{
	"id": "4f2f77a4-2c35-48ec-8974-e9aa5120ecbb",
	"created_at": "2026-04-06T00:17:18.721816Z",
	"updated_at": "2026-04-10T13:13:02.827675Z",
	"deleted_at": null,
	"sha1_hash": "40ab002e9b537d70074e1670e13274caf9c445e7",
	"title": "Chrysaor (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 139268,
	"plain_text": "Chrysaor (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 12:35:15 UTC\r\nThere is no description at this point.\r\n2024-03-25 ⋅ iVerify ⋅\r\nClipping Wings: Our Analysis of a Pegasus Spyware Sample\r\nChrysaor 2023-03-07 ⋅ The Record ⋅ Dina Temple-Raston, Will Jarvis\r\nInternal documents show Mexican army used spyware against civilians, set up secret military intelligence unit\r\nChrysaor Guacamaya 2022-10-31 ⋅ Cyber Geeks ⋅ Vlad Pasca\r\nA Technical Analysis of Pegasus for Android - Part 3\r\nChrysaor 2022-09-27 ⋅ Cyber Geeks ⋅ Vlad Pasca\r\nA technical analysis of Pegasus for Android – Part 2\r\nChrysaor 2022-08-29 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV\r\nA Technical Analysis of Pegasus for Android – Part 1\r\nChrysaor 2022-08-10 ⋅ ⋅ Cybersecurity Trends ⋅ Costin Raiu\r\n“Pegasus”, the spyware for smartphones. How does it work and how can you protect yourself?\r\nChrysaor 2022-05-22 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nGoogle: Predator spyware infected Android devices using zero-days\r\nAlien Chrysaor 2022-04-18 ⋅ CitizenLab ⋅ Bahr Abdul Razzak, Bill Marczak, Elies Campo, Gözde Böcü, John Scott-Railton, Ron\r\nDeibert, Salvatore Solimano, Siena Anstis\r\nCatalanGate Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru\r\nChrysaor Caramel Tsunami 2022-04-05 ⋅ CitizenLab ⋅ Bill Marczak, CitizenLab, Front Line Defenders, Mohammed Al-Maskati,\r\nRon Deibert, Siena Anstis\r\nPeace through Pegasus Jordanian Human Rights Defenders and Journalists Hacked with Pegasus Spyware\r\nChrysaor 2022-02-18 ⋅ Reuters ⋅ Christopher Bing, Joel Schectman\r\nHow a Saudi woman's iPhone revealed hacking around the world\r\nChrysaor 2022-01-12 ⋅ LIFARS\r\nForensics Analysis of the NSO Group’s Pegasus Spyware\r\nChrysaor 2021-12-29 ⋅ Palo Alto Networks Unit 42 ⋅ Daiping Liu, Jielong Xu, Wanjin Li, Zhanhao Chen\r\nStrategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends\r\nChrysaor SUNBURST 
2021-12-16 ⋅ CitizenLab ⋅ Bahr Abdul Razzak, Bill Marczak, John Scott-Railton, Kristin Berdan, Noura Al-Jizawi, Ron Deibert, Siena Anstis\r\nPegasus vs. Predator: Dissident's Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware\r\nChrysaor Caramel Tsunami 2021-11-17 ⋅ ⋅ Investigative reporting project Italy ⋅ Lorenzo Bagnoli, Riccardo Coluccini\r\nSorveglianza: l’azienda italiana che vuole sfidare i colossi NSO e Palantir\r\nChrysaor 2021-11-08 ⋅ CitizenLab ⋅ CitizenLab\r\nDevices of Palestinian Human Rights Defenders Hacked with NSO Group’s Pegasus Spyware\r\nChrysaor 2021-10-26 ⋅ cyjax ⋅ william thomas\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor\r\nPage 1 of 4\n\nMercenary APTs – An Exploration\r\nChrysaor 2021-10-24 ⋅ CitizenLab ⋅ Bahr Abdul Razzak, Bill Marczak, John Scott-Railton, Ron Deibert, Siena Anstis\r\nBreaking the News New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous\r\nHacking Attempts\r\nChrysaor 2021-09-16 ⋅ Objective-See ⋅ Tom McGuire\r\nAnalysis of CVE-2021-30860 the flaw and fix of a zero-click vulnerability, exploited in the wild\r\nChrysaor 2021-09-15 ⋅ Trend Micro ⋅ Mickey Jin\r\nAnalyzing The ForcedEntry Zero-Click iPhone Exploit Used By Pegasus (CVE-2021-30860)\r\nChrysaor 2021-09-14 ⋅ ZecOps ⋅ ZecOps Research Team\r\nThe Recent iOS 0-Click, CVE-2021-30860, Sounds Familiar. 
