Fake Pegasus Spyware Strains Populate Clear and Dark Web

Source code of fake Pegasus spyware is being sold on the surface web, the dark web and instant messaging platforms, CloudSEK has found.

Following Apple’s recent warning about “mercenary spyware” attacks, cloud security provider CloudSEK investigated the clear and dark web for spyware-related threats.

The firm analyzed approximately 25,000 Telegram posts and found that many claimed to sell authentic source code of Pegasus, a spyware strain commercialized by Israeli company NSO Group.

Most of these posts followed a common template offering illicit services, with Pegasus and NSO tools frequently mentioned. By interacting with over 150 potential sellers, the researchers gained insights into various samples and indicators, including purported Pegasus source code, live demonstrations, file structures, and snapshots.

After analyzing 15 source code samples and over 30 indicators from dark web sources, CloudSEK discovered that nearly all samples were fraudulent and ineffective.

Threat actors created their own tools and scripts, distributing them under Pegasus’ name to capitalize on its notoriety for financial gain.

This trend was also noted across multiple underground forums, where perpetrators marketed and distributed samples, exploiting Pegasus’ name for monetary gain, as well as on surface web code-sharing platforms, where actors disseminated randomly generated source codes falsely associated with Pegasus.

“This report […] highlights the importance of staying vigilant and relying on credible sources for information on cyberattacks and malware. It is not intended to malign or portray the NSO Group negatively, [but] serves as an advisory against scammers and threat actors who are exploiting the growing recognition of NSO Group’s renowned product, Pegasus, for their fraudulent purposes,” CloudSEK noted.

Read more: Governments and Tech Giants Unite Against Commercial Spyware