{
	"id": "179dbb84-2ebf-4084-8bf9-d448275c580d",
	"created_at": "2026-04-06T00:15:26.202937Z",
	"updated_at": "2026-04-10T03:21:18.319693Z",
	"deleted_at": null,
	"sha1_hash": "ada41f42faf5da93a7ec481c536cfd6668e6b0b0",
	"title": "Triple Threat: NSO Group’s Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 403512,
	"plain_text": "Triple Threat: NSO Group’s Pegasus Spyware Returns in 2022\r\nwith a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains - The\r\nCitizen Lab\r\nArchived: 2026-04-05 16:42:53 UTC\r\nKey Findings\r\nIn 2022, the Citizen Lab gained extensive forensic visibility into new NSO Group exploit activity after\r\nfinding infections among members of Mexico’s civil society, including two human rights defenders from\r\nCentro PRODH, which represents victims of military abuses in Mexico.\r\nOur ensuing investigation led us to conclude that, in 2022, NSO Group customers widely deployed at least\r\nthree iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world.\r\nNSO Group’s third and final known 2022 iOS zero-click, which we call “PWNYOURHOME,” was\r\ndeployed against iOS 15 and iOS 16 starting in October 2022. It appears to be a novel two-step zero-click\r\nexploit, with each step targeting a different process on the iPhone. The first step targets HomeKit, and the\r\nsecond step targets iMessage.\r\nNSO Group’s second 2022 zero-click (“FINDMYPWN”) was deployed against iOS 15 beginning in June\r\n2022. It also appears to be a two-step exploit; the first step targets the iPhone’s Find My feature, and the\r\nsecond step targets iMessage.\r\nWe shared forensic artifacts with Apple in October 2022, and additional forensic artifacts regarding\r\nPWNYOURHOME in January 2023, leading Apple to release several security improvements to HomeKit\r\nin iOS 16.3.1\r\nOnce we had identified FINDMYPWN and PWNYOURHOME, we discovered traces of NSO Group’s\r\nfirst 2022 zero-click (“LATENTIMAGE”) on a single target’s phone. This exploit may also have involved\r\nthe iPhone’s Find My feature, but is a different exploit chain than FINDMYPWN.\r\nFor a brief period, targets that had enabled iOS 16’s Lockdown Mode feature received real-time warnings\r\nwhen PWNYOURHOME exploitation was attempted against their devices. Although NSO Group may\r\nhave later devised a workaround for this real-time warning, we have not seen PWNYOURHOME\r\nsuccessfully used against any devices on which Lockdown Mode is enabled.\r\n1. Targeting in Mexico\r\nThe Citizen Lab first gained forensic visibility into NSO Group’s 2022 zero-click exploits in October 2022 in the\r\ncourse of a joint investigation with Mexican NGO Red en Defensa de los Derechos Digitales (R3D). After\r\nexamining several devices belonging to members of Mexican civil society, we discovered FINDMYPWN, which\r\nhelped us subsequently discover PWNYOURHOME and LATENTIMAGE within a broader target population\r\n(including outside Mexico). Two Mexican civil society targets consented to be named in this report.\r\nExtrajudicial Killings and Forced Disappearances\r\nhttps://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/\r\nPage 1 of 10\n\nMexico’s government and military have a long history of grave human rights abuses, extrajudicial killings, and\r\ndisappearances. From the 1960s through the 1980s, Mexico experienced the so-called “Dirty War” (“Guerra\r\nSucia”), a conflict between the government ruled by the Institutional Revolutionary Party (PRI), guerrilla groups,\r\nand left-wing student movements. Between 1968 and 1982, an estimated 1,200 individuals were disappeared.\r\nIn 2022, the United Nations Committee on Enforced Disappearances and the Working Group on Enforced and\r\nVoluntary Disappearances noted that there were now more than 100,000 officially registered disappearances in\r\nMexico.\r\nOne widely publicized case of disappearances relevant to this case of spyware infection occurred in September\r\n2015 when a group of 43 students at a teacher training college were forcibly disappeared after traveling to Iguala\r\nto protest teacher hiring practices. Their subsequent disappearance is referred to as the “Iguala mass kidnapping,”\r\nor simply the “Ayotzinapa case.” In 2017, we reported that three members of the Mexican legal aid and human\r\nrights organization, Centro PRODH, were targeted with Pegasus spyware, along with investigators involved in the\r\nAyotzinapa case. At the time of targeting, which was in 2016, Centro PRODH was representing families of the\r\ndisappeared students.