{
	"id": "a0af9a91-fbb1-4a8a-a417-322704072b23",
	"created_at": "2026-04-06T01:31:34.812283Z",
	"updated_at": "2026-04-10T03:25:23.45577Z",
	"deleted_at": null,
	"sha1_hash": "13659462d910c015d3d5aa3c977298d8df56af30",
	"title": "Moroccan Journalist Targeted With Network Injection Attacks Using NSO Group’s Tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 568927,
	"plain_text": "Moroccan Journalist Targeted With Network Injection Attacks Using\r\nNSO Group’s Tools\r\nPublished: 2020-06-22 · Archived: 2026-04-06 00:07:06 UTC\r\nSummary\r\nIn October 2019 Amnesty International published a first report on the use of spyware produced by Israeli company\r\nNSO Group against Moroccan human rights defenders Maati Monjib and Abdessadak El Bouchattaoui. Through our\r\ncontinued investigation, Amnesty International’s Security Lab identified similar evidence of the targeting of Omar\r\nRadi, a prominent activist and journalist from Morocco from January 2019 until the end of January 2020.\r\nEvidence gathered through our technical analysis of Omar Radi’s iPhone revealed traces of the same “network\r\ninjection” attacks we described in our earlier report that were used against Maati Monjib. This provides strong\r\nevidence linking these attacks to NSO Group’s tools.\r\nThese findings are especially significant because Omar Radi was targeted just three days after NSO Group released\r\nits human rights policy. These attacks continued after the company became aware of Amnesty International’s first\r\nreport that provided evidence of the targeted attacks in Morocco. This investigation thus, demonstrates NSO Group’s\r\ncontinued failure to conduct adequate human rights due diligence and the inefficacy of its own human rights policy.\r\nIntroduction\r\nIn October 2019 Amnesty International published the report “Morocco: Human Rights Defenders Targeted with NSO\r\nGroup’s Spyware”, where we detailed the targeting of Moroccan human rights defenders Maati Monjib and Abdessadak El\r\nBouchattaoui using surveillance technology produced by the company NSO Group. 
In this current report, Amnesty\r\nInternational now reveals that Omar Radi, another prominent human rights defender and journalist from Morocco, was also\r\ntargeted using NSO Group’s tools.\r\nPhoto Credits: Fanny Hedenmo\r\nThe Moroccan authorities have lately intensified their crackdown on peaceful dissent, with arbitrary arrests and\r\nprosecutions of individuals, including journalist Omar Radi, rappers and Youtubers, many of whom have been targeted\r\nsimply for criticizing the King or other officials. Since November 2019, Amnesty International documented ten cases of\r\nactivists who have been unlawfully arrested and prosecuted. All ten individuals have been charged with “offending” public\r\nofficials or institutions, the King or the Monarchy, which are all crimes under Morocco’s Penal Code. Between November\r\n2019 and March 2020, all ten individuals and activists were handed prison sentences ranging from a four-month suspended\r\nsentence to a four-year prison sentence. Amnesty International has called on the Moroccan authorities to drop charges and\r\nhttps://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/\r\nPage 1 of 11\n\nfree those sentenced for exercising their right to free expression, and to reform the criminal code to decriminalize these\r\nforms of protected expression.\r\nOn 26 December 2019, Moroccan authorities arrested Radi for a tweet he posted earlier that year, in April, criticizing the\r\njudicial system for upholding the verdict against protesters from the 2017 protest movement in Morocco’s northern region\r\nknown as the Hirak el-Rif. A few days after his arrest, a Casablanca court granted him provisional release. But on March 17,\r\na court in Casablanca sentenced him to a four-month suspended sentence and a 500 dirhams (52 dollars) fine. 
