{
	"id": "ca5316cf-a577-4620-88e2-5b1bc6d0c426",
	"created_at": "2026-04-06T00:11:01.360248Z",
	"updated_at": "2026-04-10T13:12:36.534553Z",
	"deleted_at": null,
	"sha1_hash": "ed7d57500d14b7fbb7444a6713ed4db938581d99",
	"title": "Forensic Methodology Report: How to catch NSO Group’s Pegasus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 241789,
	"plain_text": "Forensic Methodology Report: How to catch NSO Group’s Pegasus\r\nPublished: 2021-07-18 · Archived: 2026-04-05 14:25:43 UTC\r\nA copy of this report is available for download here.\r\nIntroduction\r\nNSO Group claims that its Pegasus spyware is only used to “investigate terrorism and crime” and “leaves no traces whatsoever”. This Forensic Methodology Report shows that neither of these statements is true. This report accompanies the release of the Pegasus Project, a collaborative investigation that involves more than 80 journalists from 17 media organizations in 10 countries coordinated by Forbidden Stories with technical support of Amnesty International’s Security Lab.[1]\r\nAmnesty International’s Security Lab has performed in-depth forensic analysis of numerous mobile devices from human rights defenders (HRDs) and journalists around the world. This research has uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.\r\nAs laid out in the UN Guiding Principles on Business and Human Rights, NSO Group should urgently take pro-active steps to ensure that it does not cause or contribute to human rights abuses within its global operations, and to respond to any human rights abuses when they do occur. 
In order to meet that responsibility, NSO Group must carry out adequate human rights due diligence and take steps to ensure that HRDs and journalists do not continue to become targets of unlawful surveillance.\r\nIn this Forensic Methodology Report, Amnesty International is sharing its methodology and publishing an open-source mobile forensics tool and detailed technical indicators, in order to assist information security researchers and civil society with detecting and responding to these serious threats.\r\nThis report documents the forensic traces left on iOS and Android devices following targeting with the Pegasus spyware. This includes forensic records linking recent Pegasus infections back to the 2016 Pegasus payload used to target the HRD Ahmed Mansoor.\r\nThe Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021. These also include so-called “zero-click” attacks which do not require any interaction from the target. Zero-click attacks have been observed since May 2018 and continue until now. Most recently, a successful “zero-click” attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.\r\nSections 1 to 8 of this report outline the forensic traces left on mobile devices following a Pegasus infection. This evidence has been collected from the phones of HRDs and journalists in multiple countries.\r\nFinally, in section 9 the report documents the evolution of the Pegasus network infrastructure since 2016. NSO Group has redesigned its attack infrastructure by employing multiple layers of domains and servers. Repeated operational security mistakes have allowed the Amnesty International Security Lab to maintain continued visibility into this infrastructure. 
We are publishing a set of 700 Pegasus-related domains.\r\nNames of several of the civil society targets in the report have been anonymized for safety and security reasons. Individuals who have been anonymized have been assigned an alphanumeric code name in this report.\r\n1. Discovering Pegasus network injection attacks\r\nAmnesty International’s technical investigation into NSO Group’s Pegasus intensified following our discovery of the targeting of an Amnesty International staffer and a Saudi activist, Yahya Assiri, in 2018. Amnesty International’s Security Lab began refining its forensics methodology through the discovery of attacks against HRDs in Morocco in 2019, which were further corroborated by attacks we discovered against a Moroccan journalist in 2020. In this first section we detail the process which led to the discovery of these compromises.\r\nNumerous public reports had identified NSO Group’s customers using SMS messages with Pegasus exploit domains over the years. Similar messages also emerged from our analysis of the phone of Moroccan activist Maati Monjib, who was one of the activists targeted as documented in Amnesty International’s 2019 report.\r\nHowever, on further analysis we also noticed suspicious redirects recorded in Safari’s browsing history. For example, in one case we noticed a redirect to an odd-looking URL after Maati Monjib attempted to visit Yahoo:\r\nVisit ID Date (UTC) URL Redirect Source Redirect Destination\r\n16119 2019-07-22 17:42:32.475 https://yahoo.fr/ null 16120\r\n16120 2019-07-22 17:42:32.478 https://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz 16119 null\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/\r\nPage 1 of 27\n\n(Please note: throughout this document we escaped malicious domains with the marking [.] 
to prevent accidental clicks and visits.)\r\nThe URL https://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz immediately appeared suspicious, particularly because of the presence of a 4th level subdomain, a non-standard high port number, and a random URI similar to links contained in SMS messages previously documented in connection to NSO Group’s Pegasus. As you can see in the table above, the visit to Yahoo was immediately redirected to this suspicious URL with database ID 16120.\r\nIn our October 2019 report, we detail how we determined these redirections to be the result of network injection attacks performed either through tactical devices, such as rogue cell towers, or through dedicated equipment placed at the mobile operator. When months later we analysed the iPhone of Moroccan independent journalist Omar Radi, who as documented in our 2020 report was targeted, we found similar records involving the free247downloads[.]com domain as well.\r\nIn November 2019, after Amnesty International’s initial report, a new domain urlpush[.]net was registered. We found it subsequently involved in similar redirects to the URL https://gnyjv1xltx.info8fvhgl3.urlpush[.]net:30875/zrnv5revj.\r\nAlthough Safari history records are typically short-lived and are lost after a few months (as well as potentially intentionally purged by malware), we have nevertheless been able to find NSO Group’s infection domains in other databases of Omar Radi’s phone that did not appear in Safari’s History. 
For example, we could identify visits through Safari’s Favicon.db database, which was left intact by Pegasus:\r\nDate (UTC) URL\r\n2019-02-11 14:45:53 https://d9z3sz93x5ueidq3.get1tn0w.free247downloads[.]com:30897/rdEN5YP\r\n2019-09-13 17:01:38 https://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/meunsnyse#011356570257117296834845704022338973133022433397\r\n2019-09-13 17:01:56 https://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/meunsnyse#06809956161462627851992535863878916157242783364\r\n2020-01-17 11:06:32 https://gnyjv1xltx.info8fvhgl3.urlpush[.]net:30875/zrnv5revj#074196419827987919274001548622738919835556748325946%2324\r\n2020-01-27 11:06:24 https://gnyjv1xltx.info8fvhgl3.urlpush[.]net:30875/zrnv5revj#074196419827987919274001548622738919835556748325946\r\nAs explained in the Technical Appendix of our 2020 report on Pegasus attacks in Morocco, these redirects do not only happen when the target is navigating the Internet with the browser app, but also when using other apps. For example, in one case Amnesty International identified a network injection while Omar Radi was using the Twitter app. When previewing a link shared in his timeline, the service com.apple.SafariViewService was invoked to load a Safari WebView, and a redirect occurred.\r\nBecause of this, we can find additional records involving the domains free247downloads[.]com and urlpush[.]net in app-specific WebKit local storage, IndexedDB folders, and more. In multiple cases IndexedDB files were created by Safari shortly after the network injection redirect to the Pegasus Installation Server.\r\nIn addition, Safari’s Session Resource logs provide additional traces that do not consistently appear in Safari’s browsing history. 
It appears Safari does not record full redirect chains, and might only keep history records showing the final page that was loaded. Session Resource logs recovered from the analysed phones demonstrate that additional staging domains are used as trampolines eventually leading to the infection servers. In fact, these logs reveal that the very first network injection against Maati Monjib we describe at the beginning of this post also involved the domain documentpro[.]org:\r\nRedirect Source Origin Redirect Destination\r\nyahoo.fr documentpro[.]org free247downloads[.]com\r\nMaati Monjib visited https://yahoo.fr, and a network injection forcefully redirected the browser to documentpro[.]org before further redirecting to free247downloads[.]com and proceeding with the exploitation.\r\nSimilarly, on a different occasion Omar Radi visited the website of French newspaper Le Parisien, and a network injection redirected him through the staging domain tahmilmilafate[.]com and then eventually to free247downloads[.]com as well. We also saw tahmilmilafate[.]info used in the same way:\r\nRedirect Source Origin Redirect Destination\r\nleparisien.fr tahmilmilafate[.]com free247downloads[.]com\r\nIn the most recent attempts Amnesty International observed against Omar Radi in January 2020, his phone was redirected to an exploitation page at gnyjv1xltx.info8fvhgl3.urlpush[.]net passing through the domain baramije[.]net. The domain baramije[.]net was registered one day before urlpush[.]net, and a decoy website was set up using the open source Textpattern CMS.\r\nTraces of network activity were not the only available indicators of compromise, and further inspection of the iPhones revealed executed processes which eventually led to the establishment of a consistent pattern unique to all subsequent iPhones that Amnesty International analysed and found to be infected.\r\n2. 
Pegasus’ BridgeHead and other malicious processes appear\r\nAmnesty International, Citizen Lab, and others have primarily attributed Pegasus spyware attacks based on the domain names and other network infrastructure used to deliver the attacks. However, forensic evidence left behind by the Pegasus spyware provides another independent way to attribute these attacks to NSO Group’s technology.\r\niOS maintains records of process executions and their respective network usage in two SQLite database files called “DataUsage.sqlite” and “netusage.sqlite” which are stored on the device. It is worth noting that while the former is available in iTunes backup, the latter is not. Additionally, it should be noted that only processes that performed network activity will appear in these databases.\r\nBoth Maati Monjib’s and Omar Radi’s network usage databases contained records of a suspicious process called “bh”. This “bh” process was observed on multiple occasions immediately following visits to Pegasus Installation domains.\r\nMaati Monjib’s phone has records of execution of “bh” from April 2018 until March 2019:\r\nFirst date (UTC) Last date (UTC) Process Name WWAN IN WWAN OUT Process ID\r\n2018-04-29 00:25:12 2019-03-27 22:45:10 bh 3319875.0 144443.0 59472\r\nAmnesty International found similar records on Omar Radi’s phone between February and September 2019:\r\nFirst date (UTC) Last date (UTC) Process Name WWAN IN WWAN OUT Process ID\r\n2019-02-11 14:45:56 2019-09-13 17:02:11 bh 3019409.0 147684.0 50465\r\nThe last recorded execution of “bh” occurred a few seconds after a successful network injection (as seen in the favicon records listed earlier at 2019-09-13 17:01:56).\r\nCrucially, we find references to “bh” in the Pegasus iOS sample recovered from the 
2016 attacks against UAE human rights defender Ahmed Mansoor, discovered by Citizen Lab and analysed in depth by cybersecurity firm Lookout.\r\nAs described in Lookout’s analysis, in 2016 NSO Group leveraged a vulnerability in the iOS JavaScriptCore Binary (jsc) to achieve code execution on the device. This same vulnerability was also used to maintain persistence on the device after reboot. We find references to “bh” throughout the exploit code:\r\nvar compressed_bh_addr =  shellcode_addr_aligned + shellcode32.byteLength;\r\nreplacePEMagics(shellcode32, dlsym_addr, compressed_bh_addr, bundle.bhCompressedByteLength);\r\nstoreU32Array(shellcode32, shellcode_addr);\r\nstoreU32Array(bundle.bhCompressed32, compressed_bh_addr);\r\nThis module is described in Lookout’s analysis as follows:\r\n“bh.c – Loads API functions that relate to the decompression of next stage payloads and their proper placement on the victim’s iPhone by using functions such as BZ2_bzDecompress, chmod, and malloc”\r\nLookout further explains that a configuration file located at /var/tmp/jb_cfg is dropped alongside the binary. Interestingly, we find the path to this file exported as _kBridgeHeadConfigurationFilePath in the libaudio.dylib file part of the Pegasus bundle:\r\n__const:0001AFCC                 EXPORT _kBridgeHeadConfigurationFilePath\r\n__const:0001AFCC _kBridgeHeadConfigurationFilePath DCD cfstr_VarTmpJb_cfg ; “/var/tmp/jb_cfg”\r\nTherefore, we suspect that “bh” might stand for “BridgeHead”, which is likely the internal name assigned by NSO Group to this component of their toolkit.\r\nThe appearance of the “bh” process right after the successful network injection of Omar Radi’s phone is consistent with the evident purpose of the BridgeHead module. 
It completes the browser exploitation, roots the device and prepares for its infection with the full Pegasus suite.\r\n2.1 Additional suspicious processes following BridgeHead\r\nThe bh process first appeared on Omar Radi’s phone on 11 February 2019. This occurred 10 seconds after an IndexedDB file was created by the Pegasus Installation Server and a favicon entry was recorded by Safari. At around the same time the file com.apple.CrashReporter.plist was written in /private/var/root/Library/Preferences/, likely to disable reporting of crash logs back to Apple. The exploit chain had obtained root permission at this stage.\r\nLess than a minute later a “roleaboutd” process first appears.\r\nDate (UTC) Event\r\n2019-02-11 14:45:45 IndexedDB record for URL https_d9z3sz93x5ueidq3.get1tn0w.free247downloads.com_30897/\r\n2019-02-11 14:45:53 Safari Favicon record for URL hxxps//d9z3sz93x5ueidq3.get1tn0w.free247downloads[.]com:30897/rdEN5YP\r\n2019-02-11 14:45:54 Crash reporter disabled by writing com.apple.CrashReporter.plist\r\n2019-02-11 14:45:56 Process: bh\r\n2019-02-11 14:46:23 Process: roleaboutd first\r\n2019-02-11 17:05:24 Process: roleaboutd last\r\nOmar Radi’s device was exploited again on 13 September 2019. Again a “bh” process started shortly afterwards. Around this time the com.apple.softwareupdateservicesd.plist file was modified. 
A “msgacntd” process was also launched.\r\nDate (UTC) Event\r\n2019-09-13 17:01:38 Safari Favicon record for URL hxxps://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/meunsnyse\r\n2019-09-13 17:02:11 Process: bh\r\n2019-09-13 17:02:33 Process: msgacntd first\r\n2019-09-13 17:02:35 File modified: com.apple.softwareupdateservicesd.plist\r\n2019-09-14 20:51:54 Process: msgacntd last\r\nBased on the timing and context of exploitation, Amnesty International believes the roleaboutd and msgacntd processes are a later stage of the Pegasus spyware which was loaded after a successful exploitation and privilege escalation with the BridgeHead payload.\r\nSimilarly, the forensic analysis of Maati Monjib’s phone revealed the execution of more suspicious processes in addition to bh. A process named pcsd and one named fmld appeared in 2018:\r\nFirst date Last date Process Name WWAN IN WWAN OUT Process ID\r\n2018-05-04 23:30:45 2018-05-04 23:30:45 pcsd 12305.0 10173.0 14946\r\n2018-05-21 23:46:06 2018-06-04 13:05:43 fmld 0.0 188326.0 21207\r\nAmnesty International verified that no legitimate binaries of the same names were distributed in recent versions of iOS.\r\nThe discovery of these processes on Omar Radi’s and Maati Monjib’s phones later became instrumental for Amnesty International’s continued investigations, as we found processes with the same names on devices of targeted individuals from around the world.\r\n3. 
Pegasus processes following potential Apple Photos exploitation\r\nDuring Amnesty International’s investigations as part of The Pegasus Project we discovered additional cases where the above-mentioned “bh” process was recorded on devices compromised through different attack vectors.\r\nIn one instance, the phone of a French human rights lawyer (CODE: FRHRL1) was compromised and the “bh” process was executed seconds after network traffic for the iOS Photos app (com.apple.mobileslideshow) was recorded for the first time. Again, after a successful exploitation, crash reporting was disabled by writing a com.apple.CrashReporter.plist file to the device.\r\n2019-10-29 09:04:32 Process: mobileslideshow/com.apple.mobileslideshow first\r\n2019-10-29 09:04:58 Process: bh\r\n2019-10-29 09:05:08 com.apple.CrashReporter.plist dropped\r\n2019-10-29 09:05:53 Process: mptbd\r\nThe next and last time network activity for the iOS Photos app was recorded was on 18 December 2019, again preceding the execution of malicious processes on the device.\r\n2019-12-18 08:13:33 Process: mobileslideshow/com.apple.mobileslideshow last\r\n2019-12-18 08:13:47 Process: bh\r\n2019-12-18 11:50:15 Process: ckeblld\r\nIn a separate case, we identified a similar pattern with the “mobileslideshow” and “bh” processes on the iPhone of a French journalist (CODE: FRJRN1) in May 2020:\r\n2020-05-24 15:44:21 Process: mobileslideshow/com.apple.mobileslideshow first\r\n2020-05-24 15:44:39 Process: bh\r\n2020-05-24 15:46:51 Process: fservernetd\r\n…\r\n2020-05-27 16:58:31 Process: mobileslideshow/com.apple.mobileslideshow last\r\n2020-05-27 16:58:52 Process: bh\r\n2020-05-27 18:00:50 Process: ckkeyrollfd\r\nAmnesty International was not able to capture payloads related to this exploitation but suspects that the iOS Photos app or the Photostream service were used as 
part of an exploit chain to deploy Pegasus. The apps themselves may have been exploited or their functionality misused to deliver a more traditional JavaScript or browser exploit to the device.\r\nAs you can see from the tables above, additional process names such as mptbd, ckeblld, fservernetd, and ckkeyrollfd appear right after bh. As with fmld and pcsd, Amnesty International believes these to be additional payloads downloaded and executed after a successful compromise. As our investigations progressed, we identified dozens of malicious process names involved in Pegasus infections.\r\nAdditionally, Amnesty International found the same iCloud account bogaardlisa803[@]gmail.com recorded as linked to the “com.apple.private.alloy.photostream” service on both devices. Purposefully created iCloud accounts seem to be central to the delivery of multiple “zero-click” attack vectors in many recent cases of compromised devices analysed by Amnesty International.\r\n4. An iMessage zero-click 0day used widely in 2019\r\nWhile SMS messages carrying malicious links were the tactic of choice for NSO Group’s customers between 2016 and 2018, in more recent years they appear to have become increasingly rare. The discovery of network injection attacks in Morocco signalled that the attackers’ tactics were indeed changing. Network injection is an effective and cost-efficient attack vector for domestic use, especially in countries with leverage over mobile operators. However, because network injection is only effective on domestic networks, the approach used against foreign targets or individuals in diaspora communities also changed. 
\r\nFrom 2019 an increasing number of vulnerabilities in iOS, especially iMessage and FaceTime, started getting patched thanks to their discovery by vulnerability researchers, or to cybersecurity vendors reporting exploits discovered in-the-wild.\r\nIn response, Amnesty International extended its forensic methodology to collect any relevant traces left by iMessage and FaceTime. iOS keeps a record of Apple IDs seen by each installed application in a plist file located at /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist. This file is also typically available in a regular iTunes backup, so it can be easily extracted without the need for a jailbreak.\r\nThese records played a critical role in later investigations. In many cases we discovered suspected Pegasus processes executed on devices immediately following suspicious iMessage account lookups. For example, the following records were extracted from the phone of a French journalist (CODE FRJRN2):\r\n2019-08-16 12:08:44 Lookup of bergers.o79@gmail.com by com.apple.madrid (iMessage)\r\n2019-08-16 12:33:52 Lookup of bergers.o79@gmail\\x00\\x00om by com.apple.madrid (iMessage)\r\n2019-08-16 12:37:55 The file Library/Preferences/com.apple.CrashReporter.plist is created within RootDomain\r\n2019-08-16 12:41:25 The file Library/Preferences/roleaccountd.plist is created within RootDomain\r\n2019-08-16 12:41:36 Process: roleaccountd\r\n2019-08-16 12:41:52 Process: stagingd\r\n2019-08-16 12:49:21 Process: aggregatenotd\r\n*The date of the first entry for FRJRN2 was updated on 11 Jan 2023 to correct a typo.\r\nAmnesty International’s forensic analysis of multiple devices found similar records. In many cases the same iMessage account reoccurs across multiple targeted devices, potentially indicating that those devices have been targeted by the same operator. 
Additionally, the processes roleaccountd and stagingd occur consistently, along with others.\r\nFor example, the iPhone of a Hungarian journalist (CODE HUJRN1) instead showed the following records:\r\n2019-09-24 13:26:15 Lookup of jessicadavies1345@outlook.com by com.apple.madrid (iMessage)\r\n2019-09-24 13:26:51 Lookup of emmadavies8266@gmail.com by com.apple.madrid (iMessage)\r\n2019-09-24 13:32:10 Process: roleaccountd\r\n2019-09-24 13:32:13 Process: stagingd\r\nIn this case, the first suspicious processes performing some network activity were recorded 5 minutes after the first lookup. The com.apple.CrashReporter.plist file was already present on this device after a previous successful infection and was not written again.\r\nThe iPhone of yet another Hungarian journalist (CODE HUJRN2) shows lookups for the same iMessage accounts along with numerous other processes in addition to roleaccountd and stagingd:\r\n2019-07-15 12:01:37 Lookup of mailto:e\\x00\\x00adavies8266@gmail.com by com.apple.madrid (iMessage)\r\n2019-07-15 14:21:40 Process: accountpfd\r\n2019-08-29 10:57:43 Process: roleaccountd\r\n2019-08-29 10:57:44 Process: stagingd\r\n2019-08-29 10:58:35 Process: launchrexd\r\n2019-09-03 07:54:26 Process: roleaccountd\r\n2019-09-03 07:54:28 Process: stagingd\r\n2019-09-03 07:54:51 Process: seraccountd\r\n2019-09-05 13:26:38 Process: seraccountd\r\n2019-09-05 13:26:55 Process: misbrigd\r\n2019-09-10 06:09:04 Lookup of emmadavies8266@gmail.com by com.apple.madrid (iMessage)\r\n2019-09-10 06:09:47 Lookup of jessicadavies1345@outlook.com by com.apple.madrid (iMessage)\r\n2019-10-30 14:09:51 Process: nehelprd\r\nIt is interesting to note that in the traces Amnesty International recovered from 2019, the iMessage lookups that immediately preceded the 
execution of suspicious processes often contained two bytes of 0x00 padding in the email address recorded by the ID Status Cache file.\r\n5. Apple Music leveraged to deliver Pegasus in 2020\r\nIn mid-2021 Amnesty International identified yet another case of a prominent investigative journalist from Azerbaijan (CODE AZJRN1) who was repeatedly targeted using Pegasus zero-click attacks from 2019 until mid-2021.\r\nYet again, we found a similar pattern of forensic traces on the device following the first recorded successful exploitation:\r\n2019-03-28 07:43:14 File: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2019-03-28 07:44:03 File: Library/Preferences/roleaccountd.plist from RootDomain\r\n2019-03-28 07:44:14 Process: roleaccountd\r\n2019-03-28 07:44:14 Process: stagingd\r\nInterestingly, we found signs of a new iOS infection technique being used to compromise this device. A successful infection occurred on 10th July 2020:\r\n2020-07-06 05:22:21 Lookup of f\\x00\\x00ip.bl82@gmail.com by iMessage (com.apple.madrid)\r\n2020-07-10 14:12:09 Pegasus request by Apple Music app: https://x1znqjo0x8b8j.php78mp9v.opposedarrangement[.]net:37271/afAVt89Wq/stadium/pop2.html?key=501_4\u0026n=7\r\n2020-07-10 14:12:21 Process: roleaccountd\r\n2020-07-10 14:12:53 Process: stagingd\r\n2020-07-13 05:05:17 Pegasus request by Apple Music app: https://4n3d9ca2st.php78mp9v.opposedarrangement[.]net:37891/w58Xp5Z/stadium/pop2.html?key=501_4\u0026n=7\r\nShortly before Pegasus was launched on the device, we saw network traffic recorded for the Apple Music service. 
These HTTP requests were recovered from a network cache file located at /private/var/mobile/Containers/Data/Application/D6A69566-55F7-4757-96DE-EBA612685272/Library/Caches/com.apple.Music/Cache.db which we retrieved by jailbreaking the device.\r\nAmnesty International cannot determine from forensics if Apple Music was itself exploited to deliver the initial infection or if instead the app was abused as part of a sandbox escape and privilege escalation chain. Recent research has shown that built-in apps such as the iTunes Store app can be abused to run a browser exploit while escaping the restrictive Safari application sandbox.\r\nMost importantly however, the HTTP request performed by the Apple Music app points to the domain opposedarrangement[.]net, which we had previously identified as belonging to NSO Group’s Pegasus network infrastructure. This domain matched a distinctive fingerprint we devised while conducting Internet-wide scans following our discovery of the network injection attacks in Morocco (see section 9).\r\nIn addition, these URLs show peculiar characteristics typical of other URLs we found involved in Pegasus attacks through the years, as explained in the next section.\r\n6. Megalodon: iMessage zero-click 0-days return in 2021\r\nThe analysis Amnesty International conducted of several devices reveals traces of attacks similar to those we observed in 2019. These attacks have been observed as recently as July 2021. 
Amnesty International believes Pegasus is currently being delivered through zero-click exploits which remain functional through the latest available version of iOS at the time of writing (July 2021).\r\nOn the iPhone of a French human rights lawyer (CODE FRHRL2), we observed a lookup of a suspicious iMessage account unknown to the victim, followed by an HTTP request performed by the com.apple.coretelephony process. This is a component of iOS involved in all telephony-related tasks and likely among those exploited in this attack. We found traces of this HTTP request in a cache file stored on disk at /private/var/wireless/Library/Caches/com.apple.coretelephony/Cache.db containing metadata on the request and the response. The phone sent information on the device including the model 9,1 (iPhone 7) and iOS build number 18C66 (version 14.3) to a service fronted by Amazon CloudFront, suggesting NSO Group has switched to using AWS services in recent months. At the time of this attack, the newer iOS version 14.4 had only been released for a couple of weeks.\r\nDate (UTC) Event\r\n2021-02-08 10:42:40 Lookup of linakeller2203@gmail.com by iMessage (com.apple.madrid)\r\n2021-02-08 11:27:10 com.apple.coretelephony performs an HTTP request to https://d38j2563clgblt.cloudfront[.]net/fV2GsPXgW//stadium/megalodon?m=iPhone9,1\u0026v=18C66\r\n2021-02-08 11:27:21 Process: gatekeeperd\r\n2021-02-08 11:27:22 gatekeeperd performs an HTTP request to https://d38j2563clgblt.cloudfront.net/fV2GsPXgW//stadium/wizard/01-00000000\r\n2021-02-08 11:27:23 Process: gatekeeperd\r\nThe Cache.db file for com.apple.coretelephony contains details about the HTTP response which appeared to have been a download of ~250kb of binary data. Indeed, we found the downloaded binary in the fsCachedData sub-folder, but it was unfortunately encrypted. 
Amnesty International believes this to be the payload launched as gatekeeperd.\r\nAmnesty International subsequently analysed the iPhone of a journalist (CODE MOJRN1), which contained very similar records. This device was exploited repeatedly between February and April 2021 and across iOS releases. The most recent attempt showed the following indicators of compromise:\r\nDate (UTC) Event\r\n2021-04-02 10:15:38 Lookup of linakeller2203@gmail.com by iMessage (com.apple.madrid)\r\n2021-04-02 10:36:00 com.apple.coretelephony performs an HTTP request to https://d38j2563clgblt.cloudfront[.]net/dMx1hpK//stadium/megalodon?m=iPhone8,1\u0026v=18D52\u0026u=[REDACTED]\r\n2021-04-02 10:36:08 Process PDPDialogs performs an HTTP request to https://d38j2563clgblt.cloudfront[.]net/dMx1hpK//stadium/wizard/ttjuk\r\n2021-04-02 10:36:16 Process PDPDialogs performs an HTTP request to https://d38j2563clgblt.cloudfront[.]net/dMx1hpK//stadium/wizard/01-00000000\r\n2021-04-02 10:36:16 com.apple.coretelephony performs an HTTP request to https://d38j2563clgblt.cloudfront[.]net/dMx1hpK//stadium/wizard/cszjcft=frzaslm\r\n2021-04-02 10:36:35 Process: gatekeeperd\r\n2021-04-02 10:36:45 Process: rolexd\r\nAs is evident, the same iMessage account observed in the previous separate case was involved in this exploitation and compromise months later. The same CloudFront website was contacted by com.apple.coretelephony and the additional processes executed, downloaded and launched additional malicious components.\r\nThe initial check-in indicates the compromised iPhone 6s was running iOS 14.4 (build number 18D52) at the time of the attack. 
Although versions 14.4.1 and 14.4.2 were already available then, they only addressed vulnerabilities in WebKit, so it is safe to assume the vulnerability leveraged in these iMessage attacks was exploited as a 0-day.

It is worth noting that among the many other malicious process names observed executed on this phone we see msgacntd, which we also found running on Omar Radi’s phone in 2019, as documented earlier.

In addition, it should be noted that the URLs we have observed used in attacks throughout the last three years show a consistent set of patterns. This supports Amnesty International’s analysis that all three URLs are in fact components of Pegasus customer attack infrastructure. The Apple Music attack from 2020 shows the same 4th level domain structure and non-standard high port number as the 2019 network injection attack. Both the free247downloads[.]com and opposedarrangements[.]net domains matched our Pegasus V4 domain fingerprint.

Additionally, the Apple Music attack URL and the 2021 Megalodon attack URLs share a distinctive pattern. Both URL paths start with a random identifier tied to the attack attempt followed by the word “stadium”.

Attack                      URL
Network injection (2019)    https://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/meunsnyse
Apple Music attack (2020)   https://4n3d9ca2st.php78mp9v.opposedarrangement[.]net:37891/w58Xp5Z/stadium/pop2.html?key=501_4&n=7
iMessage zero-click (2021)  https://d38j2563clgblt.cloudfront[.]net/dMx1hpK//stadium/wizard/ttjuk

Amnesty International reported this information to Amazon, who informed us they “acted quickly to shut down the implicated infrastructure and accounts”.[2]

The iPhone 11 of a French human rights activist (CODE FRHRD1) also showed an iMessage look-up for the account linakeller2203[@]gmail.com on June 11th 2021 and malicious processes afterwards.
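The URL patterns in the table above, turned into a check a defender can run over proxy or DNS logs. This is an added example, not code from the report or from MVT: the three defanged attack URLs are quoted from the table, the log layout, client addresses and benign URLs are constructed, and the scoring rule (a 4th-level hostname together with a non-standard high port, or a /<random id>/stadium/ path) is an assumption drawn from the patterns the report describes.

```python
"""Flag URLs that match the Pegasus infection-URL patterns in the table above.

Added example, not code from the report or from MVT.  The three defanged attack
URLs are quoted from the report; the log layout, client addresses and benign
URLs are constructed.  The scoring rule is an assumption drawn from the report's
own observations: a 4th-level (or deeper) hostname combined with a non-standard
high port (2019 and 2020), or a "/<random id>/stadium/" path (2020 and 2021).
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed proxy log, one "timestamp client url" record per line.
SAMPLE_PROXY_LOG = """\
2019-07-26T12:14:23Z 10.0.0.5 https://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/meunsnyse
2020-01-11T09:03:10Z 10.0.0.5 https://www.apple.com/music/
2020-01-11T09:03:12Z 10.0.0.5 https://4n3d9ca2st.php78mp9v.opposedarrangement[.]net:37891/w58Xp5Z/stadium/pop2.html?key=501_4&n=7
2021-04-02T10:36:08Z 10.0.0.7 https://cdn.example.com:8443/assets/app.js
2021-04-02T10:36:08Z 10.0.0.7 https://d38j2563clgblt.cloudfront[.]net/dMx1hpK//stadium/wizard/ttjuk
"""

STANDARD_PORTS = {80, 443}
# "/<alphanumeric id>/stadium/..."; the 2021 URLs carry a doubled slash.
STADIUM_PATH = re.compile(r"^/[A-Za-z0-9]+/+stadium(/|$)")


@dataclass
class Verdict:
    url: str
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Deep subdomain + high port ties the 2019 and 2020 URLs together;
        # the stadium path ties the 2020 and 2021 URLs together.
        return "stadium_path" in self.indicators or (
            "deep_subdomain" in self.indicators and "high_port" in self.indicators)


def refang(url: str) -> str:
    """Turn the report's defanged 'example[.]com' back into a parsable host."""
    return url.replace("[.]", ".")


def classify_url(url: str) -> Verdict:
    parts = urlsplit(refang(url))
    verdict = Verdict(url)
    host = parts.hostname or ""
    if host.count(".") >= 3:  # e.g. 2far1v4lv8.get1tn0w.free247downloads.com
        verdict.indicators.append("deep_subdomain")
    if parts.port is not None and parts.port not in STANDARD_PORTS:
        verdict.indicators.append("high_port")
    if STADIUM_PATH.match(parts.path):
        verdict.indicators.append("stadium_path")
    return verdict


def scan_proxy_log(log_text: str) -> list:
    """Return a Verdict for every log record whose URL trips the rule."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # malformed record, skip it
        verdict = classify_url(fields[2])
        if verdict.suspicious:
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for v in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(v.url, "->", ", ".join(v.indicators))
```

Note that the third attack URL trips only the path rule: its CloudFront hostname has no deep subdomain and no explicit port, which is exactly why the report treats the "stadium" path as its own indicator.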
The phone was running iOS 14.4.2 and was upgraded to 14.6 the following day.

Most recently, Amnesty International has observed evidence of compromise of the iPhone XR of an Indian journalist (CODE INJRN1) running iOS 14.6 (latest available at the time of writing) as recently as 16th June 2021. Lastly, Amnesty International has confirmed an active infection of the iPhone X of an activist (CODE RWHRD1) on June 24th 2021, also running iOS 14.6. While we have not been able to extract records from Cache.db databases due to the inability to jailbreak these two devices, additional diagnostic data extracted from these iPhones shows numerous iMessage push notifications immediately preceding the execution of Pegasus processes.

The device of a Rwandan activist (CODE RWHRD1) shows evidence of multiple successful zero-click infections in May and June 2021. We can see one example of this on 17 May 2021. An unfamiliar iMessage account is recorded and in the following minutes at least 20 iMessage attachment chunks are created on disk.

Date (UTC)           Event
2021-05-17 13:39:16  Lookup for iCloud account benjiburns8[@]gmail.com (iMessage)
2021-05-17 13:40:12  File: /private/var/mobile/Library/SMS/Attachments/dc/12/DEAE6789-0AC4-41A9-A91C-5A9086E406A5/.eBDOuIN1wq.gif-2hN9
2021-05-17 13:40:21  File: /private/var/mobile/Library/SMS/Attachments/41/01/D146B32E-CA53-41C5-BF61-55E0FA6F5FF3/.TJi3fIbHYN.gif-bMJq
…                    …
2021-05-17 13:44:19  File: /private/var/mobile/Library/SMS/Attachments/42/02/45F922B7-E819-4B88-B79A-0FEE289701EE/.v74ViRNkCG.gif-V678

Amnesty International found no evidence that the 17 May attack was successful.
Later attacks on 18 June and 23 June were successful and led to Pegasus payloads being deployed on the device.

Initially, many iMessage (com.apple.madrid) push notifications were received, and attachment chunks were written to disk. The following table shows a sample of the 48 attachment files found on the filesystem.

Date (UTC)           Event
2021-06-23 20:45:00  8 push notifications for topic com.apple.madrid (iMessage)
2021-06-23 20:46:00  46 push notifications for topic com.apple.madrid (iMessage)
2021-06-23 20:46:19  File: /private/var/tmp/com.apple.messages/F803EEC3-AB3A-4DC2-A5F1-9E39D7A509BB/.cs/ChunkStoreDatabase
2021-06-23 20:46:20  File: /private/var/mobile/Library/SMS/Attachments/77/07/4DFA8939-EE64-4CB5-A111-B75733F603A2/.8HfhwBP5qJ.gif-u0zD
…                    …
2021-06-23 20:53:00  17 push notifications for topic com.apple.madrid (iMessage)
2021-06-23 20:53:54  File: /private/var/tmp/com.apple.messages/50439EF9-750C-4449-B7FC-851F28BD3BD3/.cs/ChunkStoreDatabase
2021-06-23 20:53:54  File: /private/var/mobile/Library/SMS/Attachments/36/06/AA10C840-1776-4A51-A547-BE78A3754773/.7bb9OMWUa8.gif-UAPo
2021-06-23 20:54:00  54 push notifications for topic com.apple.madrid (iMessage)

A process crash occurred at 20:48:56 which resulted in the ReportCrash process starting, followed by restarts of multiple processes related to iMessage processing:

Date (UTC)           Event
2021-06-23 20:48:56  Process with PID 1192 and name ReportCrash
2021-06-23 20:48:56  Process with PID 1190 and name IMTransferAgent
2021-06-23 20:48:56  Process with PID 1153 and name SCHelper
2021-06-23 20:48:56  Process with PID 1151 and name CategoriesService
2021-06-23 20:48:56  Process with PID 1147 and name MessagesBlastDoorService
2021-06-23 20:48:56  Process with PID 1145 and name NotificationService

A second set of crashes and restarts happened five minutes later. The ReportCrash process was started along with processes related to parsing of iMessage content and iMessage custom avatars.

Date (UTC)           Event
2021-06-23 20:54:16  Process with PID 1280 and name ReportCrash
2021-06-23 20:54:16  Process with PID 1278 and name IMTransferAgent
2021-06-23 20:54:16  Process with PID 1266 and name com.apple.WebKit.WebContent
2021-06-23 20:54:16  Process with PID 1263 and name com.apple.accessibility.mediaac
2021-06-23 20:54:16  Process with PID 1262 and name CategoriesService
2021-06-23 20:54:16  Process with PID 1261 and name com.apple.WebKit.Networking
2021-06-23 20:54:16  Process with PID 1239 and name avatarsd

Shortly afterwards, at 20:54, the exploitation succeeded, and we observe that a network request was made by the com.apple.coretelephony process causing the Cache.db file to be modified. This matches the behaviour Amnesty International has seen in the other Pegasus zero-click attacks in 2021.
Date (UTC)           Event
2021-06-23 20:54:35  File: /private/var/wireless/Library/Caches/com.apple.coretelephony/Cache.db-shm
2021-06-23 20:54:35  File: /private/var/wireless/Library/Caches/com.apple.coretelephony/fsCachedData/3C73213F-73E5-4429-AAD9-0D7AD9AE83D1
2021-06-23 20:54:47  File: /private/var/root/Library/Caches/appccntd/Cache.db
2021-06-23 20:54:53  File: /private/var/tmp/XtYaXXY
2021-06-23 20:55:08  File: /private/var/tmp/CFNetworkDownload_JQeZFF.tmp
2021-06-23 20:55:09  File: /private/var/tmp/PWg6ueAldsvV8vZ8CYpkp53D
2021-06-23 20:55:10  File: /private/var/db/com.apple.xpc.roleaccountd.staging/otpgrefd
2021-06-23 20:55:10  File: /private/var/tmp/vditcfwheovjf/kk
2021-06-23 20:59:35  Process: appccntd
2021-06-23 20:59:35  Process: otpgrefd

Lastly, the analysis of a fully patched iPhone 12 running iOS 14.6 of an Indian journalist (CODE INJRN2) also revealed signs of successful compromise. These most recent discoveries indicate NSO Group’s customers are currently able to remotely compromise all recent iPhone models and versions of iOS.

We have reported this information to Apple, who informed us they are investigating the matter.[3]

7. Incomplete attempts to hide evidence of compromise

Several iPhones Amnesty International has inspected indicate that Pegasus has recently started to manipulate system databases and records on infected devices to hide its traces and impede the research efforts of Amnesty International and other investigators.

Interestingly, this manipulation becomes evident when verifying the consistency of leftover records in the DataUsage.sqlite and netusage.sqlite SQLite databases.
Pegasus has deleted the names of malicious processes from the ZPROCESS table in the DataUsage database but not the corresponding entries from the ZLIVEUSAGE table. The ZPROCESS table stores rows containing a process ID and the process name. The ZLIVEUSAGE table contains a row for each running process including data transfer volume and the process ID corresponding to the ZPROCESS entry. These inconsistencies can be useful in identifying times when infections may have occurred. Additional Pegasus indicators of compromise were observed on all devices where this anomaly was observed. No similar inconsistencies were found on any clean iPhones analysed by Amnesty International.

Although most recent records are now being deleted from these databases, traces of recent process executions can also be recovered from additional diagnostic logs from the system. For example, the following records were recovered from the phone of an HRD (CODE RWHRD1):

Date (UTC)           Event
2021-01-31 23:59:02  Process: libtouchregd (PID 7354)
2021-02-21 23:10:09  Process: mptbd (PID 5663)
2021-02-21 23:10:09  Process: launchrexd (PID 4634)
2021-03-21 06:06:45  Process: roleaboutd (PID 12645)
2021-03-28 00:36:43  Process: otpgrefd (PID 2786)
2021-04-06 21:29:56  Process: locserviced (PID 5492)
2021-04-23 01:48:56  Process: eventfssd (PID 4276)
2021-04-23 23:01:44  Process: aggregatenotd (PID 1900)
2021-04-28 16:08:40  Process: xpccfd (PID 1218)
2021-06-14 00:17:12  Process: faskeepd (PID 4427)
2021-06-14 00:17:12  Process: lobbrogd (PID 4426)
2021-06-14 00:17:12  Process: neagentd (PID 4423)
2021-06-14 00:17:12  Process: com.apple.rapports.events (PID 4421)
2021-06-18 08:13:35  Process: faskeepd (PID 4427)
2021-06-18 15:31:12  Process: launchrexd (PID 1169)
2021-06-18 15:31:12  Process: frtipd (PID 1168)
2021-06-18 15:31:12  Process: ReminderIntentsUIExtension (PID 1165)
2021-06-23 14:31:39  Process: launchrexd (PID 1169)
2021-06-23 20:59:35  Process: otpgrefd (PID 1301)
2021-06-23 20:59:35  Process: launchafd (PID 1300)
2021-06-23 20:59:35  Process: vm_stats (PID 1294)
2021-06-24 12:24:29  Process: otpgrefd (PID 1301)

System log files also reveal the location of Pegasus binaries on disk. These file names match those we have consistently observed in the process execution logs presented earlier. The binaries are located inside the folder /private/var/db/com.apple.xpc.roleaccountd.staging/ which is consistent with the findings by Citizen Lab in a December 2020 report.

/private/var/db/com.apple.xpc.roleaccountd.staging/launchrexd/EACA3532-7D15-32EE-A88A-96989F9F558A

Amnesty International’s investigations, corroborated by secondary information we have received, seem to suggest that Pegasus is no longer maintaining persistence on iOS devices. Therefore, binary payloads associated with these processes are not recoverable from the non-volatile filesystem. Instead, one would need to be able to jailbreak the device without reboot, and attempt to extract payloads from memory.

8. Pegasus processes disguised as iOS system services

Across the numerous forensic analyses conducted by Amnesty International on devices around the world, we found a consistent set of malicious process names executed on compromised phones.
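The section 7 consistency check (ZLIVEUSAGE rows whose process entry has been deleted from ZPROCESS) and the section 8 disguise pattern (process names one or two edits away from a legitimate iOS binary), as one runnable triage script. This is an added example, not code from the report or from MVT: the DataUsage.sqlite schema is a constructed, simplified subset with only the columns the report mentions, the rows are constructed, and the allow list of legitimate binaries is taken from the "Spoofed iOS Binary" column of the table in section 8.

```python
"""DataUsage.sqlite consistency check (section 7) plus a lookalike check for
the spoofed process names of section 8.  Added example, not the report's or
MVT's code.  The schema is a constructed, simplified subset of DataUsage.sqlite
(only the columns the report mentions) and the rows are constructed to mimic a
Pegasus-style deletion from ZPROCESS that leaves the ZLIVEUSAGE row behind."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data stores timestamps as seconds since 2001-01-01 00:00:00 UTC.
COREDATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Legitimate binaries from the "Spoofed iOS Binary" column of the section 8
# table.  A real triage would use a much larger allow list of iOS binaries.
KNOWN_IOS_BINARIES = frozenset({
    "aggregated", "ckkeyrolld", "CommCenterRootHelper", "fseventsd", "fmfd",
    "launchd", "MobileSMS", "nehelper", "PPPDialogs",
    "RemindersIntentsUIExtension", "xpcroleaccountd",
})


def to_coredata(dt: datetime) -> float:
    return (dt - COREDATA_EPOCH).total_seconds()


def from_coredata(seconds: float) -> datetime:
    return COREDATA_EPOCH + timedelta(seconds=seconds)


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for DataUsage.sqlite with one tampered entry."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ZPROCESS (
            Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT, ZTIMESTAMP REAL);
        CREATE TABLE ZLIVEUSAGE (
            Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
            ZWIFIIN REAL, ZWIFIOUT REAL, ZTIMESTAMP REAL);
    """)
    t_sms = to_coredata(datetime(2021, 6, 23, 20, 46, 19, tzinfo=timezone.utc))
    t_bad = to_coredata(datetime(2021, 6, 23, 20, 59, 35, tzinfo=timezone.utc))
    db.executemany("INSERT INTO ZPROCESS VALUES (?, ?, ?)", [
        (1, "MobileSMS", t_sms),   # legitimate system process
        (2, "launchafd", t_bad),   # lookalike name, entry still present
        # process key 7 was deleted from ZPROCESS; its usage row remains
    ])
    db.executemany("INSERT INTO ZLIVEUSAGE VALUES (?, ?, ?, ?, ?)", [
        (10, 1, 8192.0, 1024.0, t_sms),
        (11, 2, 0.0, 0.0, t_bad),
        (12, 7, 262144.0, 4096.0, t_bad),  # orphaned: no ZPROCESS row 7
    ])
    db.commit()
    return db


def find_orphaned_usage(db: sqlite3.Connection) -> list[dict]:
    """ZLIVEUSAGE rows whose ZHASPROCESS no longer points at a ZPROCESS row:
    the process name was deleted but its usage record was not, so each
    orphan's timestamp is a candidate time of infection."""
    rows = db.execute("""
        SELECT u.Z_PK, u.ZHASPROCESS, u.ZWIFIIN, u.ZWIFIOUT, u.ZTIMESTAMP
        FROM ZLIVEUSAGE AS u
        LEFT JOIN ZPROCESS AS p ON p.Z_PK = u.ZHASPROCESS
        WHERE p.Z_PK IS NULL
        ORDER BY u.ZTIMESTAMP
    """).fetchall()
    return [
        {"usage_pk": pk, "missing_process_key": proc, "wifi_in": win,
         "wifi_out": wout, "timestamp": from_coredata(ts).isoformat()}
        for pk, proc, win, wout, ts in rows
    ]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so a full DP row is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalike_names(db: sqlite3.Connection, known=KNOWN_IOS_BINARIES,
                         max_distance: int = 2) -> list[tuple[str, str, int]]:
    """Names that are not a known binary but sit within a few edits of one,
    the disguise pattern shown in the section 8 table."""
    hits = []
    for (name,) in db.execute("SELECT ZPROCNAME FROM ZPROCESS"):
        if name is None or name in known:
            continue
        best = min(known, key=lambda k: levenshtein(name, k))
        distance = levenshtein(name, best)
        if distance <= max_distance:
            hits.append((name, best, distance))
    return hits
```

Against a real extraction the same two queries run unchanged on the device's DataUsage.sqlite; a lookalike hit is only a triage lead, since a distance of two also matches some legitimate helper binaries.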
While some processes, for example bh, seem to be unique to a particular attack vector, most Pegasus process names seem to be simply disguised to appear as legitimate iOS system processes, perhaps to fool forensic investigators inspecting logs.

Several of these process names spoof legitimate iOS binaries:

Pegasus Process Name                Spoofed iOS Binary
ABSCarryLog                         ASPCarryLog
aggregatenotd                       aggregated
ckkeyrollfd                         ckkeyrolld
com.apple.Mappit.SnapshotService    com.apple.MapKit.SnapshotService
com.apple.rapports.events           com.apple.rapport.events
CommsCenterRootHelper               CommCenterRootHelper
Diagnostic-2543                     Diagnostic-2532
Diagnosticd                         Diagnostics
eventsfssd                          fseventsd
fmld                                fmfd
JarvisPluginMgr                     JarvisPlugin
launchafd                           launchd
MobileSMSd                          MobileSMS
nehelprd                            nehelper
pcsd                                com.apple.pcs
PDPDialogs                          PPPDialogs
ReminderIntentsUIExtension          RemindersIntentsUIExtension
rlaccountd                          xpcroleaccountd
roleaccountd                        xpcroleaccountd

The list of process names we associate with Pegasus infections is available among all other indicators of compromise on our GitHub page.

9. Unravelling the Pegasus attack infrastructure over the years

The set of domain names, servers and infrastructure used to deliver and collect data from NSO Group’s Pegasus spyware has evolved several times since first publicly disclosed by Citizen Lab in 2016.

In August 2018, Amnesty International published a report “Amnesty International Among Targets of NSO-powered Campaign” which described the targeting of an Amnesty International staff member and a Saudi human rights defender. In this report, Amnesty International presented an excerpt of more than 600 domain names tied to NSO Group’s attack infrastructure. Amnesty International published the full list of domains in October 2018.
In this report, we refer to these domains as Pegasus network Version 3 (V3).

The Version 3 infrastructure used a network of VPSs and dedicated servers. Each Pegasus Installation server or Command-and-Control (C&C) server hosted a web server on port 443 with a unique domain and TLS certificate. These edge servers would then proxy connections through a chain of servers, referred to by NSO Group as the “Pegasus Anonymizing Transmission Network” (PATN).

It was possible to create a pair of fingerprints for the distinctive set of TLS cipher suites supported by these servers. The fingerprint technique is conceptually similar to the JA3S fingerprint technique published by Salesforce in 2019. With that fingerprint, Amnesty International’s Security Lab performed Internet-wide scans to identify Pegasus Installation/infection and C&C servers active in the summer of 2018.

NSO Group made critical operational security mistakes when setting up their Version 3 infrastructure. Two domains of the previous Version 2 network were reused in their Version 3 network. These two Version 2 domains, pine-sales[.]com and ecommerce-ads[.]org, had previously been identified by Citizen Lab. These mistakes allowed Amnesty International to link the attempted attack on our colleague to NSO Group’s Pegasus product. These links were independently confirmed by Citizen Lab in a 2018 report.

NSO Group rapidly shut down many of their Version 3 servers shortly after the Amnesty International and Citizen Lab publications on 1 August 2018.

9.1 Further attempts by NSO Group to hide their infrastructure

In August 2019, Amnesty International identified another case of NSO Group’s tools being used to target a human rights defender, this time in Morocco.
Maati Monjib was targeted with SMS messages containing Version 3 Pegasus links. Amnesty performed a forensic analysis of his iPhone as described previously. This forensic analysis showed redirects to a new domain name free247downloads.com. These links looked suspiciously similar to infection links previously used by NSO.

Amnesty International confirmed this domain was tied to NSO Group by observing distinctive Pegasus artefacts created on the device shortly after the infection URL was opened. With this new domain in hand, we were able to begin mapping the Pegasus Version 4 (V4) infrastructure.

NSO Group re-factored their infrastructure to introduce additional layers, which complicated discovery. Nevertheless, we could now observe at least 4 servers used in each infection chain.

Validation domain:  https://baramije[.]net/[ALPHANUMERIC STRING]
Exploit domain:     https://[REDACTED].info8fvhgl3.urlpush[.]net:30827/[SAME ALPHANUMERIC STRING]

1. A validation server: The first step was a website which we have seen hosted on shared hosting providers. Frequently this website was running a random and sometimes obscure PHP application or CMS. Amnesty International believes this was an effort to make the domains look less distinguishable.
   The validation server would check the incoming request. If a request had a valid and still active URL, the validation server would redirect the victim to the newly generated exploit server domain. If the URL or device was not valid it would redirect to a legitimate decoy website. Any passer-by or Internet crawler would only see the decoy PHP CMS.

2. Infection DNS server: NSO now appears to be using a unique subdomain for every exploit attempt. Each subdomain was generated and only active for a short period of time. This prevented researchers from finding the location of the exploit server based on historic device logs.
   To dynamically resolve these subdomains NSO Group ran a custom DNS server under a subdomain for every infection domain. It also obtained a wildcard TLS certificate which would be valid for each generated subdomain, such as *.info8fvhgl3.urlpush[.]net or *.get1tn0w.free247downloads[.]com.

3. Pegasus Installation Server: To serve the actual infection payload NSO Group needs to run a web server somewhere on the Internet. Again, NSO Group took steps to avoid internet scanning by running the web server on a random high port number.
   We assume that each infection webserver is part of the new generation “Pegasus Anonymizing Transmission Network”. Connections to the infection server are likely proxied back to the customer’s Pegasus infrastructure.

4. Command and Control server: In previous generations of the PATN, NSO Group used separate domains for the initial infection and later communication with the spyware. The iPwn report from Citizen Lab provided evidence that Pegasus is again using separate domains for command and control. To avoid network-based discovery, the Pegasus spyware made direct connections to the Pegasus C&C servers without first performing a DNS lookup or sending the domain name in the TLS SNI field.

9.2 Identifying other NSO attack domains

Amnesty International began by analysing the configuration of the infection domains and DNS servers used in the attacks against Moroccan journalists and human rights defenders.

Based on our knowledge of the domains used in Morocco we developed a fingerprint which identified 201 Pegasus Installation domains which had infrastructure active at the time of the initial scan.
This set of 201 domains included both urlpush[.]net and free247downloads[.]com.

Amnesty International identified an additional 500 domains with subsequent network scanning and by clustering patterns of domain registration, TLS certificate issuance and domain composition which matched the initial set of 201 domains. Amnesty International believes that this represents a significant portion of the Version 4 NSO Group attack infrastructure.

We are publishing these 700 domains today. We recommend that civil society and media organisations check their network telemetry and/or DNS logs for traces of these indicators of compromise.

9.3 What can be learned from NSO Group’s infrastructure

The following chart shows the evolution of NSO Group Pegasus infrastructure over a 4-year period from 2016 until mid-2021. Much of the Version 3 infrastructure was abruptly shut down in August 2018 following our report on an Amnesty International staff member targeted with Pegasus. The Version 4 infrastructure was then gradually rolled out beginning in September and October 2018.

A significant number of new domains were registered in November 2019 shortly after WhatsApp notified their users about alleged targeting with Pegasus. This may reflect NSO rotating domains due to perceived risk of discovery, or because of disruption to their existing hosting infrastructure.

The V4 DNS server infrastructure began going offline in early 2021 following the Citizen Lab iPwn report which disclosed multiple Pegasus V4 domains.

Amnesty International suspects the shutting down of the V4 infrastructure coincided with NSO Group’s shift to using cloud services such as Amazon CloudFront to deliver the earlier stages of their attacks.
The use of cloud services protects NSO Group from some Internet scanning techniques.

9.4 Attack infrastructure hosted primarily in Europe and North America

NSO Group’s Pegasus infrastructure primarily consists of servers hosted at datacentres located in European countries. The countries hosting the most infection domain DNS servers included Germany, the United Kingdom, Switzerland, France, and the United States (US).

Country          Servers per country
Germany          212
United Kingdom   79
Switzerland      36
France           35
United States    28
Finland          9
Netherlands      5
Canada           4
Ukraine          4
Singapore        3
India            3
Austria          3
Japan            1
Bulgaria         1
Lithuania        1
Bahrain          1

The following table shows the number of DNS servers hosted with each hosting provider. Most identified servers are assigned to the US-owned hosting companies Digital Ocean, Linode and Amazon Web Services (AWS).

Many hosting providers offer server hosting in multiple physical locations. Based on these two tables it appears that NSO Group is primarily using the European datacentres run by American hosting companies to run much of the attack infrastructure for its customers.

Network                   Servers per network
DIGITALOCEAN-ASN          142
Linode, LLC               114
AMAZON-02                 73
Akenes SA                 60
UpCloud Ltd               9
Choopa                    7
OVH SAS                   6
Virtual Systems LLC       2
ASN-QUADRANET-GLOBAL      1
combahton GmbH            1
UAB Rakrejus              1
HZ Hosting Ltd            1
PE Brezhnev Daniil        1
Neterra Ltd.              1
Kyiv Optic Networks Ltd   1

Amnesty International’s research identified 28 DNS servers linked to the infection infrastructure which were hosted in the US.

Domain name                          DNS server IP    Network
drp32k77.todoinfonet.com             104.223.76.216   ASN-QUADRANET-GLOBAL
imgi64kf5so6k.transferlights.com     165.227.52.184   DIGITALOCEAN-ASN
pc43v65k.alignmentdisabled.net       167.172.215.114  DIGITALOCEAN-ASN
img54fsd3267h.prioritytrail.net      157.245.228.71   DIGITALOCEAN-ASN
jsfk3d43.netvisualizer.com           104.248.126.210  DIGITALOCEAN-ASN
cdn42js666.manydnsnow.com            138.197.223.170  DIGITALOCEAN-ASN
css1833iv.handcraftedformat.com      134.209.172.164  DIGITALOCEAN-ASN
js43fsf7v.opera-van.com              159.203.87.42    DIGITALOCEAN-ASN
pypip36z19.myfundsdns.com            167.99.105.68    DIGITALOCEAN-ASN
css912jy6.reception-desk.net         68.183.105.242   DIGITALOCEAN-ASN
imgi64kf5so6k.transferlights.com     206.189.214.74   DIGITALOCEAN-ASN
js85mail.preferenceviews.com         142.93.80.134    DIGITALOCEAN-ASN
css3218i.quota-reader.net            165.227.17.53    DIGITALOCEAN-ASN
mongo87a.sweet-water.org             142.93.113.166   DIGITALOCEAN-ASN
react12x2.towebsite.net              3.13.132.96      AMAZON-02
jsb8dmc5z4.gettingurl.com            13.59.79.240     AMAZON-02
react12x2.towebsite.net              3.16.75.157      AMAZON-02
cssgahs5j.redirigir.net              18.217.13.50     AMAZON-02
jsm3zsn5kewlmk9q.dns-analytics.com   18.225.12.72     AMAZON-02
imgcss35d.domain-routing.com         13.58.85.100     AMAZON-02
jsb8dmc5z4.gettingurl.com            18.191.63.125    AMAZON-02
js9dj1xzc8d.beanbounce.net           199.247.15.15    CHOOPA
jsid76api.buildyourdata.com          108.61.158.97    CHOOPA
cdn19be2.reloadinput.com             95.179.177.18    CHOOPA
srva9awf.syncingprocess.com          66.175.211.107   Linode
jsfk3d43.netvisualizer.com           172.105.148.64   Linode
imgdsg4f35.permalinking.com          23.239.16.143    Linode
srva9awf.syncingprocess.com          45.79.190.38     Linode

9.5 Infection domain resolutions observed in Passive DNS database

Based on forensic analysis of compromised devices, Amnesty International determined that NSO Group was using a unique and randomly generated subdomain for each attempt to deliver the Pegasus spyware.

Amnesty International searched passive DNS datasets for each of the Pegasus Version 4 domains we have identified. Passive DNS databases record historic DNS resolutions for a domain and often include subdomains and the corresponding historic IP address.

A subdomain will only be recorded in passive DNS records if the subdomain was successfully resolved and the resolution transited a network which was running a passive DNS probe.

This probe data is collected based on agreements between network operators and passive DNS data providers. Many networks will not be covered by such data collection agreements. For example, no passive DNS resolutions were recorded for either of the Pegasus infection domains used in Morocco.

As such, these resolutions represent only a small subset of overall NSO Group Pegasus activity.

Infection domain                   Unique infection subdomains
mongo77usr.urlredirect.net         417
str1089.mailappzone.com            410
apiweb248.theappanalytics.com      391
dist564.htmlstats.net              245
css235gr.apigraphs.net             147
nodesj44s.unusualneighbor.com      38
jsonapi2.linksnew.info             30
img9fo658tlsuh.securisurf.com      19
pc25f01dw.loading-url.net          12
dbm4kl5d3faqlk6.healthyguess.com   8
img359axw1z.reload-url.net         5
css2307.cssgraphics.net            5
info2638dg43.newip-info.com        3
img87xp8m.catbrushcable.com        2
img108jkn42.av-scanner.com         2
mongom5sxk8fr6.extractsight.com    2
img776cg3.webprotector.co          1
tv54d2ml1.topadblocker.net         1
drp2j4sdi.safecrusade.com          1
api1r3f4.redirectweburl.com        1
pc41g20bm.redirectconnection.net   1
jsj8sd9nf.randomlane.net           1
php78mp9v.opposedarrangement.net   1

The domain urlredirect.net had the highest number of observed unique subdomains. In total 417 resolutions were recorded between 4 October 2018 and 17 September 2019. The second highest was mailappzone.com, which has 410 resolutions in a 3-month period between 23 July 2020 and 15 October 2020.

Amnesty International believes that each of these subdomain resolutions, 1748 in total, represents an attempt to compromise a device with Pegasus. These 23 domains represent less than 7% of the 379 Pegasus Installation Server domains we have identified. Based on this small subset, Pegasus may have been used in thousands of attacks over the past three years.

10. Mobile devices, security and auditability

Much of the targeting outlined in this report involves Pegasus attacks targeting iOS devices. It is important to note that this does not necessarily reflect the relative security of iOS devices compared to Android devices, or other operating systems and phone manufacturers.

In Amnesty International’s experience there are significantly more forensic traces accessible to investigators on Apple iOS devices than on stock Android devices, therefore our methodology is focused on the former. As a result, most recent cases of confirmed Pegasus infections have involved iPhones.

This and all previous investigations demonstrate how attacks against mobile devices are a significant threat to civil society globally. The difficulty of not only preventing, but also detecting attacks after the fact is the result of an unsustainable asymmetry between the capabilities readily available to attackers and the inadequate protections that individuals at risk enjoy.

While iOS devices provide at least some useful diagnostics, historical records are scarce and easily tampered with. Other devices provide little to no help conducting consensual forensics analysis.
Although much can be done to improve the security posture of mobile devices and mitigate the risks of attacks such as those documented in this report, even more could be achieved by improving the ability for device owners and technical experts to perform regular checks of the system’s integrity.

Therefore, Amnesty International strongly encourages device vendors to explore options to make their devices more auditable, without of course sacrificing any security and privacy protections already in place. Platform developers and phone manufacturers should regularly engage in conversations with civil society to better understand the challenges faced by HRDs, who are often under-represented in cybersecurity debates.

11. With our Methodology, we release our tools and indicators

For a long time, triaging the state of a suspected compromised mobile device has been considered a near-impossible task, particularly within the human rights communities we work in. Through the work of Amnesty International’s Security Lab we have built important capabilities that may benefit our peers and colleagues supporting activists, journalists, and lawyers who are at risk.

Therefore, through this report, we are not only sharing the methodology we have built over years of research but also the tools we created to facilitate this work, as well as the Pegasus indicators of compromise we have collected.

All indicators of compromise are available on our GitHub, including domain names of Pegasus infrastructure, email addresses recovered from iMessage account lookups involved in the attacks, and all process names Amnesty International has identified as associated with Pegasus.

Amnesty International is also releasing a tool we have created, called Mobile Verification Toolkit (MVT).
MVT is a modular tool that simplifies the process of acquiring and analysing data from Android devices, and the analysis of records from iOS backups and filesystem dumps, specifically to identify potential traces of compromise.

MVT can be provided with indicators of compromise in STIX2 format and will identify any matching indicators found on the device. In conjunction with Pegasus indicators, MVT can help identify if an iPhone has been compromised.

Some of the features of MVT include:

• Decrypt encrypted iOS backups.
• Process and parse records from numerous iOS system and app databases and system logs.
• Extract installed applications from Android devices.
• Extract diagnostic information from Android devices through the adb protocol.
• Compare extracted records to a provided list of malicious indicators in STIX2 format. Automatically identify malicious SMS messages, visited websites, malicious processes, and more.
• Generate JSON logs of extracted records, and separate JSON logs of all detected malicious traces.
• Generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.

Acknowledgements

The Amnesty International Security Lab wishes to acknowledge all those who have supported this research. Tools released by the iOS security research community including libimobiledevice and checkra1n were used extensively as part of this research. We would also like to thank Censys and RiskIQ for providing access to their internet scan and passive DNS data. Amnesty International wishes to acknowledge Citizen Lab for its important and extensive research on NSO Group and other actors contributing to the unlawful surveillance of civil society. Amnesty International thanks Citizen Lab for its peer-review of this research report.
\r\nFinally, Amnesty International wishes to thank the numerous journalists and human rights defenders who bravely\r\ncollaborated to make this research possible.\r\nAppendix A: Peer review of Methodology Report by Citizen Lab\r\nThe Citizen Lab at the University of Toronto has independently peer-reviewed a draft of the forensic methodology outlined\r\nin this report. Their review can be found here.\r\nAppendix B: Suspicious iCloud Account Lookups\r\nThis Appendix shows the overlap of iCloud accounts found to have been looked up on the mobile devices of different targets. This list\r\nwill be progressively updated.\r\niCloud Account / Targets\r\nemmaholm575[@]gmail.com\r\n• AZJRN1 – Khadija Ismayilova\r\nfilip.bl82[@]gmail.com\r\n• AZJRN1 – Khadija Ismayilova\r\nkleinleon1987[@]gmail.com\r\n• AZJRN1 – Khadija Ismayilova\r\nbergers.o79[@]gmail.com\r\n• Omar Radi\r\n• FRHRL1 – Joseph Breham\r\n• FRHRL2\r\n• FRJRN1 – Lenaig Bredoux\r\n• FRJRN2\r\n• FRPOI1\r\n• FRPOI2 – François de Rugy\r\nnaomiwerff772[@]gmail.com\r\n• Omar Radi\r\n• FRHRL1 – Joseph Breham\r\n• FRPOI1\r\nbogaardlisa803[@]gmail.com\r\n• FRHRL1 – Joseph Breham\r\n• FRJRN1 – Lenaig Bredoux\r\n• FRJRN2\r\nlinakeller2203[@]gmail.com\r\n• FRHRD1 – Claude Mangin\r\n• FRPOI3 – Philippe Bouyssou\r\n• FRPOI4\r\n• FRPOI5 – Oubi Buchraya Bachir\r\n• MOJRN1 – Hicham Mansouri\r\njessicadavies1345[@]outlook.com\r\n• HUJRN1 – András Szabó\r\n• HUJRN2 – Szabolcs Panyi\r\nemmadavies8266[@]gmail.com\r\n• HUJRN1 – András Szabó\r\n• HUJRN2 – Szabolcs Panyi\r\nk.williams.enny74[@]gmail.com\r\n• HUPOI1\r\n• HUPOI2 – Adrien Beauduin\r\n• HUPOI3\r\ntaylorjade0303[@]gmail.com\r\n• INHRD1 – SAR Geelani\r\n• INJRN6 – 
Smita Sharma\r\n• INPOI1 – Prashant Kishor\r\nlee.85.holland[@]gmail.com\r\n• INHRD1 – SAR Geelani\r\n• INJRN6 – Smita Sharma\r\n• INPOI1 – Prashant Kishor\r\nbekkerfredi[@]gmail.com\r\n• INHRD1 – SAR Geelani\r\n• INPOI2\r\nherbruud2[@]gmail.com\r\n• INJRN1 – Mangalam Kesavan Venu\r\n• INJRN2 – Sushant Singh\r\n• INPOI1 – Prashant Kishor\r\nvincent.dahl76[@]gmail.com\r\n• KASH01 – Hatice Cengiz\r\n• KASH02 – Rodney Dixon\r\noskarschalcher[@]outlook.com\r\n• KASH03 – Wadah Khanfar\r\nbenjiburns8[@]gmail.com\r\n• RWHRD1 – Carine Kanimba\r\nAppendix C: Detailed Traces per Target\r\nThis Appendix contains detailed breakdowns of forensic traces recovered for each target. This Appendix will be\r\nprogressively updated.\r\nC.1 Forensic Traces Overview for Maati Monjib\r\nDate (UTC) | Event\r\n2017-11-02 12:29:33 | Pegasus SMS with link to hxxps://tinyurl[.]com/y73qr7mb redirecting to hxxps://revolution-news[.]co/ikXFZ34ca\r\n2017-11-02 16:42:34 | Pegasus SMS with link to hxxps://stopsms[.]biz/vi78ELI\r\n2017-11-02 16:44:00 | Pegasus SMS with link to hxxps://stopsms[.]biz/vi78ELI from +212766090491\r\n2017-11-02 16:45:10 | Pegasus SMS with link to Hxxps://stopsms[.]biz/bi78ELI from +212766090491\r\n2017-11-02 16:57:00 | Pegasus SMS with link to Hxxps://stopsms[.]biz/bi78ELI from +212766090491\r\n2017-11-02 17:13:45 | Pegasus SMS with link to Hxxps://stopsms[.]biz/bi78ELI from +212766090491\r\n2017-11-02 17:21:57 | Pegasus SMS with link to Hxxps://stopsms[.]biz/bi78ELI from +212766090491\r\n2017-11-02 17:30:49 | Pegasus SMS with link to Hxxps://stopsms[.]biz/bi78ELI from +212766090491\r\n2017-11-02 17:40:46 | Pegasus SMS with link to Hxxps://stopsms[.]biz/bi78ELI from 
+212766090491\r\n2017-11-15 17:05:17 | Pegasus SMS with link to hxxps://videosdownload[.]co/nBBJBIP\r\n2017-11-20 18:22:03 | Pegasus SMS with link to hxxps://infospress[.]com/LqoHgMCEE\r\n2017-11-24 13:43:17 | Pegasus SMS with link to hxxps://tinyurl[.]com/y9hbdqm5 redirecting to hxxps://hmizat[.]co/JaCTkfEp\r\n2017-11-24 17:26:09 | Pegasus SMS with link to hxxps://stopsms[.]biz/2Kj2ik6\r\n2017-11-27 15:56:10 | Pegasus SMS with link to hxxps://stopsms[.]biz/yTnWt1Ct\r\n2017-11-27 17:32:37 | Pegasus SMS with link to hxxps://hmizat[.]co/ronEKDVaf\r\n2017-12-07 18:21:57 | Pegasus SMS with link to hxxp://tinyurl[.]com/y7wdcd8z redirecting to hxxps://infospress[.]com/Ln3HYK4C\r\n2018-01-08 12:58:14 | Pegasus SMS with link to hxxp://tinyurl[.]com/y87hnl3o redirecting to hxxps://infospress[.]com/asjmXqiS\r\n2018-02-09 21:12:49 | Process: pcsd\r\n2018-03-16 08:24:20 | Process: pcsd\r\n2018-04-28 22:25:12 | Process: bh\r\n2018-05-04 21:30:45 | Process: pcsd\r\n2018-05-21 21:46:06 | Process: fmld\r\n2018-05-22 17:36:51 | Process: bh\r\n2018-06-04 11:05:43 | Process: fmld\r\n2019-03-27 21:45:10 | Process: bh\r\n2019-04-14 23:02:41 | Safari favicon from URL hxxps://c7r8x8f6zecd8j.get1tn0w.free247downloads[.]com:30352/Ld3xuuW5\r\n2019-06-27 20:13:10 | Safari favicon from URL hxxps://3hdxu4446c49s.get1tn0w.free247downloads[.]com:30497/pczrccr#052045871202826837337308184750023238630846883\r\n2019-07-22 15:42:32 | Safari visit to hxxps://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz\r\n2019-07-22 15:42:32 | Safari visit to hxxps://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz#04863478734328748598247485301272499805471849442\r\n2019-07-22 15:43:06 | Safari 
favicon from URL hxxps://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz#04863478734328748598247485301272499805471849442\r\nn/a | WebKit IndexedDB file for URL hxxps://c7r8x8f6zecd8j.get1tn0w.free247downloads[.]com\r\nn/a | WebKit IndexedDB file for URL hxxps://bun54l2b67.get1tn0w.free247downloads[.]com\r\nn/a | WebKit IndexedDB file for URL hxxps://keewrq9z.get1tn0w.free247downloads[.]com\r\nn/a | WebKit IndexedDB file for URL hxxps://3hdxu4446c49s.get1tn0w.free247downloads[.]com\r\nC.2 Forensic Traces Overview for Omar Radi\r\nDate (UTC) | Event\r\n2019-02-11 14:45:45 | WebKit IndexedDB file for URL hxxps://d9z3sz93x5ueidq3.get1tn0w.free247downloads[.]com\r\n2019-02-11 13:45:53 | Safari favicon from URL hxxps://d9z3sz93x5ueidq3.get1tn0w.free247downloads[.]com:30897/rdEN5YP\r\n2019-02-11 13:45:56 | Process: bh\r\n2019-02-11 13:46:16 | Process: roleaboutd\r\n2019-02-11 13:46:23 | Process: roleaboutd\r\n2019-02-11 16:05:24 | Process: roleaboutd\r\n2019-08-16 17:41:06 | iMessage lookup for account bergers.o79[@]gmail.com\r\n2019-09-13 15:01:38 | Safari favicon for URL hxxps://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/meunsnyse#0113565702571172968348457040223389731330224333\r\n2019-09-13 15:01:56 | Safari favicon for URL hxxps://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/meunsnyse#0680995616146262785199253586387891615724278336\r\n2019-09-13 15:02:11 | Process: bh\r\n2019-09-13 15:02:20 | Process: msgacntd\r\n2019-09-13 15:02:33 | Process: msgacntd\r\n2019-09-14 15:02:57 | Process: msgacntd\r\n2019-09-14 18:51:54 | Process: msgacntd\r\n2019-10-29 12:21:18 | iMessage lookup for account naomiwerff772[@]gmail.com\r\n2020-01-27 10:06:24 | Safari favicon for 
URL hxxps://gnyjv1xltx.info8fvhgl3.urlpush[.]net:30875/zrnv5revj#074196419827987919274001548622738919835556748325946\r\n2020-01-27 10:06:26 | Safari visit to hxxps://gnyjv1xltx.info8fvhgl3.urlpush[.]net:30875/zrnv5revj#074196419827987919274001548622738919835556748325946#2\r\n2020-01-27 10:06:26 | Safari visit to hxxps://gnyjv1xltx.info8fvhgl3.urlpush[.]net:30875/zrnv5revj#074196419827987919274001548622738919835556748325946#24\r\n2020-01-27 10:06:32 | Safari favicon for URL hxxps://gnyjv1xltx.info8fvhgl3.urlpush[.]net:30875/zrnv5revj#074196419827987919274001548622738919835556748325946%23\r\nAppendix D: Pegasus Forensic Traces per Target\r\nAppendix D can be found here.\r\n[1] The technical evidence provided in the report includes the forensic research carried out as part of the Pegasus Project as\r\nwell as additional Amnesty International Security Lab research carried out since the establishment of the Security Lab in\r\n2018.\r\n[2] Email to Amnesty International, May 2021.\r\n[3] Email to Amnesty International, July 2021.\r\nUpdate history: On the 6th of September 2022, this document was updated to re-add a process name temporarily removed.\r\nSource: https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/"
	],
	"report_names": [
		"forensic-methodology-report-how-to-catch-nso-groups-pegasus"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434261,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed7d57500d14b7fbb7444a6713ed4db938581d99.pdf",
		"text": "https://archive.orkl.eu/ed7d57500d14b7fbb7444a6713ed4db938581d99.txt",
		"img": "https://archive.orkl.eu/ed7d57500d14b7fbb7444a6713ed4db938581d99.jpg"
	}
}