Pegasus spyware, long associated with operations against journalists and activists, is now turning up on the phones of private-sector executives, according to recent forensic analyses.
In December 2024, mobile security firm iVerify reported 11 new Pegasus infections among 18,000 scanned devices, roughly 0.6 per 1,000, on phones belonging to executives in finance, real estate, and logistics.
The findings point to a widening of cyber-espionage targeting: the same zero-click exploits and persistence mechanisms previously seen against civil society are now being used against high-value corporate victims.
Pegasus’s Technical Evolution and Corporate Targeting
Developed by Israel's NSO Group, Pegasus uses zero-click infection chains that exploit vulnerabilities in iMessage, WhatsApp, and other messaging apps to take full control of the device without any user interaction.
Once installed, it exfiltrates emails, documents, and messages (including end-to-end encrypted ones, which it reads after the messaging app has decrypted them on the device) and can activate the microphone and camera for real-time monitoring.
Recent cases show multi-year persistence, evidenced by forensic artifacts in iOS sysdiagnose archives and Android crash logs.
The broader targeting is possible because Pegasus largely evades the defenses most organizations rely on.
iVerify's December 2024 scans surfaced infections dating back to 2021, on devices running iOS 15 through 17 and Android 12 through 14.
Unlike conventional malware, Pegasus keeps most of its components in memory, uses short-lived command-and-control infrastructure, and leaves few artifacts that an ordinary security app can observe; finding it generally requires forensic examination of device logs with specialized tools.
Detection Breakthroughs: From Shutdown Logs to Machine Learning
Kaspersky's GReAT team published a lightweight detection method based on the iOS Shutdown.log, a file inside the sysdiagnose archive that records which processes were still running when the device was asked to reboot; Pegasus components that delay shutdown leave entries there.
Kaspersky's open-source iShutdown scripts parse these logs to flag unusual process paths (e.g., under /private/var/db/) associated with NSO Group's tooling, and to report reboots that were delayed by such a process.
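The Shutdown.log heuristic above, as an added example that is not Kaspersky's iShutdown code or iVerify's scanner. It splits the log into reboots, collects the processes that were still alive at each shutdown, and flags any whose path falls under a suspicious prefix (here /private/var/db/, taken from the text) along with the reboots in which it recurred. The sample log is constructed for the example; its field layout only approximates the real file, and the helper path it contains is made up.

```python
"""Heuristic triage of an iOS Shutdown.log pulled from a sysdiagnose archive.

Added example, not code from Kaspersky or iVerify. The sample log below is
constructed and its line layout approximates, rather than reproduces, the
real file; the path /private/var/db/stagingdir/helper is invented.
"""
import re
from collections import defaultdict

# Constructed sample: three reboots. In the second and third, a process under
# /private/var/db/ was still running when the system tried to shut down.
SAMPLE_SHUTDOWN_LOG = """\
SIGTERM: [0x18a1,1] Mon Dec  2 08:14:03 2024
After 1 seconds, there are still 2 clients remaining:
remaining client pid: 118 (/usr/libexec/mobileassetd)
remaining client pid: 347 (/System/Library/PrivateFrameworks/Foo.framework/foo)
SIGTERM: [0x18a1,1] Tue Dec  3 21:40:55 2024
After 1 seconds, there are still 1 clients remaining:
remaining client pid: 592 (/private/var/db/stagingdir/helper)
After 4 seconds, there are still 1 clients remaining:
remaining client pid: 592 (/private/var/db/stagingdir/helper)
SIGTERM: [0x18a1,1] Sat Dec  7 06:02:19 2024
After 1 seconds, there are still 1 clients remaining:
remaining client pid: 601 (/private/var/db/stagingdir/helper)
"""

# Assumption taken from the article: legitimate daemons rarely live here.
SUSPICIOUS_PREFIXES = ("/private/var/db/",)

REBOOT_RE = re.compile(r"^SIGTERM: \[[^\]]*\] (.+)$")
CLIENT_RE = re.compile(r"^remaining client pid: (\d+) \((.+)\)$")


def parse_shutdown_log(text):
    """Return a list of reboots, each {"when": timestamp, "clients": {path: pid}}."""
    reboots = []
    current = None
    for line in text.splitlines():
        m = REBOOT_RE.match(line)
        if m:
            current = {"when": m.group(1), "clients": {}}
            reboots.append(current)
            continue
        m = CLIENT_RE.match(line)
        if m and current is not None:
            pid, path = int(m.group(1)), m.group(2)
            # The same pid is listed again at every "After N seconds" checkpoint
            # within one shutdown, so keep a single entry per path per reboot.
            current["clients"].setdefault(path, pid)
    return reboots


def find_suspicious(reboots, prefixes=SUSPICIOUS_PREFIXES, min_reboots=1):
    """Map each suspicious path to the reboot timestamps in which it delayed shutdown.

    Only paths seen in at least `min_reboots` distinct reboots are returned, so a
    one-off stuck daemon can be filtered out by raising the threshold.
    """
    hits = defaultdict(list)
    for reboot in reboots:
        for path in reboot["clients"]:
            if path.startswith(prefixes):
                hits[path].append(reboot["when"])
    return {path: times for path, times in hits.items() if len(times) >= min_reboots}


if __name__ == "__main__":
    found = find_suspicious(parse_shutdown_log(SAMPLE_SHUTDOWN_LOG))
    for path, times in found.items():
        print(f"{path}: delayed shutdown in {len(times)} reboot(s): {times}")
```

A hit is a lead, not a verdict: confirm it by checking the flagged path against published IOCs (for example with MVT) and by looking at the surrounding crash and diagnostic logs from the same sysdiagnose.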
Concurrently, Amnesty International's Mobile Verification Toolkit (MVT) checks device backups and sysdiagnose data against published Pegasus Indicators of Compromise (IOCs), such as domain names, process names, and file paths.
iVerify's Mobile Threat Hunting feature, which produced the 18,000-device dataset, combines signature-based checks of this kind with machine-learning heuristics over device diagnostic logs, network traffic, and behavioral anomalies.
It flagged 11 infections that Apple's Threat Notifications had not surfaced, showing that vendor-issued alerts alone do not close the detection gap.
Financial and Operational Implications
The economic fallout extends beyond data theft.
Compromised devices in merger negotiations or regulatory discussions could leak insider information, destabilizing markets.
One European logistics firm reported a 12% stock dip post-infection, though causality remains unconfirmed.
Pegasus's operators, typically government customers of NSO Group, could use such intelligence to move commodity prices or undermine competitors.
Mitigation Strategies for Enterprises
- Lockdown Mode: Enable it on iOS 16 and later for executive devices. It does not block every zero-click vector, but it removes much of the attack surface by disabling most message attachment types, link previews, and other rich content that exploit chains rely on.
- Sysdiagnose Analysis: Periodically pull a sysdiagnose from high-risk devices and check Shutdown.log with Kaspersky's iShutdown scripts or MVT, looking for unfamiliar process paths that repeatedly delay shutdown.
- Network Segmentation: Put executive mobile devices on their own network segment (for example a dedicated VLAN) so a compromised phone cannot reach internal systems directly. Transport encryption such as TLS 1.3 is still good practice but offers no protection against an implant that reads data on the device itself.
- Threat Hunting: Use mobile threat-detection tooling that ships current Pegasus IOCs and re-scan devices as new indicators are published; a single clean scan shows only that no known indicator was present at that time.
A Call for Transparency
As Pegasus reshapes corporate risk landscapes, the cybersecurity community urges NSO Group to disclose client lists and infection patterns.
Until then, tools like iVerify and MVT remain vital for democratizing threat detection—one scan at a time.
The age of passive mobile security is over. For businesses, the question is no longer if but when Pegasus will strike—and whether their defenses can outpace an adversary that thrives in silence.