\r\n2022 Targets: Human Rights Defenders\r\nOur research collaboration with R3D led to the identification of two human rights defenders working at Centro\r\nPRODH whose devices were infected with Pegasus spyware. Both targets consented to participate in a research\r\nstudy with the Citizen Lab and to be named in this report. The timing of the infections on their devices\r\ncorresponds to events of importance to the activities of Centro PRODH, and suggests that the Pegasus operator\r\nmay have been seeking to penetrate and perhaps blunt the impact of Centro PRODH’s work relating to human\r\nrights violations committed by the Mexican Army.\r\nOne infected device belongs to Jorge Santiago Aguirre Espinosa, the Director of Centro PRODH. Mr. Aguirre was\r\npreviously identified as one of the Centro PRODH Pegasus targets by Citizen Lab in 2017, which found evidence\r\nof Pegasus infection attempts via text message on his device that he had been sent in 2016. In 2022, he was\r\nhttps://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/\r\nPage 2 of 10\n\ninfected at least twice via the FINDMYPWN exploit.  The spyware was active on his device on June 22, 2022\r\nand July 13, 2022.\r\nOn June 22, 2022, the same date as the first infection of Mr. Aguirre’s phone, Mexico’s truth commission\r\ninvestigating the Dirty War launched its activities in a ceremony at a Mexican military camp where many of the\r\nabuses had taken place. Victims of human rights violations participated in the ceremony, including Alicia de los\r\nRíos, who is represented by Centro PRODH. She is currently appealing to national and international bodies to\r\nseek justice for the disappearance of her mother at the hands of the Mexican army.\r\nA second Centro PRODH staffer was infected the day after the ceremony. María Luisa Aguilar Rodríguez,\r\nInternational Coordinator at Centro PRODH, was infected on June 23, 2022. Her work includes representing\r\nvictims of human rights violations perpetrated by the Mexican army, including the Ayotzinapa case. She was\r\nsubsequently infected twice more via the FINDMYPWN exploit.  The spyware was active on her device on\r\nSeptember 24, 2022 and September 29, 2022.\r\nThe September 2022 Pegasus attacks coincided with several events in the Ayotzinapa case, in which Centro\r\nPRODH represents the families of the disappeared. This includes the publication of a report by an international\r\ngroup of experts that questioned the authenticity of evidence published by the government, denounced the\r\nMexican Army for refusing to surrender key documents for the case, and called out governmental interference in\r\nthe investigation.\r\nThe attacks also coincide with the cancellation of several arrest warrants against military personnel involved in the\r\nAyotzinapa case after pushback from the Mexican Army, and the resignation of the Special Prosecutor for the case\r\nwho denounced interference by Mexico’s General Prosecutor in his investigation.\r\n2. NSO Group Zero-Clicks Released in 2022\r\nIn 2022, while examining cases of suspected infections in Mexico, including the two cases named in this report,\r\nwe found matches with four Pegasus indicators that we had seen in previous infections between August and\r\nDecember 2021 using both FORCEDENTRY and one-click attacks. Further analysis yielded additional indicators,\r\nwhich were then applied to analyze additional devices in the global pool of 2022 Pegasus victims to uncover more\r\ndetails about NSO Group’s 2022 exploits.\r\nThese indicator overlaps allow us to attribute the 2022 zero-click chains to NSO Group’s Pegasus spyware with\r\nhigh confidence. Overall, we believe NSO Group deployed at least three zero-click chains in 2022 (Figure 2),\r\nexploiting a variety of apps and features on the iPhone. We have observed cases of some of the chains deployed as\r\nzero-days against iOS versions 15.5 and 15.6 (FINDMYPWN), and 16.0.3 (PWNYOURHOME).