{
	"id": "5c1f39db-9f41-444f-a5bb-85fd11d1a8b9",
	"created_at": "2026-04-06T00:14:40.508675Z",
	"updated_at": "2026-04-10T13:12:16.973865Z",
	"deleted_at": null,
	"sha1_hash": "420682d35b6cfe9bf4903603b3bde47bd25d8bfe",
	"title": "FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 179939,
	"plain_text": "FORCEDENTRY: NSO Group iMessage Zero-Click Exploit\r\nCaptured in the Wild - The Citizen Lab\r\nArchived: 2026-04-05 18:33:29 UTC\r\nContents\r\nKey Findings\r\nDiscovery\r\nAttribution to NSO Group\r\nPrevious NSO Zero-Click Exploits\r\nConclusion\r\nAcknowledgements\r\nKey Findings\r\nWhile analyzing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware, we discovered\r\na zero-day zero-click exploit against iMessage. The exploit, which we call FORCEDENTRY, targets\r\nApple’s image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices.\r\nWe determined that the mercenary spyware company NSO Group used the vulnerability to remotely\r\nexploit and infect the latest Apple devices with the Pegasus spyware. We believe that FORCEDENTRY has\r\nbeen in use since at least February 2021.\r\nThe Citizen Lab disclosed the vulnerability and code to Apple, which has assigned the\r\nFORCEDENTRY vulnerability CVE-2021-30860 and describes the vulnerability as “processing a\r\nmaliciously crafted PDF may lead to arbitrary code execution.”\r\nToday, September 13, 2021, Apple is releasing an update that patches CVE-2021-30860. We urge readers\r\nto immediately update all Apple devices.\r\nDevices affected by CVE-2021-30860 per Apple:\r\nAll iPhones with iOS versions prior to 14.8, All Mac computers with operating system versions prior to OSX Big\r\nSur 11.6, Security Update 2021-005 Catalina, and all Apple Watches prior to watchOS 7.6.2.\r\nDiscovery\r\nIn March 2021, we examined the phone of a Saudi activist who has chosen to remain anonymous, and determined\r\nthat they had been hacked with NSO Group’s Pegasus spyware. During the course of the analysis we obtained an\r\niTunes backup of the device.\r\nhttps://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/\r\nPage 1 of 4\n\nRecent re-analysis of the backup yielded several files with the “.gif” extension in Library/SMS/Attachments that\r\nwe determined were sent to the phone immediately before it was hacked with NSO Group’s Pegasus spyware.\r\nPayload\r\nThe files were:\r\n27 copies of an identical file with the “.gif” extension. Despite the extension, the file was actually a 748-byte Adobe PSD file. Each copy of this file caused an IMTranscoderAgent crash on the device. These files\r\neach had random-looking ten-character filenames.\r\nFour different files with the “.gif” extension that were actually Adobe PDF files containing a JBIG2-encoded stream. Two of these files had 34-character names, and two had 97-character names.\r\nThe output of the pdfid tool on these four “.gif” files was (NB: the stream had varying length):\r\nPDF Comment '%PDF-1.3\\n\\n'\r\nobj 1 0\r\n Type: /XRef\r\n Referencing:\r\n Contains stream\r\n \u003c\u003c /Type /XRef /Size 9 /W [1 3 1] /Length ... /Filter [/FlateDecode /FlateDecode /JBIG2Decode] /DecodeParms \u003e\u003e\r\ntrailer\r\n \u003c\u003c /Size 2 \u003e\u003e\r\nstartxref 10\r\nPDF Comment '%%EOF\\n'\r\nDiscovery and Disclosure\r\nBecause the format of the files matched two types of crashes we had observed on another phone when it was\r\nhacked with Pegasus, we suspected that the “.gif” files might contain parts of what we are calling the\r\nFORCEDENTRY exploit chain.\r\nCitizen Lab forwarded the artifacts to Apple on Tuesday, September 7. On Monday, September 13, Apple\r\nconfirmed that the files included a zero-day exploit against iOS and MacOS. They designated the\r\nFORCEDENTRY exploit CVE-2021-30860, and describe it as “processing a maliciously crafted PDF may lead to\r\narbitrary code execution.”\r\nThe exploit works by exploiting an integer overflow vulnerability in Apple’s image rendering library\r\n(CoreGraphics). We are publishing limited technical information about CVE-2021-30860 at this time.