\r\nOmar Radi is a Moroccan award-winning investigative journalist and activist who worked for several national and\r\ninternational media outlets, including Atlantic Radio, TelQuel. His work investigated the links between corporate and\r\npolitical interests in Morocco and touched upon questions of corruption and other human rights abuses in Morocco and often\r\ntackled the persistence of impunity and lack of justice in the country.\r\nAmnesty International’s Security Lab performed a forensic analysis of Omar Radi’s phone and found traces suggesting he\r\nwas subjected to the same network injection attacks we first observed against Maati Monjib and described in our earlier\r\nreport. Through our investigation we were able to confirm that his phone was targeted and put under surveillance during the\r\nsame period he was prosecuted. This illustrates how human rights defenders (HRDs) may often have to deal with the twin\r\nchallenges of digital surveillance alongside other tactics of criminalisation at the hands of Moroccan authorities leading to a\r\nshrinking space for dissent.\r\nNetwork Injection, rogue cell towers and NSO\r\nThe lack of transparency around the surveillance industry makes it difficult to know what tools are being used, sold,\r\npurchased and abused, and therefore for victims and watchdogs to seek accountability. Despite this, our research so far has\r\nshed light on how NSO’s technologies have evolved. Until early 2018, NSO Group’s customers were found primarily using\r\nSMS and WhatsApp messages in order to trick targets into opening a malicious link, which would result in exploitation and\r\ninfection of their mobile devices. As we documented in our October 2019 report, Amnesty International first observed\r\nattackers adopting new techniques to more stealthily and effectively deliver the malware. 
Using what we describe as\r\n“network injections”, attackers are now capable of installing the spyware without requiring any interaction by the target.\r\nWhereas previous techniques relied to some extent on tricking the user into taking an action, network injections allow for\r\nthe automatic and invisible redirection of targets’ browsers and apps to malicious sites under the attackers’ control, most\r\nlikely unknown to the victim. These will rapidly leverage software vulnerabilities in order to compromise and infect the\r\ndevice.\r\nThis is only possible where attackers are able to monitor and manipulate the Internet traffic of the target. In both Omar and\r\nMaati’s cases all injections happened while using their LTE/4G mobile connection.\r\nThis type of attack is possible using two techniques: deploying a device commonly referred to as a “rogue cell tower”,\r\n“IMSI Catcher” or “stingray”, or by leveraging access to the mobile operator’s internal infrastructure. It is currently unclear\r\nwhich of these two options have been used against Omar and Maati.\r\nHowever, NSO Group’s network injection capabilities were briefly described in a document named “Pegasus – Product\r\nDescription” – apparently written by NSO Group – that was found in the 2015 leak of the competing Italian spyware vendor,\r\nHacking Team. 
Specifically, in January 2020, Business Insider reported about mobile interception technology NSO Group\r\nexhibited during Milipol, an event and trade show on homeland security held in Paris in November 2019.\r\nPhoto Credit: Becky Peterson/Business Insider\r\nThe picture displays what appears to be a model of rogue cell tower sold by NSO Group – a tool which could be used in one\r\nof the two above-identified techniques to bring about a network injection attack.\r\nThese devices act as portable base stations and impersonate legitimate cellular towers in order to trick phones in the vicinity\r\nto connect to them and enable the attacker to manipulate the intercepted mobile traffic. The rogue cell tower in the picture\r\nseems to be composed of different cards stacked horizontally, likely to allow the operators to intercept over multiple\r\nfrequency bands for GSM, 3G, 4G networks etc. Just as NSO Group simulated for their exhibition booth at Milipol, this\r\nelectronic equipment can be quite small in size and easily transported and hidden on small vehicles.\r\nAlternatively, attackers can similarly intercept and hijack mobile Internet traffic of targeted smartphones if they can leverage\r\naccess to the victim’s mobile operator. In this case, instead of placing a rogue cell tower in the vicinities of the target,\r\nattackers would rely on the existing network infrastructure of the mobile operator in use by the target.\r\nIn sum, previous attacks against HRDs documented by Amnesty in Morocco have raised the possibility of NSO tools being\r\nused in network injection attacks. It is also clear from publicly available information that NSO Group sells network\r\ninjection capabilities. 
