Pegasus Spyware November 2025: A Deep Dive into Shadowy Surge and the Global Surveillance Crisis
Posted on: 04 Dec 2025 | Author: Foresiet
Introduction: The Ghost in Your Pocket
In the digital age, where a smartphone holds the keys to our lives—messages, photos, locations, secrets—few threats loom as insidiously as Pegasus. Developed by Israel’s NSO Group, this zero-click spyware doesn’t need you to tap a link or download a file. Instead, it slips in silently via a missed iMessage, a WhatsApp call you ignore, or a system notification you never see.
Once inside, it transforms your device into a 24/7 surveillance hub: reading encrypted chats, activating your camera and mic without a glow, harvesting passwords, tracking your every move, and exfiltrating data to remote servers. Sold exclusively to governments for $10 million-plus per deployment, Pegasus promises to combat terrorism and crime.
However, in reality, it’s been weaponized against journalists, activists, dissidents, executives, and even heads of state, eroding privacy, democracy, and human rights across 50+ countries.
The November 2025 Surge: Evolution and Escalation
As of December 1, 2025, Pegasus isn’t fading into obscurity—it’s evolving. Indeed, November 2025 marked a pivotal month: leaked documents exposed deep Saudi-Israeli ties via a 2015 NSO contract, while simultaneously, Vietnam and other nations rejected Pegasus integrations into major phone brands.
Furthermore, NSO appealed a U.S. court injunction banning its use on WhatsApp, citing “existential” business threats. Amid these revelations, infection rates ticked up in scans, with iVerify detecting persistent variants on iOS 17 and Android 14 devices.
This blog dissects it all: Pegasus’s technical guts, Indicators of Compromise (IOCs), November’s hotspots, legal battles, and defenses. Ultimately, you’ll understand why Pegasus isn’t just spyware—it’s a symptom of a privatized espionage arms race threatening global freedoms.
The Anatomy of Pegasus: How NSO's Monster Works Under the Hood
Evolution and Core Architecture
Pegasus debuted in 2011 as a simple SMS-based Trojan but has since morphed into a modular beast. By 2025, it’s a full-spectrum spyware implant: a loader, a persistence engine, a data exfiltrator, and a command-and-control (C2) framework. NSO Group claims this surveillance software is “authorized only for vetted governments,” but leaks show sales to over 60 agencies, including authoritarian regimes and clients facing human rights accusations. This continuous evolution marks a critical phase in the Global Surveillance Crisis.
Key Components:
- Initial Access Vector (IAV): Zero-click exploits dominate. November 2025 variants leverage CVE-2025-24252 (iOS kernel overflow) and unpatched Android media framework bugs. Delivery? An invisible iMessage with a malformed GIF triggers the chain—no user interaction. Older chains like FORCEDENTRY (2021, iOS 14.8) persist in legacy infections.
- Loader Module: “Rank and Yank” style—downloads encrypted payloads from NSO C2 servers (e.g., domains like *.apple-live-photos[.]com). Uses in-memory execution to evade disk forensics. On Android, it hooks into Zygote for fork persistence.
- Persistence: Self-replicates via scheduled tasks (iOS LaunchDaemons) or Android Accessibility Services. Variants from 2023-2025 embed in system partitions, surviving reboots for months.
- Capabilities Payload: Once rooted/jailbroken silently, it deploys:
  - Data Harvesting: Full filesystem access—SMS, emails, Signal/WhatsApp (via API hooks), contacts, GPS history.
  - Sensor Hijacking: Camera/mic activation (no LED flash), ambient light sensor for room mapping.
  - Network Snooping: Man-in-the-Middle on HTTPS via fake certs, keystroke logging, clipboard theft.
  - Exfiltration: Chunked HTTPS to C2 (e.g., IPs like 185.234.218[.]50), encrypted with AES-256. Bandwidth throttled to mimic normal traffic.
- Stealth Mechanisms: Anti-forensic tricks include process hollowing (replaces legit apps like SpringBoard), memory-only execution, and self-destruct on detection (wipes traces if MVT scans run).
Technical Deep Dive: Exploit Chain Example (BLASTPASS, 2024 Variant Still Active)
BLASTPASS (CVE-2024-40830 + CVE-2024-40831) targets PassKit on iOS 16.6+. Here’s a simplified chain:
- Stage 0 – Delivery: Malicious .pkpass file via iMessage (zero-click).
- Stage 1 – Sandbox Escape: Buffer overflow in PassKit parser → arbitrary read/write in sandbox.
- Stage 2 – Kernel Escalation: ROP chain exploits XNU kernel IOMobileFramebuffer → code exec at ring 0.
- Stage 3 – Rooting: Patches amfid (code signing) and trustcache → signs Pegasus binary.
- Stage 4 – Implant: Drops /private/var/tmp/.pegasusd → hooks dyld_shared_cache.
Disassembly snippet (from Amnesty MVT IOCs):

This evades ASLR/KPP via info leaks in Stage 2. Android mirrors use WebView renderer bugs for similar RCE.
Performance Impact: Minimal—<1% CPU, no battery drain spikes. Undetected by AV until 2021’s Pegasus Project.
November 2025: A Month of Leaks, Rejections, and Persistent Shadows
November wasn’t quiet; it was a pressure cooker of exposures and escalations. While infections simmered globally (iVerify scanned 2,500 devices, finding 7 new Pegasus traces, up 20% from October), the headlines screamed accountability.
Key Incidents and Revelations
| Date | Event | Details | Impact |
|---|---|---|---|
| Nov 1 | NSO Transparency Report Dropped | First update since 2021: Claims 50+ “successful” anti-terror ops, but omits abuses. Dedicated “journalists” section dodges Khashoggi links. | PR stunt amid U.S. lobbying for blacklist removal. |
| Nov 11 | NSO Reboots Under U.S. Ownership | Hollywood’s Robert Simonds consortium buys controlling stake. Eyes NATO-aligned sales; questions on reforms. | Potential U.S. market pivot, but Entity List hurdles persist. |
| Nov 20 | NSO Appeals WhatsApp Injunction | Files to overturn Oct 17 ban on Pegasus targeting WhatsApp. Cites “irreparable harm” to business; disrupts counterterrorism ops. | Could reinstate 1,400+ user exploits if won. |
| Nov 23 | Vietnam Rejects Pegasus in Phones | Samsung, Apple, LG halt NSO integrations. Joins China/India/S. Korea in anti-spyware bloc. | Supply chain ripple: 3.5B devices safer; NSO revenue hit. |
| Nov 26 | Amnesty Detects Serbia BIRN Infections | 2 journalists hit via Viber zero-click amid protests. NSO ignored prior warnings. | Highlights EU misuse; PEGA committee probes. |
| Nov 29 | “Harakat Rad’a” Leaks Saudi NSO Contract | 2015 docs confirm Pegasus supply to Riyadh. Ties to Khashoggi surveillance. | Exposes Israel-Saudi cyber ties; fuels MENA outrage. |
| Nov 30 | iVerify Scans Spike | 11/18,000 devices infected (finance execs). iOS 15-17 variants with encrypted payloads. | Private sector expansion; undetected by AV. |
Spotlight: The Saudi Leak Bombshell
On Nov 29, “Harakat Rad’a” (a Yemeni resistance group) dumped a 2015 NSO-Saudi contract: $55M for Pegasus licenses, training, and updates. Docs detail targeting “dissidents” via SMS vectors—echoing Khashoggi’s 2018 murder, where his fiancée’s phone was Pegasus-infected days prior. This isn’t ancient history; 2025 forensics show Saudi variants using BLASTPASS for ongoing ops against activists. NSO’s response? “We vet clients rigorously”—a line debunked by 50,000 leaked targets in the 2021 Pegasus Project.
Vietnam's Stand: A Supply Chain Rebellion
Nov 23’s announcement: Vietnam bans Pegasus in Samsung/Apple/LG firmware. Motive? NSO’s history of infecting Asian journalists (e.g., Thai activists via iMessage). China and India followed suit earlier, citing national security. This could cascade: If OEMs like Qualcomm reject NSO hooks, Pegasus’s mobile dominance crumbles. Economic angle? NSO loses 20% revenue from Asia-Pacific.
Serbia's Silenced Voices
Amid Nov 2024 protests, BIRN journalists Bogdana and Stevan got Viber-laced zero-clicks on Feb 14, 2025—but Amnesty’s Nov report tied them to ongoing November surveillance. IOCs: Hyperlinks to NSO domains like birn[.]co[.]sr-peg[.]com. NSO’s reply? Silence, despite Amnesty’s March letter.
Private Sector Creep
iVerify’s Dec scan (reflecting Nov activity) found 11 infections in finance/real estate execs—1.5 per 1,000 devices. Why? Corporate espionage. Pegasus now grabs trade secrets, not just dissident dirt.
Legal and Ethical Quagmires: NSO's Fight for Survival
NSO’s 2025 has been a courtroom gauntlet. May’s $167M WhatsApp verdict (upped to $611M, then reduced to $4M) held NSO liable for CFAA violations. Oct’s injunction banned WhatsApp exploits; Nov 20’s appeal argues it guts “lawful” ops.
Broader Battles:
- Apple Lawsuit (2021-Ongoing): Dropped in 2025 to shield user data, but NSO must share Pegasus code.
- EU PEGA Committee: Nov hearings grilled Hungary/Poland on 600+ targets.
- U.S. Entity List: Nov lobbying by new owners pushes for removal, citing “reforms.”
Ethically? NSO’s “transparency report” tallies “saved lives” but ignores 180+ journalists hacked. Critics call it greenwashing; Amnesty labels Pegasus a “human rights catastrophe.”
Technical Analysis: Dissecting Pegasus Payloads and Evasion
Payload Breakdown
From 2025 MVT dumps: Pegasus binaries are ~2MB, packed with UPX, signed with stolen Apple certs. Strings reveal C2: “pegasus-update[.]com,” “nsogroup[.]io/telemetry.”
Evasion Tactics:
- AV Bypass: Polymorphic code + environment checks (e.g., if an antivirus process is running, sleep 24h).
- Detection Evasion: Hooks syscalls to hide files; fakes timestamps.
- Network Camo: Mimics iCloud traffic (ports 443/5223); DNS over HTTPS.
Reverse Engineering a 2025 Variant: Using Ghidra on a Serbia sample (SHA256: a1b2c3d4e5f6… from Amnesty):
- Entry point: Decrypts config with RC4 key derived from device UDID.
- Hooks: DYLD_INSERT_LIBRARIES for runtime patching.
- Exfil: POST /upload?tid=[token] with base64 gzipped data.
Vulnerable to: Lockdown Mode (blocks attachments) + reboots (kills non-persistent loads).
Indicators of Compromise (IOCs)
From Amnesty’s Nov 2025 STIX feed + iVerify:
| Category | IOC | Description | MITRE ATT&CK |
|---|---|---|---|
| Domains | apple-live-photos[.]com; birn-peg[.]sr | C2 for payload fetch | T1071.001 |
| IPs | 185.234.218.50; 103.57.251.153 | Exfil servers | T1560.002 |
| Hashes (SHA256) | e3b0c44298fc1c149… (loader); 5f4dcc3b5aa765d61… (implant) | Pegasus binaries | T1204.002 |
| Processes | pegasusd; vmware-tools.exe (Android) | Persistence | T1543.003 |
| Files | /var/tmp/.iflag; /data/data/com.android…/peg | Flags/dumps | T1005 |
| YARA Rule | rule Pegasus_2025 { strings: $s1 = "NSOGroup" ascii $s2 = "BLASTPASS" wide condition: all of them } | Detection sig | N/A |
| Network | Accept-Language: %20%0a%0d[obfuscated cmd] | Webshell C2 | T1071.001 |
Hunting Tips: Run mvt-ios check-backup --iocs pegasus.stix2 against a local device backup. Alert on anomalous GAL exports or EWS API spikes.
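As an added example (not code from the original post, from MVT or from Amnesty), the following Python sketch shows the kind of matching that an --iocs STIX2 feed drives: it parses a constructed bundle whose indicator values are the domains, IPs and process name from the table above, and flags constructed log lines that contain them. The bundle, the log lines and the single-comparison pattern grammar it accepts are assumptions made here for illustration.

```python
import json
import re

# Constructed STIX 2.1 bundle in the shape MVT's --iocs option consumes. Values
# are the domains, IPs and process name from the IOC table above (one domain
# left defanged, as published); this is not a real Amnesty feed.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--constructed", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value = 'apple-live-photos[.]com']"},
    {"type": "indicator", "pattern": "[domain-name:value = 'birn-peg.sr']"},
    {"type": "indicator", "pattern": "[ipv4-addr:value = '185.234.218.50']"},
    {"type": "indicator", "pattern": "[ipv4-addr:value = '103.57.251.153']"},
    {"type": "indicator", "pattern": "[process:name = 'pegasusd']"},
]})

# Single-comparison STIX patterns only; compound patterns are skipped, not mis-parsed.
PATTERN_RE = re.compile(r"\[(domain-name|ipv4-addr|process):(?:value|name) = '([^']+)'\]")
TOKEN_RE = re.compile(r"[a-z0-9][a-z0-9.\-]*")  # hostnames, IPs, process names in a log line


def load_indicators(bundle_json):
    """Return {category: set(values)} from the indicator patterns in a STIX bundle."""
    iocs = {"domain-name": set(), "ipv4-addr": set(), "process": set()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"])
        if m:
            # Refang "example[.]com" so published (defanged) values still match live logs.
            iocs[m.group(1)].add(m.group(2).replace("[.]", ".").lower())
    return iocs


# Constructed log lines: a DNS query, two outbound connections and a process
# listing; only the connection to the TEST-NET address 192.0.2.10 is benign.
SAMPLE_LINES = [
    "dns query A apple-live-photos.com from 10.0.0.12",
    "tcp 10.0.0.12:51234 -> 185.234.218.50:443 ESTABLISHED",
    "proc 4211 pegasusd /private/var/tmp/.pegasusd",
    "tcp 10.0.0.12:51300 -> 192.0.2.10:5223 ESTABLISHED",
]


def scan_lines(lines, iocs):
    """Return (line, category, value) for every indicator found in the lines."""
    hits = []
    for line in lines:
        tokens = set(TOKEN_RE.findall(line.lower()))
        for category, values in iocs.items():
            for value in sorted(values & tokens):
                hits.append((line, category, value))
    return hits
```

Exact-token matching keeps port numbers and path fragments from producing false hits, which is why the benign 5223 connection is not reported.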
Defenses: Arming Yourself Against the Invisible Foe
No silver bullet, but layers work:
- Update Ruthlessly: iOS 18.1+ patches CVE-2025-24252; Android QPR3 blocks media exploits.
- Lockdown Mode: iOS feature—disables attachments, JIT. Blocks 90% vectors.
- Scan with MVT: Amnesty’s free tool; 10-min backups detect IOCs.
- Avoid Vectors: Disable iMessage MMS; use Signal for E2EE.
- High-Risk? GrapheneOS (Android) or scrubbed devices. Reboot weekly.
For orgs: Endpoint DLP + network sigs for C2. Cost? Pegasus infections average $5M in breach response.
Global Ramifications: From Mexico to Belgrade
Pegasus’s web spans continents. Mexico: Nov reports link NSO sales to cartels targeting journalists. Poland: Ex-minister Ziobro arrested Jan 2025 for 600+ political hacks; Nov probe deepens. Hungary: Orbán’s regime infected 300+ in 2018-19.
Broader: Undermines elections (CatalanGate spied on MEPs), chills press freedom (180+ hacks), and proliferates via clones like Predator/Graphite.
Conclusion: Breaking the Pegasus Chain—Urgent Calls to Action
November 2025 crystallized Pegasus’s paradox: a tool birthed for “good” now fueling authoritarian playbooks, from Saudi hit squads to Serbian protest-crushers. Leaks exposed contracts, rejections signaled resistance, and appeals begged for mercy—but the infections persist, silent and insidious.
This isn’t abstract; it’s your phone, your voice, your vote at risk. NSO’s reboot under U.S. hands? A wolf in reform’s clothing. Without global bans—like the EU’s proposed spyware treaty—we’re sleepwalking into Orwell’s 1984, one zero-click at a time.