\r\nhttps://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/\r\nPage 3 of 10\n\nTo protect our continued ability to identify Pegasus infections, we are not releasing further details about these\r\nPegasus indicators at this time as we continue to observe what we interpret to be concerted efforts by NSO Group\r\nto evade detection by the methods deployed by researchers. For example, in contrast to previous versions of\r\nPegasus, the versions deployed in 2022 appear to more thoroughly remove data from various iPhone log files, in\r\nan apparent attempt to thwart researchers from understanding the nature of the vulnerabilities exploited to\r\ncompromise phones, and to evade detection.\r\nWe shared our observations of these exploit chains with Apple in October 2022 and in January 2023.  Targets we\r\nfound in the 2022 target pool reported receiving notifications from Apple in November and December 2022, and\r\nMarch 2023.\r\nIn the next sections, we review the three exploit chains in reverse chronological order.\r\n3. PWNYOURHOME: An iOS 15 and iOS 16 Zero-Click Exploit\r\nThe PWNYOURHOME exploit appears to be a novel two-phase zero-click exploit, with each of the two phases\r\ntargeting a different process on the phone. The first phase of the exploit involves the HomeKit functionality built\r\ninto iPhones (via the homed process), and the second phase of the exploit involves iMessage (via the\r\nMessagesBlastDoorService process). PWNYOURHOME appears to succeed against a target even if the target has\r\nnever configured a “Home” inside HomeKit. However, in some cases, the email address of the\r\nPWNYOURHOME attacker is logged and Pegasus fails to delete this email from the HomeKit database.\r\nWe obtained logs from multiple devices compromised with PWNYOURHOME. In one case, the attacker’s email\r\naddress ([REDACTED]@gmail.com) was logged. The phone logs showed that the [REDACTED]@gmail.com\r\nemail address was added to HomeKit approximately eight minutes before the Pegasus spyware was recorded\r\nrunning on the phone, and an iMessage attachment was deleted.\r\nPhase One: HomeKit Daemon Crashes\r\nLogs from another PWNYOURHOME-exploited device from the 2022 global target pool examined in the course\r\nof this investigation showed the homed process decoding what appears to be an unusual NSKeyedUnArchiver\r\nwhen it crashed. Logs showed that the NSKeyedUnArchiver decoding had been kicked off by the following\r\nfunction:\r\nhttps://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/\r\nPage 4 of 10\n\n-[HMDHomeManager _handleHomeDataSync:] (in HomeKitDaemonLegacy)\r\nThe NSKeyedUnArchiver decoder invoked the decoder for NSDictionary, which in turn invoked the decoder for an\r\nimplausible class not normally used within HomeKit. Issues with NSKeyedUnArchiver deserialization have been\r\nused in past iOS zero-click exploits targeting iMessage, so we redact the specific class to avoid assisting attackers.\r\nWe disclosed this issue to Apple, who made several changes to HomeKit in iOS 16.3.1, including adding a new\r\nmethod, -[HMDHomeManager _shouldDecodeMessage:error:], which declines to decode certain HomeKit\r\nmessages unless they arrive from a plausible source. This check guards the HomeKit code path we saw exploited.\r\nPhase Two: BlastDoor Crashes\r\nLogs from yet another PWNYOURHOME-exploited device from the 2022 target pool show that, following the\r\nhomed phase of PWNYOURHOME, the phone downloaded PNG images from iMessage. Processing these images\r\ncaused crashes in the MessagesBlastDoorService process. These crashes give us glimpses of what the exploit was\r\ndoing at various stages, and suggest that the exploit may have circumvented pointer authentication codes (PAC) in\r\nsome cases by repurposing PAC-valid pointers already present in memory, such as signed pointers to callback\r\nfunctions present in constant structs.\r\nThis is a well-known technique to circumvent PAC, and a mitigation exists in the form of contexts, which include\r\nan additional salt value in the PAC to thwart repurposing of signed pointers. However, in practice, the context is\r\noften set to zero, as it may be nontrivial for the compiler to automatically retrofit existing legacy code with a\r\nsuitable context.\r\nWhen MessagesBlastDoorService crashed, it appeared to be processing (via ImageIO) Apple MakerNote metadata\r\nincluded in a PNG image file. We have reconstructed a vignette of the exploit’s activity that seems to illustrate\r\nsome gadgets it employs, though we have not yet fully identified the vulnerabilities exploited.