{
	"id": "58c08d24-41a8-4939-9f36-d6e38b64a309",
	"created_at": "2026-04-06T00:08:23.418763Z",
	"updated_at": "2026-04-10T03:24:17.037321Z",
	"deleted_at": null,
	"sha1_hash": "260930e2d21b42a71d4e9663ebf35f52c9f20612",
	"title": "Peace through Pegasus: Jordanian Human Rights Defenders and Journalists Hacked with Pegasus Spyware - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 682661,
	"plain_text": "Peace through Pegasus: Jordanian Human Rights Defenders and\r\nJournalists Hacked with Pegasus Spyware - The Citizen Lab\r\nArchived: 2026-04-05 18:12:08 UTC\r\nKey Findings\r\nPhones belonging to four Jordanian human rights defenders, lawyers, and journalists were hacked with\r\nNSO Group’s Pegasus spyware between August 2019 and December 2021.\r\nWe assess that at least two of the four targets were hacked by Pegasus operators primarily focused on\r\nJordan, based on SMS messages containing Pegasus links that map to a cluster of domain names focusing\r\non Jordanian themes.\r\nOne of the targets’ iPhones was successfully hacked on December 5, 2021, showing that NSO Group has\r\nremained active on Apple’s platform even after Apple sued NSO Group and notified Pegasus targets in\r\nNovember 2021.\r\nWe identify two Pegasus operators that we believe are likely agencies of the Jordanian government. The\r\nfirst, which we name MANSAF, has been active since at least December 2018, and the second, which we\r\nname BLACKIRIS, has been active since at least December 2020.\r\nOur findings build on an earlier report from Front Line Defenders, which found that the phone of Hala\r\nAhed Deeb, a Jordanian lawyer and woman human rights defender, was infected with Pegasus.\r\nHuman Rights in Jordan\r\nJordanian human rights defenders (HRDs) work in a generally hostile environment. Since the Arab Spring in\r\n2011, grassroots protests have emerged, reflecting growing discontent with government corruption and wealth\r\ninequality, among other issues. In response, authorities have often arrested activists and curtailed freedoms.\r\nJordan saw a wave of protests in 2011, as part of the Arab Spring. Protests were driven partly by the Hirak, groups\r\nof youth activists not connected with traditional centres of political power in Jordan. Protests flared up again in\r\nJune 2018, galvanised by a government plan to increase taxes and reduce subsidies, as required by the\r\nInternational Monetary Fund (IMF). More than 30 trade unions called a general strike, and protesters occupied the\r\nFourth Circle area of Amman near the Prime Minister’s office. In response, the government temporarily withdrew\r\nthe bill, and re-introduced it in September 2018 with minor changes. When the bill’s final text was published in\r\nthe Official Gazette in December 2018, activists once again held protests in the Fourth Circle that persisted into\r\n2019. In March 2019, Jordanian authorities began a wave of arrests against Hirak members, charging them with\r\n“insulting the King” and “undermining the political regime.”\r\nIn September 2019, Jordan’s largest union, the Jordanian Teachers Syndicate (JTS), announced a strike for higher\r\nwages. The strike shut down most schools in Jordan for a month, and the government was forced to agree to a pay\r\nincrease. However, in April 2020, the government cancelled the pay increase, citing the COVID-19 pandemic.\r\nWhen JTS planned a new wave of protests, the government arrested JTS’ entire board, ordered their offices closed\r\nhttps://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/\r\nPage 1 of 12\n\nfor two years, and issued a gag order preventing public discussion of the case.  Nevertheless, teachers protested\r\nagain in July 2020, and Jordanian security forces responded by arresting around 1000 teachers.\r\nFebruary and March 2022 saw additional crackdowns on activists. Detainees were charged with “spreading false\r\nnews” and “inciting strife.”\r\nHacking of Jordanian Targets\r\nIn January 2022, Front Line Defenders published a report finding that the phone of Hala Ahed Deeb, a Jordanian\r\nlawyer and woman human rights defender, was infected with Pegasus. Following publication, Front Line\r\nDefenders received numerous requests from Jordanian human rights defenders, journalists, and other civil society\r\nactivists to inspect their devices. Front Line Defenders checked more than 60 iPhones in collaboration with the\r\nCitizen Lab, with case referrals from the Jordan Open Source Association. Three of the victims consented to be\r\nidentified (listed below), while one wished to remain anonymous. The results of our forensic analysis were peer\r\nreviewed by Amnesty International’s Security Lab.\r\nVictim: Ahmed Al-Neimat\r\nAhmed Al-Neimat is a human rights defender, an anti-corruption activist, and a member of the Hirak movement.