CloudSEK exposes misuse of Pegasus spyware on the deep web

Following Apple's recent warning about "mercenary spyware" attacks, cybersecurity firm CloudSEK has uncovered a disturbing trend of the misuse of NSO Group's Pegasus spyware name by threat actors on the deep and dark web. Apple's advisory, which affected users in 92 countries, is its second warning in recent months, underscoring the growing threat of cyberattacks on mobile devices.

CloudSEK's comprehensive investigation highlights how malicious actors are capitalising on the infamous reputation of Pegasus, a powerful spyware developed by the NSO Group, for financial gain. The research, which spans months of evidence gathering and human intelligence, unveils widespread fraudulent activity associated with the Pegasus name.

According to the findings, CloudSEK researchers reviewed around 25,000 posts on IRC platforms and Telegram, revealing a plethora of claims about selling the authentic Pegasus source code. These posts generally follow a template offering illicit services, prominently featuring mentions of Pegasus and NSO Group tools.

By engaging with over 150 potential sellers, CloudSEK obtained various samples and indicators claimed to be Pegasus. These included alleged source codes, live demonstrations, file structures, and snapshots. Of significant concern were six unique samples of Pegasus HVNC (Hidden Virtual Network Computing) propagated on the deep web between May 2022 and January 2024.

Further misuse was identified on surface web code-sharing platforms, where threat actors disseminated randomly generated source codes under the guise of Pegasus. This activity highlights a broader trend of leveraging the Pegasus name for fraudulent purposes across both the deep web and surface web.

Upon analysing 15 samples and over 30 indicators from a mix of human intelligence (HUMINT), deep, and dark web sources, CloudSEK determined that nearly all samples were fraudulent and ineffective. These findings suggest that threat actors created bespoke tools and scripts, falsely branding them as Pegasus to exploit its notoriety and entice victims.

In some instances, purported Pegasus samples were made publicly available, tricking end users into downloading malicious programs. These programs compromised devices, originating from actors who capitalised on the Pegasus name to deceive users.

CloudSEK noted this pattern across multiple underground forums, where perpetrators marketed and distributed malware using the Pegasus name for monetary gain. The findings shed light on the critical importance of vigilance and reliance on credible information sources when dealing with cyberattacks and malware threats.

This report serves as a warning against scammers and threat actors exploiting the high-profile recognition of the NSO Group's Pegasus spyware. It is not intended to malign the NSO Group but to alert individuals and organisations to the dangers posed by these fraudulent actors.

CloudSEK's research underlines the ongoing necessity for robust cybersecurity measures and proactive threat intelligence to safeguard against such pervasive threats. The firm urges stakeholders to stay informed and cautious to navigate the evolving landscape of cyber threats effectively.