Threat Actor

NSO Group / Pegasus

nso_group_pegasus · israel_commercial_cyber_mercenary · active since 2011

NSO Group / Pegasus (canonical company name "NSO Group Technologies Limited"; "NSO" is formed from the initials of founders Niv Karmi, Shalev Hulio and Omri Lavie; parent company Q Cyber Technologies; primary spyware product "Pegasus") is an Israeli cyber-arms company (private offensive cyber operations contractor / commercial spyware vendor) headquartered in Herzliya, Israel. It has operated since 2010, with the first Pegasus version finalized in 2011, and sells Pegasus mobile spyware to government clients worldwide under the Israeli Ministry of Defense export-licensing regime (Israel classifies Pegasus as a weapon and every export requires Israeli government approval). It employs roughly 700 people, predominantly alumni of the Israeli Military Intelligence Directorate, notably its Unit 8200 signals-intelligence unit.

Its signature operational specialization is mobile zero-click exploitation, the cluster-defining capability delivered through successive iMessage, WhatsApp and WebKit exploit chains: Trident in 2016 (CVE-2016-4655 + CVE-2016-4656 + CVE-2016-4657, a 1-click Safari WebKit chain used against Ahmed Mansoor in the UAE, the first publicly documented case, analyzed by Citizen Lab + Lookout Security); the WhatsApp zero-click call vector in 2019 (CVE-2019-3568, about 1,400 users in 20 countries targeted); KISMET in 2020 (iMessage zero-click, neutralized by the BlastDoor sandbox introduced in iOS 14); FORCEDENTRY in 2021 (CVE-2021-30860, an iMessage zero-click that bypassed BlastDoor and gained code execution through a JBIG2 decoder bug in CoreGraphics' PDF parser, described by Google Project Zero as "one of the most technically sophisticated exploits ever seen in the wild" and "a weapon against which there is no defense"); the 2022 trio LATENTIMAGE + FINDMYPWN + PWNYOURHOME documented in Citizen Lab's April 2023 Triple Threat report (used against Centro PRODH human rights defenders in Mexico); and BLASTPASS in September 2023 (CVE-2023-41064 + CVE-2023-41061, zero-click against iOS 16.6).

multi-platform implant capability (iOS + Android + Windows + macOS Pegasus variants) with comprehensive mobile surveillance (device microphone + camera activation + location tracking + messages + emails + social media + keylogging + screen capture + file harvesting)

forensic-evasion tradecraft: shutdown.log delay artifacts (a malicious process that holds up device shutdown is recorded with its pid and executable path), database cleanup that deletes rows from only one of two linked tables (the surviving orphan rows are a distinctive discrepancy signal), process names that mimic legitimate daemons with subtle one-letter variations, and crash-log flushing.

network injection vector: ISP-level / on-path traffic injection that redirects a target's unencrypted web traffic to an exploit server, a delivery route that requires no message to the target.

per-client operator infrastructure (a multi-tenant architecture with operator codenames, including LULU for Bahrain, documented by Citizen Lab). Documented government clients include Bahrain (LULU operator), Saudi Arabia (Khashoggi case), the UAE (Mansoor case; Princess Haya targeted by her ex-husband, Dubai ruler Sheikh Mohammed bin Rashid Al Maktoum, per the UK High Court), Mexico (Peña Nieto and López Obrador administrations), Panama (Martinelli administration), Hungary, India, Spain (Catalangate), France (President Macron's number appeared on the Pegasus Project list), Azerbaijan, Morocco, Rwanda, Togo and others, with detected infections across a cluster of 45+ countries. The Pegasus Project (July 2021) analyzed a leaked list of ~50,000 phone numbers; Amnesty International's forensic analysis of 67 devices found 23 successful infections and 14 attempted infections, documenting a widespread pattern of abuse by government clients.

US Department of Commerce Entity List designation November 2021; Apple lawsuit filed November 2021 (Apple moved to dismiss its own suit in September 2024); WhatsApp lawsuit filed October 2019 (NSO found liable on summary judgment December 2024; a jury awarded about $168M in May 2025; in October 2025 the court reduced punitive damages to about $4M and permanently enjoined NSO from targeting WhatsApp). Fills the cyber-mercenary / private-offensive-actor cell in the curated corpus as the first cyber-mercenary cluster, operationally distinct from nation-state-aligned clusters through its commercial model and the Israeli export-licensing regime.

israel_commercial_cyber_mercenary · confidence: high · 14 aliases
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 7

Profile

NSO Group / Pegasus (canonical company name "NSO Group Technologies Limited"; "NSO" is formed from the initials of founders Niv Karmi, Shalev Hulio and Omri Lavie; parent company Q Cyber Technologies; primary spyware product "Pegasus") is an Israeli cyber-arms company (private offensive cyber operations contractor / commercial spyware vendor) headquartered in Herzliya, Israel, operating since 2010 with the first Pegasus version finalized in 2011. It operates as a cyber-mercenary entity selling Pegasus mobile spyware to government clients globally under the Israeli Ministry of Defense export-licensing regime (Israel classifies Pegasus as a weapon and all exports require Israeli government approval). Almost all of NSO's research team consists of former Israeli Military Intelligence Directorate personnel (notably Unit 8200 signals-intelligence alumni). The company employs roughly 700 people globally as of recent counts.

Operational classification: cyber-mercenary / commercial spyware vendor, operationally distinct from the nation-state-aligned clusters in this curated corpus through its commercial business model and the Israeli export-licensing regime, though operating with offensive cyber capability comparable to top-tier nation-state actors per Google Project Zero's analysis of FORCEDENTRY.

Operational phases:
(1) CORPORATE EMERGENCE (2010-2011). Founded by Niv Karmi, Shalev Hulio and Omri Lavie. First Pegasus version 2011.
(2) AHMED MANSOOR UAE CASE (August 2016). First publicly documented Pegasus case, via Citizen Lab and Lookout Security analysis. Trident exploit chain CVE-2016-4655 / CVE-2016-4656 / CVE-2016-4657 (1-click: an SMS link exploited through Safari WebKit, followed by a kernel information leak and kernel memory corruption). Apple shipped the emergency iOS 9.3.5 patch.
(3) WHATSAPP ZERO-CLICK ERA (2019). CVE-2019-3568 enabled true zero-click infection through a WhatsApp voice call that the target did not need to answer. About 1,400 users in 20 countries were targeted in a two-week period. WhatsApp filed suit in October 2019.
(4) KISMET ERA (2020). iMessage zero-click chain, used against Al Jazeera journalists and disclosed by Citizen Lab in December 2020; it stopped working once iOS 14 introduced the BlastDoor sandbox, without a CVE or public acknowledgement.
(5) PEGASUS PROJECT (July 2021). A leaked list of ~50,000 phone numbers documented a widespread pattern of abuse by government clients; the numbers of President Emmanuel Macron, Spanish politicians, journalists and activists appeared on the list.
(6) FORCEDENTRY ERA (September 2021). CVE-2021-30860: an iMessage zero-click that bypassed the BlastDoor sandbox and gained code execution through a JBIG2 decoder bug in CoreGraphics' PDF parser. Project Zero: "one of the most technically sophisticated exploits ever seen in the wild", "a weapon against which there is no defense."
(7) US ENTITY LIST SANCTIONS (November 2021). The US Department of Commerce added NSO Group to the Entity List. Apple filed its lawsuit the same month.
(8) MEXICO CENTRO PRODH ERA (2022). LATENTIMAGE, FINDMYPWN and PWNYOURHOME zero-click exploit chains used against Mexican human rights defenders at Centro PRODH, timed with their truth-commission work; documented in Citizen Lab's April 2023 Triple Threat report.
(9) BLASTPASS ERA (September 2023). CVE-2023-41064 + CVE-2023-41061: zero-click exploitation of iOS 16.6 via a malicious PassKit attachment delivered over iMessage.
(10) LITIGATION RESOLUTION (2024-2025). Apple moved to dismiss its own suit in September 2024. NSO was found liable in the WhatsApp lawsuit in December 2024; a jury awarded about $168M in May 2025; in October 2025 the court reduced punitive damages to about $4M and permanently enjoined NSO from targeting WhatsApp.

Signature operational tradecraft
  • Commercial spyware-as-a-service business model: Pegasus sold as licensed product to government clients under Israeli Ministry of Defense export regime.
  • Israeli Unit 8200 / Military Intelligence Directorate workforce: signature operator profile providing top-tier offensive cyber capability.
  • Signature mobile zero-click exploitation specialization: cluster-defining capability via successive iMessage + WhatsApp + WebKit exploit chains (Trident, KISMET, FORCEDENTRY, HOMAGE, LATENTIMAGE, FINDMYPWN, PWNYOURHOME, BLASTPASS).
  • Multi-platform implant capability: iOS + Android + Windows + macOS Pegasus variants. iOS primary.
  • Comprehensive mobile surveillance: device microphone activation + camera activation + location tracking + message reading + email reading + social media reading + keylogging + screen capture + file harvesting.
  • Forensic-evasion tradecraft (Pegasus signature indicators): shutdown.log delay artifacts (a malicious process holding up device shutdown is recorded with its pid and executable path), database cleanup that deletes rows from only one of two linked tables (the surviving orphan rows are a distinctive discrepancy signal), process names mimicking legitimate daemons with subtle one-letter variations, and crash-log flushing.
  • Network injection vector capability: signature ISP-level / network-level traffic injection for target compromise, redirecting a target's unencrypted web traffic to an exploit server without sending the target any message.
  • Per-client operator infrastructure: signature multi-tenant operator architecture (operator codenames including LULU for Bahrain, documented by Citizen Lab). The cluster fills the cyber-mercenary / private-offensive-actor cell in this curated corpus as the first cyber-mercenary cluster, operationally distinct from nation-state-aligned clusters through its commercial model. Operationally adjacent to other cyber-mercenary vendors not yet curated (Candiru, Intellexa Predator, Paragon Solutions Graphite, DarkMatter UAE, QuaDream). Operationally significant as representative of the commercial offensive cyber ecosystem and as context for the broader commercial spyware proliferation landscape.
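The forensic-evasion indicators in the tradecraft list above (shutdown.log delay artifacts, the one-of-two-tables cleanup discrepancy and process-name mimicry, also summarized at the top of this profile) lend themselves to simple triage checks over a sysdiagnose. The Python below is an added example written for this page; it is not code from NSO Group, Citizen Lab, Amnesty International or MVT. It assumes: a constructed shutdown.log excerpt in the "remaining client pid" line format iOS writes when a process delays shutdown; the roleaccountd staging directory that public Pegasus research reports as the suspicious executable location (an assumption here, not an indicator this profile lists); a constructed two-table SQLite schema standing in for an iOS per-process usage database (the real schema differs); and an illustrative short allow-list of legitimate daemon names. The process name "bh" is taken from public Pegasus reporting; "mediaservrd" is a constructed one-letter variation.

```python
import re
import sqlite3

# Constructed excerpt of an iOS sysdiagnose shutdown.log; not from a real device.
# iOS records a process that keeps the device from shutting down as a
# "remaining client" with its pid and executable path. The staging directory is
# the path public Pegasus research reports as an indicator; assumed here.
SAMPLE_SHUTDOWN_LOG = """\
SIGTERM: [0x1c]
After 3s, there are still 1 clients:
remaining client pid: 312 (/private/var/db/com.apple.xpc.roleaccountd.staging/rolexd)
after 5s
SIGTERM: [0x1c]
After 3s, there are still 1 clients:
remaining client pid: 290 (/usr/libexec/mediaserverd)
after 5s
"""

STAGING_DIR = "/private/var/db/com.apple.xpc.roleaccountd.staging/"
CLIENT_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\((.+)\)")


def parse_shutdown_log(text):
    """Return (pid, path) for every process that delayed a shutdown."""
    return [(int(m.group(1)), m.group(2)) for m in CLIENT_RE.finditer(text)]


def suspicious_shutdown_clients(text, staging_dir=STAGING_DIR):
    """Delay artifacts whose executable lives in the suspicious staging directory."""
    return [(pid, path) for pid, path in parse_shutdown_log(text)
            if path.startswith(staging_dir)]


def levenshtein(a, b):
    """Edit distance; a value of 1 is a one-letter variation."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Illustrative subset of legitimate iOS daemon names (assumed). A real check
# needs a full allow-list built from a known-clean device on the same iOS version.
KNOWN_LEGIT = ("commcenter", "locationd", "mediaserverd", "roleaccountd")


def mimic_candidates(names, legit=KNOWN_LEGIT):
    """Process names exactly one edit away from a legitimate daemon name."""
    return [(n, l) for n in names if n not in legit
            for l in legit if levenshtein(n, l) == 1]


def build_sample_usage_db():
    """Constructed two-table layout: a process table plus a per-process usage
    table linked by foreign key. The schema is illustrative, not Apple's.
    Simulates a cleanup that deletes from the usage table but not the process table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE process (id INTEGER PRIMARY KEY, name TEXT, first_seen REAL);
        CREATE TABLE usage (id INTEGER PRIMARY KEY,
                            process_id INTEGER REFERENCES process(id),
                            bytes_in INTEGER, bytes_out INTEGER);
    """)
    db.executemany("INSERT INTO process VALUES (?, ?, ?)",
                   [(1, "mediaserverd", 1.0), (2, "bh", 2.0), (3, "locationd", 3.0)])
    db.executemany("INSERT INTO usage VALUES (?, ?, ?, ?)",
                   [(1, 1, 100, 50), (2, 2, 4096, 900000), (3, 3, 10, 10)])
    db.execute("DELETE FROM usage WHERE process_id = 2")  # the incomplete cleanup
    return db


def orphan_processes(db):
    """Process rows with no surviving usage rows: the discrepancy signal."""
    rows = db.execute("""
        SELECT p.name FROM process p
        LEFT JOIN usage u ON u.process_id = p.id
        WHERE u.id IS NULL ORDER BY p.name
    """).fetchall()
    return [name for (name,) in rows]


if __name__ == "__main__":
    print("shutdown delay clients:", suspicious_shutdown_clients(SAMPLE_SHUTDOWN_LOG))
    print("name mimicry:", mimic_candidates(["mediaservrd", "locationd", "bh"]))
    print("orphan process rows:", orphan_processes(build_sample_usage_db()))
```

Run it directly to print the three findings. On a real sysdiagnose the staging-directory match is the strongest of the three signals; the orphan-row and name-mimicry checks are weaker on their own and need a baseline from a known-clean device on the same iOS version, since legitimate processes can also lack usage rows or resemble one another.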

Aliases

14 aliases: nso_group, nso group, nso, nso group technologies, nso group technologies limited, q_cyber_technologies, q cyber technologies, pegasus, pegasus spyware, pegasus_spyware, pegasus mercenary spyware, nso_group_pegasus, israeli commercial spyware, cyber-mercenary nso

Notable Campaigns

10 campaigns
2024-2026 · Continued Operations Through 2024-2026
2024-2025 · WhatsApp Lawsuit Resolution + US Court Mandate (2024-2025)
2023 · BLASTPASS iOS 16.6 Zero-Click, CVE-2023-41064 + CVE-2023-41061 (September 2023)
2022 · PWNYOURHOME + FINDMYPWN, Mexico Centro PRODH Targeting (2022)
2021 · Pegasus Project, 50,000 Phone Numbers (July 2021)
2021 · FORCEDENTRY iMessage Zero-Click Exploit, CVE-2021-30860 (September 2021)
2021 · US Department of Commerce Entity List Sanctions (November 2021)
2019 · WhatsApp Zero-Click Call Vector, CVE-2019-3568 (2019)
2016 · Ahmed Mansoor UAE, First Publicly Documented Pegasus Case (August 2016)
2010 · NSO Group Corporate Emergence (2010)

Attribution & Reporting

Attributed by
  • Citizen Lab (University of Toronto / Munk School of Global Affairs, canonical tracking since 2016)
  • Google Project Zero (FORCEDENTRY technical analysis)
  • Google Threat Analysis Group (TAG)
  • Apple Security Research
  • Meta / Facebook (WhatsApp lawsuit October 2019)
  • Amnesty International Security Lab
  • Lookout Security (early 2016 Pegasus analysis)
  • Microsoft Threat Intelligence Center
  • Kaspersky GReAT
  • ESET
  • US Department of Commerce (Entity List November 2021)
  • US District Court Northern District of California (WhatsApp v NSO + Apple v NSO litigation)
  • Pegasus Project (Amnesty International + Citizen Lab + 17 media organizations consortium, 2021)
  • Forbidden Stories
  • Bill Marczak (Citizen Lab senior researcher)
  • John Scott-Railton (Citizen Lab senior researcher)
  • Bahr Abdul Razzak (Citizen Lab fellow)
  • Ron Deibert (Citizen Lab director)
  • Claudio Guarnieri (Amnesty International Security Lab technical director)
  • Donncha Ó Cearbhaill (Amnesty International Security Lab)
  • Bill Robertson + Engin Kirda (Northeastern University academic researchers)
  • The Guardian + Le Monde + Washington Post + Süddeutsche Zeitung + multiple consortium partners
Key reporting
reportCitizen Lab (Bill Marczak + John Scott-Railton): The Million Dollar Dissident, NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender (August 24, 2016), first publicly documented Pegasus disclosure (Ahmed Mansoor case)
reportLookout Security: Pegasus iOS Malware Technical Analysis (August 2016), accompanying detailed technical disclosure
reportCitizen Lab + Amnesty International: WhatsApp NSO Pegasus Targeting Disclosure (October 2019)
reportPegasus Project Consortium (Amnesty International + Citizen Lab + Forbidden Stories + 17 media organizations): Pegasus Project, Leaked 50,000 phone numbers analysis (July 2021)
reportAmnesty International Security Lab (Claudio Guarnieri + Donncha Ó Cearbhaill): Forensic Methodology Report, How to Catch NSO Group's Pegasus (July 2021)
reportCitizen Lab (Bill Marczak + John Scott-Railton): FORCEDENTRY, NSO Group iMessage Zero-Click Exploit Captured in the Wild (September 13, 2021)
reportGoogle Project Zero (Ian Beer + Samuel Groß): A Deep Dive into NSO Zero-Click iMessage Exploit FORCEDENTRY (December 2021), canonical Project Zero technical analysis
reportCitizen Lab Report No. 165 (Bill Marczak + John Scott-Railton + Bahr Abdul Razzak + Ron Deibert): Triple Threat, NSO Group's Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains (April 18, 2023)
reportCitizen Lab: BLASTPASS, NSO Group iPhone Zero-Click Zero-Day Exploit Captured in the Wild (September 7, 2023)
reportUS Department of Commerce: NSO Group Entity List Final Rule (November 2021)
reportWhatsApp Inc. v. NSO Group + Q Cyber Technologies, US District Court Northern District of California, 4:19-cv-07123-PJH (October 2019 - present)
reportApple Inc. v. NSO Group + Q Cyber Technologies, US District Court Northern District of California (November 2021)
reportApple Security Research: CVE-2021-30860 + CVE-2023-41064 + CVE-2023-41061 + others, Pegasus-related security advisories
reportMicrosoft Threat Intelligence Center: NSO Group adjacent tracking (DEV-0336 era)
reportKaspersky GReAT: NSO Group commercial spyware ecosystem context
reportMalpedia Actor Profile: NSO Group / Pegasus

Operational

State sponsor

Israeli cyber-arms company (private offensive cyber operations contractor / commercial spyware vendor) headquartered in Herzliya, Israel. NSO Group operates as a cyber-mercenary entity selling its Pegasus spyware capability to government clients globally under the Israeli Ministry of Defense export-licensing regime; Pegasus is classified as a weapon by Israel and any export of the technology must be approved by the Israeli government, per the Wikipedia compilation of public sourcing. The Israeli state regulatory relationship and the operational capability attribution are held at high confidence on the following grounds.

(a) Israeli Ministry of Defense export approval regime: "Pegasus spyware is classified as a weapon by Israel and any export of the technology must be approved by the government. The Israeli Ministry of Defense licenses the export of Pegasus to foreign governments, but not to private entities." The export-licensing regime establishes Israeli state regulatory control over Pegasus sales, though NSO Group itself remains a private commercial entity.

(b) Workforce drawn from Israeli military intelligence: "Almost all of NSO's research team is made up of former Israeli military intelligence personnel, most of them having served in Israel's Military Intelligence Directorate, and many of these in its Unit 8200. The company's most valuable staff are graduates of the military intelligence's highly selective advanced cyberweapons training programs." Co-founder Karmi served in military intelligence and the Mossad. This Unit 8200 alumni workforce places NSO Group operationally adjacent to Israeli signals-intelligence cyber capabilities.

(c) Founders and corporate structure: NSO stands for Niv (Karmi), Shalev (Hulio) and Omri (Lavie), the names of the company's founders. Parent company: Q Cyber Technologies. First Pegasus version finalized 2011. NSO Group has grown to employ over 700 personnel globally, up from almost 500 employees in 2017.

(d) Government-client business model: per NSO, the company "deals with government clients only" and offers "the smartphone spyware tool Pegasus to government clients for the exclusive intended purpose of combating crime and terrorism." Documented government clients have included: Bahrain (operator codenamed LULU per Citizen Lab), Saudi Arabia, UAE, Mexico (multiple administrations: the Peña Nieto era 2016-2019 and, under the López Obrador administration, the 2022 targeting of Centro PRODH human rights defenders), Panama (under the Martinelli administration, 2012 onward), Spain (multiple senior politicians and the Catalan independence movement), Hungary, India, Azerbaijan, Armenia, Bangladesh, Palestine, Morocco, Rwanda (alleged), Togo, Kazakhstan, El Salvador, and dozens of others. (e) Documented operational abuse against civil society globally: "governments around the world have routinely used the spyware to surveil journalists, lawyers, political dissidents, and human rights activists", per the Wikipedia compilation.

Notable cases: people close to the Saudi journalist Jamal Khashoggi were targeted in the months around his October 2018 murder by Saudi government agents; Ahmed Mansoor, UAE human rights activist, the first publicly documented Pegasus case (2016); Princess Haya of Dubai, targeted by her ex-husband, Dubai ruler Sheikh Mohammed bin Rashid Al Maktoum, per a 2021 UK High Court ruling cited in the NSO CEO deposition; nine Bahraini rights activists hacked between June 2020 and February 2021 per Citizen Lab; Centro PRODH human rights defenders in Mexico in 2022 via the PWNYOURHOME, FINDMYPWN and LATENTIMAGE exploit chains; President Emmanuel Macron of France, whose number appeared on the Pegasus Project list in 2021; senior politicians in Spain per Catalangate. The Pegasus Project (2021; Amnesty International + Citizen Lab + 17 media organizations) analyzed a leaked list of ~50,000 phone numbers as potential Pegasus targets; Amnesty's forensic analysis of 67 devices confirmed 23 infections and 14 attempted infections. Operational significance: per Google Project Zero's analysis of FORCEDENTRY, NSO Group has technical expertise and resources to rival those previously thought to be accessible to only a handful of nation states; the exploit was described as "one of the most technically sophisticated exploits ever seen in the wild" and as "a weapon against which there is no defense." NSO labs at the Herzliya headquarters feature racks of phones being tested against new exploits. Operational classification: cyber-mercenary / commercial spyware vendor, operationally distinct from nation-state-aligned clusters through its commercial business model and the Israeli export-licensing regime, though operating with offensive cyber capability comparable to top-tier nation-state actors, and operationally adjacent to but distinct from Israeli state-attributed offensive cyber operations. The cluster fills the cyber-mercenary / private-offensive-actor cell in this curated corpus as the first cyber-mercenary cluster. Operationally adjacent cyber-mercenary clusters not yet curated, all candidates for future curation: Candiru (Israel), Intellexa / Predator (multinational), Paragon Solutions "Graphite" (Israel), DarkMatter (UAE), QuaDream (Israel).
Motivations
commercial_spyware_sales_to_government_clients, private_offensive_cyber_operations_for_government_clients, smartphone_zero_click_remote_surveillance_capability_provision, mobile_device_compromise_as_a_service, government_intelligence_collection_via_commercial_capability, high_value_individual_targeting_journalists_activists_politicians_dissidents, law_enforcement_and_intelligence_agency_capability_provision_per_marketing, civil_society_surveillance_per_documented_abuse_patterns
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you would be blind if this actor targeted you.
Behavioral / log (Sigma): 55/60 · 91%
Analytics (MITRE CAR): 24/60 · 40%
Runtime / container (Falco): 8/60 · 13%
File / malware (YARA): 0/60 · 0%
Network (Suricata/Snort): 12/60 · 20%
Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques; validate your detections against this specific adversary and cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped): Safari WebKit exploitation; shutdown.log delay artifact.
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin