{
	"id": "fecb03e7-cea9-43bb-987f-0e8d9b6912b0",
	"created_at": "2026-04-06T00:16:39.927558Z",
	"updated_at": "2026-04-10T03:35:29.174879Z",
	"deleted_at": null,
	"sha1_hash": "1e1aebfcdcb238734dbd156e2c0217d0403e7ad9",
	"title": "Spyware attack targeted Spanish prime minister’s phone",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66249,
	"plain_text": "Spyware attack targeted Spanish prime minister’s phone\r\nBy Emma Vail\r\nPublished: 2023-01-12 · Archived: 2026-04-05 18:20:34 UTC\r\nMobile phones used by Spain’s Prime Minister Pedro Sanchez and Defense Minister Margarita Robles were\r\ninfected with Pegasus spyware, a well-known surveillance tool made by Israel’s NSO Group, government officials\r\nsaid in a press conference on Monday.\r\nFélix Bolaños, the minister for the presidency, confirmed that the spyware infiltrated the prime minister’s phone in\r\nMay 2021 while the defense minister’s phone was targeted in June 2021. Data was successfully extracted from the\r\nphones in a breach that Bolaños called “illegal and external” and “alien”, as there was no prior governmental\r\nauthorization. \r\nA spokesperson for NSO Group told The Record that the company is “not familiar with the details of this specific\r\ncase,” but that using cyber tools to monitor politicians would be a “severe misuse” of the technology.\r\n“We have committed before that we will investigate any suspicion of misuse, and will cooperate and assist with\r\nany governmental investigation of these issues,” the spokesperson said. “NSO is a software provider, the company\r\ndoes not operate the technology nor is privy to the collected data. The company does not and cannot know who\r\nthe targets of its customers are, yet implements measures to ensure that these systems are used solely for the\r\nauthorized uses.”\r\nPegasus spyware vigorously surveils the phone of intended targets by gaining access to calls, messages, media,\r\nemails, microphones, and cameras. NSO Group, which has been sued by tech giants and effectively blacklisted by\r\nthe Biden administration, advertises the software as a means for governments to monitor criminal activity and\r\nterrorism, but has been criticized for its links to human rights violations. \r\nNSO Group’s spyware has been flagged by various governments and human rights organizations over the years\r\nlargely due to its ties in targeting dissidents, journalists, activists, and government officials. The U.S. Department\r\nof Commerce added NSO Group to their entity list for malicious cyber activities in November 2021. “These tools\r\nhave also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian\r\ngovernments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent,”\r\nthe department’s Bureau of Industry and Security said.\r\nIn March, the European Parliament created a new committee to investigate the use of Pegasus spyware in various\r\nbreaches conducted by an array of countries including Poland and Hungary, while also focusing on reviewing\r\nsurveillance law.\r\nPrior to the recent attack, Citizen Lab published research last month displaying 65 instances of spyware used to\r\ntarget European Parliament officials and Catalan Presidents, legislators, jurists, and members of civil society\r\norganizations — 63 of them used Pegasus spyware. Catalonia is an autonomous community of Spain. Catalan\r\nhttps://therecord.media/spyware-attack-targeted-spanish-prime-ministers-phone/\r\nPage 1 of 2\n\npresident Pere Aragonès, whose phone was among those infected with the spyware,  addressed the previous\r\nespionage in a tweet.\r\nThe massive surveillance operation against the Catalan pro-independence movement is shameful and\r\nunjustifiable. It is a very serious attack on democracy and fundamental rights. Another example of\r\nrepression against a peaceful and civic movement. We will take all necessary steps.\r\n— Pere Aragonès i Garcia (@perearagones) April 18, 2022\r\nOfficials are still investigating whether or not the phones of other government employees have been infected in\r\nthe recent hack. According to Bolaños, the national court will be handling the investigation.\r\nEmma Vail\r\nEmma Vail is an editorial intern for The Record. She is currently studying anthropology and women, gender, and\r\nsexuality at Northeastern University. After creating her own blog in 2018, she decided to pursue journalism and\r\nfurther her experience by joining the team.\r\nSource: https://therecord.media/spyware-attack-targeted-spanish-prime-ministers-phone/\r\nhttps://therecord.media/spyware-attack-targeted-spanish-prime-ministers-phone/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/spyware-attack-targeted-spanish-prime-ministers-phone/"
	],
	"report_names": [
		"spyware-attack-targeted-spanish-prime-ministers-phone"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434599,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e1aebfcdcb238734dbd156e2c0217d0403e7ad9.pdf",
		"text": "https://archive.orkl.eu/1e1aebfcdcb238734dbd156e2c0217d0403e7ad9.txt",
		"img": "https://archive.orkl.eu/1e1aebfcdcb238734dbd156e2c0217d0403e7ad9.jpg"
	}
}