{
	"id": "51aab854-512b-446a-9a60-124cd3f4de1b",
	"created_at": "2026-04-06T00:22:36.166366Z",
	"updated_at": "2026-04-10T13:12:49.475139Z",
	"deleted_at": null,
	"sha1_hash": "5b8fdcdd4c5c00334defb53102ff8ce9b0a0a2f2",
	"title": "HIDE AND SEEK: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1161405,
	"plain_text": "HIDE AND SEEK: Tracking NSO Group’s Pegasus Spyware to\r\nOperations in 45 Countries - The Citizen Lab\r\nArchived: 2026-04-05 15:49:59 UTC\r\nKey Findings\r\nBetween August 2016 and August 2018, we scanned the Internet for servers associated with NSO Group’s\r\nPegasus spyware. We found 1,091 IP addresses that matched our fingerprint and 1,014 domain names that\r\npointed to them. We developed and used Athena, a novel technique to cluster some of our matches into 36\r\ndistinct Pegasus systems, each of which appears to be run by a separate operator.\r\nWe designed and conducted a global DNS Cache Probing study on the matching domain names in order to\r\nidentify in which countries each operator was spying. Our technique identified a total of 45 countries where\r\nPegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be\r\nactively engaged in cross-border surveillance.\r\nOur findings paint a bleak picture of the human rights risks of NSO’s global proliferation. At least six\r\ncountries with significant Pegasus operations have previously been linked to abusive use of spyware to\r\ntarget civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab\r\nEmirates.\r\nPegasus also appears to be in use by countries with dubious human rights records and histories of abusive\r\nbehaviour by state security services. In addition, we have found indications of possible political themes\r\nwithin targeting materials in several countries, casting doubt on whether the technology is being used as\r\npart of “legitimate” criminal investigations.\r\nhttps://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/\r\nPage 1 of 31\n\n1. Executive Summary\r\nIsrael-based “Cyber Warfare” vendor NSO Group produces and sells a mobile phone spyware suite called\r\nPegasus. 
To monitor a target, a government operator of Pegasus must convince the target to click on a specially\r\ncrafted exploit link, which, when clicked, delivers a chain of zero-day exploits to penetrate security features on the\r\nphone and installs Pegasus without the user’s knowledge or permission. Once the phone is exploited and Pegasus\r\nis installed, it begins contacting the operator’s command and control (C\u0026C) servers to receive and execute\r\noperators’ commands, and send back the target’s private data, including passwords, contact lists, calendar events,\r\ntext messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the\r\nphone’s camera and microphone to capture activity in the phone’s vicinity.\r\nPegasus exploit links and C\u0026C servers use HTTPS, which requires operators to register and maintain domain\r\nnames. Domain names for exploit links sometimes impersonate mobile providers, online services, banks, and\r\ngovernment services, which may make the links appear to be benign at first glance. An operator may have several\r\ndomain names that they use in exploit links they send, and also have several domain names they use for C\u0026C. The\r\ndomain names often resolve to cloud-based virtual private servers (we call these front-end servers) rented either\r\nby NSO Group or the operator. The front-end servers appear to forward traffic (via a chain of other servers) to\r\nservers located on the operator’s premises (we call these the back-end Pegasus servers).\r\nScanning, Clustering, and DNS Cache Probing\r\nIn August 2016, award-winning UAE activist Ahmed Mansoor was targeted with NSO Group’s Pegasus spyware.\r\nWe clicked on the link he was sent and obtained three zero-day exploits for the Apple iPhone, as well as a copy of\r\nthe Pegasus spyware. 
We fingerprinted the behaviour of the exploit link and C\u0026C servers in the sample sent to\r\nMansoor, and scanned the Internet for other matching front-end servers. We found 237 servers. After we clicked\r\non the link, but before we published our findings on August 24, NSO Group had apparently taken down all of the\r\nPegasus front-end servers we detected. In the weeks after our report, we noticed a small number of Pegasus front-end servers come back online, but the servers no longer matched our fingerprint. We developed a new fingerprint\r\nand began conducting regular Internet scans.\r\nBetween August 2016 and August 2018, we detected 1,091 IP addresses and 1,014 domain names matching our\r\nfingerprint. We developed and used Athena, a novel fingerprinting technique to group most of our results into 36\r\ndistinct Pegasus systems, each one perhaps run by a separate operator (Section 2).\r\nWe next sought to identify where these Pegasus systems were being used. We hypothesized that devices infected\r\nwith Pegasus would regularly look up one or more of the domain names for the operator’s Pegasus front-end\r\nservers using their ISP’s DNS servers. 
We regularly probed tens of thousands of ISP DNS caches around the world\r\nvia DNS forwarders looking for the Pegasus domain names (Section 3).\r\nOur Findings\r\nWe found suspected NSO Pegasus infections associated with 33 of the 36 Pegasus operators we identified in 45\r\ncountries: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel,\r\nJordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands,\r\nOman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland,\r\nTajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States,\r\nUzbekistan, Yemen, and Zambia. As our findings are based on country-level geolocation of DNS servers, factors\r\nsuch as VPNs and satellite Internet teleport locations can introduce inaccuracies.\r\nMexico\r\nIn 2017, we discovered, by retrospectively inspecting their text messages, that dozens of Mexican lawyers,\r\njournalists, human rights defenders, opposition politicians, anti-corruption advocates, and an international\r\ninvestigation operating in Mexico were targeted in 2016 with links to NSO Group’s Pegasus spyware. The Mexico\r\nrevelations sparked a major political scandal, #GobiernoEspía, and an ensuing criminal investigation, ongoing as\r\nof the date of this report. Even after our prior reporting on the abuse of the Pegasus spyware in Mexico, it appears\r\nthat there are three separate operators who operate predominantly in Mexico as of July 2018.\r\nGulf Cooperation Council (GCC) Countries\r\nWe identify what appears to be a significant expansion of Pegasus usage in the Gulf Cooperation Council (GCC)\r\ncountries in the Middle East. 
In total, we identify at least six operators with significant GCC operations, including\r\nat least two that appear to predominantly focus on the UAE, one that appears to predominantly focus on Bahrain,\r\nand one with a Saudi focus. Three operators may be conducting surveillance beyond the MENA region, including\r\nin Canada, France, Greece, the United Kingdom, and the United States.\r\nThe GCC countries are well known for abusing surveillance tools to track dissidents. In August 2016, UAE\r\nactivist Ahmed Mansoor was targeted with NSO Group’s Pegasus spyware after previously being targeted with\r\nspyware from FinFisher and Hacking Team. Bahrain is noteworthy for compromising journalists, lawyers,\r\nopposition politicians, and pro-democracy activists with FinFisher’s spyware between 2010 and 2012. In May and\r\nJune 2018, Amnesty International reported that an Amnesty staffer and a Saudi activist based abroad were targeted\r\nwith NSO Group’s Pegasus spyware. The same operator responsible for that targeting appears to be conducting\r\nsurveillance across the Middle East, as well as in Europe and North America. Saudi Arabia is currently seeking to\r\nexecute five nonviolent human rights activists accused of chanting slogans at demonstrations and publishing\r\nprotest videos on social media.\r\nOther Country Contexts\r\nWe identify five operators focusing on Africa, including one that appears to be predominantly focusing on the\r\nWest African country of Togo, a staunch Israel ally whose long-serving President has employed torture and\r\nexcessive force against peaceful opposition. The operator in Togo may have used websites with names like\r\n“nouveau president” (“new president”) and “politiques infos” (“political information”) to infect targets with\r\nspyware. A separate operator that appears to focus on Morocco may also be spying on targets in other countries\r\nincluding Algeria, France, and Tunisia. 