\r\nIn 2019, Al-Neimat was arrested for “insulting the king”. In 2020, Al-Neimat was arrested after he filed a\r\ncomplaint at the National Center for Human Rights (Jordan’s national human rights body), and was only released\r\nafter signing a pledge to never return to the Center. In 2021, Al-Neimat was again arrested after he posted bail for\r\nanother arrested Hirak activist. In February 2022, Al-Neimat was again arrested in a case relating to protests\r\nagainst the situation at Al-Salt State Hospital, where lack of oxygen killed several COVID-19 patients. He is\r\ncurrently in prison as of the publication of this report.\r\nhttps://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/\r\nPage 2 of 12\n\nHacking of Ahmad Al-Neimat\r\nAl-Neimat’s phone logs show that his phone was hacked on or around January 28, 2021 for a period of\r\napproximately two days. The logs indicate that this was a zero-click exploit, likely the FORCEDENTRY exploit.\r\nWe had not previously seen any cases of FORCEDENTRY deployed before February 2021, making this the\r\nearliest suspected FORCEDENTRY case.\r\nVictim: Malik Abu Orabi\r\nMalik Abu Orabi is a human rights lawyer and a member of the National Forum for the Defense of Liberties.\r\nOrabi is one of the lawyers defending the JTS, and is also the lawyer of Al-Neimat.  Orabi was arrested at a\r\nprotest in March 2021, and fined 100 Jordanian dinars (approximately 110 USD) for violating COVID-19\r\nrestrictions. Front Line Defenders has documented Orabi’s case.\r\nhttps://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/\r\nPage 3 of 12\n\nHacking of Malik Abu Orabi\r\nWe identified the following text messages on Orabi’s phone that contain links to Pegasus servers.\r\nWe translate the messages sent to Orabi below:\r\nhttps://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/\r\nPage 4 of 12\n\nSender and\r\nDate\r\nMessage Translation\r\nFrom:\r\nSMSALERT\r\nDate: 22 Sep\r\n2019, 15:32\r\nA letter to the governor without limitations and with a high stakes from\r\nBashar Al-Rawashdeh [a Jordanian political activist] received high\r\nreactions among Hirak and Islamic circles, for details [link]\r\nFrom:\r\nSMSALERT\r\nDate: 29 Sep\r\n2019, 17:10\r\nSalem Al-Falahat and Mr. Peel, a critical statement indicating the\r\npoliticization of the Teachers Syndicate and its wrapping under the cloak of\r\nthe Muslim Brotherhood, for details [link]\r\nFrom: Info\r\nDate: 20 Mar\r\n2020, 12:49\r\nLawyer Malik Abu Orabi and running for the upcoming parliamentary\r\nelection, for details [link]\r\nTable 1\r\nTranslation of Pegasus messages sent to Malik Abu Orabi.\r\nOrabi’s phone was hacked at least 21 times between August 2019 and July 2021 (see Appendix A for a full list of\r\ndates).\r\nVictim: Suhair Jaradat\r\nSuhair Jaradat is a human rights defender and journalist, who won the Al-Hussain Prize for Creativity in\r\nJournalism in 2006 and in 2018. Jaradat serves on the Executive Committee of the International Federation for\r\nJournalists (IFJ), and is an advocate for women’s issues in media.\r\nhttps://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/\r\nPage 5 of 12\n\nHacking of Suhair Jaradat\r\nWe identified the following SMS message on Jaradat’s phone containing a link to the Pegasus spyware:\r\nhttps://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/\r\nPage 6 of 12\n\nWe also identified the following WhatsApp messages on Jaradat’s phone, impersonating a popular anti-government Twitter user in Jordan https://twitter.com/GeneralInspect2:\r\nhttps://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/\r\nPage 7 of 12\n\nWe translate the messages sent to Jaradat below:\r\nSender and Date Message Translation\r\nFrom: Routee\r\nDate: 11 May 2020,\r\n11:20\r\nJaradat is waging war on the rich and the government that sponsors\r\nthem [link]\r\nFrom:\r\n+3197010210453\r\nDate: 4 Jan 2021,\r\n11:32\r\nI would like to present to you my humble account for your evaluation,\r\nas I will direct the account to support the free people and raise the\r\nexisting injustice towards teachers, journalists, and lawyers [link]\r\nFrom:\r\n+3197010210453\r\nDate: 5 Dec 2021,\r\n09:32\r\nGreat article and realistic projections [link]\r\nTable 2\r\nTranslation of Pegasus messages sent to Suhair Jaradat.\r\nJaradat’s iPhone was hacked six times between February and December 2021 (see Appendix A for a full list of\r\ndates).\r\nhttps://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/\r\nPage 8 of 12\n\nVictim: WHRD and Journalist A\r\nWHRD and Journalist A is a Jordanian Woman Human Rights Defender (WHRD) and journalist, who has\r\nchosen to remain anonymous due to the risks that she faces. Her phone was hacked at least twice, once on or\r\naround 2021-10-03, and once on or around 2021-10-05.