An Unreleased Write-up: One Year Later\r\nChrysaor 2021-08-24 ⋅ CitizenLab ⋅ Ali Abdulemam, Bill Marczak, John Scott-Railton, Kristin Berdan, Noura Al-Jizawi, Ron Deibert,\r\nSiena Anstis\r\nFrom Pearl to Pegasus Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits\r\nChrysaor 2021-08-17 ⋅ Trend Micro ⋅ Daniel Lunghi\r\nConfucius Uses Pegasus Spyware-related Lures to Target Pakistani Military\r\nChrysaor Confucius 2021-08-04 ⋅ Zero Day ⋅ Kim Zetter\r\nPegasus Spyware: How It Works and What It Collects\r\nChrysaor 2021-08-03 ⋅ nex.sx ⋅ Claudio Guarnieri\r\nThe Pegasus Project\r\nChrysaor 2021-07-26 ⋅ The Wire ⋅ Kabir Agarwal, Sangeeta Barooah Pisharoty\r\nFrom Army and BSF to RAW, Spyware Threat Touched National Security Field Too\r\nChrysaor 2021-07-25 ⋅ Arkadiy Tetelman A Security Blog ⋅ Arkadiy Tetelman\r\nScanning your iPhone for Pegasus, NSO Group's malware\r\nChrysaor 2021-07-22 ⋅ Twitter (@HackSysTeam) ⋅ HackSys Team\r\nTweet on analysis of Pegasus\r\nChrysaor 2021-07-20 ⋅ Twitter (@alexanderjaeger) ⋅ alexander jaeger\r\nTweet on timesketch timeline for Pegasus related activities\r\nChrysaor 2021-07-20 ⋅ Threatpost ⋅ Tara Seals\r\nResearchers: NSO Group’s Pegasus Spyware Should Spark Bans, Apple Accountability\r\nChrysaor 2021-07-19 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\niPhones running latest iOS hacked to deploy NSO Group spyware\r\nChrysaor 2021-07-19 ⋅ Vice ⋅ Joseph Cox\r\nAmazon Shuts Down NSO Group Infrastructure\r\nChrysaor 2021-07-19 ⋅ Washington Post ⋅ Craig Timberg, Elodie Guéguen, Reed Albergotti\r\nDespite the hype, iPhone security no match for NSO spyware\r\nChrysaor 2021-07-19 ⋅ Washington Post ⋅ Joanna Slater, Niha Masih\r\nThe spyware is sold to governments to fight terrorism. 
In India, it was used to hack journalists and others.\r\nChrysaor 2021-07-18 ⋅ Github (AmnestyTech) ⋅ Amnesty International\r\nNSO Group Pegasus Indicator of Compromise\r\nChrysaor 2021-07-18 ⋅ Amnesty International ⋅ Amnesty International\r\nForensic Methodology Report: How to catch NSO Group’s Pegasus\r\nChrysaor 2021-07-18 ⋅ Amnesty International ⋅ Amnesty International\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor\r\nPage 2 of 4\n\nForensic Methodology Report: Pegasus Forensic Traces per Target\r\nChrysaor 2021-07-18 ⋅ CitizenLab ⋅ Bill Marczak, John Scott-Railton, Ron Deibert, Siena Anstis\r\nIndependent Peer Review of Amnesty International’s Forensic Methods for Identifying Pegasus Spyware\r\nChrysaor 2021-07-18 ⋅ Washington Post ⋅ Craig Timberg, Dana Priest, Souad Mekhennet\r\nPrivate spy software sold by NSO Group found on cellphones worldwide\r\nChrysaor 2021-07-18 ⋅ Washington Post ⋅ Washington Post Staff\r\nTakeaways from the Pegasus Project\r\nChrysaor 2021-07-18 ⋅ Washington Post ⋅ Arthur Bouvart, Dana Priest, Souad Mekhennet\r\nJamal Khashoggi’s wife targeted with spyware before his death\r\nChrysaor 2021-07-18 ⋅ Washington Post ⋅ Craig Timberg, Drew Harwell\r\nNSO Group vows to investigate potential spyware abuse following Pegasus Project investigation\r\nChrysaor 2021-07-18 ⋅ forbidden stories ⋅ Phineas Rueckert\r\nPegasus: The new global weapon for silencing journalists\r\nChrysaor 2021-07-18 ⋅ forbidden stories ⋅ Laurent Richard, Sandrine Rigaud\r\nThe Pegasus Project: A Worldwide Collaboration to Counter a Global Crime\r\nChrysaor 2021-07-18 ⋅ forbidden stories ⋅ forbidden stories\r\nAbout The Pegasus Project\r\nChrysaor 2021-07-18 ⋅ The Wire ⋅ Sukanya Shantha\r\nDigital Forensics Show S.A.R. 
