Forensic Methodology Report: How to Catch NSO Group’s Pegasus


Amnesty International - TRANSCEND Media Service


18 Jul 2021 – NSO Group claims that its Pegasus spyware is only used to “investigate terrorism and crime”  and “leaves no traces whatsoever”. This Forensic Methodology Report shows that neither of these statements are true. This report accompanies the release of the Pegasus Project, a collaborative investigation that involves more than 80 journalists from 17 media organizations in 10 countries coordinated by Forbidden Stories with technical support of Amnesty International’s Security Lab.[1]

Amnesty International’s Security Lab has performed in-depth forensic analysis of numerous mobile devices from human rights defenders (HRDs) and journalists around the world. This research has uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.

As laid out in the UN Guiding Principles on Business and Human Rights, NSO Group should urgently take pro-active steps to ensure that it does not cause or contribute to human rights abuses within its global operations, and to respond to any human rights abuses when they do occur. In order to meet that responsibility, NSO Group must carry out adequate human rights due diligence and take steps to ensure that HRDs and journalists do not continue to become targets of unlawful surveillance.

In this Forensic Methodology Report, Amnesty International is sharing its methodology and publishing an open-source mobile forensics tool and detailed technical indicators, in order to assist information security researchers and civil society with detecting and responding to these serious threats.

This report documents the forensic traces left on iOS and Android devices following targeting with the Pegasus spyware. This includes forensic records linking recent Pegasus infections back to the 2016 Pegasus payload used to target the HRD Ahmed Mansoor.

The Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021. These also include so-called “zero-click” attacks which do not require any interaction from the target. Zero-click attacks have been observed since May 2018 and continue until now. Most recently, a successful “zero-click” attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.

Sections 1 to 8 of this report outline the forensic traces left on mobile devices following a Pegasus infection. This evidence has been collected from the phones of HRDs and journalists in multiple countries.

Finally, in section 9 the report documents the evolution of the Pegasus network infrastructure since 2016. NSO Group has redesigned their attack infrastructure by employing multiple layers of domains and servers. Repeated operational security mistakes have allowed the Amnesty International Security Lab to maintain continued visibility into this infrastructure. We are publishing a set of 700 Pegasus-related domains.

Names of several of the civil society targets in the report have been anonymized for safety and security reasons. Individuals who have been anonymized have been assigned an alphanumeric code name in this report.

1. Discovering Pegasus network injection attacks

Amnesty International’s technical investigation into NSO Group’s Pegasus intensified following our discovery of the targeting of an Amnesty International staffer and a Saudi activist, Yahya Assiri, in 2018. Amnesty International’s Security Lab began refining its forensics methodology through the discovery of attacks against HRDs in Morocco in 2019, which were further corroborated by attacks we discovered against a Moroccan journalist in 2020. In this first section we detail the process which led to the discovery of these compromises.

Numerous public reports had identified NSO Group’s customers using SMS messages with Pegasus exploit domains over the years. As a result, similar messages emerged from our analysis of the phone of Moroccan activist Maati Monjib, who was one of the activists targeted as documented in Amnesty International’s 2019 report.

However, on further analysis we also noticed suspicious redirects recorded in Safari’s browsing history. For example, in one case we noticed a redirect to an odd-looking URL after Maati Monjib attempted to visit Yahoo:

Visit ID Date (UTC) URL Redirect Source Redirect Destination
16119 2019-07-22 17:42:32.475 null 16120
16120 2019-07-22 17:42:32.478 https://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz 16119 null

(Please note: throughout this document we escaped malicious domains with the marking [.] to prevent accidental clicks and visits.)

The URL https://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz immediately appeared suspicious, particularly because of the presence of a 4th level subdomain, a non-standard high port number, and a random URI similar to links contained in SMS messages previously documented in connection to NSO Group’s Pegasus. As you can see in the table above, the visit to Yahoo was immediately redirected to this suspicious URL with database ID 16120.

In our October 2019 report, we detail how we determined these redirections to be the result of network injection attacks performed either through tactical devices, such as rogue cell towers, or through dedicated equipment placed at the mobile operator. When months later we analysed the iPhone of Moroccan independent journalist Omar Radi, who as documented in our 2020 report was targeted, we found similar records involving the free247downloads[.]com domain as well.

In November 2019, after Amnesty International’s initial report, a new domain urlpush[.]net was registered. We found it subsequently involved in similar redirects to the URL https://gnyjv1xltx.info8fvhgl3.urlpush[.]net:30875/zrnv5revj.

Although Safari history records are typically short lived and are lost after a few months (as well as potentially intentionally purged by malware), we have been able to nevertheless find NSO Group’s infection domains in other databases of Omar Radi’s phone that did not appear in Safari’s History. For example, we could identify visits through Safari’s Favicon.db database, which was left intact by Pegasus:



Tags: , , , , , , , , , , , , , ,


Share this article:

DISCLAIMER: The statements, views and opinions expressed in pieces republished here are solely those of the authors and do not necessarily represent those of TMS. In accordance with title 17 U.S.C. section 107, this material is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. TMS has no affiliation whatsoever with the originator of this article nor is TMS endorsed or sponsored by the originator. “GO TO ORIGINAL” links are provided as a convenience to our readers and allow for verification of authenticity. However, as originating pages are often updated by their originating host sites, the versions posted may not match the versions our readers view when clicking the “GO TO ORIGINAL” links. This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a ‘fair use’ of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. For more information go to: If you wish to use copyrighted material from this site for purposes of your own that go beyond ‘fair use’, you must obtain permission from the copyright owner.

Comments are closed.