Pegasus

OSINT ANALYSIS

PEGASUS: THE SPY TOOL THAT WAS SOLD AS SECURITY

1. Executive Summary

Pegasus is a modular spyware platform developed by the Israeli cyber‑intelligence firm NSO Group. Unlike traditional malware that relies on a user clicking a malicious link, Pegasus pioneered the use of “zero‑click” exploits, which compromise a device without any user interaction whatsoever. Once installed, it grants the operator complete access to the target’s messages, emails, photos, call logs, contacts, location data, camera, and microphone.

NSO Group markets Pegasus exclusively to government clients under the stated purpose of fighting terrorism and serious crime. However, a massive 2021 data leak known as the Pegasus Project revealed that NSO’s customers used the tool to target journalists, human rights activists, political opponents, and even heads of state across dozens of countries.

The fallout has been severe. NSO was placed on a U.S. trade blacklist in 2021, lost major lawsuits against WhatsApp and Apple, and was ultimately forced to sell itself to an American investor group in 2025. Pegasus remains the most infamous example of how a commercial surveillance tool, sold as a security solution, became a weapon of repression.



2. Origin and Developer

NSO Group was founded in 2010 in Herzliya, Israel, near Tel Aviv. The name is derived from “Niyar” and “Shmuel,” a reference to the biblical Book of Samuel. The company positions itself as a legitimate cyber‑defense firm, with its products approved for export by the Israeli Ministry of Defense. NSO has consistently maintained that it licenses Pegasus only to “closely vetted government users for the sole purpose of preventing or investigating serious crime including terrorism”.

The company employs approximately 600 people in Israel and around the world. Its business model is straightforward: sell access to a highly invasive surveillance platform and collect licensing fees, while leaving the actual operation of the system to the government customer.



3. Capabilities and Infection Mechanisms

Pegasus is designed to compromise both iOS and Android smartphones without tipping off the user. Its technical sophistication is what set it apart from conventional spyware.

Zero‑click exploits. The most advanced infection vector requires no action from the target. A specially crafted message (often delivered via iMessage, WhatsApp, or a phone call that does not even need to be answered) exploits a previously unknown vulnerability in the operating system, known as a zero‑day. The payload installs silently in the background, and the victim never sees any indication of an attack.

Complete device takeover. Once Pegasus is installed, the operator can read all messages from any encrypted messaging app (including Signal, WhatsApp, and Telegram), activate the microphone to record ambient conversations, switch on the camera to capture images, extract photos and documents, log every keystroke, and track the device’s real‑time location.

Advanced concealment. Pegasus hides its presence using rootkit techniques. It can also “scrub” forensic traces after an operation to avoid detection, making it extremely difficult for victims to know they have been compromised.

Evolution beyond the phone. Later versions of Pegasus evolved to capture data stored beyond the phone itself, including cloud backups, location histories, and archived messages from platforms like iCloud and Google Drive.

Android capabilities. While Pegasus is best known for its iOS exploits, a version for Android also exists. On Android, the infection typically relies on malicious links or a rooting technique called Framaroot to gain system‑level access.



4. The Pegasus Project: The 2021 Data Leak

In July 2021, a consortium of more than 80 journalists from 17 media organizations in 10 countries, coordinated by the Paris‑based non‑profit Forbidden Stories and supported by forensic work from Amnesty International, published the results of a year‑long investigation into NSO Group.

The investigation was based on a leaked database containing more than 50,000 phone numbers believed to be of interest to NSO’s government clients. Amnesty International conducted forensic examinations on 67 devices belonging to individuals on the list; 37 of them showed signs of a Pegasus infection or an attempted infection.

The data revealed that NSO had clients in at least 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates. Amnesty International’s Secretary General, Agnès Callamard, stated: “The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril”.

NSO Group denied the findings, calling them “wrong assumptions” and “uncorroborated theories,” and reiterated that the company was on a “life‑saving mission”.



5. Global Victims

The Pegasus Project identified more than 1,000 individuals in 50 countries as potential targets. The breakdown included 189 journalists, 85 human rights activists, more than 600 politicians and government officials, at least 65 business executives, and several Arab royal family members.

Among the most high‑profile victims were 14 heads of state and government, including France’s Emmanuel Macron, Iraq’s Barham Salih, South Africa’s Cyril Ramaphosa, and Morocco’s King Mohammed VI.

Journalists from major news organizations appeared on the list, including employees of The Associated Press, Reuters, CNN, The Wall Street Journal, Le Monde, and The Financial Times. The phone of Jamal Khashoggi’s fiancée, Hatice Cengiz, was infected just four days after he was killed in the Saudi Consulate in Istanbul in 2018.

In India, at least 300 phone numbers were targeted, including those of over 40 senior journalists, opposition leaders, government officials, and rights activists. Forensic tests revealed that the phones of leading Indian journalists were infected as recently as June 2021.

In Mexico, fifty people close to President Andrés Manuel López Obrador were on the potential target list, including his wife, children, aides, and even his cardiologist. A Mexican reporter whose phone number was added to the list, Cecilio Pineda, was assassinated in 2017.

In the Middle East, Saudi Arabia, the UAE, and Bahrain were among the largest clients. Le Monde estimated that these three countries spent approximately 4.72 billion euros over five years on Pegasus, targeting up to 23,000 phone numbers. The UAE reportedly used Pegasus to target women members of its own royal family.

The UN High Commissioner for Human Rights, Michelle Bachelet, said that if the allegations were even partly true, a “red line has been crossed again and again with total impunity”.