Taken together with the technical evidence that we detail in the next section, showing overlaps in\r\ntiming, recovered forensic artifacts and attack infrastructure linked to previous surveillance attacks in Morocco using NSO\r\ntools, this strengthens the evidence linking NSO’s network injection tools to this attack.\r\nOmar Radi targeted with network injections between January 2019 and January 2020\r\nOur previous analysis of Maati Monjib’s phone indicated the execution of malicious software on it from early 2018 until at\r\nleast June 2019. While between 2017 and 2018 he was targeted through SMS messages carrying malicious links tied to NSO\r\nGroup, in our report from October 2019 we described how Maati Monjib’s phone appeared to have been subjected to\r\nmalicious redirects while he was navigating the Internet using the Safari browser. We argued that those redirects were\r\nsymptomatic of network injection attacks which manipulated unencrypted web traffic in order to force Maati Monjib’s\r\nbrowser to visit an exploitation site, located at the domain free247downloads[.]com, without his knowledge.\r\nWhile analysing Omar Radi’s iPhone, we found traces of the same domain. Forensic artefacts that Amnesty International\r\nextracted from the device suggest network injection attacks occurred on 27th January, 11th February, and 13th of September\r\n2019.\r\nIn addition to the same exploitation site, we identified the same evidence of execution of malicious software we recovered\r\nfrom Maati Monjib’s phone in Radi’s too. 
This provides us with additional evidence that the same spyware was used in both\r\ncases, which we believe – based on infrastructure overlaps and characteristics of the links used – to be NSO Group’s\r\nPegasus.\r\nThe following timeline records the key dates linked to NSO Group’s spyware in Morocco. Forensic evidence recovered\r\nfrom both phones shows the links between the different stages of the attacks.\r\nAnd below, a graphic depicting the network injection attack on Omar’s phone observed while he was visiting a website in\r\nclear text (HTTP and not HTTPS):\r\nOn 2nd October 2019, as part of our publication process, we provided NSO Group with an advance copy of our findings\r\nfrom our report “Morocco: Human Rights Defenders Targeted with NSO Group’s Spyware” and gave them an opportunity\r\nto respond to the revelations in the report. According to data collected by the Internet survey service Censys.io, the\r\nattacker-controlled infrastructure associated with subdomains of free247downloads[.]com was shut down by 6th October\r\n2019, after nearly uninterrupted operation since its first appearance a year earlier, just days after we notified NSO of our\r\nfindings but before our publication on 10th October 2019.\r\nAdditionally, our analysis of Omar’s phone revealed traces of similar network injections as recently as 29th January\r\n2020. 
These most recent attempts involved the new, previously undisclosed, domain name urlpush[.]net.\r\nThe domain name urlpush[.]net was only registered on 6th November 2019, several weeks after our previous publication,\r\nsuggesting that our publication may have pushed the attackers to change infrastructure.\r\nIn sum, while the timing is suggestive of a link to NSO, technical details of the attacks, including that both sites redirect to\r\nthe same website, and operate attacks with several matching execution and forensic artefacts, is strong evidence to link NSO\r\nGroup’s tools to the targeted attack on Omar Radi.\r\nWho is behind these attacks?\r\nNSO Group claims that they only sell their products to government agencies. According to their website, “NSO products are\r\nused exclusively by government intelligence and law enforcement agencies to fight crime and terror”.\r\nIn their September 2018 report “Hide and Seek: Tracking NSO Group’s Spyware Operations in 45 Countries” Citizen Lab\r\nidentifies an operator they dubbed “ATLAS” focused on Morocco. Our own research indicates the continued use of the same\r\nmalicious network infrastructure across attacks to be characteristic of a single and same entity behind the use of NSO\r\nGroup’s product in Morocco. In addition, as described earlier, the network injection attacks we have documented in\r\nMorocco require either physical proximity to the targets or leverage over mobile operators in the country which only a\r\ngovernment could authorize. 