\r\nSpyware in Jordan\r\nThe Jordanian Government appears to have used spyware for a number of years, including FinFisher spyware,\r\nwhich the Citizen Lab detected in December 2014. However, no civil society targets of FinFisher spyware in\r\nJordan have been publicly identified.\r\nSuspected Jordanian Use of Pegasus\r\nBased on our Internet scanning and monitoring of NSO Pegasus servers at the Citizen Lab, we believe that there\r\nare two Pegasus customers that are primarily focused on spying in Jordan.\r\nOne of the customers, which we name MANSAF, appears to be spying primarily in Jordan, with limited\r\nadditional operations in Iraq, Lebanon, and Saudi Arabia. We believe that MANSAF has been operating since\r\nDecember 2018.\r\nThe other customer, which we name BLACKIRIS, appears to be spying almost exclusively in Jordan, and has\r\nbeen active since at least December 2020. An April 2021 report in Axios mentioned negotiations between NSO\r\nGroup and Jordanian authorities “in recent months,” with one source mentioning a contract had been signed.\r\nTargets in This Case\r\nBoth Jaradat and Orabi received text messages (Figures 3, 5, 6) that included links to Pegasus websites. The\r\nwebsites matched our Internet scanning for Pegasus servers, and appear to all have been registered by Dreamhost.\r\nThis is noteworthy as we have typically observed different Pegasus customers’ infrastructure set up with different\r\nhosting providers.\r\nWe provide a list of all Dreamhost websites that we detected in scanning below. We redact several names given\r\nthat they contain themes suggestive of targeting terrorist groups:\r\nDomain Name What is it?\r\nakhbar-almasdar[.]com  \r\nakhbar-islamyah[.]com  \r\nakhbarnew[.]com  \r\nal-nusr[.]net  \r\nal-taleanewsonline[.]net May impersonate Jordanian news website al-taleanews[.]net\r\nhttps://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/\r\nPage 9 of 12\n\nDomain Name What is it?\r\nal7erak247[.]com May be a reference to the Jordanian Hirak movement\r\nalrainew[.]com May impersonate Jordanian news website alrai[.]com\r\narabia-islamion[.]com  \r\ncozmo-store[.]net May impersonate Jordanian retailer Cozmo\r\nkhilafah-islamic[.]com  \r\nlogin-service[.]net  \r\nmangoutlet[.]net\r\nMay be a reference to Mango, a Spanish clothing retailer with\r\nstores in dozens of countries around the world\r\nmobiles-security[.]net  \r\nrss-me[.]com  \r\ntalabatt[.]net\r\nMay impersonate Talabat food delivery service that operates in the\r\nMiddle East\r\nunsubscribe-now[.]net  \r\nwww.al7eraknews[.]com May be a reference to the Jordanian Hirak movement\r\nwww.hona-alrabe3[.]com\r\nMay be a reference to the Fourth Circle (الرابع الدوار (area of Amman,\r\nwhich is near Jordan’s Prime Ministry, and is often a focal point of\r\nprotests\r\nTable 3\r\nPegasus websites hosted on Dreamhost detected in Internet scanning.\r\nWhile we cannot directly connect these names to any specific Pegasus operator (because of the way the domain\r\nnames are set up), we do believe that this cluster of domains shows a focus indicative of Jordan.\r\nConclusion\r\nIn this report, we find once again that a government client of NSO Group has used Pegasus to spy on civil society\r\ntargets that are neither terrorists nor criminals. This case adds to the large number of other cases of abuse of\r\nPegasus worldwide, which amount to an indisputable indictment against NSO Group, and its ownership, for their\r\ninability or unwillingness to put in place even the most basic human rights-respecting safeguards. The fact that the\r\ntargeting we uncovered happened after the widespread publicity around Apple’s lawsuit and notifications to\r\nvictims is especially remarkable; a firm that truly respected such concerns would have at least paused operations\r\nfor government clients, like Jordan, that have a widely publicised track record of human rights concerns and had\r\nenacted emergency powers giving authorities widespread latitude to infringe on civil liberties.\r\nhttps://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/\r\nPage 10 of 12\n\nGender Dimensions of Online Surveillance \r\nThe targeting of women HRDs merits special attention. Our research, and that of a growing number of others, has\r\ndocumented a disturbing rise in gender-based digital repression practices. Pegasus mercenary spyware guarantees\r\nthe state’s clients to have full control over the infected devices’ camera, microphone, emails, applications, text\r\nmessages, call logs, and to obtain unlimited amounts of the targets’ data. In the case of female targets, the risk is\r\nhigher. It is seriously concerning that private chats, private photographs, and other personal data may have been\r\nexfiltrated from the female targets’ devices.