Geelani’s Phone Was Hacked, Likely With Zero-Click Exploit\r\nChrysaor 2021-07-18 ⋅ The Wire ⋅ Siddharth Varadarajan\r\nPegasus Project: How Phones of Journalists, Ministers, Activists May Have Been Used to Spy On Them\r\nChrysaor 2021-07-18 ⋅ The Wire ⋅ The Wire\r\nThe Wire's coverage on Pegasus Project\r\nChrysaor 2021-07-18 ⋅ The Guardian ⋅ David Pegg, Michael Safi, Nina Lakhani, Paul Lewis, Sam Cutler, Stephanie Kirchgaessner\r\nRevealed: leak uncovers global abuse of cyber-surveillance weapon\r\nChrysaor 2021-07-18 ⋅ The Guardian ⋅ Stephanie Kirchgaessner\r\nSaudis behind NSO spyware attack on Jamal Khashoggi’s family, leak suggests\r\nChrysaor 2021-07-18 ⋅ The Guardian ⋅ Nina Lakhani\r\nRevealed: murdered journalist’s number selected by Mexican NSO client\r\nChrysaor 2021-07-18 ⋅ The Guardian ⋅ Shaun Walker\r\nViktor Orbán using NSO spyware in assault on media, data suggests\r\nChrysaor 2021-07-18 ⋅ The Guardian ⋅ The Guardian\r\nThe Guardian's coverage on Pegasus Project\r\nChrysaor 2021-07-18 ⋅ The Wire ⋅ Anuj Srivas, Kabir Agarwal\r\nSnoop List Has 40 Indian Journalists, Forensic Tests Confirm Presence of Pegasus Spyware on Some\r\nChrysaor 2021-07-18 ⋅ Twitter (@billmarczak) ⋅ Bill Marczak\r\nTwitter thread with a couple of interesting bits from AmnestyTech's new report on Pegasus\r\nChrysaor 2021-07-18 ⋅ ⋅ Lemonde ⋅ Damien Leloup\r\nFrom Rabat to Paris, Morocco does not let go of journalists\r\nChrysaor 2021-07-18 ⋅ Amnesty International ⋅ Amnesty International\r\nMassive data leak reveals Israeli NSO Group's spyware used to target activists, journalists, and political leaders\r\nglobally\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor\r\nPage 3 of 4\n\nChrysaor 2020-12-20 ⋅ CitizenLab ⋅ Bill Marczak, John Scott-Railton, Noura Al-Jizawi, Ron Deibert, Siena Anstis\r\nThe Great iPwn Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit\r\nChrysaor 2020-12-15 ⋅ Google Project Zero ⋅ Ian Beer, Samuel Groß\r\nA deep dive 
into an NSO zero-click iMessage exploit: Remote Code Execution\r\nChrysaor 2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center\r\nAPT Report 2019\r\nChrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus\r\nBONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike\r\nDacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS\r\nHOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax\r\nMiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot\r\nVolgmer X-Agent Zebrocy 2020-01-28 ⋅ CitizenLab ⋅ Bill Marczak, John Scott-Railton, Masashi Crete-Nishihata, Ron Deibert,\r\nSiena Anstis\r\nStopping the Press: New York Times Journalist Targeted by Saudi-linked Pegasus Spyware Operator\r\nChrysaor 2018-09-18 ⋅ The Citizenlab ⋅ Bahr Abdul Razzak, Bill Marczak, John Scott-Railton, Ron Deibert, Sarah McKune\r\nHide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries\r\nChrysaor 2017-04-03 ⋅ Google ⋅ Jason Woloz, Ken Bodzak, Megan Ruthven, Neel Mehta, Rich Cannings, Wentao Chang\r\nAn investigation of Chrysaor Malware on Android\r\nChrysaor 2017-04-03 ⋅ Google ⋅ Jason Woloz, Ken Bodzak, Megan Ruthven, Neel Mehta, Rich Cannings, Wentao Chang\r\nAn Investigation of Chrysaor Malware on Android\r\nChrysaor 2017-04-01 ⋅ Lookout ⋅ Lookout\r\nPegasus for Android: Technical Analysis and Findings of Chrysaor\r\nChrysaor 2016-12-27 ⋅ CCC ⋅ Max Bazally\r\nPegasus internals: Technical Teardown of the Pegasus malware and Trident exploit chain\r\nChrysaor\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor"
	],
	"report_names": [
		"apk.chrysaor"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae7c5e09-a79b-4dae-8ed3-f288b8d99810",
			"created_at": "2023-11-08T02:00:07.110982Z",
			"updated_at": "2026-04-10T02:00:03.416181Z",
			"deleted_at": null,
			"main_name": "Guacamaya",
			"aliases": [],
			"source_name": "MISPGALAXY:Guacamaya",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "38f8da87-b4ba-474b-83e6-5b04d8fb384b",
			"created_at": "2024-02-02T02:00:04.032871Z",
			"updated_at": "2026-04-10T02:00:03.532955Z",
			"deleted_at": null,
			"main_name": "Caramel Tsunami",
			"aliases": [
				"SOURGUM",
				"Candiru"
			],
			"source_name": "MISPGALAXY:Caramel Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434638,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40ab002e9b537d70074e1670e13274caf9c445e7.pdf",
		"text": "https://archive.orkl.eu/40ab002e9b537d70074e1670e13274caf9c445e7.txt",
		"img": "https://archive.orkl.eu/40ab002e9b537d70074e1670e13274caf9c445e7.jpg"
	}
}