We identify several operators operating in Israel: four that appear to\r\noperate domestically and one that appears to operate both in Israel and in other countries including the\r\nNetherlands, Palestine, Qatar, Turkey, and the USA.\r\n2. Fingerprinting Pegasus Infrastructure\r\nThis section describes how we traced Pegasus infrastructure, from our initial discovery in 2016 until the present.\r\nBackground\r\nWe first began tracking NSO Group’s Pegasus spyware after the operators of UAE threat actor Stealth Falcon\r\n(later revealed to be UAE cybersecurity company DarkMatter) inadvertently gave us visibility into Pegasus\r\ninfrastructure by registering a domain name whose homepage included a Pegasus link, using the same email\r\naddress as a domain for a separate PC spyware product we were tracking. In August 2016, UAE activist Ahmed\r\nMansoor was targeted with Pegasus with a text message sent to his iPhone. We clicked on the link provided in the\r\nmessage and obtained three zero-day exploits for Apple iOS 9.3.3, as well as a copy of the Pegasus spyware. We\r\ndisclosed the exploits to Apple, which quickly released a patch blocking the Pegasus spyware. According to our\r\nscans, all of the Pegasus servers we detected (except for the C\u0026C servers in the sample sent to Mansoor) were\r\nshut down at least two days before we published our results.\r\nFingerprinting in 2016: Decoy Pages\r\nWhen we sought to build fingerprints for Pegasus infrastructure in 2016, we scanned the Internet for\r\n/redirect.aspx and /Support.aspx, for which Pegasus servers returned decoy pages. A decoy page is a page\r\nshown when there is an undesired remote landing on a spyware server and is designed to convince the user that\r\nthey are viewing a normal, benign website. 
However, because the functionality for showing decoy pages typically\r\nresides in the spyware server’s code and likely nowhere else, it is often trivial for researchers to build fingerprints\r\nfor decoy pages, and scan the Internet for these fingerprints to identify other servers associated with the same\r\nspyware system, including perhaps the servers of other operators, if the same spyware system is used by multiple\r\noperators.\r\nFingerprinting in 2017 and 2018: No More Decoys\r\nAfter our August 2016 report, NSO Group apparently removed the /redirect.aspx and /Support.aspx decoy\r\npages, and further modified their server code to close an incoming connection without returning any data unless\r\npresented with a valid exploit link or other path on the server. This change is in line with changes made by\r\ncompetitors FinFisher and Hacking Team, after we disclosed how we fingerprinted their hidden infrastructure with\r\ndecoy pages.\r\nAfter studying the behavior of several suspected new Pegasus servers, we developed fingerprints ξ1, ξ2, and ξ3,\r\nand a technique that we call Athena.\r\nFingerprint ξ1 is a Transport Layer Security (TLS) fingerprint.\r\nFingerprints ξ2 and ξ3 represent two different proxying configurations we observed. We considered a server to be\r\npart of NSO Group’s infrastructure if it matched ξ1 and also one of ξ2 or ξ3. We then used Athena to group our\r\nfingerprint matches into 36 clusters. We believe that each cluster represents an operator of NSO Pegasus spyware,\r\nthough it is possible that some may represent demonstration or testing systems. 
As we have done in the past when\r\nreporting on vendors of targeted malware, we have chosen to withhold publication of specific fingerprints and\r\ntechniques to prevent harm that may result from external parties generating a list of NSO Group domains using\r\nthese methods.\r\nCharting the Rebirth of Pegasus\r\nNSO Group apparently told business associates that our August 2016 report and disclosures of their exploits to\r\nApple “…disrupted their work for around 30 minutes before they…resumed operations.” Our scanning of NSO\r\nGroup’s infrastructure tells a somewhat different story (Figure 4).\r\nTwelve of the servers that were shut down before we published Million Dollar Dissident (we call these Version 2\r\nservers) were back online in a September 25, 2016 scan and stayed online mostly continuously until an August 10,\r\n2017 scan. These may have been C\u0026C servers for clients that wished to continue monitoring old infections. We\r\nsaw the first Version 3 server in a September 5, 2017 scan, less than two weeks after Million Dollar Dissident.\r\nApproximately one month after Million Dollar Dissident, we saw what appeared to be seven operators online.\r\nTwo months after our report, we saw 14 operators online.\r\n3. DNS Cache Probing Results\r\nThis section describes the results of our DNS Cache Probing study to identify suspected Pegasus infections (see\r\nSection 4 for study details, as well as the definition of a “suspected infection”).\r\nBackground\r\nWe used the technique that we call Athena to cluster the IP addresses that matched our Pegasus fingerprints into\r\nwhat we believe are 36 distinct operators; each operator makes use of multiple IP addresses. We give each\r\noperator an Operator Name drawn from national symbols or geographic features of the country or region that\r\nappears to be targeted. 
For each IP address used by the operator, we extracted a domain name from its TLS\r\ncertificate. We coded the domain names to generate a Suspected Country Focus and assessed whether there were\r\nPolitical Themes in the domains, which might suggest politically motivated targeting. We then performed DNS\r\ncache probing to generate a list of countries in which there are Possible Infections associated with the operator.\r\nOperators Focusing on the Americas\r\nWe identified five or six operators that we believe are operating in the Americas.\r\nOne operator that we call MACAW may be focused on Honduras or neighboring countries because it made use of\r\ntwo interesting domain names showing a possible link to Honduras (politica504[.]com and eltiempo-news[.]com).\r\nHowever, our DNS cache probing technique did not identify any suspected infections relating to this system.\r\nAt the time of our June 2017 Reckless Exploit report about the abuse of NSO Group’s Pegasus spyware in\r\nMexico, there were four operators using domain names that suggested a link to Mexico: RECKLESS-1,\r\nRECKLESS-2, PRICKLYPEAR, and AGUILAREAL. RECKLESS-1 and RECKLESS-2 employed some domain\r\nnames containing political themes (RECKLESS-1 used universopolitico[.]net and animal-politico[.]com;\r\nRECKLESS-2 used noticiaspoliticos[.]com and politicoportales[.]org). Operators RECKLESS-1 and\r\nRECKLESS-2 are so named because they were swiftly and completely shut down following publication of our\r\nreport. Operators PRICKLYPEAR and AGUILAREAL were partially shut down: two or three servers for each\r\nremained online. One month after publication, in July 2017, the first domain names for a new operator,\r\nMAYBERECKLESS, that would focus on Mexico were registered. The MAYBERECKLESS domains began\r\nmatching our fingerprint in September 2017. 
MAYBERECKLESS may be a continuation of RECKLESS-1 or\r\nRECKLESS-2. Also in September 2017, the remaining servers from PRICKLYPEAR and AGUILAREAL were\r\nsupplemented with new servers.\r\nOperator Name | Dates Operator was Active | Suspected Country Focus | Political Themes? | Suspected Infections\r\nRECKLESS-1 | Sep 2016 – Jun 2017 | Mexico | Yes | –\r\nRECKLESS-2 | Oct 2016 – Jun 2017 | Mexico | Yes | –\r\nMAYBERECKLESS | Sep 2017 – present | – | – | Mexico\r\nPRICKLYPEAR | Oct 2016 – present | Mexico | – | Mexico, USA (Arizona)\r\nAGUILAREAL | Sep 2016 – present | Mexico | – | Mexico\r\nMACAW | Nov 2017 – present | Honduras | Yes | –\r\nTable 1\r\nOperators Focusing on Africa\r\nWe identified five operators that we believe are focusing on Africa. One operator that we call REDLIONS uses\r\nfrontend domains that appear to be almost exclusively written in the French language, including two politically\r\nthemed domains (politiques-infos[.]info and nouveau-president[.]com). We found DNS cache probing hits for\r\nREDLIONS in Togo. Because we did not perform our DNS cache probing study until July 2018, we did not have\r\nthe opportunity to probe one operator, AK47, which shut down in July 2017. 
