Back to Intelligence

Pegasus Spyware Targets EU Official: Mobile Threat Detection and Hardening Strategies

SA
Security Arsenal Team
July 5, 2026
6 min read

In a stark reminder of the relentless persistence of nation-state surveillance, Citizen Lab has confirmed that former Member of the European Parliament (MEP) Stelios Kouloglou was repeatedly infected with NSO Group’s Pegasus spyware while actively investigating its use. This represents a significant escalation in targeting high-value individuals (HVIs), demonstrating that threat actors are not deterred by the subject's awareness or security posture. The infection occurred despite the victim's focus on the very threat vector used against him.

For security practitioners, this incident reinforces a critical reality: zero-click exploits and commercial spyware remain an active, severe threat to executives, legal teams, and political figures. The “it won’t happen to us because we are savvy” mindset is a vulnerability. This post details the mechanics of this campaign and provides actionable detection and hardening guidance for your mobile fleet.

Technical Analysis

Threat Overview

  • Threat Actor: NSO Group Clients (State-sponsored)
  • Target: High-profile individuals (Politicians, Journalists, Activists)
  • Platforms: iOS (iPhone), Android
  • Vector: Zero-click exploits delivered via iMessage (Apple) or WhatsApp (Android). The user does not need to click a link; simply receiving a crafted message triggers the buffer overflow or logic flaw.

Attack Chain and Mechanism

While the specific zero-day vulnerability (CVE) utilized in this specific 2026 campaign against MEP Kouloglou has not been publicly disclosed by Citizen Lab to prevent widespread exploitation, the attack chain follows the established Pegasus pattern:

  1. Initial Infection: A maliciously crafted message is sent to the target device. The payload exploits a memory corruption vulnerability in the messaging app's processing logic (e.g., image parsing or font rendering).
  2. Remote Code Execution (RCE): The exploit bypasses sandboxing mechanisms (e.g., PAC on iOS) to gain arbitrary code execution with kernel privileges or user-level rights sufficient for persistence.
  3. Persistence and Payload Deployment: The exploit downloads the main Pegasus spyware payload. It establishes persistence using obfuscated techniques, often mimicking legitimate system processes to evade detection by standard mobile antivirus.
  4. Data Exfiltration: The agent exfiltrates messages (WhatsApp, Signal, iMessage), GPS location, microphone recordings, camera captures, and keylogs to Command & Control (C2) servers.

Exploitation Status

  • Status: Confirmed Active Exploitation (Citizen Lab Report)
  • Zero-Day Status: Likely involves a zero-day or a recently patched n-day vulnerability that the target had not yet applied.

Detection & Response

Detecting Pegasus on a mobile device is notoriously difficult due to the advanced obfuscation and rootkit capabilities used by NSO Group. However, defenders can leverage Mobile Device Management (MDM) telemetry and network proxies to identify potential compromise indicators. Below are detection rules focused on anomalous behaviors associated with mobile spyware in a corporate environment.

SIGMA Rules

YAML
---
title: Potential Mobile Spyware Process Anomaly (iOS)
id: 8c4d2f10-9a3b-4e1c-8f2d-1a2b3c4d5e6f
status: experimental
description: Detects suspicious process spawning behavior on iOS devices indicative of exploit chains (e.g., messaging apps spawning shell). Requires Microsoft Defender for Endpoint on iOS or similar MDM telemetry.
references:
 - https://citizenlab.ca/2026/04/pegasus-mep-kouloglou/
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.execution
 - attack.t1059.004
logsource:
 category: process_creation
 product: ios
detection:
 selection:
   ParentImage|endswith:
     - '/IMessageAgent'
     - '/WhatsApp'
   Image|contains:
     - '/bin/sh'
     - '/usr/bin/python'
   - '/usr/libexec/taskgated'
 condition: selection
falsepositives:
 - Legitimate debugging by users (rare)
level: critical
---
title: High Entropy Domain Connection from Mobile Device
id: 9d5e3f21-0b4c-5f2d-9g3e-2b3c4d5e6f7a
status: experimental
description: Identifies mobile devices connecting to domains with high entropy, a common characteristic of C2 infrastructure used by spyware like Pegasus.
references:
 - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.command_and_control
 - attack.t1071.004
logsource:
 category: network_connection
 product: firewall
detection:
 selection:
   DeviceOS:
     - 'iOS'
     - 'Android'
   DestinationHostname|re: '^[a-z0-9]{32,}\..*'
 condition: selection
falsepositives:
 - Legitimate ad-tech or CDNs with hash-like URLs
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for mobile devices exhibiting signs of compromise
// Requires Microsoft Defender for Endpoint (MDE) mobile logs or Syslog from MDM
DeviceProcessEvents
| where Timestamp > ago(7d)
| where DeviceType in ('iOS', 'Android')
| where InitiatingProcessFileName in ('IMessageAgent', 'WhatsApp', 'com.apple.MobileSMS')
| where FileName !in ('IMessageAgent', 'WhatsApp', 'com.apple.MobileSMS')
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, CommandLine, SHA256
| extend entropy_score = filename_entropy(FileName)
| where entropy_score > 4 // High entropy often indicates packed/malicious payloads

