{
	"id": "20980873-4a4f-48d5-8691-f66634759fd8",
	"created_at": "2026-04-06T00:11:26.602275Z",
	"updated_at": "2026-04-10T03:25:07.647503Z",
	"deleted_at": null,
	"sha1_hash": "d79b4ac0ee20cae2e21cfaa8abce79a9e4f60e8c",
	"title": "Clipping Wings: Our Analysis of a Pegasus Spyware Sample",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2501189,
	"plain_text": "Clipping Wings: Our Analysis of a Pegasus Spyware Sample\r\nPublished: 2024-03-25 · Archived: 2026-04-05 21:53:47 UTC\r\nBlack Hat Asia 2024 Preview from iVerify VP of Research, Matthias Frielingsdorf\r\nAccording to Kaspersky, mobile threats now account for 40% of all detected threats. Similarly, Google’s Threat Analysis Group (TAG) recently reported that 20 out of 25 zero-days discovered in 2023 were exploited by commercial spyware vendors (CSVs). Once thought to be contained to high-risk individuals such as journalists and political dissidents, the immediate threat of mobile-first zero-days has finally hit businesses, resulting in intellectual property theft, credential breaches, corporate espionage, and ransomware attacks.\r\nOne of the most commonly detected spyware in 2023 was Pegasus, developed by NSO Group and the subject of Amnesty International’s investigative journalism initiative: the Pegasus Project. Several months ago our team discovered evidence of Pegasus during an analysis of a customer’s iPhone and we were able to extract the PassKit file from the device’s backup.\r\nThis post is a preview of my briefing at the upcoming Black Hat Asia conference, where I’ll show the results of our analysis of the malware sample!\r\nMobile-First Zero-Days: Acknowledging Past Research\r\nPrevious studies from the research community identified several iOS vulnerabilities exploited by attacks to install Pegasus on target devices.\r\nOne of them, which was subsequently fixed by Apple, was CVE-2023-41064, which allowed an attacker to craft an image to gain code execution inside of ImageIO using the WebP image format. Existing resources provide an excellent description of this vulnerability, including:\r\nAdditionally, CitizenLab previously released details about an exploit chain called PWNYOURHOME that used a combination of HomeKit and iMessage to attack devices. They later revealed details about BLASTPASS, an exploit discovered in the wild targeting iMessage and PassKit (Wallet).\r\nhttps://www.iverify.io/post/clipping-wings-our-analysis-of-a-pegasus-spyware-sample\r\nPage 1 of 8\n\nOur analysis of an actual BLASTPASS exploit sample adds to the industry’s current body of knowledge catalyzed by these researchers and more.\r\nBackups, Backups, Backups\r\nFor this analysis, we had access to the customer’s iTunes backups, crash logs, and sysdiagnose files. One of the best things about Threat Hunter is that we can gather these artifacts remotely without needing physical access to the device.\r\nWe started our analysis by reviewing the available files and directory of crash logs. To our surprise, this was one of the rare cases where we could spot something obvious right away. We found 25 crashes of the homed process occurring within a 19-minute window. As we’ve seen before, recurring crashes of the same process often suggest the presence of a nasty bug or an attempted exploit. We often see both when analyzing suspicious iPhones since iOS is far from bug-free, which you’ll notice if you routinely check your crash logs or Apple’s Security Releases.\r\nAn important note about the homed crashes we saw – they weren’t the kind of crashes we’d characterize as severe, like Segmentation Fault or Null Pointer Deref. These are pretty normal crashes, but they occurred with unusual frequency.\r\nWe also noticed a couple of crashes of the MessagesBlastDoorService. BlastDoor is the tightened sandbox that Apple introduced in iOS 14 to thwart iMessage exploitation after NSO abused it. In theory, that should have resulted in every iMessage attachment being rendered and parsed safely inside of BlastDoor. However, we saw a large number of MessagesBlastDoor crashes happening within a short period, starting approximately 30 minutes after the last crash of homed.\r\nCould all of this be just a coincidence – a combined series of homed and MessagesBlastDoorService crashes occurring so close together?\r\nNot likely. To understand why, let’s go back to details found in the crash logs.\r\nNot only do we eventually find more severe crash types, we also see MessagesBlastDoorService trying to unarchive a very large or very repetitive NSKeyedArchiver. The crashing call stack screams suspicious, and other MessagesBlastDoorService crashes follow the same pattern.\r\nUltimately, our analysis of the crash logs revealed the following:\r\n25 crashes of the homed process in under 19 minutes\r\nFollowed by a 30-minute break\r\n35 crashes of the MessagesBlastDoorService in less than 28 minutes\r\nDoes this mean the exploit attempt was successful? Is it Pegasus or something else trying to copy NSO’s exploits?\r\nTo answer these questions, we next looked at the iTunes backup. For step-by-step instructions on how to create forensic artifacts using iTunes, check out my talk from Objective by the Sea v6.0.