iOS 26 Deletes Pegasus and Predator Spyware Infection Evidence by Overwriting The ‘shutdown.log’ file on Reboot

The emergence of Pegasus and Predator spyware over the past several years has transformed the landscape of mobile device security.

These advanced malware strains—deployed by sophisticated threat actors for surveillance and espionage—have repeatedly demonstrated their ability to exploit zero-click vulnerabilities, leaving high-profile individuals and at-risk communities exposed.

Critical forensic analysis has long relied on remnants within iOS system logs, particularly the shutdown.log file, to discern traces of such infections even after the malware attempts to erase itself.

With the release of iOS 26, forensic methodologies face an unprecedented setback. iVerify analysts identified that Apple’s latest OS version now overwrites the shutdown.log file upon each device reboot, instead of appending new log entries.

This seemingly innocuous change—whether intentional or inadvertent—has significant consequences for digital evidence preservation.

Any device updated to iOS 26 that is subsequently restarted will see all prior shutdown.log content erased, destroying potential indicators of compromise linked to Pegasus, Predator, or similar threats.

Previously, sophisticated spyware like Pegasus would attempt to purge or tamper with shutdown.log as part of its anti-forensics tactics, a process that still left behind subtle indicators for vigilant analysts.

iVerify researchers have detailed that this “double erasure”—malware deletion followed by OS-level overwriting—now fully sanitizes this critical artifact, hampering investigations and masking successful compromises far more effectively than previous tactics.

Infection Mechanism and Evidence Erasure in iOS 26

Inspection of historic shutdown.log entries revealed unique markers left by Pegasus in past infections, such as references to processes like com.apple.xpc.roleaccountd.stagingcom.apple.WebKit.Networking.

Since iOS 26, such forensic signals are not merely buried—they are irretrievably deleted on the next boot.


Boot and reboot events (Source – iVerify)

The log’s prior structure, which appended each shutdown entry, offered investigators a chronological view vital for tracing infection timelines.

A before-and-after comparison of shutdown.log following a reboot illustrates the technical transition from appending to full overwriting.
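As an added illustration (not code from iVerify or from this article), a small parser over constructed shutdown.log-style records shows what the appended layout preserves and what a single overwritten record loses; the line layout, the `SIGTERM` record delimiter and the roleaccountd.staging path are assumptions modelled on publicly documented shutdown.log structure and Pegasus indicators.

```python
import re

# Watchlist assumed for this example: the article cites Pegasus markers tied to the
# roleaccountd.staging process path. A legitimate WebKit.Networking process lives
# under /System/Library and must not match on its name alone.
SUSPICIOUS_PATH_TOKENS = ("com.apple.xpc.roleaccountd.staging",)

# Assumed record line shape: "remaining client pid: <pid> (<path>)"
CLIENT_RE = re.compile(r"remaining client pid: (\d+) \((.+)\)")

def analyze_shutdown_log(text):
    """Return (sessions, hits).
    sessions: number of shutdown records present, one per 'SIGTERM' delimiter (assumed).
    hits: list of (record_index, pid, path) for client entries matching the watchlist,
    where record_index counts records from 0 in file order."""
    sessions = 0
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SIGTERM"):
            sessions += 1          # closes the current shutdown record
            continue
        m = CLIENT_RE.match(line)
        if m and any(tok in m.group(2) for tok in SUSPICIOUS_PATH_TOKENS):
            hits.append((sessions, int(m.group(1)), m.group(2)))
    return sessions, hits

def evidence_at_risk(text):
    """True when the file holds at most one shutdown record, i.e. the overwritten
    layout the article describes for iOS 26: earlier records are already gone."""
    sessions, _ = analyze_shutdown_log(text)
    return sessions <= 1

# Constructed sample: the appended pre-iOS 26 layout with two reboot records; the
# older record carries a watchlisted path, the newer one only benign processes.
SAMPLE_APPENDED = """\
After 2s, there were 3 clients, for 2 seconds:
remaining client pid: 141 (/usr/libexec/locationd)
remaining client pid: 377 (/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking)
remaining client pid: 402 (/System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.Networking.xpc/com.apple.WebKit.Networking)
SIGTERM
After 1s, there were 1 clients, for 1 seconds:
remaining client pid: 150 (/usr/libexec/locationd)
SIGTERM
"""

# Constructed sample: what survives once the file is overwritten on reboot.
SAMPLE_OVERWRITTEN = """\
After 1s, there were 1 clients, for 1 seconds:
remaining client pid: 150 (/usr/libexec/locationd)
SIGTERM
"""
```

Run against the appended sample the parser reports two records and one hit in the older record; against the overwritten sample it reports a single record, no hits, and flags the artifact as at risk, which is why the file should be preserved (for example via a sysdiagnose capture) before any restart.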

This system-level change, first reported by iVerify, alters the balance between attackers and defenders, raising urgent questions about digital evidence, user protection, and malware accountability.