\r\nA CFTree‘s CopyDescription Method is Called\r\nWhile deallocating various data structures as part of the _CGImageMetadataFinalize function, a series of events\r\ntranspired, causing the CFCopyDescription method to be called on a CFTree object. Somehow, the attackers had\r\nset this CFTree‘s copyDescription callback function to be an unrelated function, “func1” (a name we assigned to\r\nthe function in lieu of its real name, in order to avoid assisting attackers), in another framework within the iOS\r\nshared cache.\r\nThe copyDescription callback is invoked using the blraaz instruction, which validates the pointer’s PAC using a\r\nzero context. Because a pointer to func1 exists in a constant struct within the shared cache, a PAC-valid pointer\r\nwith zero context is automatically generated at a known offset in the shared cache after relocation, when the\r\nlibrary is loaded.\r\nA Gadget is Invoked\r\nThe func1 function calls another function, “func2” (also a name we assigned in order to avoid assisting attackers),\r\nin a loop that appears intended to execute five times, followed by a sixth, final call.\r\nhttps://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/\r\nPage 5 of 10\n\nThe func2 function can be thought of as an “execute function with first argument” gadget. Within the func2\r\nfunction, there are two possible locations where branches can be made (via blraaz). The first location sets the first\r\nfunction argument (register x0) to a value read from memory, and the second argument (register x1) to a fixed\r\nconstant of 0xE7. The second call sets the first argument in the same way, but does not set register x1. The first\r\ncall (and clobbering of x1) can be avoided if the pointer to the first function is null. The second call can be\r\navoided if the first function returns an integer not equal to one.\r\nBecause the attacker (presumably) controls the data in the CFTree, and because the CFTree‘s copyDescription\r\ncallback gets a pointer to the CFTree‘s root node, the attacker can craft the contents of the node to line up a series\r\nof additional gadgets (and first arguments) to be executed, provided that PAC-valid (with context of zero) pointers\r\nto these gadgets are available.\r\nThe exploit could execute arbitrarily many gadgets by recursively invoking func1, though we cannot say for sure\r\nif the exploit does this or not. The loop will be broken if func2 takes the second call and the second call returns a\r\nvalue greater than 3.\r\nAnother function, func3, whose signed pointer is present in the same struct as the signed pointer to func1, appears\r\nto be a loop around an “execute function with first two arguments” gadget.\r\nA Possible Memory Copy Gadget\r\nWe were not able to identify the full library of gadgets used by this exploit, but we did notice that a particular\r\nmemory copy gadget caused a segfault in the crash we observed.  This memory copy gadget, which takes two\r\narguments, dereferences the first argument, and stores a 64-bit value comprising the bottom 32-bits of the value\r\nread (setting the top 32-bits to zero) at the location pointed to by the second argument.  Since the memory offsets\r\nfor the ldr and str instructions do not need to be doubleword aligned, with manipulation of x1 (via a separate\r\ngadget), this gadget could be chained together to copy chunks of memory of arbitrary size, with the caveat that a\r\nsingle zero word is copied to the end of the destination.\r\nhttps://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/\r\nPage 6 of 10\n\nThe crash showed that the first call within func2 had been made, thus supplying 0xE7 for the memory copy\r\ngadget’s second argument.  Because 0xE7 is not a valid memory address, the gadget caused\r\nMessagesBlastDoorService to crash.  We redact specific details of the memory copy gadget to avoid assisting\r\nattackers, but we note that a pointer to this memory copy gadget is located within a constant struct within a library\r\nin the shared cache, thus ensuring availability of a signed pointer to attackers who are able to read known offsets\r\nwithin the shared cache.\r\nWe are presently unsure how PWNYOURHOME escapes the BlastDoor sandbox. However, the exploit ultimately\r\nlaunches Pegasus via mediaserverd.