\r\nWe started looking at the timestamps in the iTunes backup that correlated to the suspicious crash logs. However, without a good strategy, backup analysis can be very time-consuming due to the overwhelming volume of data. Going through all of the messaging data, thousands of pictures, and other databases in the backup can easily add up to thousands of lines of text for inspection.\r\nIn this blog post, we’re not going to go through all of the strategies we use, but we are sharing one that leads to the same outcome as taking the reference point from the crash logs.\r\nTo Find a Needle in a Haystack, Remove the Hay\r\nThis strategy requires an understanding of certain processes involved in the transfer of data on the device, such as IMTransferAgent, which downloads iMessage attachments from the Apple server. This process often occurs before attachments are stored on disk and was highlighted in Kaspersky’s analysis of Operation Triangulation.\r\nLooking for instances of this process is a good place to start, but be mindful that iTunes backups include two sources of network behavior associated with this process: DataUsage.sqlite and OSAnalyticsADDaily. The former only stores network usage for cellular data and the latter stores the last time the process used network data on wifi or cellular. If the device does not use cellular data or is often on wifi, there won’t be much to find through this approach.\r\nFortunately, in this case, our search for IMTransferAgent found multiple results and one of them correlates precisely to when the MessagesBlastDoorService crashes appeared.\r\nBecause IMTransferAgent is used to transport data to and from iMessage servers, it makes sense to check if there is any file activity around the same time. The iTunes backup shows that 8 files were received shortly after the moment IMTransferAgent was used and MessagesBlastDoorService crashed. Moreover, those files did not have an identified sender; they were “Sent from None.”\r\nThe received items were all named “sample.pkpass” and they have a combined size of approximately 175 KB. As a reminder, pkpass is the file extension for PassKit Passes. There’s a nice write-up about it from Apple here.\r\nAdditionally, CitizenLab’s report also mentions that the BLASTPASS exploit chain contained a PassKit file that was sent over iMessage.\r\nThe plot thickens!\r\nInside the PassKit File: Findings and Conclusions\r\nNext, let’s look inside the file. We located the sample in the iTunes backup – a possible indication that the exploit chain was unsuccessful or it was not NSO, because they typically try to clean up the iMessage Attachment folder after a successful exploitation.\r\nWe started by asking file what the sample.pkpass is:\r\nDecompressing the 175KB file expands it to a 5.9MB archive containing the following files:\r\nRunning file on all of those yields this:\r\nPass.json is not very interesting; it merely indicates this is a PKpass file. Yes, thank you.\r\nSignature contains the signature of the file and manifest contains a list of the files included in the archive as well as their SHA1 hash. background.png is essentially an empty picture and not interesting for our investigation.\r\nBut logo.png is different. It's a large 5.8MB picture which is not a PNG but a WebP picture, another reference to the BLASTPASS exploit chain.\r\nLooking at the raw hex bytes with xxd confirms that we indeed have a WebP file:\r\nThe file also includes the starting header for an Apple binary plist format: bplist\r\nThat’s interesting!\r\nBinary plists are usually PropertyList documents based on an NSKeyedArchiver, which gives us another link between the sample.pkpass file and the MessagesBlastDoorService crashes, because many of the functions in the backtrace were functions related to unarchiving NSKeyedArchiver objects!\r\nOur analysis continued beyond this point. At this stage we suspected that NSO (or someone impersonating their playbook) first tried to use the PWNYOURHOME exploit and when that failed, shifted to BLASTPASS.\r\nIf you are interested in more details about our BLASTPASS analysis or our Threat Hunter tool, please check out my briefing at Black Hat Asia in April. We will also share more about it here on the blog!\r\nSource: https://www.iverify.io/post/clipping-wings-our-analysis-of-a-pegasus-spyware-sample",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.iverify.io/post/clipping-wings-our-analysis-of-a-pegasus-spyware-sample"
	],
	"report_names": [
		"clipping-wings-our-analysis-of-a-pegasus-spyware-sample"
	],
	"threat_actors": [
		{
			"id": "ad08bd3d-e65c-4cfd-874a-9944380573fd",
			"created_at": "2023-06-23T02:04:34.517668Z",
			"updated_at": "2026-04-10T02:00:04.842233Z",
			"deleted_at": null,
			"main_name": "Operation Triangulation",
			"aliases": [],
			"source_name": "ETDA:Operation Triangulation",
			"tools": [
				"TriangleDB"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "113b8930-4626-4fa0-9a3a-bcf3ef86f595",
			"created_at": "2024-02-06T02:00:04.14393Z",
			"updated_at": "2026-04-10T02:00:03.578394Z",
			"deleted_at": null,
			"main_name": "Operation Triangulation",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Triangulation",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434286,
	"ts_updated_at": 1775791507,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d79b4ac0ee20cae2e21cfaa8abce79a9e4f60e8c.pdf",
		"text": "https://archive.orkl.eu/d79b4ac0ee20cae2e21cfaa8abce79a9e4f60e8c.txt",
		"img": "https://archive.orkl.eu/d79b4ac0ee20cae2e21cfaa8abce79a9e4f60e8c.jpg"
	}
}