{
	"id": "97a4db3e-fc94-4305-8470-7992e516379e",
	"created_at": "2026-04-06T00:09:12.455249Z",
	"updated_at": "2026-04-10T03:25:23.408557Z",
	"deleted_at": null,
	"sha1_hash": "f6f13c15526c419da382fd803320e84e143ad4cb",
	"title": "GeckoSpy: Pegasus Spyware Used Against Thailand’s Pro-Democracy Movement - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2932074,
	"plain_text": "GeckoSpy: Pegasus Spyware Used Against Thailand’s Pro-Democracy Movement - The Citizen Lab\r\nArchived: 2026-04-05 17:29:58 UTC\r\nKey Findings\r\nWe discovered an extensive espionage campaign targeting Thai pro-democracy protesters, and activists\r\ncalling for reforms to the monarchy.\r\nWe forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus spyware.\r\nThe observed infections took place between October 2020 and November 2021.\r\nThe ongoing investigation was triggered by notifications sent by Apple to Thai civil society members in\r\nNovember 2021. Following the notification, multiple recipients made contact with civil society groups,\r\nincluding the Citizen Lab.\r\nThe report describes the results of an ensuing collaborative investigation by the Citizen Lab, and Thai\r\nNGOs iLaw, and DigitalReach.\r\nA sample of the victims was independently analyzed by Amnesty International’s Security Lab which\r\nconfirms the methodology used to determine Pegasus infections.\r\nThis report is a companion to a report with detailed contextual analysis by iLaw and DigitalReach.\r\nIntroduction: Surveillance and Repression in Thailand\r\nThe Kingdom of Thailand is a constitutional monarchy with a parliamentary-style government divided into\r\nexecutive, legislative, and judiciary branches. The country has been beset by intense political conflict since 2005,\r\nduring the government of former Prime Minister Thaksin Shinawatra. Corruption allegations against the regime\r\nculminated in a military coup on September 19, 2006 that ousted Thaksin. The military launched another coup on\r\nMay 22, 2014 and seized power following mass protests against the civilian government led by Thaksin’s sister,\r\nYingluck Shinawatra. The junta claimed that the 2014 coup was needed to restore order and called itself the\r\nNational Council for Peace and Order (NCPO).\r\nContemporary Political Contests\r\nThailand has had at least twelve successful coups, in addition to at least seven unsuccessful coup attempts, since\r\nthe end of its absolute monarchy in 1932. Thailand’s 2019 elections, the first elections following the 2014 coup,\r\ndid not restore parliamentary democracy, but instead returned the coup leaders to power and further\r\ninstitutionalized the military in government. One year later, Maha Vajiralongkorn, the son of the widely-popular\r\nKing Bhumibol Adulyadej who died in 2016 after a seven decade reign, ascended the throne.\r\nDissatisfaction with the government and the monarchy led to mass protests and social media campaigns (e.g.,\r\n“#WhyDoWeNeedAKing” and “#FreeYouth,” representing the Free Youth Movement of students) that have\r\ndemanded a return to democracy and reforms of the monarchy. Inspired by the pro-democracy movements in\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 1 of 23\n\nHong Kong and Taiwan, activists in Thailand joined the “Milk Tea Alliance” in 2020, named after a drink that is\r\npopular in the region. Activists including Arnon Nampa also organized a “Harry Potter vs. He Who Must Not Be\r\nNamed”-themed protest, and protesters adopted the three-finger salute from the bestselling book and movie series\r\nThe Hunger Games to demonstrate their defiance. Additionally, groups such as the Ratsadon, We Volunteer\r\n(WeVo), and Thalufah organized a rally in June 2022 to commemorate the anniversary of the 1932 revolution.\r\nThe government responded to the protests by launching a wave of arrests, citing Section 112 of Thailand’s\r\nCriminal Code (also known as the lèse-majesté law), which criminalizes insults and defamation against the Thai\r\nroyal family and carries lengthy prison sentences, as well as other laws (e.g., Article 215 of the Criminal Code on\r\nillegal assemblies). United Nations (UN) human rights experts have expressed “grave concerns” over the use of\r\nlèse-majesté law against those who criticize the government and the monarchy, and protesters have mobilized\r\nagainst what they deem to be an arbitrary application of such laws.\r\nAmong those targeted with the lèse-majesté law was lawyer Arnon Nampa, who was arrested multiple times and\r\nfaced multiple lèse-majesté charges, with a prison term of up to 150 years. Activists like Jatupat Boonpattararaksa\r\n(also known as “Pai Dao Din”), who already served prison sentences for lèse-majesté, were targeted repeatedly.\r\nMeanwhile, women activists and their family members have reported frequent physical harassment, intimidation,\r\nand surveillance, in addition to online harassment and attacks, resulting from their involvement in protests. Thai\r\nactivists who have left the country also continue to face threats to their security. At least nine exiled activists have\r\ndisappeared since 2014 in neighboring countries, such as Cambodia, the Lao People’s Democratic Republic, and\r\nVietnam.\r\nInformation Controls in Thailand\r\nGenerally, Thai authorities have permitted greater freedom of expression on the Internet than other forms of state-controlled mass media. However, the 2006 and 2014 coups resulted in new laws and policies that transformed the\r\nInternet’s role as a platform for political exchanges and debates. For example, the Computer-Related Crime Act\r\nB.E 2550 (2007) (also known as the 2007 Computer Crime Act (CCA))—the very first legislation passed by the\r\nmilitary-appointed legislature after the 2006 coup—is often applied in conjunction with the lèse-majesté law. In\r\nJanuary 2021, a former civil servant pleaded guilty to 29 counts of lèse-majesté for uploading clips on social\r\nmedia that allegedly contained defamatory comments against the monarchy. The former civil servant received an\r\n87 year prison sentence, which was later reduced to 43 years on appeal.