Cybercriminals are exploiting the notoriety of NSO Group’s Pegasus spyware to dupe victims on the dark web, according to cybersecurity firm CloudSEK. This revelation comes just weeks after Apple warned users in 92 countries about a “mercenary spyware” attack.
CloudSEK’s investigation, based on months of research on dark web sources, exposes a systematic effort to leverage the Pegasus name for financial gain. The report details how threat actors are bombarding platforms such as Telegram with posts claiming to sell genuine Pegasus source code.
“Over the years, CloudSEK researchers have been triaging and investigating incidents occurring in dark and deep web sources, providing visibility into the global threat landscape,” CloudSEK said in a statement highlighting the report. “We have frequently encountered mentions of Pegasus and NSO Group and observed various activities revolving around them. However, after Apple’s recent advisory regarding threat notifications, our researchers began working on this article to delve into different incidents associated with these entities.”
Following Apple’s recent advisory, the cybersecurity firm “intensified its efforts to deep dive into different incidents associated with these entities.”
“The misuse of Pegasus’s name, logo, and identity by underground sources has led to significant misinformation about the tool, confusing both experts and the public about its true capabilities and origin,” said the lead investigator of the report, Anuj Sharma, who is a security researcher at CloudSEK. “The deliberate misrepresentation complicates the attribution of cyberattacks, making it harder to determine the actual source and nature of the spyware being used.”
A query to NSO Group went unanswered.
Fake code, inflated prices
Researchers at CloudSEK analyzed approximately 25,000 posts on Telegram, many of which claimed to sell authentic Pegasus code, the statement added. These posts often followed a common template offering illicit services, with frequent mention of Pegasus and NSO tools.
CloudSEK researchers went a step further, engaging with over 150 potential sellers. Those interactions gave CloudSEK insight into the various samples and indicators these actors shared. “This included purported Pegasus source code, live demonstrations, file structures, and snapshots,” the CloudSEK report said.
The report also identified six instances of fake Pegasus HVNC (Hidden Virtual Network Computing) samples distributed on the dark web between May 2022 and January 2024.
The same misuse was also observed on surface web code-sharing platforms, where scammers were disseminating their own randomly generated source code and falsely associating it with the Pegasus spyware, the cybersecurity firm said in the report.
“After analyzing 15 samples and over 30 indicators from human intelligence (HUMINT), deep, and dark web sources, CloudSEK discovered that nearly all samples were fraudulent and ineffective,” the statement said, outlining the outcome of the investigation. “Threat actors created their own tools and scripts, distributing them under Pegasus’ name to capitalize on its notoriety for financial gain.”
On April 5, a group named Deanon ClubV7 announced that it had obtained legitimate access to Pegasus and was offering permanent access for a fee of $1.5 million, CloudSEK said in the statement. “The group has proudly claimed to be the first to secure access to Pegasus, and has managed to sell four accesses, bringing in a total of $6,000,000, within just two days. Interestingly, the group internally shared and took pride in the same official advisory released by Apple.”
Combating the Pegasus scam
CloudSEK pointed out that employee awareness would be key to avoiding the Pegasus scam.
“Ensure all employees are aware of the risks associated with downloading software from the dark web and IRC platforms, especially tools falsely branded as Pegasus,” Sharma said. “Provide regular updates and alerts about the latest scam tactics and trends involving Pegasus and similar high-profile names.”
Network monitoring should be implemented to identify unusual activity that might indicate employees accessing the dark web or IRC platforms, Sharma added, along with strict access controls that limit and monitor employees’ ability to visit potentially dangerous sites or download unauthorized software.
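The monitoring Sharma recommends can be approximated with a first-pass log check. The following is an added example, not code from CloudSEK or the report: it scans constructed proxy/firewall log lines for well-known IRC ports, Tor-style ports and `.onion` hosts, and for archive downloads named after Pegasus; the log format, sample lines and port lists are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the report), in an assumed
# "timestamp src dst:port hostname method url" proxy/firewall style.
SAMPLE_LOGS = """\
2024-05-10T09:12:01 10.0.4.21 142.250.72.14:443 www.google.com GET /
2024-05-10T09:14:33 10.0.4.21 185.220.101.4:9001 - CONNECT -
2024-05-10T09:15:02 10.0.4.37 51.75.64.23:6667 irc.example-underground.net CONNECT -
2024-05-10T09:16:45 10.0.4.21 127.0.0.1:9050 - CONNECT -
2024-05-10T09:20:10 10.0.4.52 203.0.113.8:443 files.example.org GET /dl/pegasus_source_v2.zip
2024-05-10T09:21:00 10.0.4.60 93.184.216.34:80 example.com GET /index.html
2024-05-10T09:25:12 10.0.4.37 104.21.5.9:443 abcdefghijklmnop.onion GET /pegasus
"""

IRC_PORTS = {6667, 6697, 7000}        # common IRC and IRC-over-TLS ports
TOR_PORTS = {9001, 9030, 9050, 9150}  # Tor OR/dir ports and local SOCKS ports
BRAND_RE = re.compile(r"pegasus|nso", re.IGNORECASE)
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".exe")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) (\S+)$")

def classify(line):
    """Return the list of reason tags for one log line (empty if benign)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparsed"]
    _, _src, _dst, port, host, _method, url = m.groups()
    port = int(port)
    reasons = []
    if port in IRC_PORTS:
        reasons.append("irc-port")
    if port in TOR_PORTS or host.endswith(".onion"):
        reasons.append("tor-indicator")
    if BRAND_RE.search(url) and url.lower().endswith(ARCHIVE_EXT):
        reasons.append("branded-download")
    return reasons

def find_suspicious(log_text):
    """Group flagged lines by source host: {src: [(reasons, line), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            hits[line.split()[1]].append((reasons, line))
    return dict(hits)

if __name__ == "__main__":
    for src, entries in find_suspicious(SAMPLE_LOGS).items():
        for reasons, line in entries:
            print(f"{src}: {','.join(reasons)} :: {line}")
```

Port and name matching is only a triage signal: Tor bridges and IRC servers can listen on 443 or other ports, so flagged hosts should be reviewed alongside the access controls Sharma describes rather than blocked automatically.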