Because of this, and the continued targeting of Moroccan human rights defenders, we believe\r\nMoroccan authorities to be responsible.\r\nTherefore, despite the unlawful surveillance of Maati Monjib and Abdessadak El Bouchattaoui that Amnesty\r\nInternational uncovered and documented in October 2019, we conclude that the Moroccan government actively\r\nremained a customer of NSO Group until at least January 2020 and continues to unlawfully target HRDs, such as in\r\nthe case of Omar Radi.\r\nAll this is happening in a context where HRDs in Morocco are increasingly being put under surveillance. The continued\r\nabuse of NSO Group’s tools in the country indicates Moroccan authorities are failing to respect and protect the rights to\r\nfreedom of expression, association, and peaceful assembly.\r\nAdditionally, despite numerous instances of human rights abuse, exporting jurisdictions that grant NSO Group licences have\r\nfailed in their responsibility to protect human rights by not adequately scrutinising and failing to deny export authorization\r\nwhere there is a substantial risk that the export in question could be used to violate human rights.\r\nWe asked NSO Group to respond to the revelations detailed in their report. Their response is included in its entirety in the\r\nAppendix. NSO Group did not confirm or deny whether the Moroccan authorities use their technologies and stated that they\r\nwill review the information submitted. Amnesty International will follow up on their response. 
We also wrote to the\r\nMoroccan government, however did not receive a response.\r\nAdditional details of these attacks are discussed in the Technical Appendix annexed to this report.\r\nNSO Group’s repeated failure to check the abuse of its tools\r\nIn October 2019, in response to our report that NSO Group’s tools were used to unlawfully target HRDs in Morocco, NSO\r\nGroup told Amnesty International in a letter: “Our products are developed to help the intelligence and law enforcement\r\ncommunity save lives. They are not tools to surveil dissidents or human rights activists. That’s why contracts with all of our\r\ncustomers enable the use of our products solely for the legitimate purposes of preventing and investigating crime and\r\nterrorism. If we ever discover that our products were misused in breach of such a contract, we will take appropriate action.”\r\nWe asked NSO Group whether they took any action in response to our previous report including details about investigations,\r\nwhy they did not terminate its contract with Moroccan authorities, and details of any mitigation measures they may have\r\ntaken. NSO Group did not specifically respond to these questions in their response, stating confidentiality reasons.\r\nDespite these assertions, this report provides strong evidence that Omar Radi was unlawfully targeted using NSO Group’s\r\ntools in January 2020. This is after NSO Group became aware of Amnesty International’s first investigation. The company’s\r\ntools are being used in support of Moroccan government’s efforts to persecute people for free expression and clamp down on\r\ndissent.\r\nThis suggests that contrary to its claims, NSO Group has not taken adequate action to stop the use of its tools for unlawful\r\ntargeted surveillance of HRDs in Morocco, despite being aware that this was taking place. 
This indicates that NSO Group\r\nhas failed to conduct adequate human rights due diligence in order to prevent or mitigate harm, and as a result has not met\r\nits responsibility under international standards not to contribute to human rights violations.\r\nIn February 2019, UK-based private equity firm Novalpina Capital supported a management buyout of NSO Group.\r\nNovalpina Capital owns a controlling stake of the company. On 10th September 2019, Novalpina Capital/NSO Group said\r\nthat it would implement a human rights policy and the company would be governed by a ‘Governance, Risk, and\r\nCompliance Committee’. As detailed in this report, merely three days after this announcement, on 13th September 2019,\r\nOmar Radi was targeted. This is further evidence that there is a significant gap between the company’s stated policy and\r\nactual practice.\r\nHow to check for similar attacks on your iPhone\r\nIf you are a Moroccan human rights defender and an iPhone user, you can follow the steps described in the following video\r\nto check for evidence of attacks similar to those described in this report:\r\nHow to protect against network injection attacks\r\nBecause they rely on hijacking your own mobile Internet traffic, in order to be successful the attackers need to inspect the\r\ncontent of the websites you visit. To do so they wait for unencrypted HTTP visits. While many websites by now support\r\ntransport encryption (indicated by links starting with https:// instead of http://), many still don’t.\r\nNetwork injection attacks are difficult to identify because they provide very few visual clues. With other tactics for the\r\ndelivery of the spyware, such as with malicious links sent via alluring SMS messages, someone targeted might be alerted\r\nand avoid clicking. 