\r\nThe political polarization that emerged from the protests and counter protests between the broadly populist-democratic “Red Shirts” supporters of Thaksin and the broadly conservative-royalist “Yellow Shirts,” consisting\r\nof middle class Thais, has also given rise to vigilantes that monitor the Internet and social media for potential lèse-majesté violations. The Ministry of Information and Communication Technology (MICT) runs the “Cyber Scouts”\r\nprogram, while groups such as the Garbage Collecting Organization have reported individuals to the police for\r\nalleged lèse-majesté crimes.\r\nThe 2006 and 2014 coups have been regarded as “twin coups,” as both were carried out by the same group of\r\npeople in the military and both share a similar aim of eliminating Thaksin’s influence in Thai politics. The May\r\n2014 coup, however, is distinct from previous coups, due to the military junta’s declaration of martial law before\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 2 of 23\n\nthe coup and immediate efforts to restrict free speech online and offline. Furthermore, unlike the 2006 coup, the\r\njunta did not hold elections soon after seizing power, and instead established a military-dominated government.\r\nThe Citizen Lab previously tested website accessibility in Thailand between May 22, 2014 and June 26, 2014,\r\nwhich identified a total of 56 URLs blocked in the country, including “domestic independent news media websites\r\nand international media coverage that are critical of the coup, social media accounts sharing anti-coup material, as\r\nwell as circumvention tools, gambling websites and pornography.” The military also engaged in information\r\noperations online, such as by creating several military-related official Facebook Pages following the coup.\r\nThe junta’s policies have contributed to more stringent controls on information and the silencing of dissent,\r\nincluding on the Internet. For example, in 2015 it announced the intention to merge all gateways to the global\r\nInternet from Thailand into a single entity to help control “inappropriate” websites and information flows from\r\noverseas. Although this single Internet gateway plan was dropped after widespread criticism and fears that it\r\nwould be used to restrict access to online content, the Digital Economy and Society Minister Chaiwut\r\nThanakhamanusorn suggested in February 2022 that a single Internet gateway remains necessary to protect\r\nnational security and prevent cyber crimes.\r\nThe junta-appointed National Legislative Assembly amended the CCA in 2017, adding provisions that allow the\r\ngovernment to prosecute what it designates as “false” or “distorted” information. Prime Minister Prayuth Chan-ocha, a former military chief who led the 2014 coup, defended the amendment as necessary to control\r\n“inappropriate” online content, especially those that defame the monarchy. Section 26 of the amended CCA\r\nrequires Internet service providers (ISPs) to “retain the necessary information of the service user in order to be\r\nable to identify the service user from the beginning of the service provision.” This section is concerning given the\r\ncountry’s history of prosecuting Internet users and publishers for their free expression. For example, Thantawut\r\nThaweewarodomkul, a web designer for a “Red Shirt”-affiliated website called Nor Por Chor USA, was sentenced\r\nin 2011 to 13 years in prison due to comments posted on the website that violated the lèse-majesté law and failure\r\nto remove these comments. The Thai news site Prachatai reported that a Thai ISP, Triple T Broadband Company,\r\nhad revealed an IP address to the authorities allegedly belonging to Thantawut that was connected to the website.\r\nThe junta established a new Constitution in 2017 that, among other things, introduced new structures for the\r\nmilitary to intervene in politics (e.g., a new Internal Security Operations Command (ISOC) with local commands\r\nin every province). The military-appointed parliament further extended the government’s powers in February 2019\r\nby passing both the Cybersecurity Act and the National Intelligence Act. Both Acts have been criticized for giving\r\nthe authorities virtually unaccountable power to monitor Internet users and collect user data, given their overly\r\nbroad and vague language, including regarding what is considered as “national security,” and allowing the use of\r\n“any methods” by the government to obtain information (Section 6 of the 2019 National Intelligence Act).\r\nAlthough Thailand passed the Personal Data Protection Act in May 2019, concerns over unchecked surveillance\r\nand the misuse of government-collected personal data remain, as the Act contains many exemptions to\r\nenforcement, including exempting government agencies responsible for “state security” (Section 4).\r\nThai authorities have routinely pressured social media companies to remove posts considered offensive or a threat\r\nto the junta. A 2020 Amnesty International report claimed that “Thai authorities are prosecuting social media users\r\nwho criticize the government and monarchy in a systematic campaign to crush dissent.” This approach is\r\nexemplified in the blocking of a Facebook group with more than a million followers, called the Royalist\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 3 of 23\n\nMarketplace, founded by Thai academic and critic in exile, Pavin Chachavalpongpun, following a request from\r\nThai officials. Although Facebook complied with the request, it noted that ‘[r]equests like this are severe,\r\ncontravene international human rights law, and have a chilling effect on people’s ability to express themselves,”\r\nand that the company would undertake a legal challenge in Thai courts.\r\nTargeted and Mass Surveillance in Thailand\r\nAs pro-democracy protests have become more widespread, activists and protesters are increasingly concerned\r\nover surveillance conducted by the Thai authorities. Outside of the capital city of Bangkok, where most of the\r\nprotests take place, mobile service providers have required their users to submit biometric data (e.g., in the restive\r\nSouthern Border Provinces, which are populated by minority ethnic Malay Muslims). A system of over 8,000\r\nartificial intelligence (AI)-enabled surveillance cameras has also been planned for the region and Thai authorities\r\nhave reportedly started collecting involuntary DNA samples from the local population.