale campaign between July and August 2020 to hack the personal phones of 36 journalists, producers, and executives at Al Jazeera, as well as a journalist at Al Araby TV. KISMET was a zero-day, zero-click exploit that targeted Apple’s iMessage service and was effective against devices running at least iOS 13.5.1 and iOS 13.7.
While the specific vulnerability exploited by KISMET was never publicly identified and patched by name, forensic analysis by Citizen Lab and Amnesty International provides strong clues about its mechanism. The attack likely involved sending malicious attachments via iMessage that were automatically processed by a background service called `IMTranscoderAgent`. This service, responsible for generating media previews, was apparently tricked into launching a hidden WebKit instance, which would then navigate to a Pegasus infection server to download and execute the main payload. The exploit was also used to target Catalan politicians and activists.
KISMET is believed to have been rendered obsolete by a major security architecture change Apple introduced in iOS 14 called BlastDoor. BlastDoor is a new, tightly sandboxed service designed to act as a quarantine zone for all untrusted data received via iMessage. It unpacks and processes message content in an isolated environment, preventing any malicious code from interacting with the underlying operating system or user data, effectively neutralizing the attack vector used by KISMET.
3.2 FORCEDENTRY (2021): The “Impossible” Exploit that Broke BlastDoor
Just as BlastDoor seemed to have secured iMessage, NSO Group returned with what is widely considered one of the most technically sophisticated exploits ever publicly documented. Named FORCEDENTRY by Citizen Lab, it was captured “in the wild” in March 2021 during the analysis of a Saudi activist’s infected iPhone and had been actively used since at least February 2021. FORCEDENTRY was a zero-click exploit that successfully bypassed the new BlastDoor protections.
The exploit chain, which leveraged a vulnerability tracked as CVE-2021-30860, was deconstructed in remarkable detail by researchers at Google Project Zero and Citizen Lab:
- Vector and Disguise: The attack began with the target receiving multiple files via iMessage that appeared to have a `.gif` extension. In reality, these were not animated images but maliciously crafted Adobe PDF documents.
- The Vulnerability: The exploit targeted a flaw in a legacy part of Apple’s CoreGraphics framework responsible for rendering images. Specifically, it was an integer overflow vulnerability in the open-source Xpdf code used to parse JBIG2-encoded streams. JBIG2 is an archaic, lossless compression format for black-and-white images, often found in documents scanned on older office equipment. This obscure component was the key. The parsing of this data happened automatically within the BlastDoor sandbox when iMessage attempted to generate a preview.
- The Sandbox Escape: This stage is what makes FORCEDENTRY legendary. The exploit did not simply crash the sandboxed process. Instead, as detailed by Google Project Zero, it used the logical operators (like AND, OR, XOR) within the JBIG2 specification as a primitive instruction set to build a small, fully functional virtual computer inside the image rendering library. This rudimentary virtual CPU, running within the confines of the BlastDoor sandbox, was powerful enough to execute its own logic. It was used to probe the device’s memory, find a way to disable security checks, and ultimately escape the sandbox to gain full control over the device and deploy the Pegasus payload.
Attribution to NSO Group was confirmed through multiple forensic artifacts, most notably a unique bug in the Pegasus cleanup routine. This bug, which Citizen Lab dubbed CASCADEFAIL, caused an incomplete deletion of data from the DataUsage.sqlite database, leaving a distinctive forensic signature that was observed only on Pegasus-infected devices. Following a responsible disclosure from Citizen Lab, Apple issued a patch for CVE-2021-30860 in iOS 14.8 in September 2021.
3.3 The 2022 Trio: FINDMYPWN, LATENTIMAGE, and PWNYOURHOME
The patching of FORCEDENTRY was not the end of the story. In 2022, NSO Group quickly deployed a new trio of zero-click exploit chains targeting iOS 15 and later iOS 16. Citizen Lab discovered this new wave of attacks while investigating infections among human rights defenders at Centro PRODH in Mexico, an organization representing victims of military abuses. The three exploit chains were named LATENTIMAGE, FINDMYPWN, and PWNYOURHOME.
While fewer technical details are public about the first two, PWNYOURHOME, which became active in October 2022, represented another significant evolution in NSO’s tactics. It was a novel two-phase zero-click exploit that chained vulnerabilities across two entirely separate system services:
- Phase One: HomeKit. The initial stage of the attack targeted the `homed` process, the system daemon for Apple’s HomeKit smart home framework. Forensic logs from infected devices showed this process repeatedly crashing immediately before the main infection. This attack worked even if the target had never configured a “Home” in the HomeKit app, indicating it was exploiting a core, always-on component of the OS, likely to gain an initial foothold or probe the device for exploitability.
- Phase Two: iMessage. Following the `homed` crashes, the second stage of the exploit targeted the `MessagesBlastDoorService` via iMessage, similar to previous attacks. This phase likely leveraged the access or information gained from the initial HomeKit compromise. The vulnerability reportedly involved the insecure deserialization of objects using `NSKeyedUnarchiver`, a recurring weak point in iOS security that has been exploited in the past.
The PWNYOURHOME exploit demonstrates that NSO’s strategy is not limited to finding a single way in. They are actively mapping the entire attack surface of the operating system and are capable of chaining vulnerabilities across disparate, seemingly unrelated services to orchestrate a successful compromise. This makes a purely defensive strategy, focused on hardening one service like iMessage, significantly more difficult.
3.4 BLASTPASS (2023): Exploiting the Software Supply Chain
The most recently disclosed major exploit chain, discovered by Citizen Lab in September 2023, was named BLASTPASS. It was found on the iPhone of an individual working for a Washington D.C.-based civil society organization. The exploit was particularly alarming because it was capable of compromising a fully patched iPhone running iOS 16.6, the latest version at the time.
The BLASTPASS exploit chain, which utilized two zero-day vulnerabilities (CVE-2023-41064 and CVE-2023-41061), revealed another new attack vector:
- Vector: The exploit was delivered via iMessage, but instead of a PDF or custom file, it used PassKit attachments. PassKit is the framework behind Apple Wallet, used for items like boarding passes and loyalty cards.
- The Vulnerability: The malicious PassKit attachment contained a specially crafted image. The core vulnerability, CVE-2023-41064, was not in Apple’s proprietary code but in `libwebp`, a widely used open-source library created by Google for rendering WebP images, which Apple integrates into its ImageIO framework. The flaw was a buffer overflow that could be triggered when the system attempted to process the malicious image. A second vulnerability in the Wallet framework, CVE-2023-41061, was also leveraged as part of the chain.
Apple released emergency patches for these vulnerabilities in iOS 16.6.1 and corresponding updates for its other operating systems. Significantly, Citizen Lab noted that Apple’s Lockdown Mode, an opt-in high-security setting, was confirmed to block this particular attack chain.
The progression of these iOS exploits reveals a clear and deliberate research and development strategy by NSO Group. They do not merely search for isolated bugs; they systematically deconstruct and bypass entire security architectures. When Apple built the BlastDoor wall to defend iMessage, NSO’s FORCEDENTRY exploit found a single, obscure brick (the JBIG2 parser) and used its logical properties to construct a virtual computer to climb over the wall. When Apple patched that, NSO’s PWNYOURHOME exploit attacked a different part of the system (HomeKit) to get inside the perimeter before assaulting the main iMessage wall. When those avenues were hardened, NSO’s BLASTPASS exploit found a weakness not in Apple’s own architecture, but in a third-party component that Apple had integrated into its system. This demonstrates a multi-pronged, highly adaptive R&D capability that views the entire operating system and its supply chain as a target surface, capable of developing novel, architectural-level bypasses far beyond simple bug exploitation.
Section 4: Analysis of Pegasus on the Android Platform
While the public record on Pegasus’s iOS exploits is rich with technical detail, the state of knowledge regarding its operations on Google’s Android platform is significantly more opaque. This “visibility gap” is a critical finding in itself, suggesting a different operational strategy by NSO Group for the Android ecosystem and highlighting unique challenges for security researchers.
4.1 Known Exploitation Techniques (“Chrysaor”)
Google’s Threat Analysis Group (TAG) and Android security teams have tracked NSO’s activities for years, issuing their first public warning about a Pegasus-related spyware family on Android in 2017. A collaborative investigation between Google and Lookout Security identified this Android variant, which they named “Chrysaor”.
The analysis of Chrysaor samples revealed a key difference from its iOS counterpart. While the iOS version has consistently relied on sophisticated and expensive zero-day exploits, the analyzed samples of Chrysaor were found to use a well-known, publicly documented rooting technique called Framaroot to gain the necessary administrator-level privileges on the device. Framaroot itself uses a collection of known exploits, named after characters from The Lord of the Rings, to achieve privilege escalation.
This does not mean NSO Group lacks zero-day capabilities for Android. Indeed, marketing materials have suggested they possess them, and Google has acted on information to patch Android zero-days believed to be in use by NSO. However, the use of older, known exploits like Framaroot in some cases suggests a tiered approach. For less-protected targets or in environments where it is cost-effective, NSO may deploy cheaper n-day or 1-click exploits rather than burning a valuable zero-day.
Once root access is achieved, Chrysaor’s capabilities mirror those of the iOS version, including the ability to exfiltrate data from popular applications like WhatsApp, log calls and messages, and conduct remote surveillance through the device’s microphone and camera. If the initial attempt to gain root access fails, the spyware is designed to fall back on a social engineering approach, repeatedly asking the user for extensive permissions that would allow it to harvest a more limited, but still significant, amount of data.
4.2 Platform-Level Security and Mitigation
Google employs a multi-layered strategy to defend the Android ecosystem against threats like Pegasus. This includes both proactive hardening of the platform and reactive threat detection mechanisms.
- Google Play Protect: This is Android’s built-in malware protection service, which is active on billions of devices. It continuously scans devices for potentially harmful applications (PHAs) and can warn users or remove known spyware variants like Chrysaor.
- Platform Hardening and Security Reviews: Google conducts vigorous security reviews of Android’s core components and open-source libraries during the development process to identify and eliminate vulnerabilities before they can be exploited.
- Android 14 Cellular Security Enhancements: Recognizing the threat posed by network-based attacks and IMSI-catchers (often called “stingrays”), Google introduced significant cellular security enhancements in Android 14. This includes a user-facing option to disable 2G connectivity on their device. This is a critical mitigation, as attackers often use stingrays to force a device to downgrade its connection to the easily-interceptable and unencrypted 2G standard, which can then be used to inject malware or intercept communications. Android 14 also introduced an option to disable support for null-ciphered connections, further protecting voice and SMS traffic from interception.
- Regular Security Bulletins: Google publishes monthly Android Security Bulletins that detail and provide patches for vulnerabilities discovered in the Android platform, the Linux kernel, and closed-source components from chip manufacturers. This regular patching cadence is crucial for closing the window of opportunity for attackers.
The significant disparity in the volume and depth of public information about Pegasus on iOS versus Android is likely the result of a confluence of factors. First, NSO may operate with a tiered exploit strategy, reserving its most valuable and sophisticated zero-click, zero-day exploits for the latest iPhones, which are often used by the highest-value targets and are perceived as more difficult to compromise. For the vast and fragmented Android market, a portfolio of 1-click exploits and exploits for unpatched n-day vulnerabilities may provide a better return on investment. Second, the primary victim constituency for organizations like Citizen Lab and Amnesty International—journalists, activists, and lawyers—has historically shown a high prevalence of iPhone usage. This naturally leads to more compromised iPhones being available for forensic analysis, creating a research feedback loop that is heavily focused on iOS. Finally, the technical fragmentation of the Android ecosystem presents a major hurdle for researchers. An exploit that works on a Google Pixel device may fail on a Samsung device running the same version of Android due to vendor-specific modifications to the operating system. This makes capturing and analyzing a universal Android zero-click exploit significantly more challenging than on the relatively homogenous iOS platform. Consequently, the public’s understanding of NSO Group’s full capabilities remains incomplete, with the Android dimension of its operations largely in the shadows.
Section 5: Forensic Traces and Detection Methodologies
Despite NSO Group’s claim that Pegasus “leaves no traces whatsoever,” this is demonstrably false. The spyware and the exploits used to deliver it consistently leave behind a trail of digital breadcrumbs on infected devices. The meticulous work of security researchers in identifying and cataloging these forensic artifacts has been the key to uncovering the global scale of Pegasus abuse. The sophistication of NSO’s zero-day exploits is often contrasted by a surprising lack of operational security in their payload design and infrastructure management, which allows for their detection and attribution.
5.1 Indicators of Compromise (IoCs): The Digital Fingerprints
Indicators of Compromise (IoCs) are the pieces of forensic data that indicate a potential intrusion on a system. For Pegasus, researchers have identified several classes of IoCs.
Table 2: Key Forensic Process Names Associated with Pegasus Infections

| Process Name |
|---|
| smmsgingd |
| otpgrefd |
| ctrlfs |
| bundpwrd |
| setframed |
| bh |
| gatekeeperd |
| roleaccountd |
| homed |
| MessagesBlastDoorService |
Malicious Process Names: As shown in the table above, Pegasus often uses distinctive process names that do not correspond to any legitimate iOS functions. Observing these names in device logs is a strong indicator of compromise. Researchers at Citizen Lab and Amnesty International have compiled extensive lists of these names, such as smmsgingd, otpgrefd, ctrlfs, and setframed, by correlating their appearance with other signs of infection.
File System and Log Artifacts: The spyware leaves traces in various system files and logs, which can be extracted for analysis:
- Shutdown.log: Researchers at Kaspersky discovered that Pegasus infections can be detected by analyzing the `Shutdown.log` file, which is stored in a `sysdiagnose` archive. “Sticky” processes associated with Pegasus that interfere with the normal reboot process can leave anomalous entries in this log.
- SQLite Databases: Databases like `DataUsage.sqlite` and `netusage.sqlite` record network activity by different processes. These can be examined to see if a known Pegasus process has been making connections to the internet.
- Property List (`.plist`) Files: Various `.plist` files can contain evidence. For example, the `com.apple.identityservices.idstatuscache.plist` file can log lookups of attacker-controlled iCloud accounts that were used to deliver exploits via iMessage, Photo Stream, or Wi-Fi Calling. The presence of the file `/private/var/root/Library/Preferences/roleaccountd.plist` was a key indicator for an iOS 12 exploit.
- The “CASCADEFAIL” Bug: A particularly damning piece of evidence is a unique bug in Pegasus’s data cleanup routine, discovered by Citizen Lab. The spyware attempts to delete its network usage records from the `DataUsage.sqlite` file to cover its tracks. However, the deletion was incomplete, leaving behind a specific artifact that researchers named CASCADEFAIL. This bug is so distinctive that it serves as a reliable fingerprint for attributing an infection to NSO Group.
5.2 Network-Based Detection: Tracking the C&C Infrastructure
In addition to on-device forensics, researchers have had significant success tracking Pegasus by monitoring its network infrastructure. Early versions of the spyware connected to a relatively straightforward network of exploit servers and Command-and-Control (C&C) servers.
Over several years, repeated operational security (OPSEC) failures by NSO Group and its clients allowed researchers at Citizen Lab to develop fingerprints for these servers. They actively scanned the internet, identified Pegasus servers, tracked the registration of new domains, and grouped them into distinct systems likely corresponding to different government operators.
As researchers exposed this infrastructure, NSO adapted its tactics. In 2021, it began to make extensive use of legitimate cloud services, particularly Amazon CloudFront, as a proxy layer. This technique, known as “domain fronting,” is used to hide the true IP address of the C&C servers behind the vast infrastructure of a major cloud provider, making them harder to block and track. However, even this activity was detected and correlated with infections by Citizen Lab and Amnesty International, demonstrating the continuous cat-and-mouse game between the spyware operators and the researchers.
5.3 The Mobile Verification Toolkit (MVT): Empowering Investigation
To aid in the global effort to uncover Pegasus abuse, Amnesty International’s Security Lab developed and released the Mobile Verification Toolkit (MVT). MVT is a powerful, open-source, command-line tool designed to help forensic investigators and technically proficient individuals analyze mobile devices for signs of compromise.
MVT automates the complex process of acquiring and parsing forensic artifacts from both iOS and Android devices. It can extract data from an iTunes backup or a full filesystem dump and check it against a community-maintained list of known Pegasus IoCs, including malicious domains, email addresses, file paths, and process names. The release of MVT has been a critical force multiplier, enabling a wider range of civil society organizations and journalists to investigate potential infections and contribute to the global understanding of the spyware’s reach.
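As an added illustration of the IoC-matching step that MVT automates (this is not MVT’s code), the example below parses a minimal STIX2-style indicator bundle of the kind MVT consumes and checks three constructed artifact types against it: browsing-history URLs, identity-service lookups in the shape of idstatuscache.plist, and a process list. The pattern parser handles only single-comparison patterns, the plist layout is a simplified assumption, and every indicator value and artifact is constructed, not a real IoC.

```python
"""Match forensic artifacts against STIX2-style indicators, MVT-fashion.

Added example; not MVT's own code. MVT consumes STIX2 indicator bundles whose
patterns look like "[domain-name:value = 'example.com']". The parser below
handles only that single-comparison form (assumption), and every indicator
value and artifact here is constructed sample data, not a real IoC.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

PATTERN_RE = re.compile(
    r"^\[(?P<type>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<value>[^']*)'\]$")


@dataclass
class IocSet:
    """Indicator values grouped by STIX object type, lower-cased."""
    values: Dict[str, set] = field(default_factory=lambda: {
        "domain-name": set(), "email-addr": set(), "file": set(), "process": set()})

    @classmethod
    def from_bundle(cls, bundle: dict) -> "IocSet":
        iocs = cls()
        for obj in bundle.get("objects", []):
            if obj.get("type") != "indicator":
                continue
            m = PATTERN_RE.match(obj["pattern"])
            if not m:
                continue  # unsupported pattern form: skip rather than guess
            iocs.values.setdefault(m["type"], set()).add(m["value"].lower())
        return iocs


@dataclass
class Detection:
    source: str
    kind: str
    value: str


def check_history(urls: List[str], iocs: IocSet) -> List[Detection]:
    """Flag visited URLs whose host, or any parent domain of it, is an indicator."""
    hits = []
    for url in urls:
        labels = (urlparse(url).hostname or "").lower().split(".")
        for i in range(len(labels) - 1):
            if ".".join(labels[i:]) in iocs.values["domain-name"]:
                hits.append(Detection("safari_history", "domain-name", url))
                break
    return hits


def check_idstatuscache(cache: dict, iocs: IocSet) -> List[Detection]:
    """Flag identity-service lookups of indicator e-mail accounts.

    `cache` mirrors com.apple.identityservices.idstatuscache.plist in a
    simplified form: service -> {"mailto:user@host": status} (assumption).
    """
    hits = []
    for service, lookups in cache.items():
        for uri in lookups:
            if uri.startswith("mailto:") and uri[7:].lower() in iocs.values["email-addr"]:
                hits.append(Detection(f"idstatuscache/{service}", "email-addr", uri))
    return hits


def check_processes(names: List[str], iocs: IocSet) -> List[Detection]:
    """Flag running or recorded process names that appear in the indicator set."""
    return [Detection("processes", "process", n) for n in names
            if n.lower() in iocs.values["process"]]


# Constructed sample bundle and artifacts (no real indicators).
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value = 'exploit-delivery.example']"},
    {"type": "indicator", "pattern": "[email-addr:value = 'operator-account@example.net']"},
    {"type": "indicator", "pattern": "[process:name = 'sample-bad-proc']"},
    {"type": "indicator", "pattern": "[url:value = 'https://x.example/a' AND x:y = '1']"},
]}
SAMPLE_HISTORY = ["https://www.apple.com/", "https://cdn.exploit-delivery.example/stage1"]
SAMPLE_IDCACHE = {"com.apple.madrid": {"mailto:friend@example.org": 1,
                                       "mailto:operator-account@example.net": 1}}
SAMPLE_PROCESSES = ["SpringBoard", "sample-bad-proc", "MobileMail"]


def run_checks() -> List[Detection]:
    """Run every check over the constructed artifacts and return all detections."""
    iocs = IocSet.from_bundle(SAMPLE_BUNDLE)
    return (check_history(SAMPLE_HISTORY, iocs)
            + check_idstatuscache(SAMPLE_IDCACHE, iocs)
            + check_processes(SAMPLE_PROCESSES, iocs))


if __name__ == "__main__":
    for d in run_checks():
        print(f"[{d.source}] {d.kind} match: {d.value}")
```

The parent-domain walk in check_history matters in practice: an indicator for a bare domain should also catch subdomains used for staging, while the unsupported compound pattern is skipped explicitly so a malformed bundle cannot silently turn into a false negative for the rest of the set.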
Section 6: The Mitigation Arms Race and Strategic Recommendations
The battle against Pegasus is a dynamic arms race, with each exploit disclosure prompting new defensive measures from platform vendors, which in turn forces NSO Group to develop even more sophisticated attack techniques. This final section analyzes the defensive side of this conflict, focusing on vendor responses and providing actionable guidance for at-risk individuals and organizations.
6.1 The Vendor Response: Apple’s Hardening of iOS
Apple, whose devices have been a primary target for NSO Group, has implemented several significant architectural changes to iOS in direct response to the Pegasus threat.
- BlastDoor (iOS 14): Introduced in iOS 14, BlastDoor was a direct response to zero-click iMessage exploits like KISMET. It is a new, heavily sandboxed service that acts as a secure quarantine for all incoming iMessage data. It unpacks and analyzes message content in an isolated environment, separate from the core operating system, with the goal of preventing any malicious payload from ever reaching a state where it could execute code or interact with user data. While it was ultimately bypassed by the novel techniques of the FORCEDENTRY exploit, BlastDoor represented a major hardening of the iMessage attack surface and significantly raised the cost and complexity for attackers.
- Lockdown Mode (iOS 16): The repeated success of NSO in bypassing even hardened defenses led Apple to a new strategic approach with the introduction of Lockdown Mode in iOS 16. This is an optional, extreme security setting designed for the small number of users who face grave, targeted threats, such as journalists and human rights activists. When enabled, Lockdown Mode drastically reduces the device’s attack surface by disabling or severely limiting features that are known to be vectors for exploitation. These limitations include:
- Blocking most message attachment types other than images.
- Disabling link previews in messages.
- Turning off complex web technologies like just-in-time (JIT) JavaScript compilation.
- Blocking incoming invitations and service requests, including FaceTime calls, from unknown contacts.
- Preventing the installation of configuration profiles and enrollment in mobile device management (MDM).
The introduction of Lockdown Mode is a tacit admission that a single, default security model is insufficient for all users. It represents a bifurcation of the user base into “standard” users and “high-risk” users. It signals a strategic shift from simply building incrementally higher walls to providing users with an emergency “citadel” they can retreat into, consciously trading functionality for a radical reduction in their attack surface. Citizen Lab has confirmed that Lockdown Mode successfully blocked the BLASTPASS attack chain, proving its efficacy against at least one real-world zero-click exploit.
- Rapid Patching: A key component of the defensive strategy is the speed of response. In nearly every case of a publicly disclosed Pegasus exploit, Apple has worked quickly with the reporting researchers to develop and release a security patch, often within a week to ten days of being notified.
6.2 A Chronology of Vulnerability and Response
The timeline of exploit disclosures and subsequent vendor patches illustrates the tempo of the arms race and highlights the critical “patch gap”—the period during which users are vulnerable before a fix is available.
Table 3: Timeline of Major Disclosures and Vendor Patches
| Date of Public Disclosure |
| --- |
| August 25, 2016 |
| December 20, 2020 |
| September 13, 2021 |
| April 18, 2023 |
| September 7, 2023 |
This timeline demonstrates the effectiveness of the responsible disclosure process. The collaboration between independent researchers and platform vendors is crucial for closing these windows of vulnerability and protecting users at scale.
6.3 Recommendations for High-Risk Individuals and Organizations
Based on the analysis of Pegasus’s methods, a clear set of defensive measures can be recommended for individuals and organizations who believe they are at high risk of being targeted by such sophisticated threats.
- Update Devices Immediately: The single most critical defense is to install operating system and application updates as soon as they become available. Many attacks, even from advanced actors, exploit vulnerabilities for which a patch is already available but has not yet been applied by the user. Enable automatic updates whenever possible.
- Enable Lockdown Mode: For journalists, activists, lawyers, politicians, and others who may be targets of state-sponsored surveillance, enabling Lockdown Mode on Apple devices is the most effective defensive measure currently available. It is specifically designed to block the types of attack vectors Pegasus has historically used.
- Restart Your Phone Daily: Some components of Pegasus spyware are not persistent, meaning they reside only in the device’s memory and do not survive a reboot. Restarting the phone daily can flush these non-persistent elements, forcing an attacker to re-infect the device. This increases the cost and effort for the attacker and creates more opportunities for the attack to be detected.
- Reduce the Attack Surface: Disable services that are not essential. Given their history as primary vectors for zero-click attacks, security researchers specifically recommend disabling iMessage and FaceTime if they are not critical for communication. Consider using alternative, secure messaging apps, but remain aware that no app is secure on a compromised device.
- Maintain Skepticism: While the most advanced threat is zero-click, 1-click exploits that rely on phishing and social engineering remain in the arsenals of NSO and other actors. Do not click on suspicious links or download attachments from unknown or untrusted sources.
- Utilize Forensic Tools: For individuals with the necessary technical expertise, or for organizations with dedicated security staff, regularly using tools like Amnesty International’s MVT to analyze device backups can provide an early warning of a potential compromise.
- Seek Expert Help: If a compromise is suspected, it is crucial to contact expert organizations like the Citizen Lab or Access Now’s Digital Security Helpline. They can provide assistance with forensic analysis and help confirm an infection.
Sources that Gemini didn’t use but I still found good to include
amnesty.org: JOURNALISTS TARGETED WITH PEGASUS SPYWARE – Amnesty International
corrata.com: Pegasus, Predator, Hermit Spyware – NSO and its clones – Corrata
play.google.com: Pegasus – Apps on Google Play