Operators ATLAS and\r\nGRANDLACS also made use of politically themed domains (ATLAS used revolution-news[.]co and\r\nGRANDLACS used politicalpress[.]org).\r\nOperator Name | Dates Operator was Active | Suspected Country Focus | Political Themes? | Suspected Infections\r\nREDLIONS | Mar 2017 – present | – | Yes | Togo\r\nATLAS | Aug 2017 – present | Morocco | Yes | Algeria, Cote d’Ivoire, France, Morocco, Tunisia, UAE\r\nGRANDLACS | Jun 2017 – present | Great Lakes region of Africa | Yes | Kenya, Rwanda, South Africa, Uganda\r\nMULUNGUSHI | Feb 2018 – present | Zambia | – | South Africa, Zambia\r\nAK47 | Dec 2016 – Jul 2017 | Mozambique | – | –\r\nTable 2\r\nOperators Focusing on Europe\r\nWe identified five operators that we believe are focusing on Europe. Two systems that we call TURUL and\r\nCHEQUY appear to have a Hungarian and Croatian focus in their frontend domain names, but we did not find any\r\nDNS cache probing hits for these systems.\r\nOperator Name | Dates Operator was Active | Suspected Country Focus | Political Themes? | Suspected Infections\r\nORZELBIALY | Nov 2017 – present | Poland | – | Poland\r\nEDELWEISS | Jul 2017 – present | Switzerland | – | Switzerland\r\n5LATS | Mar 2018 – present | Latvia | – | Latvia\r\nTURUL | Feb 2018 – present | Hungary | – | –\r\nCHEQUY | Nov 2016 – present | Croatia | – | –\r\nTable 3\r\nOperators Focusing on the Middle East\r\nWe identified 12 operators that we believe are focusing on the Middle East. One operator, PEARL, appears to be\r\nfocused on Bahrain. One operator, KINGDOM, was behind the recent targeting of an Amnesty staffer and a Saudi\r\nArabian activist abroad. 
Operator PEARL used politically themed domain names including shia-voice[.]com\r\n(referring to a politically repressed religious group in Bahrain) and 14-tracking[.]com (perhaps referring to the\r\nFebruary 14 Youth Coalition, a group leading some anti-government protests), and operator FALCON used\r\nnomorewarnow[.]com.\r\nOperator Name | Dates Operator was Active | Suspected Country Focus | Political Themes? | Suspected Infections\r\nPEARL | Jul 2017 – present | Bahrain | Yes | Bahrain, Qatar\r\nFALCON | Oct 2016 – present | UAE | Yes | UAE\r\nBABYFALCON | May 2018 – present | GCC Region | – | UAE\r\nMAYBEFALCON | Sep 2016 – present | – | – | UAE\r\nBLACKBIRD | Sep 2016 – present | – | – | Greece, Jordan, Kuwait, Libya, Qatar, UAE, UK, USA, Yemen\r\nKINGDOM | Oct 2017 – present | Saudi Arabia | – | Bahrain, Canada, Egypt, France, Iraq, Jordan, Lebanon, Morocco, Qatar, Saudi Arabia, Turkey, UK\r\nMIDDLE | Sep 2016 – present | – | – | France, Jordan, Lebanon, Oman, Qatar, Tunisia, Turkey, UAE\r\nOLIVE-1 | Jun 2017 – present | – | – | Israel\r\nOLIVE-2 | Aug 2017 – present | – | – | Israel\r\nOLIVE-3 | Dec 2016 – present | – | – | Israel\r\nOLIVE-4 | Oct 2016 – present | – | – | Israel\r\nDOME | Mar 2018 – present | – | – | Israel, Netherlands, Palestine, Qatar, Turkey, USA\r\nTable 4\r\nOperators Focusing on Asia\r\nWe identified five operators that we believe are focusing on Asia. 
One operator, GANGES, used a politically\r\nthemed domain signpetition[.]co.\r\nOperator Name | Dates Operator was Active | Suspected Country Focus | Political Themes? | Suspected Infections\r\nCHANG | Jan 2018 – present | Asia | – | Thailand\r\nGANGES | Jun 2017 – present | – | Yes | Bangladesh, Brazil, Hong Kong, India, Pakistan\r\nMERLION | Dec 2016 – present | – | – | Singapore\r\nTULPAR | Feb 2017 – present | Kazakhstan | – | Kazakhstan\r\nSYRDARYA | Sep 2016 – present | Uzbekistan | – | Kazakhstan, Kyrgyzstan, Tajikistan, Turkey, Uzbekistan\r\nTable 5\r\nHighly Customized Operators with Unclear Focus\r\nWe identified three operators with an unclear focus, which all appeared to use a large degree of customization in\r\ntheir operations.\r\nOperator SUPERSIZE (active Sep 2016 – present) had by far the largest Pegasus deployment based on number of\r\ndomain names; we found 118 domain names belonging to SUPERSIZE. 
We found interesting DNS cache hits in\r\nIsrael and Bahrain, but did not have enough information to determine whether these might be suspected infections.\r\nIt may be the case that SUPERSIZE was monitoring relatively few people with a relatively large amount of\r\ninfrastructure, or that some of SUPERSIZE’s targets may have been outside areas we could measure with DNS\r\ncache probing, or that SUPERSIZE was operating in an especially stealthy manner with targets under sporadic,\r\nrather than continuous, surveillance.\r\nOperator SNEAK (active Oct 2016 – present) had infrastructure that appeared to reflect a high level of\r\ncustomization, including running C\u0026C servers on nonstandard ports, and making use of dynamic DNS services.\r\nSNEAK was the operator that accidentally reused some of its old infrastructure, facilitating our continued\r\nvisibility into NSO Group’s infrastructure after our Million Dollar Dissident report. We found interesting DNS\r\ncache hits on this system in Syria, Lebanon, Qatar, the Netherlands, and the United States, but did not have\r\nenough information to determine whether these might be suspected infections.\r\nOperator PARTY (active May 2017 – present) used domain names with extremely long TTLs. We found\r\ninteresting DNS cache hits on this system in Syria and Lebanon, but did not have enough information to determine\r\nwhether these might be suspected infections.\r\n4. DNS Cache Probing Technique\r\nThis section describes our DNS Cache Probing technique.\r\nBackground on DNS and Cache Probing\r\nWhen a user (or a computer program) instructs a computer or mobile device to communicate with a domain name\r\n(e.g., www.citizenlab.ca), the device first sends a request to a Domain Name Service (DNS) server, in order to\r\nlearn the IP address corresponding to the domain name. 