6. Global Response and Sanctions

The revelations triggered a cascade of legal, regulatory, and commercial actions against NSO Group.

U.S. trade blacklist. In November 2021, the U.S. Commerce Department placed NSO Group on the Entity List, effectively barring American companies from trading with the firm. The blacklist significantly dented NSO’s financial fortunes, as it cut off access to U.S. technology and suppliers. In May 2025, the Trump administration rebuffed NSO’s efforts to be removed from the blacklist, further isolating the company.

WhatsApp lawsuit. In 2019, Meta’s WhatsApp sued NSO Group for exploiting a vulnerability in the messaging app to deploy Pegasus on approximately 1,400 devices. In November 2025, a California federal judge permanently banned NSO Group from using WhatsApp’s platform. The court’s order effectively shut down any attempt by NSO to target the messaging service, which is used by over two billion people worldwide. The ruling warned that the ban could threaten NSO’s business viability.

Apple lawsuit. Apple also filed a lawsuit against NSO Group in 2021, accusing the company of targeting Apple users with Pegasus. The lawsuit remains ongoing but further tarnished NSO’s reputation.

Multi‑company legal action. Microsoft, Google, Cisco, and Dell joined the legal fight against NSO, arguing that victims of the spyware should be able to sue the company for privacy violations.

Academic watchdog. The Citizen Lab at the University of Toronto has been tracking Pegasus abuses since 2016. The lab has repeatedly discovered new zero‑click exploits used by NSO, including the “FORCEDENTRY” exploit in 2021 and the “Homage” exploit in 2022, and has provided its findings to Apple to enable patches.



7. The Company Today: Sale to U.S. Investors

By 2025, NSO Group was a diminished company. It carried approximately $500 million in debt and faced an uncertain future. In October 2025, a group of American investors led by Hollywood producer Robert Simonds (founder of STX Entertainment, known for films starring Adam Sandler and Reese Witherspoon) agreed to acquire NSO Group in a deal valued at several tens of millions of dollars.

The deal required approval from Israel’s Defense Export Control Agency and the U.S. Securities and Exchange Commission. Upon completion, co‑founder Omri Lavie would exit the company entirely, marking the departure of NSO’s founding leadership. NSO’s spokesperson emphasized that the company’s headquarters and core operations would remain in Israel, and that it would continue to be supervised by Israeli authorities.

The sale was widely seen as an attempt by NSO to survive the combined pressure of the U.S. blacklist, mounting legal losses, and reputational ruin. However, it also raised concerns about the future direction of the company under American ownership.



8. Credibility Assessment of OSINT Sources

The OSINT community’s understanding of Pegasus relies on three categories of sources.

Technical analysis (Citizen Lab, Amnesty International, Kaspersky, AVG) – Verifiable. The forensic methodology used to detect Pegasus infections has been published and peer‑reviewed. Citizen Lab’s findings on zero‑click exploits have been confirmed by Apple’s subsequent security patches. This is the most reliable source for understanding how Pegasus works.

Journalistic investigation (The Pegasus Project) – Highly credible. The investigation involved 80 journalists from 17 reputable media organizations, including The Guardian, The Washington Post, Le Monde, and others. The forensic work was conducted by Amnesty International, a globally respected human rights organization. NSO’s denials have been general and have not addressed the specific evidence presented.

Legal and regulatory actions – Verifiable. The U.S. Commerce Department’s Entity List, the WhatsApp court ruling, and the Apple lawsuit are matters of public record. The sale to U.S. investors has been confirmed by multiple business outlets.

NSO Group’s official statements – Treated with caution. The company has consistently denied misuse of its products, but the weight of evidence from forensic analysis and leaked data contradicts these denials. NSO does not disclose its clients and claims to have “no visibility” into how customers use Pegasus, a claim that security researchers have contested.

Conclusion on credibility: The technical capabilities of Pegasus, the list of victims, the involvement of NSO’s government clients, and the subsequent sanctions and legal actions are all supported by verifiable, cross‑referenced open sources. The core narrative – that NSO Group sold a powerful surveillance tool to governments, which then used it to target journalists, activists, and political opponents on a massive scale – is established beyond reasonable doubt.



9. Conclusion

Pegasus represents a watershed moment in the history of digital surveillance. It proved that a commercial company could develop and sell nation‑state‑grade cyber‑weapons to any government with sufficient funds, regardless of that government’s human rights record. The tool that was marketed as a counter‑terrorism and law enforcement solution became, in practice, a weapon for silencing dissent, crushing political opposition, and surveilling the very individuals who most needed protection.

The Pegasus Project revealed the scale of the abuse: 50,000 potential targets, 189 journalists, 85 activists, more than 600 politicians, and 14 heads of state. The forensic evidence was clear, the journalistic investigation was rigorous, and the subsequent legal and regulatory consequences were severe.

NSO Group survived, but in a transformed state – sold to American investors, banned from WhatsApp, blacklisted by the U.S. government, and stripped of its founding leadership. Yet the industry it helped create continues to thrive. Other spyware vendors have emerged, and the demand for commercial surveillance tools shows no sign of abating.

Pegasus is no longer an isolated scandal. It is a case study in the dangers of unregulated surveillance technology, a warning about the thin line between security and repression, and a reminder that in the digital age, the most powerful weapon in a state’s arsenal can be sold to the highest bidder.

Current status: NSO Group is under new ownership, but its legacy as the pioneer of commercial zero‑click spyware endures. The debate over how to regulate the mercenary spyware industry remains unresolved.


Source: https://www.newsofbahrain.com/business/55719.html