spyware software created by the NSO Group based in Israel
via Wikipedia infobox

HIDE AND SEEK: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries - The Citizen Lab
In this post, we develop new Internet scanning techniques to identify 45 countries in which operators of NSO Group’s Pegasus spyware may be operating.
citizenlab.ca →Israel-based “Cyber Warfare” vendor NSO Group produces and sells a mobile phone spyware suite called Pegasus . To monitor a target, a government operator of Pegasus must convince the target to click on a specially crafted exploit link , which, when clicked, delivers a chain of zero-day exploits to penetrate security features on the phone and installs Pegasus without the user’s knowledge or permission. Once the phone is exploited and Pegasus is installed, it begins contacting the operator’s command and control (C&C) servers to receive and execute operators’ commands, and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity. Diagram from purported NSO Group Pegasus documentation showing the range of information gathered from a device infected with Pegasus. Source: Hacking Team Emails. Pegasus exploit links and C&C servers use HTTPS, which requires operators to register and maintain domain names . Domain names for exploit links sometimes impersonate mobile providers, online services, banks, and government services, which may make the links appear to be benign at first glance. An operator may have several domain names that they use in exploit links they send, and also have several domain names they use for C&C. The domain names often resolve to cloud-based virtual private servers (we call these front-end servers ) rented either by NSO Group or the operator. The front-end servers appear to forward traffic (via a chain of other servers) to servers located on the operator’s premises (we call these the back-end Pegasus servers ). In August 2016, award-winning UAE activist Ahmed Mansoor was targeted with NSO Group’s Pegasus spyware. We clicked on the link he was sent and obtained three zero-day exploits for the Apple iPhone, as well as a copy of the Pegasus spyware. We fingerprinted the behaviour of the exploit link and C&C servers in the sample sent to Mansoor, and scanned the Internet for other matching front-end servers. We found 237 servers . After we clicked on the link, but before we published our findings on August 24, NSO Group had apparently taken down all of the Pegasus front-end servers we detected. In the weeks after our report, we noticed a small number of Pegasus front-end servers come back online, but the servers no longer matched our fingerprint. We developed a new fingerprint and began conducting regular Internet scans. We next sought to identify where these Pegasus systems were being used. We hypothesized that devices infected with Pegasus would regularly look up one or more of the domain names for the operator’s Pegasus front-end servers using their ISP’s DNS servers. We regularly probed tens of thousands of ISP DNS caches around the world via DNS forwarders looking for the Pegasus domain names ( Section 3 ). We found suspected NSO Pegasus infections associated with 33 of the 36 Pegasus operators we identified in 45 countries: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia. As our findings are based on country-level geolocation of DNS servers, factors such as VPNs and satellite Internet teleport locations can introduce inaccuracies. We identify what appears to be a significant expansion of Pegasus usage in the Gulf Cooperation Council (GCC) countries in the Middle East. In total, we identify at least six operators with significant GCC operations, including at least two that appear to predominantly focus on the
~40 min read
Pegasus is spyware developed by the Israeli cyber-arms company NSO Group that is designed to be covertly and remotely installed on mobile phones running iOS and Android. While NSO Group markets Pegasus as a product for fighting crime and terrorism, governments around the world have routinely used the spyware to surveil journalists, lawyers, political dissidents, and human rights activists. The sale of Pegasus licenses to foreign governments must be approved by the Israeli Ministry of Defense.
As of September 2023, Pegasus operators were able to remotely install the spyware on iOS versions through 16.6 using a zero-click exploit. While the capabilities of Pegasus may vary over time due to software updates, Pegasus is generally capable of reading text messages, call snooping, collecting passwords, location tracking, accessing the target device's microphone and camera, and harvesting information from apps. The spyware is named after Pegasus, the winged horse of Greek mythology.
Excerpt from a page describing this subject · 40,000 chars · not written by Vinony
via Wikidata · CC0
via Wikidata sitelinks · CC0
Discovered by embedding cosine similarity (sentence-transformers MiniLM, 384-dim).