\r\nNational legislation in Thailand has thus far failed to introduce checks and balances against the government’s\r\nbroad and continuously evolving surveillance powers, while mechanisms to hold the government accountable are\r\nbeing weakened and attacks against civil society continue. In 2013 and 2015, the government allegedly purchased\r\nsurveillance technologies made by the Italian company Hacking Team. Previous research published by the Citizen\r\nLab in 2020 indicates that at least three Thai government agencies had contracted with Circles, which offers a\r\ncomplementary product to Pegasus that allows for the interception of phone calls and SMS, as well as tracking of\r\na phone’s location, without hacking the device. The three Thai customers of Circles that the Citizen Lab identified\r\nwere the Narcotics Suppression Bureau (NSB), the Thai Army’s ISOC (กองอำ นวยการรักษาความมั่นคง\r\nภายใน), and the “Military Intelligence Battalion” (MIBn) (กองพันข่าวกรองทางทหาร).\r\nConcerns over the use of Pegasus spyware against pro-democracy protesters in Thailand stem from the Citizen\r\nLab’s previous reporting of a potential Pegasus spyware operator within the country in 2018. Furthermore, in\r\nNovember 2021, Reuters reported that six activists and researchers received “state-sponsored attacker”\r\nnotifications from Apple. These notifications triggered this report’s investigation on the use of Pegasus in\r\nThailand.\r\nFindings: Pegasus Infections in Thailand\r\nOn November 23, 2021, Apple began sending notifications to iPhone users targeted by state-backed attacks with\r\nmercenary spyware. The recipients included individuals that Apple believes were targeted with NSO Group’s\r\nFORCEDENTRY exploit. Many Thai civil society members received this warning. Shortly thereafter, multiple\r\nrecipients of the notification made contact with the Citizen Lab and regional groups.\r\nIn collaboration with Thai organizations iLaw1 and DigitalReach, forensic evidence was obtained from\r\nnotification recipients, and other suspected victims, who consented to participate in a research study with the\r\nCitizen Lab. We then performed a technical analysis of forensic artifacts to determine whether these individuals\r\nwere infected with Pegasus or other spyware. Victims publicly named in this report consented to be identified as\r\nsuch, while others chose to remain anonymous, or have their cases described with limited detail.\r\nCivil Society Pegasus Infections\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 4 of 23\n\nWe have identified at least 30 Pegasus victims among key civil society groups in Thailand, including activists,\r\nacademics, lawyers, and NGO workers. The infections occurred from October 2020 to November 2021,\r\ncoinciding with a period of widespread pro-democracy protests, and predominantly targeted key figures in the pro-democracy movement. In numerous cases, multiple members of movements or organizations were infected.\r\nMany of the victims included in this report have been repeatedly detained, arrested, and imprisoned for their\r\npolitical activities or criticism of the government. Many of the victims have also been the subject of lèse-majesté\r\nprosecutions by the Thai government.\r\nWhile many of the infections were detected on the devices of prominent figures, hacking was also observed\r\nagainst individuals who are not publicly involved in the protests. Speculatively, this may reflect the attackers’\r\nintent to uncover details about how opposition movements were organized, and may have been prompted by\r\nspecific financial transactions that would have been known to Thai financial institutions and the government, but\r\nnot the public.\r\nThe following section outlines a selection of these cases.\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 5 of 23\n\nA more detailed discussion of these cases and more by iLaw and Digital Reach Asia can be found here.\r\nMembers of Movements or Organizations\r\nMembers of the anti-government protest movement, including individuals associated with FreeYOUTH, United\r\nFront of Thammasat and Demonstration (UFTD), and We Volunteer (WEVO), were infected with Pegasus, often\r\nduring periods of political activity. For example, some of the hacking took place shortly before, during, or after\r\nprotests, suggesting that the attackers may have been seeking information about their activities.\r\nTarget: FreeYOUTH\r\nJutatip Sirikhan is a key member of the FreeYOUTH movement who was the President of the Student Union of\r\nThailand at the time of the protests. Jutatip was arrested on September 1, 2020 for having participated in a pro-democracy protest. The Citizen Lab observed evidence of an infection of her phone on or around October 21,\r\n2020, one of the first infection dates found in this investigation. She was again hacked on March 18, 2021, just\r\ntwo days before a planned protest calling for reforms to the monarchy was scheduled on March 20, 2021 in\r\nBangkok. We determined her device was infected a total of six times.\r\nOther FreeYOUTH members and close affiliates who were also infected with Pegasus include Poramin\r\nRassameesawas,2 Katekanok Wongsapakdee, Pansiree Jirathakoone, and Chatrapee Artsomboon. Another member\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 6 of 23\n\nof the group, Ratchasak Komgris, received a notification from Apple, but no conclusive evidence of infection was\r\nfound at the time of forensic analysis.