Following Apple’s recent threat notifications to iPhone users in 92 countries, cybersecurity firm CloudSEK conducted an investigation revealing a surge in fake Pegasus spyware on the deep and dark web.
While Apple did not specify any threat actors in its warning, it cited Pegasus spyware from the NSO Group as an example. CloudSEK believes this may have prompted scammers to peddle fraudulent malware under the guise of Pegasus source code.
CloudSEK’s investigation began after Apple’s advisory in April, with researchers scouring the deep and dark web as well as the surface web to ascertain whether authentic Pegasus spyware was available or whether fraudsters were leveraging its name for deceitful purposes.
In a report titled “Behind the Advisory: Decoding Apple’s Alert and Spyware Dilemma,” CloudSEK revealed its findings. Researchers examined around 25,000 posts on Telegram and frequented Internet Relay Chat (IRC) platforms. A significant portion of these posts purported to sell genuine Pegasus source code.
These posts followed a consistent pattern, enticing buyers with terms like NSO Tools and Pegasus. Interacting with over 150 potential sellers of such “Pegasus” spyware, CloudSEK uncovered samples purportedly showcasing source code, live video demonstrations of malware usage, and snapshots of the source code, all under the name Pegasus.
Moreover, researchers identified six unique samples named Pegasus HVNC (Hidden Virtual Network Computing) on the deep web between May 2022 and January 2024, which indicates the proliferation of such samples among threat actors. Similar instances were observed on the surface web.
CloudSEK obtained 15 samples and over 30 indicators from various sources. However, it found that “nearly all of them have been creating their own fraudulent, ineffective tools and scripts, attempting to distribute them under Pegasus’ name to capitalise on Pegasus and NSO Group’s name for substantial financial gain.”
It is suspected that groups of malicious actors exploited the attention generated by Apple’s advisory and multiple news reports mentioning Pegasus to sell their own random samples labelled as Pegasus. Although these spyware samples can still pose a threat and harm victims, they are likely unrelated to the NSO Group or genuine Pegasus.
The report underscores the importance of scrutinizing threat attribution after an attack, both to aid cybersecurity firms in identification and in suggesting reinforcements and to prevent panic among the public.