A network injection attack instead happens invisibly while regularly navigating the Web.\r\nEquipping your phone with a VPN could help, as it would obfuscate all incoming and outgoing traffic, preventing it from\r\nbeing manipulated. However, picking a good one is important. Many malicious or dubious VPN apps are available on iOS\r\nand Android app stores. Avoid the ones that are free of cost, because they are more likely to monetize the data you generate\r\nand be less respectful of your right to privacy.\r\nMake sure to always keep your device and installed applications up-to-date. Security patches are regularly shipped by the\r\ndevice and software manufacturers. Lagging behind might unnecessarily expose your device even to casual attackers.\r\nRecent reports from security researchers suggest that even advanced attackers increasingly struggle to maintain persistent\r\naccess to a compromised mobile device. If so, a reboot of the device would disable the infection. Therefore, as a precaution,\r\nyou might want to occasionally turn your smartphone off and on again.\r\nConclusion\r\nIn October 2019, we first documented evidence of NSO Group’s tools being used to target two Moroccan HRDs. One of the\r\ntwo HRDs, Maati Monjib, was also targeted using network injection attacks. We suspected that these were also linked to\r\nNSO Group’s tools. In this report, we detail the unlawful targeted surveillance of another Moroccan HRD, Omar Radi,\r\nincluding the strong technical evidence that links NSO Group’s tools to this attack.\r\nThese attacks on HRDs are part of an intensifying clampdown of peaceful dissent in Morocco. 
The continued abuse of NSO\r\nGroup’s tools in the country indicates Moroccan authorities are failing to respect and protect the rights to freedom of\r\nexpression, association, and peaceful assembly.\r\nIn addition, NSO Group’s repeated failure to act on the misuse of its tools by Moroccan authorities, indicates that it has\r\nfailed in its human rights responsibilities to not contribute to human rights violations and failed to conduct adequate human\r\nrights due diligence in order to mitigate harm.\r\nRecommendations\r\nMoroccan authorities and exporting countries should implement a proper human rights regulatory framework that governs\r\nsurveillance. Until such a framework is implemented, a moratorium on the sale, transfer, and use of surveillance equipment\r\nshould be enforced, as recommended by the UN Special Rapporteur for Freedom of Expression issues, David Kaye. This\r\nhuman rights framework, at a minimum, should include:\r\nFor Moroccan Authorities:\r\nDisclose information about all previous, current, or future contracts with private surveillance companies, including\r\nthose with NSO Group.\r\nHalt the unlawful surveillance of journalists and human rights defenders in violation of their rights to privacy and\r\nfreedom of expression.\r\nEnsure the effective implementing and enforcement of article 24 of the Moroccan constitution and the Code of\r\nCriminal Procedure, Chapter 5 to ensure that any digital surveillance is authorised by competent judicial authorities\r\nin advance.\r\nEnsure that public prosecutors and the National Control Commission for the protection of Personal Data (CNDP)\r\nconduct an independent and effective investigation in cases of unlawful targeted digital surveillance.\r\nFor Exporting States:\r\nDeny export authorization where there is a substantial risk that the export in question could be used to violate human\r\nrights.\r\nEnsure that all relevant technologies are scrutinized prior to transfer.\r\nIn addition to this, NSO 
Group and Novalpina Capital should, at a minimum:\r\nUrgently take pro-active steps to ensure that they do not cause or contribute to human rights abuses, and to respond to\r\nany human rights abuses when they do occur. In order to meet that responsibility, NSO Group must carry out\r\nadequate human rights due diligence and take steps to ensure that HRDs in Morocco do not continue to become\r\ntargets of unlawful surveillance.\r\nTerminate or suspend its contract with the Moroccan authorities.\r\nEnsure transparency regarding the volume, nature, value, destination, and end user of surveillance transfers.\r\nAppendix I: NSO Group’s Response\r\n“We have received your letter of 9 June 2020, regarding the alleged targeting of a human rights defender by authorities in\r\nMorocco using our technology. Due to the confidentiality constraints detailed below, we cannot confirm or deny that such\r\nauthorities use our technology. We appreciate your bringing this issue to our attention. Consistent with our Human Rights\r\nPolicy, NSO Group takes seriously its responsibility to respect human rights, and is strongly committed to avoiding causing,\r\ncontributing to, or being directly linked to negative human rights impacts.\r\nWe are deeply troubled by the allegations in your letter, and will immediately review the information therein and initiate an\r\ninvestigation if warranted. While you have provided certain information regarding the alleged misuse, to investigate the\r\nissue thoroughly, we need certain details, such as a phone number, the name of the individual, or a MSISDN (Mobile Station\r\nInternational Subscriber Directory Number) as set out in our public Whistleblowing Policy. Absent that information, our\r\ninquiries will be substantially constrained. 