\r\nTarget: WE Volunteer\r\nMembers of We Volunteer (WEVO) were also infected with Pegasus. The group is often referred to as “Guard\r\nWEVO,” as they provide support to other protest groups. Piyarat Chongthep, the group’s former president, was\r\ninfected with Pegasus, according to forensic indicators present on the device, although the exact date of the\r\ninfection could not be determined at the time of analysis. At least three additional WEVO members were also\r\ninfected with Pegasus: Rattapoom Lertpaijit, Wichapat Srigasipun, and Individual #2 were infected between\r\nAugust and September 2021.3 According to the group’s official Facebook page, at the time of infection, at least 66\r\nWEVO members were charged with multiple offenses, including violations of the Emergency Decree, and illegal\r\nassociation. Piyarat was also charged for committing a lèse-majesté offense.\r\nTarget: United Front of Thammasat and Demonstration\r\nAt least four members of the United Front of Thammasat and Demonstration (UFTD), a prominent youth\r\nmovement from Thammasat University in Bangkok, were infected with Pegasus: Panusaya “Rung”\r\nSithijirawattanakul, Niraphorn Onnkhaow, Nutchanon Pairoj, and Chonlatit Chottsawas. Benja Apan, a former\r\nUFTD member, was also infected. Panusaya, who is also a spokesperson for the Student Union of Thailand, is\r\nglobally known for publicly reading a document challenging the role of the monarchy in Thailand. Her activism\r\nled to her being named among the BBC’s 100 Women in 2020.\r\nIn December 2020, Panusaya wore a crop top shirt on a trip to a shopping mall in Bangkok, with the message “I\r\nhave only one father” written on her skin. Thai authorities interpreted this as mocking King Vajiralongkorn.\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 7 of 23\n\nPanusaya was charged under Thailand’s lèse-majesté law. In November 2021, a Thai court also ruled that demands\r\nvoiced by protest leaders Panusaya, Arnon Nampa, and Panupong “Mike” Jadnok to reform the monarchy during\r\nmass protests in 2020 were unconstitutional. In total, Panusaya has been charged with at least 10 lèse-majesté\r\noffenses, and was detained for a total of 85 days between 2020 and 2021. The charges drew widespread\r\ncondemnation by human rights groups and legal scholars.\r\nOur analysis revealed that Panusaya was repeatedly hacked with Pegasus throughout June (15, 20, and 23), and\r\nagain on or around September 24, 2021. The hacking coincided with renewed pro-democracy protests in Thailand.\r\nDuring the periods when Panusaya was jailed, Nutchanon and Benja assisted in the UFTD’s leadership. Benja, for\r\nexample, publicly read the group’s second declaration. Nutchanon and Benja were sentenced to prison on a\r\n“contempt of court charge” due to a protest at the Ratchadaphisek Criminal Court on April 29, 2021, which\r\ndemanded the release of detained activists. Nutchanon and Benja had also organized another protest in front of the\r\nRatchadaphisek Criminal Court on April 30, 2021.\r\nIn November 2021, Nutchanon and Benja were sentenced to contempt of court. Both were infected with Pegasus\r\nin November 2021. Benja’s phone was infected on November 17, 2021. Nutchanon’s phone, meanwhile, was\r\ninfected on November 18, 2021. Benja’s device was infected with Pegasus while she was in detention after being\r\narrested on October 7, 2021. She spent 99 days in prison after being repeatedly denied bail for lèse-majesté and\r\nother offenses. The phone was not in her custody during this period.\r\nNiraphorn, meanwhile, was infected with Pegasus at least 12 times between February and June 2021. This hacking\r\nis especially interesting given that she played a support role in protest organizing, rather than serving as a protest\r\nleader. For example, Niraphorn is known as a co-registrant of the UFTD’s bank account that is used to accept\r\ndonations. Some of the infections took place shortly before protests, such as an infection on March 19, 2021, just\r\ndays before a Bangkok protest that demanded political reforms and the release of protest leaders. It is possible that\r\nthe attackers were seeking information about the groups’ organization and fundraising efforts. Niraphorn was\r\narrested and charged in September 2021 for administering the UFTD’s Facebook page.\r\nProminent Individuals\r\nTarget: Jatupat Boonpattararaksa\r\nJatupat Boonpattararaksa (also known as “Pai Dao Din”) is a prominent pro-democracy activist who has been\r\nactive since 2014. Jatupat led the “Thalufah” (“Through the Sky”) pro-democracy group, which takes its name\r\nfrom a 200 km-long protest march from Nakhon Ratchasima to Bangkok’s Democracy Monument from February\r\n16 to March 7, 2021. The march called for a democratic constitution, the release of political activists, and repeal\r\nof the lèse-majesté law. Subsequent rallies by Thalufah were met with a violent police response, including rubber\r\nbullets and tear gas. Jatupat’s activism has led to multiple lèse-majesté and other charges. In 2017, for example, he\r\nwas tried in a secret proceeding and sentenced to two years in prison. Jatupat was detained at least three times in\r\n2020, 2021, and 2022, and spent an estimated total of 243 days in prison, due to lèse-majesté and other charges.\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 8 of 23\n\nJatupat was repeatedly infected with Pegasus in 2021, in June and July (on or around June 23, 28, and July 9,\r\n2021), a period during which pro-democracy protests had resumed. Jatupat had also organized a pro-democracy\r\nprotest in Khon Kaen on July 1, 2021.\r\nTarget: Arnon Nampa\r\nArnon Nampa is a leading human rights lawyer and protest leader. His work has included defending activists\r\naccused of lèse-majesté, and publicly calling for the repeal of the law. He was charged with at least 14 lèse-majesté charges and was detained for a total of 339 days between 2020-2022.\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 9 of 23\n\nArnon was infected with Pegasus multiple times throughout 2020 and 2021. The first detected infection occurred\r\non or around December 3, 2020, just days after he was charged alongside other activists with insulting the\r\nmonarchy. A second infection took place less than two weeks later on December 15, 2020. He was subsequently\r\narrested. After spending 113 days in jail, Nampa was infected with COVID-19. He was released on bail on June 1,\r\n2021.