\r\nLockdown Mode Highlights Attack\r\nApple’s Lockdown Mode feature makes signs of an attempted PWNYOURHOME attack visible to the phone’s\r\nuser by displaying notifications (Figure 4).  We have seen no recent notifications on Lockdown Mode, nor have\r\nwe seen any evidence of successful PWNYOURHOME compromise on Lockdown Mode.  Given that we have\r\nseen no indications that NSO has stopped deploying PWNYOURHOME, this suggests that NSO may have\r\nfigured out a way to correct the notification issue, such as by fingerprinting Lockdown Mode.\r\nAdditionally, we have not seen any cases of exploitation of iOS versions 16.1 and greater, suggesting that\r\nPWNYOURHOME may have been fixed or mitigated around this time.\r\n4. FINDMYPWN: An iOS 15 Zero-Day, Zero-Click Exploit\r\nWe also identified an earlier exploit, FINDMYPWN, deployed against iOS 15 as a zero-day, zero-click exploit.\r\nWe believe that, like PWNYOURHOME, FINDMYPWN is also a two-phase exploit.\r\nhttps://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/\r\nPage 7 of 10\n\nIn FINDMYPWN, exploitation appears to begin with the fmfd process exiting and relaunching. The fmfd process\r\nis associated with the iPhone’s built-in Find My functionality. We were unable to determine the reason for fmfd\r\nexiting and relaunching. In several cases we observed, FINDMYPWN apparently caused an item (which we\r\nsuspect is the unacceptedShares folder) to be written and then deleted inside a cache directory related to the Find\r\nMy app.\r\nAfter fmfd exits and relaunches, phone logs indicate that MessageBlastDoorService is launched or relaunched,\r\nindicating that the phone was likely processing items received via iMessage.\r\nWe did not obtain sufficient crash logs from FINDMYPWN victims to identify whether the\r\nMessagesBlastDoorService activity was related to the PWNYOURHOME crashes, though we suspect that it is, as\r\nFINDMYPWN launches the Pegasus spyware via mediaserverd, just like PWNYOURHOME.\r\n5. LATENTIMAGE: Traces of an Earlier Zero-Click Come to Light\r\nAfter we had characterized PWNYOURHOME and FINDMYPWN, we re-checked our forensic analysis for\r\nearlier cases, and found a case of a third, distinct iOS 15 zero-click exploit deployed in January 2022. We call the\r\nexploit LATENTIMAGE because it appears to leave very few traces on the device.\r\nThe LATENTIMAGE exploit could also involve the iPhone’s Find My feature, as fmfd exited and re-loaded\r\nduring exploitation, though we were unable to determine if it was the initial vector.\r\nIn contrast to FINDMYPWN and PWNYOURHOME, the LATENTIMAGE exploit launches the Pegasus\r\nspyware via springboard, indicating a different exploit chain.  We identified a single case of LATENTIMAGE\r\nused against a target on 17 January 2022, using iOS version 15.1.1, which was out-of-date at the time.\r\n6. Conclusion\r\nNSO Group’s Evolving Attack Techniques\r\nNSO Group’s Pegasus spyware remains a threat, and their attack techniques continue to evolve.\r\nPWNYOURHOME and FINDMYPWN are the first zero-click exploits we have observed that makes use of two\r\nseparate remote attack surfaces on the iPhone.\r\nThe use of multiple attack surfaces should encourage developers to think holistically about device security, and\r\ntreat the entire surface reachable through a single identifier as a single surface. For example, an attacker may be\r\nable to leak information or set up a framework in one process, and use that information or framework to attack a\r\nsecond process.\r\nAlso, it is clear that modern exploit mitigations like pointer authentication codes (PAC) significantly reduce\r\nattacker freedom to execute arbitrary code on a device, but as PWNYOURHOME demonstrates, real-world\r\nattackers can (and do) find practical ways around these mitigations, such as by repurposing signed pointers located\r\nat known offsets in the iOS shared cache.  Further work should focus on improvements to legacy code to add\r\nmeaningful context values to safeguard these pointers.\r\nhttps://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/\r\nPage 8 of 10\n\nAs we noted in this report, NSO Group’s escalating efforts to block researchers and obscure traces of infection,\r\nwhile still ultimately unsuccessful, underline the complex challenges of these sorts of investigations, including\r\nbalancing the publication of indicators while maintaining the ability to identify future infections.