By default, the device communicates with a DNS server\r\nmaintained by the ISP or telecom company to which the device is connected.\r\nDNS servers cache mappings between IP addresses and domain names temporarily, typically for a duration\r\nspecified by the owner of the domain name (e.g., 300 seconds). When a device looks up a domain name that is not\r\nin the server’s cache, the server contacts other DNS servers to resolve the domain name “recursively” and then\r\nstores the record in the cache. When a device looks up a domain name that is already in the server’s cache, the\r\nserver returns the record from the cache, along with a time to live (TTL) value that indicates when the server will\r\nexpire the record from the cache. If the TTL value returned by the server is less than that set by the owner of the\r\ndomain, then it is likely that the record returned by the DNS server was present in the server’s cache, and thus was\r\nlooked up by some other ISP user relatively recently.\r\nOne can also send a query to a DNS server with the Recursion Desired flag set to 0 (called a nonrecursive query),\r\nindicating to the server that it should only consult its cache before responding; if the record is not in the cache, the\r\nserver should not contact other servers to attempt to resolve the domain and should not add anything to its cache.\r\nSome DNS servers may choose to not respect this flag.\r\nSending queries (whether nonrecursive or recursive) to a DNS server for the purpose of observing less-than-full\r\nTTLs is a measurement technique called DNS cache probing or DNS cache snooping. 
The author of the original\r\npresentation of DNS cache probing in 2004 framed it as detrimental to security and privacy and proposed that\r\noperators of DNS servers, such as ISPs, should block DNS queries not originating from their own network.\r\nImplementing such a precaution would make it harder for a single observer to directly probe caches of DNS\r\nservers. A 2006 investigation of a botnet C\u0026C server employed DNS cache probing to investigate prevalence of\r\nbotnet infections; the authors in that case appear to have probed DNS servers that were authoritative for some\r\ndomain, rather than DNS forwarders.\r\nEven in cases where ISPs block requests to their DNS servers from non-ISP-users, it is sometimes possible to\r\nprobe the DNS servers’ caches, by using open DNS forwarders on the ISP’s network. An open DNS forwarder is a\r\nservice that accepts queries from any Internet user, and forwards the query, unmolested, perhaps to an ISP server,\r\nwhich then responds to the forwarder, which in turn responds to the user. From the perspective of the ISP’s DNS\r\nserver, the submitter of the query (the forwarder) is on the ISP’s network. Open DNS forwarders may be running\r\non improperly configured routers or IoT devices.\r\nNote: Ethics of DNS Cache Probing\r\nIn keeping with the growing emphasis on ethics in network measurement research, we considered the impacts of\r\nour technical activities on persons that are not the targets of our research, and sought to minimize the likelihood of\r\nany disruption. Notably we examined the possibility of costs to users, service disruption, or unwanted warnings\r\nfrom their ISPs. We believe that this research was conducted in a manner that mitigates these risks, and serves the\r\npublic interest.\r\nFirstly, we considered the possibility that users might incur costs or service disruption as a result of our DNS\r\nCache Probing. 
We believe that this is a highly unlikely outcome, given the small number of requests made during\r\nthe activity. As deployed, the technique results in fewer than one request per second per IP address, and thus is less\r\nthan one kilobyte per second. The total traffic is thus less than 100 megabytes per day. To further minimize load\r\non the authoritative name servers for the domains that we are probing, we use nonrecursive queries only. As a\r\nresult, we do not anticipate costs incurred by users, or bandwidth degradation.\r\nWe determined that it was unlikely that users would receive unwelcome inquiries from their ISPs, or other\r\nauthorities, as the result of our DNS cache probing. Certainly, open DNS forwarders are a major Internet security\r\nrisk, as they may be employed in DNS amplification DDoS attacks. Such high-volume attacks might come to the\r\nnotice of ISPs or other authorities and trigger inquiries or sanction by ISPs. DNS Cache Probing, in contrast, is a\r\nvery low-volume activity. If an open DNS operator has not already received a contact from their ISP, we think it\r\nvery unlikely that this technique will trigger contacts, since it does not look ‘attack-like.’\r\nAt the time of writing, we are unaware of any evidence of DNS Cache Probing used in malicious real-world\r\nattacks. As the technique of DNS Cache Probing continues to be developed as a research tool, it will be important\r\nto ensure that it continues to be used in ways that do not present privacy and security concerns.\r\nFinding Suitable DNS Forwarders\r\nWe first develop a list of suitable DNS forwarders. We run three tests to answer the following questions:\r\n1. Does the forwarder appear to use resolvers that honour nonrecursive queries? 
We send a nonrecursive\r\nquery for a randomized subdomain of a domain we control and check if we get a response. The randomized\r\nsubdomain resolves to an IP but should not be in any cache. We check each IP twice; if we ever get a\r\ncorrect answer, then the IP does not honour nonrecursive queries.\r\n2. Which resolvers does the forwarder use? We run a customized nameserver for a domain we control; the\r\nnameserver returns the source IP of an incoming DNS query as one of the answers in the response. We\r\nquery each IP 10 times with a recursive query for a randomized subdomain of the domain we control and\r\ncollect the set of IPs returned by our nameserver.\r\n3. Is the forwarder likely to have access to an interesting cache? We query each IP 10 consecutive times\r\nwith a recursive query for google.com. If an IP returns a response with an IP in Google’s autonomous\r\nsystem (AS #15169) at least once, then the forwarder may have access to an interesting cache.\r\nA DNS forwarder is suitable if:\r\nIt appears to honour nonrecursive queries.\r\nThe forwarder appears to only ever forward requests to resolvers in a single Autonomous System (AS). We\r\nexclude forwarders that use resolvers in multiple ASes because when such a forwarder shows a DNS cache\r\nhit, we do not know in which AS the DNS cache hit actually occurred.\r\nThe (single) AS of the forwarder’s resolvers is designated as “Transit/Access” by CAIDA’s AS\r\nClassification dataset. 
This helps avoid some cloud providers and shared DNS providers like Google,\r\nOpenDNS, Yandex, CloudFlare, etc.\r\nThe AS of the forwarder’s resolvers is not equal to any AS where we found a match for an NSO Group\r\nserver.\r\nThe forwarder is not itself a resolver; in other words, the forwarder IP does not appear amongst the\r\nresolvers.\r\nThe forwarder is likely to have access to an interesting cache.\r\nEach time we scanned, our list included ~38,000 suitable forwarders, excluding forwarders in China.\r\nUnderstanding DNS Cache Probing False Positives\r\nDNS cache probing can produce false positives, i.e., the DNS cache probing technique reports that the domain is\r\nin the cache, when it is in fact not in the cache, or when we caused it to be in the cache. This can happen in the\r\nfollowing three cases:\r\n1. A DNS forwarder does not honor nonrecursive queries all of the time; it may forward some subset of our\r\nqueries to a resolver that does not honor nonrecursive queries. This can result in our query adding the\r\ndomain to the cache.\r\n2. A DNS forwarder might return the entry that we added to the cache in (1). This can happen even for DNS\r\nforwarders that do honour nonrecursive queries 100% of the time.\r\n3. Automated processes or curious researchers may observe our DNS cache probing and send DNS queries\r\nfor the domain names we are probing; this may add the domain names to caches we are probing.\r\nWe conducted several control experiments to determine how best to exclude false positives. 