\r\nArnon was again infected with Pegasus on or around July 14, 2021, shortly before a large-scale protest, and on the\r\nsame day that he was quoted in a Bloomberg article which outlined how protest leaders were pushing for\r\nexpansion of the Thai government’s struggling COVID-19 vaccination program. After participating in a Harry\r\nPotter-themed protest on August 3, 2021, Arnon was summoned and detained on August 9, 2021 and he was once\r\nmore charged with lèse-majesté offenses. He was subject to a widely-criticized detention that lasted until he was\r\nreleased on bail on February 28, 2022. While he was in custody, his phone, which he did not have in his\r\npossession at time of his arrest, but remained active, was hacked with Pegasus on or around August 31, 2021.\r\nTarget: Inthira Charoenpura\r\nAnti-government protest organizers, high profile protesters, and spokespeople were not the only ones infected.\r\nThai actress, Inthira Charoenpura, who spoke out publicly in support of protests and donated water and other\r\nsupplies, was repeatedly infected with Pegasus throughout April and June 2021 (April 9 and 26; June 4, 2021).\r\nSpeculatively, her role as a fundraiser for anti-government protests may have triggered the targeting, as she used\r\nher social media account to call for public donations and used a bank account under her own name. Inthira has\r\nreportedly faced charges of lèse-majesté and sedition.\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 10 of 23\n\nTarget: “The Mad Hatter”\r\nThree members from an anonymous group of individuals that contributed funds to help support the protests, which\r\nwe refer to as “the Mad Hatter” as a pseudonym in this report, were also infected with Pegasus. These individuals\r\nstated that they have often joined the protests as participants, but have never served as organizers or speakers.\r\nTarget: Dechathorn Bamrungmuang\r\nDechathorn Bamrungmuang, a popular rapper known by the stage name “Hockhacker,” was arrested and charged\r\nwith sedition and other offenses after performing at a pro-democracy protest.\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 11 of 23\n\nAs a founder of the “Rap Against Dictatorship” (RAD) group, Dechathorn writes lyrics that are critical of the\r\ngovernment and detail political problems in the country. RAD’s single, “My Country Has” became viral in 2018,\r\nreceiving more than 100 million views on YouTube. In January 2021, YouTube blocked the music video of their\r\nsong, entitled “Reform,” in Thailand following the government’s request. Dechatorn’s device was hacked with\r\nPegasus on or around August 18, 2021, almost one year after his 2020 arrest.\r\nFull List of Civil Society Victims\r\nNo. Name Affiliations\r\nApproximate Dates\r\nof Infection\r\n(year-month-date)\r\n1\r\nPoramin\r\nRassameesawas\r\nFreeYOUTH\r\n– On or around 2021-\r\n09-12\r\n2\r\nKatekanok\r\nWongsapakdee\r\nFreeYOUTH\r\n– On or around 2021-\r\n09-05\r\n3 Jutatip Sirikhan FreeYOUTH – On or around 2020-\r\n10-21\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 12 of 23\n\nNo. Name Affiliations\r\nApproximate Dates\r\nof Infection\r\n(year-month-date)\r\n– On or around 2020-\r\n10-26\r\n– On or around 2021-\r\n02-15\r\n– On or around 2021-\r\n02-20\r\n– On or around 2021-\r\n03-18\r\n– On or around 2021-\r\n09-06\r\n4\r\nJatupat\r\nBoonpattararaksa\r\nThalufah\r\n– On or around 2021-\r\n06-23\r\n– On or around 2021-\r\n06-28\r\n– On or around 2021-\r\n07-09\r\n5 Arnon Nampa\r\nIndependent Activist/Human\r\nRights Lawyer at TLHR\r\n– On or around 2020-\r\n12-03\r\n– On or around 2020-\r\n12-15\r\n– On or around 2021-\r\n07-10\r\n– On or around 2021-\r\n07-14\r\n– On or around 2021-\r\n08-31\r\n6 Pansiree Jirathakoone Salaya for Democracy\r\n– On or around 2021-\r\n08-17\r\n7 Chatrapee Artsomboon Salaya for Democracy\r\n– On or around 2021-\r\n08-30\r\n– On or around 2021-\r\n09-09\r\n8 Panusaya\r\nSithijirawattanakul\r\nUnited Front of Thammasat and\r\nDemonstration\r\n– On or around 2021-\r\n06-15\r\n– On or around 2021-\r\n06-20\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 13 of 23\n\nNo. Name Affiliations\r\nApproximate Dates\r\nof Infection\r\n(year-month-date)\r\n– On or around 2021-\r\n06-23\r\n– On or around 2021-\r\n09-24\r\n9 Niraphorn Onnkhaow\r\nUnited Front of Thammasat and\r\nDemonstration\r\n– On or around 2021-\r\n02-16\r\n– On or around 2021-\r\n03-16\r\n– On or around 2021-\r\n04-26\r\n– On or around 2021-\r\n04-30\r\n– On or around 2021-\r\n05-11\r\n– On or around 2021-\r\n05-14\r\n– On or around 2021-\r\n05-20\r\n– On or around 2021-\r\n05-31\r\n– On or around 2021-\r\n06-08\r\n– On or around 2021-\r\n06-15\r\n– On or around 2021-\r\n06-20\r\n– On or around 2021-\r\n06-23\r\n– On or around 2021-\r\n07-01\r\n– On or around 2021-\r\n07-07\r\n10 Nutchanon Pairoj\r\nUnited Front of Thammasat and\r\nDemonstration\r\n– On or around 2021-\r\n11-18\r\n11 Chonlatit Chottsawas\r\nUnited Front of Thammasat and\r\nDemonstration\r\n– On or around 2021-\r\n09-23\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 14 of 23\n\nNo. Name Affiliations\r\nApproximate Dates\r\nof Infection\r\n(year-month-date)\r\n12 Benja Apan\r\nIndependent Activist/United Front\r\nof Thammasat and Demonstration\r\n(Former)\r\n– On or around 2021-\r\n11-17\r\n13 Individual #1 Independent Activist\r\n– On or around 2021-\r\n11-19\r\n14 Rattapoom Lertpaijit WEVO\r\n– On or around 2021-\r\n08-21\r\n– On or around 2021-\r\n11-04\r\n15 Wichapat Srigasipun WEVO\r\n– On or around 2021-\r\n08-30\r\n– On or around 2021-\r\n09-13\r\n16 Piyarat Chongthep WEVO\r\nInfection confirmed,\r\nbut no dates known.