Velociraptor VQL

VQL — Velociraptor
// Hunt for iOS Backup Artifacts on paired workstations
// Attackers often steal backups to harvest data if they cannot maintain device persistence
SELECT 
  FullPath,
  Size,
  Mtime,
  Btime
FROM glob(globs='/Users/*/Library/Application Support/MobileSync/Backup/**/*.mdb',
           globs='/Users/*/Library/Application Support/MobileSync/Backup/*/Manifest.plist')
WHERE Mtime > now() - 7d
ORDER BY Mtime DESC

Remediation Script (PowerShell)

PowerShell
# Script to audit corporate workstations for unauthorized iOS backups
# and verify iOS device compliance via registry checks (iTunes/Apple Configurator)

$RegPath = 'HKCU:\Software\Apple Computer\Mobile Devices'
$BackupPath = "$env:USERPROFILE\Apple\MobileSync\Backup"

Write-Host "[+] Auditing local machine for iOS device artifacts..." -ForegroundColor Cyan

# Check for paired devices registry keys
if (Test-Path $RegPath) {
    $Devices = Get-ChildItem $RegPath -Recurse -ErrorAction SilentlyContinue
    if ($Devices) {
        Write-Host "[!] Found paired device records in Registry. Possible data exposure risk." -ForegroundColor Yellow
        $Devices | ForEach-Object { Write-Host "    - Key: $($_.Name)" }
    }
}

# Check for recent backups
if (Test-Path $BackupPath) {
    $RecentBackups = Get-ChildItem $BackupPath -Recurse -File | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) }
    if ($RecentBackups) {
        Write-Host "[!] Found recent iOS backups in $BackupPath." -ForegroundColor Yellow
        Write-Host "[ Recommendation ] Move sensitive backups to secure, encrypted storage." -ForegroundColor Cyan
    } else {
        Write-Host "[-] No recent local backups found." -ForegroundColor Green
    }
} else {
    Write-Host "[-] No local backup directory found." -ForegroundColor Green
}

Remediation

Immediate containment and remediation are required for any device suspected of Pegasus infection. Standard antivirus will not detect this threat.

  1. Isolate the Device: Immediately disconnect the device from corporate Wi-Fi and Bluetooth. Do not turn off the device, as this may trigger a wipe or lockout mechanism controlled by the attacker; instead, enable Airplane Mode.

  2. Device Hygiene and Patching:

    • For iOS: Ensure all devices are updated to the absolute latest version of iOS (current as of 2026). NSO exploits frequently target kernel and messaging components patched in recent updates.
    • For Android: Apply the latest Android Security Patch Level immediately.
  3. Enable Lockdown Mode (iOS): For high-risk users (C-Suite, Legal, Political figures), enforce Lockdown Mode. This feature severely restricts the attack surface by disabling link previews in iMessage, blocking wired connections when locked, and simplifying web browsing complexity. This is the single most effective defensive control against Pegasus-style zero-click exploits.

  4. Forensic Acquisition: Do not attempt to clean the device yourself. Pegasus uses anti-forensic techniques. The device requires a forensic acquisition (checkm8/non-checkm8) by a specialized lab (like Citizen Lab or Mandiant) to analyze the filesystem and memory for IOCs.

  5. Account Reset: Assume all credentials on the device are compromised. Force a password reset for all corporate accounts accessed from the device and revoke all active session tokens.

  6. Mobile Threat Defense (MTD): Deploy a dedicated Mobile Threat Defense solution (e.g., Microsoft Defender for Endpoint, Zimperium, or Lookout) that uses on-device behavioral analysis to detect exploit attempts, not just malware signatures.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionpegasusnso-groupmobile-securityspywareios

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.