The Rise of Fake Pegasus Malware on the Dark Web: A CloudSEK Report
Following Apple’s recent notification to users in 92 countries about a “mercenary spyware” attack, cybersecurity firm CloudSEK carried out an in-depth investigation that highlights a concerning trend: the widespread misuse of the name of NSO Group’s Pegasus spyware.
This is the second such threat notification Apple has issued in recent months, highlighting the growing threat of cyberattacks on mobile devices. CloudSEK’s research sheds light on how threat actors throughout the deep and dark web have been capitalizing on the popularity of Pegasus, a powerful spyware developed by the NSO Group.
This investigation, supported by robust research, evidence, and human intelligence gathered by CloudSEK researchers over recent months, sheds light on the activities of threat actors leveraging Pegasus for financial gain. (For More Information Download Full Report)
Investigation Overview
CloudSEK researchers have been meticulously triaging and investigating incidents on dark and deep web sources, providing a comprehensive view of the global threat landscape.
The research has uncovered numerous mentions of Pegasus and NSO Group, with various activities revolving around these entities. Following Apple’s recent advisory, CloudSEK intensified its efforts to deep dive into different incidents associated with these entities.
Key Findings:
- IRC Platforms and Telegram Posts: CloudSEK researchers analyzed approximately 25,000 posts on Telegram, many of which claimed to sell authentic Pegasus source code. These posts followed a common template offering illicit services, with Pegasus and NSO tools frequently mentioned.
- Interaction with Potential Sellers: By interacting with over 150 potential sellers, CloudSEK gained insights into various samples and indicators shared by these actors. This included purported Pegasus source code, live demonstrations, file structures, and snapshots.
- Proliferation of Pegasus HVNC Samples: Six unique samples of purported Pegasus HVNC (Hidden Virtual Network Computing) were identified that had propagated on the deep web between May 2022 and January 2024.
- Surface Web Misuse: Similar misuse was observed on surface web code-sharing platforms, where actors disseminated randomly generated source code falsely presented as Pegasus.
Outcome of the Investigation
After analyzing 15 samples and over 30 indicators from human intelligence (HUMINT) and deep and dark web sources, CloudSEK discovered that nearly all samples were fraudulent and ineffective. Threat actors created their own tools and scripts and distributed them under Pegasus’ name to capitalize on its notoriety for financial gain.
A subset of these posts made purported Pegasus samples publicly available, and CloudSEK’s analysis revealed that the actors were disseminating malware to compromise end users’ devices. These malicious programs leveraged Pegasus’ name to persuade victims to download them.
This trend was also noted across multiple underground forums, where perpetrators marketed and distributed samples, exploiting Pegasus’ name for monetary gain.
CloudSEK’s research highlights the importance of staying vigilant and relying on credible sources for information on cyberattacks and malware.
Note: This report is not intended to malign or portray the NSO Group negatively. It serves as an advisory against scammers and threat actors who are exploiting the growing recognition of NSO Group’s renowned product, Pegasus, for their fraudulent purposes.