\r\n17 Individual #2 WEVO\r\n– On or around 2021-\r\n08-18\r\n18 Elia Fofi Free Arts\r\n– On or around 2021-\r\n08-17\r\n19\r\nDechathorn “Hockey”\r\nBamrungmuang\r\nRap Against Dictatorship\r\n– On or around 2021-\r\n08-18\r\n20 Inthira Charoenpura Independent Activist\r\n– On or around 2021-\r\n04-09\r\n– On or around 2021-\r\n04-26\r\n– On or around 2021-\r\n06-04\r\n21 Nuttaa Mahattana Independent Activist\r\n– On or around 2021-\r\n09-23\r\n22 Individual #3 The Mad Hatter* – On or around 2021-\r\n05-15\r\n– On or around 2021-\r\n05-31\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 15 of 23\n\nNo. Name Affiliations\r\nApproximate Dates\r\nof Infection\r\n(year-month-date)\r\n– On or around 2021-\r\n06-07\r\n– On or around 2021-\r\n06-16\r\n– On or around 2021-\r\n06-19\r\n– On or around 2021-\r\n06-23\r\n– On or around 2021-\r\n06-27\r\n– On or around 2021-\r\n07-02\r\n– On or around 2021-\r\n07-05\r\n23 Individual #4 The Mad Hatter*\r\n– On or around 2021-\r\n05-14\r\n24 Individual #5 The Mad Hatter*\r\n– On or around 2021-\r\n05-14\r\n– On or around 2021-\r\n05-19\r\n– On or around 2021-\r\n06-05\r\n25 Yingcheep Atchanont iLaw – On or around 2020-\r\n11-28\r\n– On or around 2020-\r\n12-01\r\n– On or around 2020-\r\n12-08\r\n– On or around 2021-\r\n02-10\r\n– On or around 2021-\r\n02-16\r\n– On or around 2021-\r\n03-04\r\n– On or around 2021-\r\n03-16\r\n– On or around 2021-\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 16 of 23\n\nNo. Name Affiliations\r\nApproximate Dates\r\nof Infection\r\n(year-month-date)\r\n04-23\r\n– On or around 2021-\r\n06-20\r\n– On or around 2021-\r\n11-12\r\n26 Bussarin Paenaeh iLaw\r\n– On or around 2021-\r\n02-17\r\n27\r\nPornpen\r\nKhongkachonkiet\r\nCross Cultural Foundation\r\n– On or around 2021-\r\n11-16\r\n28 Puangthong Pawakapan Academic\r\n– On or around 2021-\r\n05-31\r\n– On or around 2021-\r\n06-10\r\n– On or around 2021-\r\n06-25\r\n– On or around 2021-\r\n06-30\r\n– On or around 2021-\r\n07-02\r\n29 Sarinee Achavanuntakul Academic\r\n– On or around 2021-\r\n09-15\r\n30 Prajak Kongkirati Academic\r\n– On or around 2021-\r\n06-14\r\n– On or around 2021-\r\n07-02\r\nTable 1\r\nFull list of civil society targets in Thailand.\r\n*pseudonym\r\nResearch Methodology\r\nThe investigation collected4 forensic evidence from iPhones using a snowball-sampling method in which we ask\r\nknown victims to assist us and our partners to identify other potential victims. First, we checked forensic artifacts\r\nshared by individuals who received a notification from Apple. Then, with the support of Thai NGOs iLaw and\r\nDigitalReach, we worked with victims to solicit forensic artifacts from their contacts, and then checked those.\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 17 of 23\n\nForensic Analysis\r\nIn general, we perform forensics by identifying evidence of Pegasus-linked binaries, processes, and artifacts in\r\nphone logs. We use indicators gleaned from our six years of tracking Pegasus spyware infections, including\r\nsamples of Pegasus code we obtained from infected devices. In some cases, the forensic evidence we identify has\r\nan associated timestamp, allowing us to determine dates associated with the infection of a device. In other cases,\r\nwe can bound the introduction of certain artifacts onto the device by a range of dates.\r\nA positive finding for Pegasus indicates that we have assessed with high confidence that a phone has been\r\nsuccessfully hacked with Pegasus spyware and that we do not believe there is any plausible alternative\r\nexplanation for the indicators.\r\nIndependent Forensic Validation\r\nIn the context of ongoing targeted threats investigations, we typically reserve some indicators from publication in\r\norder to maintain visibility into the threat actor’s activities going forward. To provide independent validation of\r\nour assessments of Pegasus infection, we shared a sample of forensic artifacts from five Pegasus victims with\r\nAmnesty International’s Security Lab. Amnesty International’s Security Lab has independently developed their\r\nown methodology for detecting Pegasus that includes their Mobile Verification Toolkit (MVT) tool.\r\nWe shared the sample with Amnesty International’s Security Lab with victims’ consent, but without providing\r\ndetails of our findings. Amnesty examined the cases of:\r\nPuangthong Pawakapan\r\nElia Fofi\r\nYingcheep Atchanont\r\nJatupat Boonpattararaksa\r\nPanusaya Sithijirawattanakul\r\nAmnesty Security Lab’s assessment confirming Pegasus infections for these cases matches our own findings.\r\nZero-click Exploits\r\nForensic evidence from the examined devices indicates that two zero-click exploits were used against the phones\r\nwe examined: the KISMET and FORCEDENTRY exploits. We saw no evidence of one-click exploits used.\r\nKISMET Exploit\r\nThe earliest cases of infections we identify in this report were carried out with the KISMET exploit, starting in\r\nOctober 2020. KISMET was a zero-click iOS exploit that appears to have been deployed by NSO Group\r\ncustomers between July and December 2020. While all compromises of Thai victims with KISMET that were\r\nidentified occurred on out-of-date phones, other NSO Group customers deployed KISMET as a zero-day against\r\niOS 13.5.1 and iOS 13.7.\r\nWhile the precise nature of the KISMET exploit is unknown, it appears that malicious image files were sent to\r\nphones and hijacked control of IMTranscoderAgent to launch a WebKit instance for further exploitation. The\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 18 of 23\n\nKISMET exploit did not appear to work against iOS14, perhaps because of a mitigation introduced in that version,\r\nsuch as Apple’s BlastDoor feature.\r\nFORCEDENTRY Exploit\r\nThe FORCEDENTRY exploit was deployed against Thai iPhones starting in February 2021. FORCEDENTRY was\r\na zero-click iOS exploit delivered via iMessage. The FORCEDENTRY exploit5 involved the delivery of malicious\r\nPDF files with JBIG2 streams named using the “.gif” extension. The “.gif” extension caused IMTranscoderAgent\r\nto automatically parse the PDF files without user intervention. The PDF files hijacked control of the JBIG2 parser,\r\nescaped the IMTranscoderAgent sandbox, and downloaded a subsequent payload to enable further exploitation.\r\nThe FORCEDENTRY exploit appears to have been deployed against Thai phones between February and\r\nNovember 2021, including as a zero-day against several versions of iOS 14, including iOS 14.4, 14.6, and 14.7.1.\r\nApple fixed FORCEDENTRY in iOS 14.8.