\r\nWomen are also disproportionately vulnerable to online harms, blackmail, and digitally-related acts of violence or\r\ntechnology-facilitated gender-based violence, especially in patriarchal societies and in countries with\r\ndiscriminatory practices and laws against women. In conservative countries like Jordan, women are also\r\nfrequently the subject of “family honour” and “honour crimes,” which are rendered immune by state regulations\r\nand practices. There are multifold and severe impacts on female activists and journalists who experience device\r\nhacking, such as blackmail and harassment, judicial consequences, social impacts, physical or emotional harm, the\r\nundermining of freedom of expression, self censorship, loss of employment, and a negative impact on self-worth\r\nand dignity. Moreover, such attacks are not isolated to the victims themselves; they can impact the lives of\r\nvulnerable people in their communities who journalists and activists document and on whose behalf they\r\nundertake advocacy. As Lama Fakih, director of Middle East and North Africa at Human Rights Watch, who was\r\nalso targeted with Pegasus, pointed out: “My first thought when I found out I was targeted was ‘How does this\r\nimpact the people I am advocating for in my network?” According to sociologist Sarah Sobieraj, “[e]ntering and\r\nusing digital publics to share work, ideas, opinions, and experiences often comes at a great cost for women” who\r\n“bear the brunt of digital hate.”\r\nAs Access Now and Front Line Defenders noted in a previous report regarding the targeting of women HRDs in\r\nBahrain and Jordan with Pegasus spyware, the impacts for women are particularly severe, causing women to “live\r\nin a perpetual state of fear, become socially isolated and restricted in their social lives, work, and activism.” Our\r\nlatest report adds yet another troubling indicator to the NSO Group file and to the deeply harmful impact that the\r\nuse of Pegasus spyware has on women activists. The fact that Jaradat and WHRD / Journalist A are also both\r\nwomen journalists compounds and amplifies these concerns. There can be no doubt that NSO Group has become\r\none of the world’s leading purveyors of these harms, and its continued use will invariably contribute to further\r\ndiscrimimation against women and marginalized groups. Going forward, further research into the impact of digital\r\nrepression on women HRDs in the Global South is critical. Amplifying the voices of women in the Global South\r\ntargeted by Pegasus spyware, as well as other forms of digital repression, is important to showing how severe the\r\nimpacts of digital repression are—particularly in regions where human rights are routinely disregarded—and\r\nbringing accountability to an industry running wild.\r\nAcknowledgements\r\nThanks to a contributor who wishes to remain anonymous.  Thanks to the Jordan Open Source Association\r\n(JOSA) for case referrals.  Thanks to Amnesty International’s Security Lab for peer review. Thanks to John Scott-Railton, Adam Senft, and Miles Kenyon for review and assistance.\r\nAppendix A\r\nhttps://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/\r\nPage 11 of 12\n\nDates of Hacking of Ahmed Al-Neimat:\r\nOn or around 2021-01-28\r\nDates of Hacking of Malik Abu Orabi:\r\n On or around 2019-08-25\r\n On or around 2019-08-26\r\n On or around 2019-09-05\r\n On or around 2020-03-20\r\n On or around 2021-03-16\r\n On or around 2021-03-17\r\n On or around 2021-03-20\r\n On or around 2021-03-24\r\n On or around 2021-04-16\r\n On or around 2021-04-22\r\n On or around 2021-04-25\r\n On or around 2021-04-28\r\n On or around 2021-05-02\r\n On or around 2021-05-06\r\n On or around 2021-05-20\r\n On or around 2021-06-06\r\n On or around 2021-06-11\r\n On or around 2021-06-27\r\n On or around 2021-07-01\r\n On or around 2021-07-04\r\n On or around 2021-07-09\r\nDates of Hacking of Suhair Jaradat:\r\nOn or around 2021-02-08\r\nOn or around 2021-02-21\r\nOn or around 2021-04-09\r\nOn or around 2021-06-07\r\nOn or around 2021-07-17\r\nOn or around 2021-12-05\r\nDates of Hacking of WHRD and Journalist A:\r\nOn or around 2021-10-03\r\nOn or around 2021-10-05\r\nSource: https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/\r\nhttps://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/"
	],
	"report_names": [
		"peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434103,
	"ts_updated_at": 1775791457,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/260930e2d21b42a71d4e9663ebf35f52c9f20612.pdf",
		"text": "https://archive.orkl.eu/260930e2d21b42a71d4e9663ebf35f52c9f20612.txt",
		"img": "https://archive.orkl.eu/260930e2d21b42a71d4e9663ebf35f52c9f20612.jpg"
	}
}