In our control\r\nexperiments, we selected 50 domain names with a wildcard record and an authoritative TTL of at least 300\r\nseconds, then generated a random string to use as a subdomain, and continuously queried all 50 domains (with the\r\nsubdomain) on all resolvers once roughly every 300 seconds in a fixed order, at a rate ensuring each domain was\r\nqueried at least once every 300 seconds. We ran the experiment for 24 hours.\r\nAny results we received during the control experiments we treated as false positives. We developed a set of\r\nheuristics to reduce the false positive rate to 0 in these experiments, with the idea that these same heuristics might\r\nhelp us eliminate many false positives from our DNS cache probing study of the spyware domains. These are the\r\nconditions we applied to eliminate false positives from our results:\r\n1. Exclude duplicate observations of the same lookup: For each DNS server response, we check to see if\r\nthe observation is a duplicate. Specifically, if a response for a given domain name was preceded by a\r\nresponse (from any DNS forwarder) for that same domain name n seconds ago, and the TTL of the prior\r\nresponse differed by n (± 2) from the present response, then we excluded the present response.\r\n2. Exclude possible duplicate observations even if clocks run at an incorrect rate: For each ASN, we\r\nexcluded a record if its TTL was less than or equal to the immediately prior record for that domain returned\r\nby any DNS forwarder for the same ASN (or IP). We implemented this condition because for some ASNs,\r\nwe identified monotonically nondecreasing sequences of TTLs (for domains with large TTLs) that\r\nappeared to correspond with clocks running at incorrect rates, and suspected that these may have been false\r\npositives.\r\n3. 
Exclude any observation with an improper TTL: We exclude all observations with TTLs larger than the\r\nTTL set by the domain name’s authoritative DNS server (authoritative TTL), as well as all observations\r\nwith TTLs within 2 of the authoritative TTL, as well as all observations with popular fixed TTL values (0,\r\n1, 9, 10, 11, 30, 60, 80, 100, 300, 1000, 10000).\r\n4. Exclude all responses from DNS forwarders that ever return a wrong answer: We also excluded all\r\nresponses from a DNS forwarder if it ever returned an incorrect IP address in a response for the query.\r\n5. Exclude all responses from caches in same country as domain name hosted: For a given domain name,\r\nwe excluded all DNS cache responses coming from DNS forwarders for ASNs in the same country where\r\nthe domain name was hosted. For instance, if a domain name pointed to an IP address in Italy, we would\r\nexclude all DNS cache hits from Italy on that domain name as potential false positives.\r\n6. Exclude infrequent responses: Unless resolvers in a given ASN returned at least four responses for a\r\ngiven domain that were not otherwise excluded, we excluded the responses for that domain from the ASN.\r\nOur conditions for excluding results were very liberal, and could result in false negatives. Note that when we say\r\nwe excluded a response, we mean that the response was not included as a final result. We continued to consider\r\nexcluded responses as reasons to exclude other responses.\r\nWhy Is a Domain Name in the Cache?\r\nThere are many reasons a domain name may be in a cache (assuming we did not accidentally put it there). We are\r\nonly interested in cache entries that might arise from suspected infections. 
We briefly introduce our working\r\nmodel of how NSO’s Pegasus spyware deployments operate, supported by evidence from a staged shutdown of\r\nNSO Group’s infrastructure.\r\nOur mental model of deployment of the Pegasus spyware is that most operators have two C\u0026C servers to which\r\nmost infections talk, and that the rest of their infrastructure comprises domains that are used in exploit links. After\r\nreports concerning the use of Pegasus spyware were published by Amnesty International and Citizen Lab on\r\nAugust 1, 2018, a staged shutdown of the Pegasus infrastructure was conducted over a period of several days. At\r\nfirst, the bulk of frontend domains appeared to be shut down, while a handful of final domains (usually two)\r\nremained active for each operator. We believe that these were the C\u0026C servers and that the domains were kept\r\nonline so that infected devices would have an opportunity to beacon back and receive instructions on new C\u0026C\r\nservers with which they should communicate.\r\nIf a given operator had exactly two final domains, we assumed that these were C\u0026C servers. If an operator had\r\nmore than two final domains, we assumed that some subset of size 2 were the C\u0026C servers. We did not identify\r\nany operator for which our DNS cache probing technique reported hits on different subsets of size 2 from the final\r\ndomains. We then filtered our responses for ASNs which had hits on both hypothesized C\u0026C domains and\r\nconsidered these to be suspected infections.\r\nThe Experiments\r\nOnce we had developed our technique for reducing false positives, we DNS cache probed for all domains we\r\nlinked to NSO Group’s infrastructure that were active and matching our fingerprints. We queried domains at least\r\nonce per their period of authoritative TTL. Because of the large number of domains and servers, and our desire to\r\nconserve bandwidth, we alternated which domains we were probing. 
Each domain name was probed for at least\r\nthree 24-hour periods.\r\nPossible Limitations\r\nFactors such as the use of VPNs and satellite Internet connections may skew our geolocation results. Thus, the\r\ncountry mapping should serve as a guide for further investigation, rather than ironclad evidence of monitoring.\r\nAdditionally, it is possible that unusual configurations of DNS forwarders (such as the use of consistent hashing to\r\nconsult different resolvers for different domain names) could defeat our filtering techniques and introduce false\r\npositives.\r\nWe are not sure what percentage of all DNS queries are observable by our method and note that the percentage\r\ncould vary greatly across different countries and ISPs. Therefore, it is possible that our technique has missed a\r\nsignificant number of infections and may have failed to measure certain countries or ISPs entirely. Importantly,\r\noperators that appear in our results to be operating in a single country may actually be operating in multiple\r\ncountries. We did not conduct any DNS cache probing of IPs in Mainland China.\r\n5. Conclusion\r\nThis report identifies 45 countries with suspected Pegasus spyware infections operated by at least 33 likely NSO\r\ncustomers. We determined this by performing DNS cache probing on domain names we extracted from command\r\nand control (C\u0026C) servers matching a newly devised fingerprint for Pegasus. We grouped the C\u0026C servers, with\r\neach group representing a single Pegasus operator (assumed to be an NSO customer) using a technique that we\r\ncall Athena. 
The resulting global map of NSO Pegasus infections reveals several issues of urgent concern.\r\nKnown spyware abusers operating Pegasus\r\nWhile some NSO customers may be using Pegasus spyware as part of ‘lawful’ criminal or national security\r\ninvestigations, at least six countries with significant Pegasus operations have a public history of\r\nabusing spyware to target civil society.\r\nThree Pegasus operators appear to be operational in Mexico, despite the extensive evidence of abuses of Pegasus\r\nto target Mexican civil society uncovered by Citizen Lab and our partners in 2017. The findings of widespread\r\ntargeting in Mexico led to international outcry and a criminal investigation. However, they do not appear to have\r\nresulted in the termination of all of the Pegasus operations in that country.\r\nIn 2016, Citizen Lab exposed the use of Pegasus to target Ahmed Mansoor, a UAE-based human rights defender.\r\nDespite this disclosure and resulting public outcry, it appears that a suspected UAE-based Pegasus deployment\r\nremains operational. Most recently, a Saudi Arabia-linked campaign appears to be continuing, despite a recent\r\ninvestigation linking it to the targeting of an Amnesty International staff member and a Saudi activist.\r\nBahrain, another country that may host a Pegasus operator, has a notorious history of abusing spyware to target\r\ncivil society. Notably, the operator linked to Bahrain appears to be using domain names with political themes,\r\nwhich is highly concerning, given that country’s history of abuses of surveillance technology. The Togo-linked\r\noperator also appears to be using politically-themed domains. Togo has a history of authoritarian rule and human\r\nrights abuses.\r\nWidespread cross-border surveillance with Pegasus\r\nTen Pegasus operators appear to be conducting surveillance in multiple countries. 