\r\nMexico: A Serial Spyware Abuser\r\nThe targeting of Mexican civil society with Pegasus spyware is but the latest in a long series of cases dating back\r\nto 2016 which we and our partners, and other investigative teams including Amnesty Tech and the Pegasus Project\r\ncollective, have uncovered in Mexico concerning the abuse of commercial spyware.\r\nA first wave of abuse disclosures (2016-2019) showed widespread targeting of many sectors of Mexican civil\r\nsociety, which all took place during the presidency of Enrique Peña Nieto. After a change of government, the new\r\nPresident Andrés Manuel López Obrador, whose intimate circle was among potential Pegasus targets, claimed that\r\nhis administration stopped using Pegasus. However, recent reporting, and our collaborative investigations, suggest\r\notherwise.\r\nIn March 2023, Mexican civil society groups published documents showing that the Mexican army used Pegasus\r\nto hack the device of Raymundo Ramos, a human rights defender investigating yet another massacre involving\r\nMexican army personnel. In October 2022, the Citizen Lab and R3D had reported that Ramos ‘ device was hacked\r\nwith Pegasus during the same time period in which those documents showed senior Mexican army officials\r\nreceiving a report summarizing Ramos ‘ private communications with investigative journalists.\r\nIt is particularly concerning that human rights defenders representing victims of human rights abuses, including\r\nfamilies of the Ayotzinapa students, had their phones hacked with Pegasus spyware. It is widely suspected that\r\nindividuals connected to the Mexican army were involved in those disappearances, and the subsequent cover-up\r\nthat followed.\r\nAlthough we are not conclusively identifying a particular Pegasus operator at this time, the targeting of human\r\nrights defenders representing victims of human rights violations in which the Mexican military is involved, in\r\naddition to reports and evidence of military involvement in previous recent Pegasus attacks, provides troubling\r\ncircumstantial evidence suggestive of governmental involvement in these latest cases.\r\nRecommendation: High-Risk Users, Give Lockdown Mode a Try\r\nIt is encouraging to see that Apple’s Lockdown Mode notified targets of in-the-wild attacks. While any one\r\nsecurity measure is unlikely to blunt all targeted spyware attacks, and security is a multi-faceted problem, we\r\nbelieve this case highlights the value of enabling this feature for high-risk users that may be targeted because of\r\nwho they are or what they do.\r\nWe highly encourage all at-risk users to enable Lockdown Mode on their Apple devices. While the feature comes\r\nwith some usability cost, we believe that the cost may be outweighed by the increased cost incurred on attackers.\r\nAcknowledgements\r\nWe would like to thank R3D for their invaluable logistical and investigative assistance with these and other recent\r\ncases, especially their director Luis Fernando Garcia.\r\nhttps://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/\r\nPage 9 of 10\n\nWe also thank Access Now, and especially their Digital Security Helpline for their ongoing collaboration and\r\nsupport in investigating the targeting of high-risk individuals with spyware.\r\nWe acknowledge additional collaborators and organizations that refer cases to us, and provide additional\r\ninvestigative assistance.\r\nWe thank Siena Anstis, Adam Senft, Paolo Nigro H, and Alberto Fittarelli for review and editing.  We thank Mari\r\nZhou for graphical assistance and Snigdha Basu for communications support.\r\nSource: https://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/\r\nhttps://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/"
	],
	"report_names": [
		"nso-groups-pegasus-spyware-returns-in-2022"
	],
	"threat_actors": [],
	"ts_created_at": 1775434526,
	"ts_updated_at": 1775791278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ada41f42faf5da93a7ec481c536cfd6668e6b0b0.pdf",
		"text": "https://archive.orkl.eu/ada41f42faf5da93a7ec481c536cfd6668e6b0b0.txt",
		"img": "https://archive.orkl.eu/ada41f42faf5da93a7ec481c536cfd6668e6b0b0.jpg"
	}
}