\r\nThe first evidence of a Pegasus operator in Thailand we observed dates to May 2014. We observed a cluster of\r\nPegasus servers in Rapid7’s sonar-http data, active starting in May 2014, which we assessed were operated from\r\nthe GMT+7 timezone based on their HTTP headers. The GMT+7 time zone is used by Thailand, among other\r\ncountries. The servers were also pointed to by Thai-themed domain names. We were not able to identify the\r\nspecific agency behind this operator.\r\nIP Domain First Match\r\n69.28.93[.]191 siamha[.]info 27-05-2014\r\n54.187.156[.]128 thtube[.]video 27-05-2014\r\n54.187.191[.]4 thainews[.]asia 25-11-2014\r\n69.28.93[.]2 – 25-11-2014\r\nTable 2\r\nPegasus servers we assessed were operated from the GMT+7 time zone.\r\nWhile conducting Internet scanning for our 2016 Million Dollar Dissident report, we identified a cluster of\r\nPegasus servers pointed to by domains registered to an individual in Thailand with two email addresses, including\r\n[redacted].nsb18@gmail.com. The other email address was used to register a Facebook page under the name of\r\n“Nsbtest Nsbtest.” In the context of Thailand, “NSB” might refer to the Narcotics Suppression Bureau. We are\r\nunsure whether this operator overlaps with the 2014 activity we discovered, or whether it is separate. We are\r\nredacting these domain names as we continue to investigate this case.\r\nIn our 2018 Hide and Seek report, we identified a single Pegasus operator active in Thailand that we named\r\nCHANG. We are unsure whether this operator overlaps with the 2014 or 2016 clusters. We clustered domain\r\nnames we found in our Hide and Seek report using the Athena method, and then conducted DNS cache probing to\r\nidentify in which countries the operator was active. CHANG was active exclusively in Thailand.\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 19 of 23\n\nIP Domain\r\n211.104.160[.]205 1place-togo[.]com\r\n103.212.223[.]182 accounts-unread[.]com\r\n200.7.111[.]156 breakingnewsasia[.]com\r\n200.7.111[.]155 funnytvclips[.]com\r\n103.199.16[.]12 normal-brain[.]com\r\n200.7.111[.]154 paywithcrytpo[.]com\r\n45.32.105[.]249 sexxclip[.]com\r\n159.89.193[.]231 so-this-is[.]com\r\n185.128.24[.]118 stayallalone[.]com\r\nTable 3\r\nCHANG Pegasus servers. DNS Cache probing showed victims exclusively in Thailand.\r\nAs of the date of publication of this report, we assess that there is currently at least one Pegasus operator active in\r\nThailand, though we cannot establish which specific agency this represents, or whether this operator overlaps with\r\nthe 2018, 2016, or 2014 activity.\r\nAttribution\r\nWe do not conclusively attribute the Pegasus hacking operation to a specific governmental operator. NSO Group\r\nconsistently claims that their technology is sold exclusively to governments, which appears to be broadly true\r\nbased on past research and revelations by journalists, the Citizen Lab, and other groups. Thus, it is reasonable to\r\nconclude that the discovery of Pegasus spyware indicates the presence of a government operator.\r\nThe forensic evidence collected from infected devices, taken by itself, does not provide strong evidence pointing\r\nto a specific NSO Group customer. However, numerous elements of the case, when taken together, provide\r\ncircumstantial evidence suggesting one or more Thai government Pegasus operators is responsible for the\r\noperation:\r\nThe victims were of intense interest to the Thai government.\r\nThe hacking points to a sophisticated understanding of non-public elements of the Thai activist community,\r\nincluding funding and roles of specific individuals.\r\nThe timing of the infections is highly relevant to specific political events in Thailand, as well as specific\r\nactions by the Thai justice system. In many cases, for example, infections occurred slightly before protests\r\nand other political activities by the victims.\r\nThere is longstanding evidence showing Pegasus presence in Thailand, indicating that the government\r\nwould likely have had access to Pegasus during the period in question.\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 20 of 23\n\nWe have examined other possible explanations for these findings, such as a different governmental Pegasus\r\ncustomer from a country outside Thailand. While this scenario is possible, a number of elements makes it unlikely.\r\nConducting such an extensive hacking campaign against high profile individuals in another country is risky and\r\nruns the possibility of discovery, especially given the well-known previous cases where Pegasus infections were\r\npublicly discovered and publicly disclosed.\r\nIn addition, the victimology, and in some cases the timing of the infections, reflects information that would be\r\neasily available to the Thai authorities, such as non-public relationships and financial activity, but substantially\r\nmore challenging for other governments to obtain.\r\nSoutheast Asian governments and some high profile individuals are known to be targeted by well-resourced state-sponsored hacking groups from abroad. It is quite possible that other states would have taken an interest in the\r\noutcome of protest activities in Thailand; however, Pegasus spyware is distinct from the techniques and tools used\r\nby regionally-focused and well-documented Advanced Persistent Threat (APT) groups.\r\nConclusion: Spyware and Political Repression in Thailand\r\nThe human rights situation in Thailand has continued to deteriorate since the 2014 coup. Rights activists have\r\ncriticized the Thai government for conducting judicial harassment and arbitrary detentions, particularly against\r\nthose who call for reforms of the monarchy and the restoration of democracy. Advocacy groups such as Amnesty\r\nInternational and Human Rights Watch have also condemned the government for their excessive use of force,\r\nincluding “beating demonstrators and firing chemicals from water cannons,” using tear gas against sitting\r\nprotesters, and detaining “at least 226 children” for their involvement in the protests.\r\nLegal, Physical, and Digital Attacks\r\nSimultaneously, as arrests and physical attacks against protesters and rights defenders have escalated, the\r\ngovernment has faced accusations of using sophisticated spyware against anti-government critics. In November\r\n2021, a number of individuals in Thailand received notifications from Apple regarding state-sponsored attacks.