If you would provide some or all of that information, it would greatly facilitate\r\nour ability to determine whether our products have been used in a manner inconsistent with our policies, any commercial\r\nagreements that may exist, international norms, or applicable domestic laws. In accordance with our policies we shall\r\nmaintain this information in strict confidence and not divulge it other than as required to conduct a thorough investigation.\r\nYour letter also poses several questions regarding any relationship NSO Group might have with Moroccan authorities, and\r\nthe actions we undertook following a report by Amnesty International into alleged misuse of NSO’s products by those\r\nauthorities. While we seek to be as transparent as feasible in response to allegations that our products have been misused,\r\nbecause we develop and license to States and State agencies technologies to assist in combatting terrorism, serious crimes,\r\nand threats to national security, we are obligated to respect state confidentiality concerns and cannot disclose the identities of\r\ncustomers. However, the attached correspondence with UN Special Rapporteur David Kaye contains a fulsome description\r\nof how we address human rights due diligence, measures that we may require in individual customer relationships to\r\nmitigate or prevent the risk of human rights impacts, our investigatory steps when we receive allegations of potential misuse,\r\nand a range of responses when a misuse is identified. We can assure you that we followed this approach with respect to your\r\nprevious report, though due to the aforementioned confidentiality constraints we are unable to provide further details.\r\nWe do hope you will provide us with further details, as noted above, to allow us to investigate the disconcerting allegations\r\ndescribed in your letter.\r\nBest Regards,\r\nChaim Gelfand, Adv. 
Head of Compliance NSO Group”\r\nTechnical Appendix\r\nOmar’s Safari browsing history was purged in early October 2019, eliminating records of earlier Safari redirects using\r\nfree247downloads[.]com. However, additional traces left on the device indicated to us the timings of network injection attacks\r\nagainst him.\r\nForensic evidence of network injection attacks\r\nOn 27th January 2019 a folder was created associated with the domain:\r\nprivate/var/mobile/Containers/Data/Application/4FC7C4F8-602A-4EA0-AF28-3264694AB07B/SystemData/com.apple.SafariViewService/Library/WebKit/WebsiteData/https_skapth05c.get1tn0w.free247downloads.co\r\nInterestingly, this folder acts as storage for Twitter’s mobile app for iOS. The folder name “com.apple.SafariViewService”\r\nrefers to a service of the same name provided by the operating system which allows other apps to leverage Safari’s browser\r\nengine to easily preview websites from within the app. We believe the presence of a “WebsiteData” folder for the malicious\r\nfree247downloads[.]com domain indicates that a network injection attack occurred while Omar Radi was using the Twitter\r\napp and, after clicking on a link that led to an unencrypted HTTP website, an exploitation was attempted on his phone.\r\nOn 11th February 2019 the following folder was created:\r\nprivate/var/mobile/Containers/Data/Application/AE2D9AEB-8935-408D-9499-023635ACA6E7/Library/WebKit/WebsiteData/IndexedDB/https_d9z3sz93x5ueidq3.get1tn0w.free247downloads.com_30897/\r\nThis folder, located inside Safari’s application data storage, contains several empty IndexedDB databases created\r\nsubsequently to a visit to the malicious domain. While this detail was not included in our previous report, our forensics\r\ninvestigation of Maati Monjib’s phone also revealed similar IndexedDB files. 
