Threat Actors Spoofing Pegasus Spyware Name to Sell Fake Code

Hackers Sell Fake Pegasus Spyware on Clearnet and Dark Web

Be cautious! Hackers are selling fake Pegasus spyware source code, alerts CloudSEK. Learn how to protect yourself from this cyber deception.

Contextual AI platform CloudSEK’s latest research report reveals a concerning trend of widespread misuse of NSO Group’s Pegasus spyware name, leveraged by threat actors on the dark web for monetary gains, with almost all identified samples being fraudulent. 

This development aligns with Hackread’s recent report on Apple’s warning about “mercenary spyware” attacks on April 10, 2024. The tech giant revealed how such attacks affect iPhone users in 92 countries, highlighting that state actors or private companies could create mercenary spyware, like Pegasus.

Apple notification sent in April 2024

What is Pegasus Spyware?

Pegasus is a powerful and invasive spyware linked to serious attacks on journalists, activists, and even government officials. It can steal data, track locations, and even activate phone microphones for eavesdropping.

After Apple’s advisory, CloudSEK researchers started analyzing Dark and Deep Web sources for incidents involving the names of NSO Group and its Pegasus spyware. They analyzed 25k Telegram posts, over 150 potential Pegasus sellers, 15 samples, and 30+ indicators from HUMINT and underground platforms.

Their analysis revealed that threat actors were offering fraudulent Pegasus source code, tools, and scripts for hundreds of thousands of dollars. Most posts followed a standard template in which illicit services were offered as Pegasus and other NSO tools to make money.

“Threat actors created their own tools and scripts, distributing them under Pegasus’ name to capitalize on its notoriety for financial gain,” report author Anuj Sharma explained.

For instance, Deanon ClubV7, a Telegram group, obtained legitimate access to Pegasus and offered permanent access for USD 1.5 million. Within two days, they sold four accesses, bringing in $6,000,000.

The most propagated samples were Pegasus HVNC (Hidden Virtual Network Computing), with six unique samples posted on the deep web between May 2022 and Jan 2024, offered for “hundreds of thousands of dollars.”

Two among several examples that researchers shared in their technical report

Researchers also noted that actors are spreading malware to compromise users’ devices, using Pegasus’ name to persuade them to download malicious programs. The misuse of surface web code-sharing platforms was also observed, where actors were spreading fake, randomly generated source code as Pegasus Spyware.

Don’t be duped by the name

The incident highlights how scammers can use purported Pegasus source code as a lure to distribute custom-built malware. If you encounter a suspicious offer, don’t respond to the emails or messages, and don’t click on the links provided. Report the incident to the platform where it occurred or to a trusted cybersecurity organization.