While we have observed prior\r\ncases of cross-border targeting, this investigation suggests that cross-border targeting and/or monitoring is a\r\nrelatively common practice. The scope of this activity suggests that government-exclusive spyware is widely used\r\nto conduct activities that may be illegal in the countries where the targets are located. For example, we have\r\nidentified several possible Pegasus customers not linked to the United States, but with infections in US IP space.\r\nWhile some of these infections may reflect usage of out-of-country VPN or satellite Internet service by targets, it\r\nis possible that several countries may be actively violating United States law by penetrating devices located within\r\nthe US.\r\nFailures at due diligence, contribution to global cyber insecurity\r\nThe cases identified in this report raise serious doubts as to the depth and seriousness of NSO’s due diligence and\r\nconcern for human rights protections. They also suggest that the company has a significant number of customers\r\nthat maintain active infections in other countries, likely violating those countries’ laws. The global market for\r\ngovernment-exclusive spyware continues to grow, and as it does, more governments and security services with\r\nhistories of abuse will acquire this technology. The expanding user base of spyware like Pegasus will enable a\r\ngrowing number of authoritarian states to pry not only into the digital lives of their own citizens, but also into phones\r\nand computers in pockets and purses around the globe.\r\nCommunications with NSO Group\r\nOn 14 September 2018, Citizen Lab Director Ron Deibert sent a letter to two NSO Group principals, Mr. Omri\r\nLavie and Mr. 
Shalev Hulio, notifying them of the details of this report, explaining that we had shared an\r\nembargoed copy with journalists and offering to publish in full any response they wished to communicate on the\r\nrecord.\r\nOn 14 September 2018, Mr. Hulio responded by email saying “we have suggested several times in the past to meet\r\nyou and your colleagues, but, unfortunately, our requests have been ignored.” The Citizen Lab Director and staff\r\nhave no record of any such outreach. Moreover, the Citizen Lab does not believe that a private meeting with\r\nresearchers is a proper substitute for responsible public communication on such a serious matter of public interest.\r\nMr. Hulio also claimed “Contrary to statements made by you, our product is licensed to government and law\r\nenforcement agencies for the sole purpose of investigating and preventing crime and terror. Our business is\r\nconducted in strict compliance with applicable export control laws.” Citizen Lab research does not speak to what\r\nstatements NSO may make during marketing, sales, or export compliance. However, our research continues to\r\ndemonstrate some highly concerning real-world examples of the abuse of NSO Group technology in practice.\r\nThese uses have included apparent government customers of NSO Group abusing Pegasus spyware to target civil\r\nsociety groups, human rights defenders, lawyers, politicians, and journalists.\r\nOn 17 September 2018, we then received a public statement from NSO Group. The statement mentions that “the\r\nlist of countries in which NSO is alleged to operate is simply inaccurate. NSO does not operate in many of the\r\ncountries listed.” This statement is a misunderstanding of our investigation: the list in our report is of suspected\r\nlocations of NSO infections, it is not a list of suspected NSO customers. 
As we describe in Section 3, we observed\r\nDNS cache hits from what appear to be 33 distinct operators, some of whom appeared to be conducting operations\r\nin multiple countries. Thus, our list of 45 countries necessarily includes countries that are not NSO Group\r\ncustomers. We describe additional limitations of our method in Section 4, including factors such as VPNs and\r\nsatellite connections, which can cause targets to appear in other countries.\r\nThe NSO statement also claims that “NSO’s Business Ethics Committee, which includes outside experts from\r\nvarious disciplines, including law and foreign relations, reviews and approves each transaction and is authorized\r\nto reject agreements or cancel existing agreements where there is a case of improper use.” We have seen no public\r\ndetails concerning the membership or deliberations of this committee but encourage NSO Group to disclose them.\r\nNSO’s statements about a Business Ethics Committee recall the example of Hacking Team’s “outside panel of\r\ntechnical experts and legal advisors … that reviews potential sales.” This “outside panel” appears to have been a\r\nsingle law firm, whose recommendations Hacking Team did not always follow.\r\nThe continued supply of services to countries with problematic human rights track records and where highly-publicized abuses of spyware have occurred raises serious doubts about the effectiveness of this internal\r\nmechanism, if it exists at all.\r\nUpdate\r\nOn 18 September 2018, NSO emailed the following addendum to their previous public statement:\r\n“There are multiple problems with Citizen Lab’s latest report. Most significantly, the list of countries in which\r\nNSO is alleged to sell or where our customers presumably operate the products is simply inaccurate. NSO does\r\nnot sell its products in many of the countries listed. 
The product is only licensed to operate in countries approved\r\nunder our Business Ethics Framework and the product will not operate outside of approved countries. As an\r\nexample, the product is specifically designed to not operate in the USA.”\r\nIn addition to our DNS cache probing technique showing suspected infections in the United States, we previously\r\nobserved a suspected Mexican operator target a minor child in the United States with Pegasus infection attempts,\r\nincluding messages impersonating the US embassy. Also, as part of our Million Dollar Dissident report in 2016,\r\nwe successfully infected our test phone (in the United States at the time) with a Pegasus link sent to UAE activist\r\nAhmed Mansoor.\r\nAcknowledgements\r\nBill Marczak’s work on this project was supported by the Center for Long Term Cybersecurity (CLTC) at UC\r\nBerkeley. This work was also supported by grants to the Citizen Lab from the Ford Foundation, the John T. and\r\nCatherine D. MacArthur Foundation, the Oak Foundation, the Open Society Foundations, and the Sigrid Rausing\r\nTrust. This work includes data from Censys.\r\nEditing and other assistance provided by Cynthia Khoo, Jeffrey Knockel, Jakub Dalek, Miles Kenyon, Adam\r\nSenft, Jon Penney, and Masashi Nishihata.\r\nAppendix A: Interesting Domains and ASNs of DNS Cache Hits by Operator\r\nIn this appendix we list DNS cache hits by ASN for all systems in which we observed them. We list some domain\r\nnames for systems which may be used for political targeting, but redact domain names in other cases, as other\r\nsystems may be used for legitimate law enforcement purposes.\r\nOperator RECKLESS-1\r\nInteresting Domains Why Interesting\r\nuniversopolitico[.]net\r\nanimal-politico[.]com\r\nMay show political focus.\r\nun0noticias[.]com\r\nun0noticias[.]net\r\nUno TV is a Mexican provider of news. 
The domain name\r\nunonoticias[.]net was previously used to target Mexican journalists\r\nwith Pegasus spyware.\r\nTable 6\r\nInteresting domains for operator RECKLESS-1.\r\nOperator RECKLESS-2\r\nInteresting Domains Why Interesting\r\nnoticiaspoliticos[.]com\r\npoliticoportales[.]org\r\nMay show political focus.\r\nTable 7\r\nInteresting domains for operator RECKLESS-2.\r\nOperator MAYBERECKLESS\r\nASN Description Country\r\n8151 Uninet S.A. de C.V. Mexico\r\n13999 Mega Cable, S.A. de C.V. Mexico\r\n17072 TOTAL PLAY TELECOMUNICACIONES SA DE CV Mexico\r\n6503 Axtel, S.A.B. de C.V. Mexico\r\n18734 Operbes, S.A. de C.V. Mexico\r\nTable 8\r\nSuspected infections for operator MAYBERECKLESS.\r\nOperator PRICKLYPEAR\r\nASN Description Country\r\n8151 Uninet S.A. de C.V. Mexico\r\n11888 Television Internacional, S.A. de C.V. Mexico\r\n17072 TOTAL PLAY TELECOMUNICACIONES SA DE CV Mexico\r\n13999 Mega Cable, S.A. de C.V. Mexico\r\n6503 Axtel, S.A.B. de C.V. Mexico\r\n28548 Cablevisión, S.A. de C.V. Mexico\r\n11172 Alestra, S. de R.L. de C.V. Mexico\r\n22773 Cox Communications Inc. USA (Arizona)\r\n7922 Comcast Cable Communications, LLC USA (Arizona)\r\nTable 9\r\nSuspected infections for operator PRICKLYPEAR.\r\nOperator AGUILAREAL\r\nASN Description Country\r\n8151 Uninet S.A. de C.V. Mexico\r\n6503 Axtel, S.A.B. de C.V. Mexico\r\n17072 TOTAL PLAY TELECOMUNICACIONES SA DE CV Mexico\r\nTable 10\r\nSuspected infections for operator AGUILAREAL.\r\nOperator ORZELBIALY\r\nASN Description Country\r\n8374 Polkomtel Sp. z o.o. Poland\r\n50767 FIBERLINK Sp. z o.o. Poland\r\n5617 Orange Polska Spolka Akcyjna Poland\r\n12912 T-mobile Polska Spolka Akcyjna Poland\r\n198112 PROSAT s.c. Poland\r\n29314 Vectra S.A. 