While we have not managed to recover any\r\nexploit payload, we suspect the creation of these files might be symptomatic of the vulnerabilities used against Omar Radi’s\r\nand Maati Monjib’s phones in 2019.\r\nThis network injection attack and exploitation appear to have been successful, and a few seconds later the following file was\r\nmodified:\r\n/private/var/root/Library/Preferences/com.apple.CrashReporter.plist\r\nOn 13th September 2019 an additional network injection attack succeeded, suspicious processes were executed on the\r\nphone, and the following file was modified:\r\n/private/var/root/Library/Preferences/com.apple.CrashReporter.plist\r\nThe contained value SUAutomaticUpdateV2Enabled was set to false, disabling the auto-update functionality of the phone\r\nand locking it at a vulnerable version.\r\nNameserver is shut down after communicating with NSO Group\r\nThe nameserver associated with the network injection subdomains was located at ns-get1tn0w.free247downloads[.]com\r\nand resolved to the IP address 35.180.42.148. This IP address was assigned to an Amazon Web Service data center located\r\nin France. 
According to Censys data, this host remained operational from October 2018 until it was shut down on October\r\n4th or 5th 2019:\r\n[{\"table\":\"20190929\",\"ports\":[\"53\"],\"tags\":[\"dns\"],\"updated_at\":\"2019-09-29 13:22:40\"}]\r\n[{\"table\":\"20190930\",\"ports\":[\"53\"],\"tags\":[\"dns\"],\"updated_at\":\"2019-09-29 13:22:40\"}]\r\n[{\"table\":\"20191001\",\"ports\":[\"53\"],\"tags\":[\"dns\"],\"updated_at\":\"2019-09-29 13:22:40\"}]\r\n[{\"table\":\"20191002\",\"ports\":[\"53\"],\"tags\":[\"dns\"],\"updated_at\":\"2019-09-29 13:22:40\"}]\r\n[{\"table\":\"20191003\",\"ports\":[\"53\"],\"tags\":[\"dns\"],\"updated_at\":\"2019-10-03 06:47:28\"}]\r\n[{\"table\":\"20191004\",\"ports\":[\"53\"],\"tags\":[\"dns\"],\"updated_at\":\"2019-10-03 06:47:28\"}]\r\n[{\"table\":\"20191005\",\"ports\":[\"53\"],\"tags\":[\"dns\"],\"updated_at\":\"2019-10-03 06:47:28\"}]\r\n[{\"table\":\"20191006\"}]\r\nThe shutdown occurred shortly after we provided advance notice of our findings from our previous report “Morocco:\r\nHuman Rights Defenders Targeted with NSO Group’s Spyware” to NSO Group on 2nd October 2019. 
The report was\r\npublished only on October 10th.\r\nNew Infrastructure is set up after our disclosures\r\nLess than a month after our publication new infrastructure was set up on the domain urlpush[.]net, which we later\r\ndiscovered involved in more recent network injection attacks against Omar Radi.\r\nOn 27th January 2020, while visiting a link to a news site he clicked from the Facebook app, Omar’s browser was hijacked\r\nand finally redirected in under 3 milliseconds to the new exploitation server with the same URL structure as the one we\r\npreviously observed in 2019:\r\nhttps://gnyjv1xltx.info8fvhgl3.urlpush[.]net:30875/zrnv5revj#074196419827987919274001548622738919835556748325946#2\r\nSuspicious of this unusual behavior, Omar Radi promptly took a screenshot of his Safari browser attempting to open the\r\nmalicious site while being connected to the 4G network:\r\nA second network injection and exploitation was attempted on 29th January 2020. This apparently failed, and instead\r\nredirected the browser to the website of a legitimate business based in France. We observed this same website used as a\r\ndecoy in failed attacks against Maati Monjib in 2019.\r\nThe nameserver for the urlpush.net subdomains resolved to the IP address 72.105.81.177. This IP address is assigned to the\r\nhosting provider Linode and is located in Germany.\r\nSource: https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/"
	],
	"report_names": [
		"moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439094,
	"ts_updated_at": 1775791523,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13659462d910c015d3d5aa3c977298d8df56af30.pdf",
		"text": "https://archive.orkl.eu/13659462d910c015d3d5aa3c977298d8df56af30.txt",
		"img": "https://archive.orkl.eu/13659462d910c015d3d5aa3c977298d8df56af30.jpg"
	}
}