Amnesty International has published a new report exposing attempted cyberattacks against two Serbian journalists using NSO Group Pegasus spyware. The attacks, reportedly phishing attempts, involved suspicious text messages containing malicious links.
Amnesty researchers confirmed that one of the links led to a domain previously associated with NSO Group’s infrastructure.
“Amnesty International has spent years tracking NSO Group Pegasus spyware and how it has been used to target activists and journalists,” said Donncha Ó Cearbhaill, head of Amnesty’s Security Lab. “This technical research has allowed Amnesty to identify malicious websites used to deliver the Pegasus spyware, including the specific Pegasus domain used in this campaign.”
Security experts, including Citizen Lab’s John Scott-Railton, argue that NSO Group and its clients are struggling to remain undetected. Since Citizen Lab first documented a Pegasus attack in 2016, researchers have identified at least 130 victims worldwide.
NSO Group has come under growing scrutiny, especially after the Pegasus Project, an investigative effort based on a leaked list of over 50,000 phone numbers allegedly targeted by the spyware. Additional victims have been discovered through investigations by Amnesty, Citizen Lab, and Access Now.
Apple has also been alerting users targeted by Pegasus, leading to further disclosures about spyware attacks.
Experts believe NSO’s core issue is its client base.
“The OPSEC mistake that NSO Group is making here is continuing to sell to countries that are going to keep targeting journalists and end up exposing themselves,” Ó Cearbhaill noted.
NSO Group did not respond to requests for comment regarding the spyware’s visibility or concerns from its clients.