{
	"id": "819baa54-8e19-4b09-a3b3-88dd593caeac",
	"created_at": "2026-04-06T00:07:57.505682Z",
	"updated_at": "2026-04-10T03:21:57.042152Z",
	"deleted_at": null,
	"sha1_hash": "70cb466d393ae7e117f8bad1b13845866718e230",
	"title": "Threat advisory: Mobile spyware continues to evolve",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 587148,
	"plain_text": "Threat advisory: Mobile spyware continues to evolve\r\nBy Jamf Threat Labs\r\nArchived: 2026-04-05 14:09:02 UTC\r\nIntroduction\r\nJamf Threat Labs has been studying the ongoing use of sophisticated spyware, including indicators previously\r\nattributed to NSO Group’s Pegasus, to target iPhones used by high-risk individuals. Over a period of six months,\r\nJamf Threat Labs investigated multiple mobile devices belonging to different individuals and organizations that\r\nshowed unique indicators of compromise (IOCs) and evidence of active spyware campaigns.\r\nThis advisory is intended to highlight the active use of spyware against workers in a variety of regions and to\r\nshare research with the security community that can help with the ongoing monitoring of these exploits.\r\nTo protect the organizations and individuals that have been targeted, we have anonymized certain details, but that\r\ndoes not change the findings; all other findings remain intact for analysis.\r\nResearch led by Nir Avraham.\r\nWhat we know\r\nTargeted spyware has been identified in attacks around the globe\r\nUsers in multiple regions have been impacted by spyware over the past six months\r\nThe instances have each involved individuals at high risk of targeted attacks\r\nEach attack scenario has yielded unique indicators of compromise\r\nhttps://www.jamf.com/blog/threat-advisory-mobile-spyware-continues-to-evolve/\r\nPage 1 of 5\n\nVariations in the compromised hardware and software indicate that new exploits continue to be\r\ndiscovered as security patches are issued, expanding the population of vulnerable devices\r\nApple is actively monitoring devices for compromise\r\nApple notified one of the compromised users working with Jamf Threat Labs and confirmed\r\nunusual activity on the device\r\nNot all users impacted by spyware have been contacted by Apple, illustrating the challenges with\r\nmaintaining a comprehensive list of IOCs and with extracting relevant data 
remotely\r\nHigh-risk individuals and organizations do not consistently execute full investigations as a result of threat\r\nindicators or user-reported issues\r\nSome organizations pursue complete investigations in response to threat indicators to confirm\r\nattacks\r\nSome organizations decide to wipe devices upon seeing initial IOCs without performing a full\r\nanalysis on the device\r\nInconsistent investigations and data collection hinder timely and comprehensive research on\r\nemerging attacks\r\nVerifying a mobile spyware infection\r\nThe first device we will examine is an iPhone 12 Pro Max that was used as the daily communications tool by a\r\nhuman rights activist based in the Middle East. We will subsequently refer to this as the Middle East iPhone.\r\nA known IOC\r\nAnalysis from Jamf Threat Labs revealed traces of the “libtouchregd” process. According to Amnesty\r\nInternational, this process name is an IOC associated with the Pegasus spyware.\r\nWhile another threat actor purposefully reusing the same process name for misattribution can never be entirely\r\nruled out, it is unlikely in the case of the Middle East iPhone for the following reasons:\r\nAnother threat actor would be unlikely to reuse the same process name, since doing so risks unwanted discovery\r\nof the attack and the loss of the exploit chain used in it.\r\nJamf Threat Labs has determined that the attack on the device from the Middle East happened three months\r\nbefore the publication of Amnesty International’s IOCs. 
Therefore, the chances of a third party mimicking\r\nthe process identified in the Amnesty report prior to publication are reduced significantly.\r\nTaken together, our analysis strongly suggests that the same threat actor that was described by the Amnesty\r\nInternational blog is behind the attack on the Middle East iPhone.\r\nIndicator of possible exploitation via crash log analysis\r\nThe Middle East iPhone also yielded additional indicators of compromise via subsequent analysis of the\r\ncom.apple.CrashReporter.plist file.\r\nThe com.apple.CrashReporter.plist file is located within a root folder on iOS\r\n(/private/var/root/Library/Preferences/). This plist serves as a configuration file for the system daemon\r\nReportCrash.\r\nUnder normal operating conditions, applications are not granted permission to access or modify this file.\r\nAlteration of this file could potentially impede the reporting of crash report logs to Apple. Additionally, the\r\nexistence of the file is rare for normal users.\r\nIn the rare cases where this file exists legitimately, it keeps state for urgentSubmission crash reports and has\r\ncontents similar to the following example (figure not reproduced in this text extraction). This example\r\nillustrates that there have been 5 crash logs classified as urgentSubmission, with the last submitted on\r\nThursday, March 9, 2023 (19425 days since Jan 1 1970).\r\nThe system daemon ReportCrash defines urgentSubmission. On beta versions of iOS all crash logs are considered\r\nurgentSubmission. Otherwise, ReportCrash reserves its usage for the reporting of rare and critical events (see\r\nbelow).\r\nAnalysis of the ReportCrash daemon on iOS 16.2 leads us to believe that only crash logs that meet a strict set of\r\ncriteria will be classified as urgentSubmission. 
