
A CloudSEK report highlights the rise of fake Pegasus spyware following Apple’s threat notifications

CloudSEK, a cybersecurity firm, began investigating after Apple sent threat notifications to iPhone users in 92 countries last month, and found that shortly after the advisory went out, listings for fake Pegasus spyware spiked on the deep and dark web. Apple did not name the threat actors behind the warning, but it cited NSO Group's Pegasus spyware as an example of the kind of mercenary tooling involved. CloudSEK believes that mention is what prompted scammers to start selling fake malware as Pegasus source code.

Details of CloudSEK’s investigation

Following Apple's warning in April, CloudSEK researchers began scouring the deep and dark web as well as the surface web to determine whether authentic Pegasus spyware was available for purchase, or whether scammers were simply using its name to lure potential buyers. In a report titled "Behind the Tips: Decoding Apple's Warning and Spyware Dilemma," the firm said it also monitored Internet Relay Chat (IRC) platforms. After analysing approximately 25,000 posts on Telegram, the researchers found that a large number of them claimed to be selling authentic Pegasus source code.


CloudSEK Investigation in Telegram
Photo credit: CloudSEK

These sale posts followed the same pattern, using keywords such as "NSO Tools" and "Pegasus" to attract customers. After interacting with more than 150 potential sellers of this "Pegasus" spyware, the researchers found that the offered samples included source code, live video demonstrations of the malware in use, and source code snapshots. All of them carried names referencing Pegasus.

The researchers also found six unique samples named Pegasus HVNC (Hidden Virtual Network Computing) published on the deep web between May 2022 and January 2024, indicating that these samples have been circulating among threat actors for some time. Similar samples were also found on the surface web.

CloudSEK findings

In total, the team collected 15 samples and more than 30 indicators from different sources. Their analysis, however, found that "almost all of them created their own fake, ineffective tools and scripts, trying to distribute them under Pegasus' name in order to exploit the name of Pegasus and the NSO Group for substantial financial gain."

Groups of bad actors are believed to have taken advantage of the sensationalism created by Apple's advisory and the many press reports that mentioned Pegasus by name, using it to sell their own home-made samples under the Pegasus label. While these spyware samples can still be malicious and harm victims, they are very likely unrelated to NSO Group or the real Pegasus.

The report called for careful attribution after a spyware incident so that the responsible threat actors are correctly identified. Accurate attribution helps security companies propose the right defences and prevents panic from spreading among users on the basis of a misused brand name.