\r\nAttribution to NSO Group\r\nWe observed multiple distinctive elements that allowed us to make a high-confidence attribution to NSO Group:\r\nThe spyware installed by the FORCEDENTRY exploit exhibited a forensic artifact that we call\r\nCASCADEFAIL, which is a bug whereby evidence is incompletely deleted from the phone’s\r\nDataUsage.sqlite file. In CASCADEFAIL, an entry from the file’s ZPROCESS table is deleted, but not\r\nentries in the ZLIVEUSAGE table that refer to the deleted ZPROCESS entry. We have only ever seen this\r\ntype of incomplete deletion associated with NSO Group’s Pegasus spyware, and we believe that the bug is\r\ndistinctive enough to point back to NSO. The specific CASCADEFAIL artifact can be detected by\r\nSELECT \"CASCADEFAIL\" FROM ZLIVEUSAGE WHERE ZLIVEUSAGE.ZHASPROCESS NOT IN (SELECT Z_PK FROM ZPROCESS);\r\nThe spyware installed by the FORCEDENTRY exploit used multiple process names, including the name\r\n“setframed”. That process name was used in an attack with NSO Group’s Pegasus spyware on an Al\r\nJazeera journalist in July 2020. Notably, we did not publish that detail at the time.\r\nPrevious NSO Zero-Click Exploits\r\nFORCEDENTRY is the latest in a string of zero-click exploits linked to NSO Group. In 2019, WhatsApp fixed\r\nCVE-2019-3568, a zero-click vulnerability in WhatsApp calling that NSO Group used against more than 1400\r\nphones in a two-week period during which it was observed, and in 2020, NSO Group employed the KISMET\r\nzero-click iMessage exploit.\r\nTo our knowledge, the KISMET vulnerability was never publicly identified, though we suspect that the underlying\r\nvulnerability (if it still exists) can no longer be exploited via iMessage due to Apple’s introduction of the\r\nBlastDoor mitigation in iOS14. We suspect that NSO Group developed FORCEDENTRY, which circumvents\r\nBlastDoor, in response to this mitigation.\r\nConclusion\r\nDespite promising their customers the utmost secrecy and confidentiality, NSO Group’s business model contains\r\nthe seeds of their ongoing unmasking. Selling technology to governments that will use the technology recklessly\r\nin violation of international human rights law ultimately facilitates discovery of the spyware by investigatory\r\nwatchdog organizations, as we and others have shown on multiple prior occasions, and as was the case again here.\r\nIn 2016, we titled our report on the discovery of an iOS and MacOS Apple zero-day the “Million Dollar\r\nDissident.” The title was chosen to reflect the huge sums that autocratic governments are willing to pay to hack\r\ntheir critics. Mercenary spyware companies devote substantial resources to identifying software vulnerabilities on\r\nwidely used applications and then package those exploits to eager government clients, creating a highly lucrative\r\nbut widely abused commercial surveillance marketplace.\r\nOur latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates\r\nthat companies like NSO Group are facilitating “despotism-as-a-service” for unaccountable government security\r\nagencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.\r\nOur finding also highlights the paramount importance of securing popular messaging apps. Ubiquitous chat apps\r\nhave become a major target for the most sophisticated threat actors, including nation state espionage operations\r\nand the mercenary spyware companies that service them. As presently engineered, many chat apps have become\r\nan irresistible soft target. Without intense engineering focus, we believe that they will continue to be heavily\r\ntargeted, and successfully exploited.\r\nAcknowledgements\r\nWe thank the targets of Pegasus spyware that have allowed us to analyze their devices, with a special thanks to the\r\nindividual that worked with us on this case. It is thanks to them, and their bravery, that we were able to make this\r\ndiscovery.\r\nSpecial thanks to all at Apple for quick and responsive action.\r\nThanks to our Citizen Lab colleagues for feedback and editing.\r\nThanks to TNG.\r\nSource: https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/"
	],
	"report_names": [
		"forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434480,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/420682d35b6cfe9bf4903603b3bde47bd25d8bfe.pdf",
		"text": "https://archive.orkl.eu/420682d35b6cfe9bf4903603b3bde47bd25d8bfe.txt",
		"img": "https://archive.orkl.eu/420682d35b6cfe9bf4903603b3bde47bd25d8bfe.jpg"
	}
}