As iOS 26 is being rolled out, a critical forensic challenge has emerged: the operating system now automatically overwrites the shutdown.log file on every reboot, effectively erasing crucial evidence of Pegasus and Predator spyware infections.
This development represents a significant setback for forensic investigators and users seeking to determine whether their devices have been compromised—particularly troubling given the escalating prevalence of sophisticated spyware attacks targeting executives, celebrities, and civil society figures alike.
For nearly a decade, the shutdown.log file has served as an invaluable forensic artifact in detecting iOS malware, despite remaining largely overlooked by mainstream security discussions.
Captured in sysdiagnose archives under the unified-logs section (Sysdiagnose Folder → system_logs.logarchive → Extra → shutdown.log), this file records activity during the shutdown sequence, notably the processes that are still running when the system asks them to terminate.
In 2021, researchers discovered that the publicly known version of Pegasus spyware left discernible traces within the shutdown.log, providing security researchers with a critical indicator of compromise.
This discovery transformed the shutdown.log from a mundane system file into a powerful detection tool, enabling investigators to identify infected devices with reasonable confidence.
However, the developers behind Pegasus—the Israeli surveillance firm NSO Group—were quick to recognize and adapt to this detection method. By 2022, NSO Group had already evolved their approach, implementing more sophisticated evasion tactics while still inadvertently leaving evidence behind.
Pegasus’s Sophisticated Evolution
The Pegasus developers' response to shutdown.log detection demonstrates the cat-and-mouse game inherent in malware forensics. Rather than leaving obvious entries behind, they began wiping the shutdown.log file entirely.
Yet even these attempted erasures created their own forensic signatures. A shutdown.log that was otherwise empty, but whose first entries came from a Pegasus sample, became, paradoxically, an indicator of compromise in itself.
Security researchers documented multiple cases of this behavior throughout 2022, revealing the continuous adaptation of these sophisticated threat actors.
Following 2022, evidence suggests that Pegasus developers implemented even more robust wiping mechanisms, likely monitoring device shutdown procedures to ensure thorough eradication of their presence from the shutdown.log.
Researchers observed instances where devices known to be actively compromised had their shutdown.log completely cleared, alongside other indicators of compromise for Pegasus infections.
This pattern led to a new forensic hypothesis: a deliberately cleared shutdown.log could serve as a valuable heuristic for identifying potentially compromised devices.
A particularly notable indicator emerged from Pegasus 2022 samples: the presence of /private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking entries within the shutdown.log.

This IOC also revealed a shift in NSO Group's operational tactics: instead of using look-alike process names that were easy to spot, they had begun masquerading as legitimate system processes, which significantly complicates detection.
Predator Follows the Pattern
The Predator spyware, in samples observed in 2023, appears to have learned from Pegasus's past mistakes.
Given evidence that Predator actively monitored the shutdown.log and demonstrated similar behavioral patterns to earlier Pegasus samples, security researchers assess that Predator likely left comparable traces within this critical forensic artifact.
Apple's iOS 26 introduces a significant change to shutdown.log handling, whether by intentional design or as an unforeseen consequence.
Rather than appending new entries while preserving the previous snapshots, the operating system now overwrites the shutdown.log on every device reboot.
Any user who updates to iOS 26 and subsequently restarts the device will inadvertently erase all historical evidence of older Pegasus and Predator activity that may have existed in their shutdown.log.


While this automatic overwriting might reflect an intentional design decision regarding system hygiene or performance optimization, it effectively sanitizes the precise forensic artifact that has proven instrumental in identifying these sophisticated threats.
The timing could hardly be worse, arriving when spyware attacks dominate security headlines and high-profile targets—not just civil society—face unprecedented threat levels.
For devices running iOS 18 or earlier, investigators can employ a more comprehensive detection approach: correlating containermanagerd log entries with shutdown.log events provides deeper insight into whether a device has been compromised.
Containermanagerd logs retain boot event data for several weeks, allowing investigators to check each recorded boot against the shutdown record that should precede it.
For example, boot events in containermanagerd that have no corresponding shutdown.log entry may indicate hidden malicious activity that the threat actor is actively concealing from standard forensic examination. A crash or forced power-off also produces a boot without a shutdown record, so such discrepancies are a lead to be investigated alongside other indicators rather than proof on their own.
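The following script is an added example, not code from the article or from any forensic tool it mentions. It implements three checks the article describes: a shutdown.log with no shutdown records while boots are logged (the wipe heuristic), the 2022 Pegasus IOC path appearing among the processes still running at shutdown, and containermanagerd boot events with no shutdown record between the previous boot and themselves. The two embedded logs are constructed samples that only approximate the real layouts, and the regexes, helper names and the "boot session started" wording are assumptions to be adjusted against a real sysdiagnose.

```python
"""Correlate shutdown.log with containermanagerd boot events.

Added example, not code from the article or from any forensic tool it cites.
Assumptions: the two sample logs below are CONSTRUCTED approximations of the
real formats, and the regexes are written loosely so they can be adapted once
a real sysdiagnose is in front of you. The IOC path is the one the article
names for 2022 Pegasus samples.
"""
import re
from datetime import datetime

KNOWN_IOC_PATHS = {
    "/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking",
}

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
# Start of one shutdown sequence in shutdown.log (assumed layout).
SIGTERM_RE = re.compile(r"^SIGTERM: \[[^\]]*\] " + TS)
# A process still alive when launchd sent SIGTERM (assumed layout).
REMAINING_RE = re.compile(r"^remaining client pid: \d+ \((.+)\)$")
# A unified-log line from containermanagerd recording a boot (assumed layout).
BOOT_RE = re.compile(r"^" + TS + r"\S* .*containermanagerd.*\bboot\b", re.IGNORECASE)

# Constructed sample: two recorded shutdowns, the first with the IOC path alive.
SAMPLE_SHUTDOWN_LOG = """\
SIGTERM: [0x1] 2025-09-01 10:00:00 UTC
After 2s, there are still 1 proc(s) running:
    remaining client pid: 512 (/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking)
SIGTERM: [0x1] 2025-09-10 21:30:00 UTC
After 0s, there are still 0 proc(s) running:
"""

# Constructed sample: three boots; the one on 09-05 has no shutdown before it.
SAMPLE_CONTAINERMANAGERD = """\
2025-09-01 10:05:00.000000+0000 0x1a2 Default 0x0 41 0 containermanagerd: boot session started
2025-09-05 03:14:00.000000+0000 0x1a2 Default 0x0 41 0 containermanagerd: boot session started
2025-09-10 21:35:00.000000+0000 0x1a2 Default 0x0 41 0 containermanagerd: boot session started
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_shutdown_log(text):
    """Return shutdown events as [{'time': datetime, 'processes': [path, ...]}]."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SIGTERM_RE.match(line)
        if m:
            current = {"time": _ts(m.group(1)), "processes": []}
            events.append(current)
            continue
        m = REMAINING_RE.match(line)
        if m and current is not None:
            current["processes"].append(m.group(1))
    return events


def parse_boot_events(text):
    """Return the timestamps of containermanagerd boot records."""
    return [_ts(m.group(1)) for m in map(BOOT_RE.match, text.splitlines()) if m]


def unmatched_boots(boots, shutdowns):
    """Boots with no shutdown record between the previous boot and this one.

    Such a boot means the device went down without shutdown.log recording it:
    a crash or forced power-off, or a shutdown record that has been wiped.
    """
    shut_times = sorted(ev["time"] for ev in shutdowns)
    result, prev = [], datetime.min
    for boot in sorted(boots):
        if not any(prev < t <= boot for t in shut_times):
            result.append(boot)
        prev = boot
    return result


def analyze(shutdown_text, boot_text):
    """Return human-readable findings for one sysdiagnose."""
    findings = []
    shutdowns = parse_shutdown_log(shutdown_text)
    boots = parse_boot_events(boot_text)
    if boots and not shutdowns:
        findings.append("shutdown.log has no shutdown records although boots are logged: possible wipe")
    for ev in shutdowns:
        for path in ev["processes"]:
            if path in KNOWN_IOC_PATHS:
                findings.append(f"{ev['time']:%Y-%m-%d %H:%M}: known IOC still running at shutdown: {path}")
    for boot in unmatched_boots(boots, shutdowns):
        findings.append(f"{boot:%Y-%m-%d %H:%M}: boot with no matching shutdown record")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_SHUTDOWN_LOG, SAMPLE_CONTAINERMANAGERD):
        print(line)
```

On the constructed samples the script reports the IOC path alive at the 1 September shutdown and a boot on 5 September with no shutdown record before it. Treat the second finding as a lead: a kernel panic or a held-down power button leaves the same gap, so it needs corroboration from other indicators. Because iOS 26 overwrites shutdown.log on every reboot, the correlation is only meaningful on sysdiagnoses taken from iOS 18 or earlier, or from an iOS 26 device that has not yet rebooted.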