CloudSEK Report Highlights the Surge of the Fake Pegasus Spyware Following Apple’s Threat Notifications

CloudSEK, a cybersecurity firm, led an investigation after Apple's threat notifications were sent out to iPhone users in 92 countries last month, and found that soon after the advisory was released, the deep and dark web saw a rise of fake Pegasus spyware. Notably, Apple did not name any threat actors in association with its warning, but it did mention Pegasus spyware from the NSO group as an example. CloudSEK believes this could have led to scammers selling fraudulent malware as Pegasus source code.

Details of CloudSEK's investigation

After Apple's warning in April, CloudSEK researchers began delving into the deep and dark web, as well as the surface web to see whether authentic Pegasus spyware was available to purchase or if fraudsters were using its name to swindle potential buyers.

In a report titled “Behind the Advisory: Decoding Apple's Alert and Spyware Dilemma”, the cybersecurity firm stated that it frequented Internet Relay Chat (IRC) platforms. After analysing approximately 25,000 posts on Telegram, researchers found that a major portion of the posts claimed to sell authentic Pegasus source code.

CloudSEK's investigation in Telegram
Photo Credit: CloudSEK

These sale alert posts followed the same pattern. It used words such as NSO Tools and Pegasus to entice buyers. Interacting with more than 150 potential sellers of such “Pegasus” spyware, the report found that the samples included source code, live video demonstrations of using the malware, and snapshots of the source code. These were all done with names suggesting Pegasus.

Researchers also found six unique samples named Pegasus HNVC (Hidden Virtual Network Computing) posted on the deep web between May 2022 and January 2024, suggesting the proliferation of these samples among threat actors. Similar instances were also found on the surface web.

CloudSEK's findings

The cybersecurity group eventually obtained 15 samples and more than 30 indicators from various sources. However, it found that “nearly all of them have been creating their own fraudulent, ineffective tools and scripts, attempting to distribute them under Pegasus' name to capitalise on Pegasus and NSO Group's name for substantial financial gain.”

It is believed that groups of bad actors have used the sensationalism created by Apple's advisory and multiple news reports mentioning the Pegasus name and used it to sell self-created random samples labelled Pegasus. While these spyware can still be nefarious and harm the victims, they are likely not associated with the NSO Group or Pegasus.

The report has urged critical examination after an incident of a threat attack to correctly attribute the threat actors as it can both help cybersecurity firms in identifying and suggesting reinforcements and will ensure no panic is spread among people.