Pegasus Spyware Used Widely to Target Individuals in Private Industry & Finance Sectors


Pegasus spyware, once regarded mainly as a tool for targeting journalists and activists, is now being deployed against executives in the private sector, including finance, real estate, and logistics.

In a December 2024 investigation, 11 new Pegasus infections were detected among 18,000 devices scanned globally, signaling a shift in targeting toward corporate victims.

The findings, detailed in iVerify’s latest report, highlight the spyware’s ability to bypass conventional safeguards and to go unflagged by Apple’s Threat Notifications in roughly half of the cases.

Zero-Click Exploits and Persistent Compromise

Pegasus, developed by Israel’s NSO Group, uses zero-click exploits that compromise a device without any user interaction, historically through vulnerabilities in iMessage or WhatsApp.

Once installed, the spyware obtains root-level access to iOS and Android devices, allowing operators to read messages from end-to-end encrypted apps (the content is decrypted on the device anyway), exfiltrate financial documents, and remotely activate the microphone.

Analysis revealed that some devices had been compromised as far back as 2021, with multiple Pegasus variants (e.g., v3.8.2 and v4.1.0) observed across successive operating system versions.

Rocky Cole, iVerify’s COO and a former NSA analyst, said: “The age of assuming that iPhones and Android phones are safe out of the box is over. The sorts of capabilities to know if your phone has spyware on it were not widespread.”

“There were technical barriers and it was leaving a lot of people behind. Now you have the ability to know if your phone is infected with commercial spyware.”

Democratizing Detection

iVerify’s Mobile Threat Hunting feature, priced at $1 per scan, combines signature-based detection, heuristic analysis, and machine learning to identify Pegasus artifacts. 

The tool analyzes iOS sysdiagnose archives, in particular the shutdown.log file (kept under /private/var/db/diagnostics/), which records processes that were still running and delayed a reboot; an implant that does not shut down cleanly leaves a telltale entry there.

For example, such “sticky” processes can be flagged with YARA rules. The rule shown in the article, rule pegasus_shutdown { strings: $s1 = "com.apple.apsd" nocase condition: $s1 }, keys on com.apple.apsd, which is Apple’s own push-notification daemon and is present on every iPhone, so as written it illustrates the rule syntax rather than serving as a usable detector; the indicator Kaspersky actually documented for shutdown.log is the directory /private/var/db/com.apple.xpc.roleaccountd.staging/, which Pegasus used to stage its binaries.

Kaspersky’s complementary iShutdown toolkit, hosted on GitHub, automates parsing of shutdown.log extracted from a sysdiagnose archive to detect infections.

The Python scripts (iShutdown_detect.py, iShutdown_parse.py and iShutdown_stats.py) extract reboot timestamps and the processes that delayed each shutdown, flag known indicators such as the roleaccountd.staging path and reboots held up by unexpected daemons, and emit SHA-256 hashes of the extracted artifacts for cross-referencing with threat databases.
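The detection logic described above, reduced to its essentials and run over sample log lines, as an added example that is not iVerify’s or Kaspersky’s code. It assumes shutdown.log consists of blocks beginning with a line that starts with SIGTERM: and per-process entries of the form remaining client pid: <pid> (<path>); the sample log and the binary name agent under the staging directory are constructed for the demonstration, not a real capture.

```python
import hashlib
import re

# Directory Kaspersky documented as the Pegasus binary staging location in shutdown.log.
STAGING_DIR = "/private/var/db/com.apple.xpc.roleaccountd.staging/"

# Assumed entry layout for a process that delayed shutdown: "remaining client pid: 123 (/path)".
CLIENT_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\((.+?)\)\s*$")

# Assumed block delimiter: each shutdown attempt starts with a "SIGTERM:" line.
BLOCK_RE = re.compile(r"^SIGTERM:")

# Constructed sample in the assumed layout (not a real device log).
# The second reboot carries the staging-directory indicator; entries repeat
# because launchd re-lists clients on every retry, so the parser dedups by pid.
SAMPLE_LOG = """\
SIGTERM: [0x1c9] 2024-11-03 08:12:41
        remaining client pid: 412 (/usr/sbin/mediaserverd)
After 1s, there are still 1 clients:
        remaining client pid: 412 (/usr/sbin/mediaserverd)
SIGTERM: [0x1c9] 2024-11-05 22:40:07
        remaining client pid: 917 (/usr/libexec/wifid)
        remaining client pid: 1044 (/private/var/db/com.apple.xpc.roleaccountd.staging/agent)
After 3s, there are still 2 clients:
        remaining client pid: 917 (/usr/libexec/wifid)
        remaining client pid: 1044 (/private/var/db/com.apple.xpc.roleaccountd.staging/agent)
"""


def parse_shutdown_log(text):
    """Split the log into reboot blocks, each with a header and a {pid: path} map."""
    blocks = []
    current = None
    for line in text.splitlines():
        if BLOCK_RE.match(line):
            current = {"header": line.strip(), "clients": {}}
            blocks.append(current)
            continue
        if current is None:  # text before the first block is ignored
            continue
        m = CLIENT_RE.search(line)
        if m:
            current["clients"][int(m.group(1))] = m.group(2)
    return blocks


def find_indicators(blocks, suspicious_prefixes=(STAGING_DIR,)):
    """Return every delayed-shutdown process whose path starts with a known-bad prefix."""
    hits = []
    for index, block in enumerate(blocks):
        for pid, path in sorted(block["clients"].items()):
            if any(path.startswith(prefix) for prefix in suspicious_prefixes):
                hits.append({"reboot_index": index, "header": block["header"],
                             "pid": pid, "path": path})
    return hits


def scan(text):
    """Parse, match indicators, and hash the log so the artifact can be cross-referenced."""
    blocks = parse_shutdown_log(text)
    return {
        "reboots": len(blocks),
        "hits": find_indicators(blocks),
        "log_sha256": hashlib.sha256(text.encode()).hexdigest(),
    }


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    print(f"reboots parsed: {result['reboots']}  sha256: {result['log_sha256']}")
    for hit in result["hits"]:
        print(f"INDICATOR at reboot {hit['reboot_index']} ({hit['header']}): "
              f"pid {hit['pid']} -> {hit['path']}")
```

Matching on a path prefix rather than a daemon name is the point: a legitimate daemon such as apsd shows up in shutdown.log on clean devices too, whereas nothing legitimate should be executing out of the roleaccountd.staging directory. On a real device, feed the function the shutdown.log pulled from the sysdiagnose archive.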

Despite these advances, Apple’s Lockdown Mode, which narrows the attack surface used by known exploit chains, did not prevent infection in 5 of the 11 cases, underscoring the spyware’s adaptability.

iVerify’s data indicates a global infection rate of 1.5 per 1,000 devices, suggesting thousands of undetected compromises. 

Notably, 55% of infected users received no alert from Apple’s Threat Notifications and only learned of the compromise through third-party tooling.

Mitigations

To mitigate risks, iVerify recommends:

  • Daily reboots: Clears memory-resident Pegasus implants, which typically do not survive a restart.
  • Disabling iMessage/FaceTime: Removes the delivery channels most often used by zero-click exploit chains.
  • Prompt iOS updates: Patches the kernel- and messaging-level vulnerabilities that Pegasus exploit chains depend on.

As Pegasus operators pivot to the private sector, the need for accessible detection tools grows. iVerify’s published methodology and Kaspersky’s GitHub resources mark progress, but systematic collaboration with the platform vendors remains critical.

For now, businesses must implement proactive monitoring, because not knowing a device is compromised is the biggest weakness in the era of industrial spyware.