Poland\r\n12741 Netia SA Poland\r\nTable 11\r\nSuspected infections for operator ORZELBIALY.\r\nOperator EDELWEISS\r\nASN Description Country\r\n3303 Swisscom (Switzerland) Ltd Switzerland\r\nTable 12\r\nSuspected infections for operator EDELWEISS.\r\nOperator 5LATS\r\nASN Description Country\r\n12578 SIA Lattelecom Latvia\r\nTable 13\r\nSuspected infections for operator 5LATS.\r\nOperator REDLIONS\r\nASN Description Country\r\n24691 TogoTelecom, Togo Togo\r\nTable 14\r\nSuspected infections for operator REDLIONS.\r\nInteresting Domains Why Interesting\r\npolitiques-infos[.]info\r\nnouveau-president[.]com\r\nMay show political focus.\r\nTable 15\r\nInteresting domains for operator REDLIONS.\r\nOperator ATLAS\r\nASN Description Country\r\n6713 Itissalat Al-MAGHRIB Morocco\r\n37705 Topnet Tunisia\r\n36947 Telecom Algeria Algeria\r\n3215 Orange France\r\n36925 Orange Maroc Morocco\r\n8220 COLT Technology Services Group Limited France\r\n5410 Bouygues Telecom SA France\r\n2609 Tunisia BackBone AS Tunisia\r\n15557 SFR SA France\r\n29571 Orange Cote D’ivoire Cote D’ivoire\r\n5384 Emirates Telecommunications Corporation UAE\r\nTable 16\r\nSuspected infections for operator ATLAS.\r\nInteresting Domains Why Interesting\r\nrevolution-news[.]co May indicate political themes in targeting.\r\nTable 17\r\nInteresting domains for operator ATLAS.\r\nOperator GRANDLACS\r\nASN Description Country\r\n20294 MTN- Uganda\r\n29975 VODACOM- South Africa\r\n2905 TICSA-ASN South Africa\r\n5713 SAIX-NET South Africa\r\n37061 Safaricom Kenya\r\n36890 MTNRW-ASN Rwanda\r\n37228 Olleh-Rwanda-Networks Rwanda\r\n37027 SIMBANET-AS Kenya\r\nTable 18\r\nSuspected infections for operator GRANDLACS.\r\nInteresting Domains Why 
Interesting\r\npoliticalpress[.]org May indicate political themes in targeting.\r\nTable 19\r\nInteresting domains for operator GRANDLACS.\r\nOperator MULUNGUSHI\r\nASN Description Country\r\n36962 MTN Zambia Zambia\r\n3741 IS South Africa\r\nTable 20\r\nSuspected infections for operator MULUNGUSHI.\r\nOperator FALCON\r\nASN Description Country\r\n5384 Emirates Telecommunications Corporation UAE\r\n15802 Emirates Integrated Telecommunications Company PJSC (EITC-DU) UAE\r\nTable 21\r\nSuspected infections for operator FALCON.\r\nDomain Name Why Interesting\r\nnomorewarnow[.]com\r\nMay indicate anti-war themes in the targeting; UAE is currently\r\nengaged in military operations in Yemen.\r\nTable 22\r\nInteresting domains for operator FALCON.\r\nOperator BABYFALCON\r\nASN Description Country\r\n5384 Emirates Telecommunications Corporation UAE\r\n15802 Emirates Integrated Telecommunications Company PJSC (EITC-DU) UAE\r\nTable 23\r\nSuspected infections for operator BABYFALCON.\r\nOperator MAYBEFALCON\r\nASN Description Country\r\n5384 Emirates Telecommunications Corporation UAE\r\nTable 24\r\nSuspected infections for operator MAYBEFALCON.\r\nOperator PEARL\r\nASN Description Country\r\n51375 VIVA Bahrain BSC Closed Bahrain\r\n5416 Bahrain Telecommunications Company (BATELCO) B.S.C. Bahrain\r\n39015 Mena Broadband Services WLL Bahrain\r\n8781 Ooredoo Q.S.C. 
Qatar\r\nTable 25\r\nSuspected infections for operator PEARL.\r\nDomain Name Why Interesting\r\n14-tracking[.]com\r\nMay be a reference to the 2011 Bahrain protests, which started on Feb 14.\r\nThe February 14 Youth Coalition is an ongoing presence in anti-government\r\ndemonstrations.\r\nshia-voice[.]com\r\nMay indicate targeting of the Shia community, a community targeted for\r\npolitical persecution by the Bahraini Government.\r\nTable 26\r\nInteresting domains for operator PEARL.\r\nOperator KINGDOM\r\nASN Description Country\r\n8781 Ooredoo Q.S.C. Qatar\r\n43766 MTC KSA Saudi Arabia\r\n25019 Saudi Telecom Company JSC Saudi Arabia\r\n35819 Bayanat Al-Oula For Network Services Saudi Arabia\r\n48832 Linkdotnet-Jordan Jordan\r\n8376 Jordan Data Communications Company LLC Jordan\r\n24863 LINKdotNET Egypt\r\n8452 TE-AS Egypt\r\n24835 RAYA Telecom – Egypt Egypt\r\n9051 IncoNet Data Management sal Lebanon\r\n42003 Libantelecom Lebanon\r\n6713 Itissalat Al-MAGHRIB Morocco\r\n2856 British Telecommunications PLC UK\r\n5769 Videotron Telecom Ltee Canada (Quebec)\r\n376 Reseau d’informations scientifiques du Quebec (RISQ) Canada (Quebec)\r\n9121 Turk Telekom Turkey\r\n203217 Horizon Scope Mobile Telecom WLL Iraq\r\n50597 ScopeSky Communication and Internet Ltd. Iraq\r\n3215 Orange France\r\n5416 Bahrain Telecommunications Company (BATELCO) B.S.C. Bahrain\r\n51375 VIVA Bahrain BSC Closed Bahrain\r\nTable 27\r\nSuspected infections for operator KINGDOM.\r\nInteresting Domains Why Interesting\r\nsocial-life[.]info\r\nAmnesty observed this targeted at a Saudi activist abroad. 
