GBHackers

Pegasus Spyware Hacked European Parliament Member Investigating Spyware Abuse


A newly disclosed forensic investigation has revealed that Pegasus spyware was used to hack a sitting Member of the European Parliament (MEP) who was actively investigating spyware abuses across the European Union. This raises serious concerns about surveillance targeting democratic institutions.

According to a report by Citizen Lab dated July 3, 2026, former Greek MEP Stelios Kouloglou was repeatedly infected with NSO Group’s Pegasus spyware while serving on the European Parliament’s Committee of Inquiry into the use of Pegasus and similar surveillance spyware (the PEGA Committee).

The findings suggest that the compromise occurred during crucial phases of the committee’s work, potentially exposing confidential deliberations and sensitive policy discussions.

Forensic analysis of Kouloglou’s iPhone identified successful Pegasus infections on October 21, 2022, and again on March 6–7, 2023. Researchers linked the initial compromise to the “PWNYOURHOME” zero-click exploit chain, which exploited Apple’s HomeKit and iMessage infrastructure.

Logs indicated a suspicious HomeKit lookup associated with the email address rauharepo888[@]gmail.com, followed shortly by Pegasus activity over mobile data. Together, these are strong indicators of a silent compromise that needed no action from the user. At the time of infection, the device was running iOS 15.5.

The attack required no user interaction, highlighting the sophistication of modern mercenary spyware. The exploit chain reportedly leveraged a malicious NSKeyedArchive payload delivered via HomeKit, followed by further exploitation within Apple’s MessagesBlastDoorService. Apple has since patched these vulnerabilities in later iOS versions, although the attacks occurred before these fixes were implemented.

Notably, the infection timeline closely aligns with key PEGA Committee activities, including hearings on spyware regulation, internal drafting of investigative reports, and cross-border parliamentary missions.

The first compromise occurred just days before significant committee hearings and during the preparation of its draft report, suggesting that attackers may have aimed to access internal communications, documents, and strategic discussions.

The second infection in March 2023 coincided with intense final deliberations on the committee’s report and Kouloglou’s presence in Brussels. Researchers warn that such access could have allowed adversaries to monitor legislative processes in real time.

Additional evidence of targeted surveillance includes multiple Apple threat notifications sent to Kouloglou between 2023 and 2024, warning of mercenary spyware activity. However, these alerts were reportedly not noticed by the victim, underscoring usability challenges within threat notification systems.

While Citizen Lab stated high confidence in Pegasus's involvement, attribution remains unresolved. Investigators found no evidence linking the attacks to the Greek government.

Instead, infrastructure overlap, particularly the reuse of the rauharepo888[@]gmail.com identifier, suggests a Pegasus operator previously associated with targeting Russian and Belarusian exiled journalists and activists in Europe. This points to a customer with operational authorization across multiple EU jurisdictions.

This case marks the first confirmed instance of a PEGA Committee member being infected while actively investigating spyware abuses. However, previous incidents have involved other MEPs targeted with Pegasus and similar tools.

Security experts warn that this demonstrates a systemic risk to democratic oversight mechanisms posed by unregulated commercial surveillance technologies.

Citizen Lab has urged immediate action, recommending comprehensive forensic screening of devices used by MEPs and staff, increased cybersecurity protections such as mobile lockdown modes, and formal investigations by EU institutions. The report also calls for improved threat detection reporting and coordinated defensive measures across European governmental bodies.

This incident highlights the growing threat posed by mercenary spyware not only to journalists and activists, but also to lawmakers themselves, potentially undermining the integrity of democratic processes at the highest levels.