These conditions include:\r\nSpecial types of reports, such as probGuard and quarantine.\r\nUndefined behavior detected by UBSan (UndefinedBehaviorSanitizer), the LLVM runtime checker for undefined\r\nbehavior.\r\nA specific snapshot error code, as the snapshot mechanism is utilized to maintain the integrity of the file\r\nsystem.\r\nVarious overflow alerts from the libsystem_c library.\r\nUltimately, Jamf Threat Labs treats the existence of these urgent submission reports as an indicator of possible\r\nexploitation requiring follow-on device analysis.\r\nOfficial notification\r\nIn late 2022, the targeted user of the Middle East iPhone received a threat notification from Apple, notifying them\r\nof a potential attack and recommending that the device be updated to iOS 16.2. Following the update, the user\r\nengaged with security researchers to better understand the attack timeline and details.\r\nUpon investigation, the Middle East iPhone proved to be a treasure trove for our analysis given the compounded\r\nset of compromise indicators and the clear association with Pegasus. These findings have allowed Jamf Threat\r\nLabs to build a more robust profile on a device with “proven” compromise status.\r\nAnalyzing spyware targeting older iPhones\r\nThe second device we will showcase is an iPhone used by a journalist in Europe working for a global news\r\nagency. We will subsequently refer to this as the Europe iPhone. It is noteworthy that this device was an iPhone\r\n6s, a device that is no longer supported by the latest iOS version.\r\nNew IOC discovery via filesystem analysis\r\nLike the Middle East iPhone, the Europe iPhone showed evidence of critical system crashes as indicated by the\r\nexistence of a com.apple.CrashReporter.plist file discussed in detail above.\r\nEven more suspiciously, the Europe iPhone included files found at an atypical location within iPhone’s strict\r\nfilesystem. 
Furthermore, at least one file at this location is clearly masquerading as a built-in binary:\r\n/private/var/containers/appconduitd_helper. Based on this path and filename, we have strong reason to believe this\r\nmay be a new indicator that can be used to assess if a device has been targeted by this threat actor. We have also\r\nnotified Apple of this potential new indicator.\r\nWhile we have seen similar activities across other targeted devices, we cannot conclusively determine that the\r\nEurope iPhone was compromised by a specific threat actor. Based on previous infections by a threat actor that\r\nshares striking similarities, we estimate that the Europe iPhone was targeted using a commercial tool.\r\niPhone 6s and Unsupported Devices\r\nThe continued targeting of older devices, such as the iPhone 6s, serves as a reminder that malicious threat actors\r\nwill exploit any vulnerabilities in an organization's infrastructure, attacking wherever possible.\r\nApple occasionally releases updates to prior iOS versions to back-port critical security fixes to older devices. iOS\r\n15.7.5 was released on April 10, 2023, which is the latest iOS version available for iPhone 6s at the time this blog\r\nwas published. It is important to note that not all vulnerabilities are addressed on prior iOS versions for legacy\r\ndevices, and newer security mitigations may not be back-ported either. Additionally, these security patches often\r\ntrail updates issued for current OS versions (iOS 15.7.5 contained security fixes that Apple patched three days\r\nearlier in iOS 16.4.1). 
As a result, threat actors can continue to exploit, on legacy devices, vulnerabilities that have already been\r\npatched on newer supported devices, potentially giving attackers more time and more information to gain remote\r\naccess to targeted devices.\r\nAs a general best practice, we strongly recommend upgrading outdated devices to newer iPhone or iPad models\r\nthat are running the latest available updates and operating system versions.\r\nRecommended actions\r\nModern spyware is very advanced and, as evidenced by the continued evolution of commercial spyware,\r\ncontinues to leverage zero-day vulnerabilities in both old and new devices to ensure any user can be effectively\r\ntargeted.\r\nThough attacks using commercial spyware are expensive to operate, any individual or organization with\r\nmobile devices that are used to access sensitive data should take action to implement a layered set of defenses to\r\ninsulate from attack.\r\nJamf Threat Labs recommends that organizations:\r\nEnsure all devices are running the most current operating system and have all available security patches\r\napplied.\r\nKeep all applications, both business oriented and personal, up-to-date and fully patched; mobile application\r\nvulnerabilities are easily exploited and frequently overlooked by security teams.\r\nRun security software to monitor for suspicious activity and report alongside all other endpoint monitoring\r\ndashboards, ensuring that mobile devices are treated with the same attention and urgency as desktops,\r\nlaptops and servers.\r\nMonitor communications for suspicious downloads, command \u0026 control indicators and data exfiltration;\r\nutilize automated policy controls to block known bad activity before it can cause further damage.\r\nEducate high-risk users about the symptoms of spyware, which can include performance issues and\r\nfrequent crashes. 
Encourage them to reach out to their security team if they observe any of these issues to\r\nmaximize the extraction of IOCs from their device.\r\nEncourage high-risk users to use Lockdown Mode, which is designed to protect devices against extremely\r\nrare and highly sophisticated cyber attacks.\r\nImplement a security monitoring process that includes mobile telemetry analysis and stay up-to-date on\r\nknown IOCs related to mobile spyware.\r\nSource: https://www.jamf.com/blog/threat-advisory-mobile-spyware-continues-to-evolve/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.jamf.com/blog/threat-advisory-mobile-spyware-continues-to-evolve/"
	],
	"report_names": [
		"threat-advisory-mobile-spyware-continues-to-evolve"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434077,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70cb466d393ae7e117f8bad1b13845866718e230.pdf",
		"text": "https://archive.orkl.eu/70cb466d393ae7e117f8bad1b13845866718e230.txt",
		"img": "https://archive.orkl.eu/70cb466d393ae7e117f8bad1b13845866718e230.jpg"
	}
}