Another target\r\npossibly in Qatar; the Qatar link went viral on WhatsApp and Twitter.\r\nakhbar-arabia[.]com\r\nTargeted at an Amnesty Researcher.\r\nTable 28\r\nInteresting domains for operator KINGDOM.\r\nOperator MIDDLE\r\nASN Description Country\r\n42003 Libantelecom Lebanon\r\n8781 Ooredoo Q.S.C. Qatar\r\n8529 Oman Telecommunications Company (S.A.O.G) Oman\r\n50010 Omani Qatari Telecommunications Company SAOC Oman\r\n5384 Emirates Telecommunications Corporation UAE\r\n9121 Turk Telekom Turkey\r\n12670 Completel France\r\n48832 Linkdotnet-Jordan Jordan\r\n2609 Tunisia BackBone AS Tunisia\r\nTable 29\r\nSuspected infections for operator MIDDLE.\r\nOperator DOME\r\nASN Description Country\r\n9121 Turk Telekom Turkey\r\n1680 013 NetVision Ltd Israel\r\n8551 Bezeq International Israel\r\n12849 Hot-Net internet services Ltd. Israel\r\n15975 Hadara Palestine\r\n12975 Palestine Telecommunications Company (PALTEL) Palestine\r\n51407 Mada ALArab LTD Palestine\r\n8781 Ooredoo Q.S.C. Qatar\r\n8737 KPN B.V. Netherlands\r\n7922 Comcast Cable Communications, LLC USA (Southeast/Florida)\r\nTable 30\r\nSuspected infections for operator DOME.\r\nOperator OLIVE-1\r\nASN Description Country\r\n1680 013 NetVision Ltd Israel\r\nTable 31\r\nSuspected infections for operator OLIVE-1.\r\nOperator OLIVE-2\r\nASN Description Country\r\n16116 Pelephone Communications Ltd. Israel\r\n1680 013 NetVision Ltd Israel\r\n9116 012 Smile Communications LTD. Israel\r\nTable 32\r\nSuspected infections for operator OLIVE-2.\r\nOperator OLIVE-3\r\nASN Description Country\r\n16116 Pelephone Communications Ltd. Israel\r\n9116 012 Smile Communications LTD. 
Israel\r\nTable 33\r\nSuspected infections for operator OLIVE-3.\r\nOperator OLIVE-4\r\nASN Description Country\r\n16116 Pelephone Communications Ltd. Israel\r\n8551 Bezeq International Israel\r\nTable 34\r\nSuspected infections for operator OLIVE-4.\r\nOperator BLACKBIRD\r\nASN Description Country\r\n8781 Ooredoo Q.S.C. Qatar\r\n5089 Virgin Media Limited UK\r\n5607 Sky UK Limited UK\r\n6799 OTEnet S.A. Greece\r\n15802 Emirates Integrated Telecommunications Company PJSC (EITC-DU) UAE\r\n5384 Emirates Telecommunications Corporation UAE\r\n30873 Public Telecommunication Corporation Yemen\r\n9038 Batelco Jordan Jordan\r\n21003 GPTC Autonomous System, Tripoli Libya Libya\r\n21050 Fast Telecommunications Company W.L.L. Kuwait\r\n56478 Hyperoptic Ltd UK\r\n3225 Gulfnet Kuwait Kuwait\r\n20001 Time Warner Cable Internet LLC USA (Southern California)\r\nTable 35\r\nSuspected infections for operator BLACKBIRD.\r\nOperator CHANG\r\nASN Description Country\r\n131090 CAT TELECOM Public Company Ltd,CAT Thailand\r\n7470 TRUE INTERNET Co.,Ltd. Thailand\r\n9931 The Communication Authority of Thailand, CAT Thailand\r\nTable 36\r\nSuspected infections for operator CHANG.\r\nOperator GANGES\r\nASN Description Country\r\n9498 BHARTI Airtel Ltd. India\r\n24560 Bharti Airtel Ltd., Telemedia Services India\r\n18209 Atria Convergence Technologies pvt ltd India\r\n17813 Mahanagar Telephone Nigam Limited India\r\n9829 National Internet Backbone India\r\n17488 Hathway IP Over Cable Internet India\r\n38571 Star Broadband Services India\r\n7738 Telemar Norte Leste S.A. Brazil\r\n45595 Pakistan Telecom Company Limited Pakistan\r\n45609 Bharti Airtel Ltd. 
AS for GPRS Service India\r\n4657 StarHub Internet Exchange Singapore\r\n45588 Bangladesh Telecommunications Company Limited (BTCL), Nationwide Bangladesh\r\nTable 37\r\nSuspected infections for operator GANGES.\r\nInteresting Domain Why Interesting\r\nsignpetition[.]co May indicate political themes in the targeting.\r\nTable 38\r\nInteresting domains for operator GANGES.\r\nOperator MERLION\r\nASN Description Country\r\n4773 MobileOne Ltd. Mobile/Internet Service Provider Singapore Singapore\r\n9506 Singtel Fibre Broadband Singapore\r\n10091 StarHub Cable Vision Ltd Singapore\r\nTable 39\r\nSuspected infections for operator MERLION.\r\nOperator SYRDARYA\r\nASN Description Country\r\n8193 Uzbektelekom Joint Stock Company Uzbekistan\r\n34250 Uzbektelecom Joint-Stock Company Uzbekistan\r\n41750 Mega-Line Ltd. Kyrgyzstan\r\n8449 ElCat Ltd. Kyrgyzstan\r\n41329 SkyMobile LTD Kyrgyzstan\r\n29061 Saimanet Telecomunications Kyrgyzstan\r\n47139 Cjsc Indigo Tajikistan Tajikistan\r\n206026 Kar-Tel LLC Kazakhstan\r\n9121 Turk Telekom Turkey\r\n24722 LLC Babilon-T Tajikistan\r\n59668 PE Turon Media Uzbekistan\r\n12735 TurkNet Iletisim Hizmetleri A.S Turkey\r\n9198 JSC Kazakhtelecom Kazakhstan\r\n34718 LLC texnoprosistem Uzbekistan\r\n47452 Super iMAX Uzbekistan\r\n12365 Sarkor-Telecom Uzbekistan\r\n31203 Sharq Telekom CJSC Uzbekistan\r\n50025 Net Television Ltd Uzbekistan\r\nTable 40\r\nSuspected infections for operator SYRDARYA.\r\nOperator TULPAR\r\nASN Description Country\r\n29555 Mobile Telecom-Service LLP Kazakhstan\r\n9198 JSC Kazakhtelecom Kazakhstan\r\nTable 41\r\nSuspected infections for operator TULPAR.\r\nSource: 
https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/"
	],
	"report_names": [
		"hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries"
	],
	"threat_actors": [
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77aedfa3-e52b-4168-8269-55ccec0946f7",
			"created_at": "2023-01-06T13:46:38.453791Z",
			"updated_at": "2026-04-10T02:00:02.981559Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038"
			],
			"source_name": "MISPGALAXY:Stealth Falcon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd084d2f-4233-49b1-b0e6-c7011178dae0",
			"created_at": "2022-10-25T15:50:23.544316Z",
			"updated_at": "2026-04-10T02:00:05.325921Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"Stealth Falcon"
			],
			"source_name": "MITRE:Stealth Falcon",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434956,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b8fdcdd4c5c00334defb53102ff8ce9b0a0a2f2.pdf",
		"text": "https://archive.orkl.eu/5b8fdcdd4c5c00334defb53102ff8ce9b0a0a2f2.txt",
		"img": "https://archive.orkl.eu/5b8fdcdd4c5c00334defb53102ff8ce9b0a0a2f2.jpg"
	}
}