\r\nSeveral journalists and activists subsequently pressed on the government’s deployment of surveillance\r\ntechnologies against civil society. In that same month, government spokesman Thanakorn Wangboonkongchana\r\nargued that the report of state-sponsored attacks “is untrue,” as “the government respects individual liberties,”\r\nwhile Digital Economy and Society Minister Chaiwut Thanakamanusorn stated in December 2021 that he “can\r\nguarantee there are no attacks on anyone’s information.”\r\nDespite these denials from Thai authorities, this report shows that numerous Thai activists and their lawyers’\r\nphones were hacked with Pegasus spyware. Furthermore, the timeline of the infections suggests that these attacks\r\nwere conducted as part of efforts to crack down on individuals that call for democratic reform. Circumstantial\r\nevidence also indicates that one or more elements of the Thai government may be responsible for this espionage\r\ncampaign.\r\nDubious Denials Enable Human Rights Abuses\r\nNSO Group argues that its software is to be used against criminals and terrorists and is sold only to governments.\r\nHowever, we have documented the abuse of Pegasus against numerous victims in multiple countries, including\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 21 of 23\n\nscientists, journalists, and lawyers. In Thailand, our previous research indicates that at least three government\r\nagencies had contracted with Circles, a complementary product to Pegasus that allows for interception of phone\r\ncalls and SMS. This finding is part of a broader trend seen in Thailand where the government has been engaged in\r\nincreased efforts to monitor or control information since the 2014 coup.\r\nWhen Free Speech is Illegal\r\nNSO Group has denied any wrongdoing and maintains that its products are to be used “in a legal manner and\r\naccording to court orders and the local law of each country.” This justification is problematic, given the presence\r\nof local laws that infringe on international human rights standards and the lack of judicial oversight, transparency,\r\nand accountability in governmental surveillance, which could result in abuses of power. In Thailand, for example,\r\nSection 112 of the Criminal Code (also known as the lèse-majesté law), which criminalizes defamation, insults,\r\nand threats to the Thai royal family, has been criticized for being “fundamentally incompatible with the right to\r\nfreedom of expression,” while the amended Computer Crime Act opens the door to potential rights violations, as it\r\n“gives overly broad powers to the government to restrict free speech [and] enforce surveillance and censorship.”\r\nBoth laws have been used in concert to prosecute lawyers and activists, some of whom were targeted with\r\nPegasus.\r\nNSO’s Dubious “Internal Investigations”\r\nNSO Group regularly responds to reports of abuse by stating that they have an ‘internal’ investigations process,\r\nand that without reports via those channels, they are limited in their ability to investigate cases. To evaluate the\r\nseriousness of this claim, Human Rights Watch followed NSO’s process and submitted a case for investigation\r\nalong with supporting documentation. After five months had elapsed, NSO provided a two-sentence response:\r\n“This issue has been investigated to the best of our ability based on the information provided to us. We\r\nhave not seen evidence that Ms. Fakih’s number, provided below had been targeted using the Pegasus\r\nsystem by our existing customer’s. [sic]”\r\nAs Human Rights Watch points out, this highly limited response underlines the obvious deficiencies in NSO’s\r\napproach. No mention, for example, is made of the possibility that (a) the responsible party was no longer a\r\ncustomer at the time the reply was written (b) the evidence analyzed or supplied by NSO’s customers and used for\r\nthe ‘investigation’ was incomplete.\r\nOngoing Failure to Protect Human Rights\r\nThis report thus underscores NSO Group’s failure to respect human rights abroad, despite the internationally-recognized responsibility of private sector actors not only “to respect and protect human rights,” but also to\r\n“provide remedy for rights violations, regardless of whether governments are able or willing to protect these\r\nrights.” Additionally, it highlights the Thai government’s use of Pegasus as being entirely out of step with states’\r\nobligations under international human rights law, such as the principles of legality, necessity, proportionality, and\r\nlegitimate aim.\r\nAcknowledgements\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 22 of 23\n\nWe are especially grateful for the consent and participation of all victims, and suspected targets, in this\r\ninvestigation. Without their willingness to share materials for analysis, and tell their story, this report would not\r\nhave been possible.\r\nWe are grateful to Siena Anstis, Miles Kenyon, Celine Bauwens, Jeff Knockel, and Adam Senft of the Citizen Lab\r\nfor review and copy editing, and to Mari Zhou for the report image.\r\nSpecial thanks to Amnesty International’s Security Lab for independent validation of a selection of victim devices\r\nfor this report.\r\nSpecial thanks to iLaw and DigitalReach, as well as other civil society organizations who choose not to be named,\r\nfor their invaluable assistance in this investigation.\r\nSpecial thanks to TNG.\r\nSource: https://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nhttps://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/\r\nPage 23 of 23",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/"
	],
	"report_names": [
		"geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434152,
	"ts_updated_at": 1775791523,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6f13c15526c419da382fd803320e84e143ad4cb.pdf",
		"text": "https://archive.orkl.eu/f6f13c15526c419da382fd803320e84e143ad4cb.txt",
		"img": "https://archive.orkl.eu/f6f13c15526c419da382fd803320e84e143ad4cb.jpg"
	}
}