Wednesday, April 24, 2024

3 iOS Zero-Click Exploits Exploited by NSO Group to Deploy Spyware

In 2022, NSO Group, the Israeli firm notorious for its spyware technology, reemerged with a slew of zero-click exploit chains designed for iOS 15 and iOS 16. 

These sophisticated chains of exploits, targeted at iPhones and iPads, were deployed against human rights activists in Mexico and worldwide.

In a recent press release, Citizen Lab published the results of its investigation into recent activities of the NSO Group.

3 iOS Zero-Click Exploits

The investigative team at Citizen Lab has uncovered compelling evidence linking NSO Group to a digital espionage campaign aimed at human rights organizations in Mexico. 

Specifically, they’ve identified three exploit chains that launched Pegasus spyware attacks on groups like Centro PRODH, a legal advocacy group fighting against alleged abuses committed by the Mexican military.

Here below, we have mentioned the three iOS 15 and iOS 16 zero-click exploit chains that were used to launch Pegasus spyware:-


Since then, Apple has made a HomeKit security update available with iOS 16.3.1

There has been a long history of the military and government of Mexico engaging in the following illicit activities:-

  • Grave human rights abuses
  • Extrajudicial killings
  • Disappearances


Furthermore, it has come to light that two individuals dedicated to promoting and protecting human rights, employed at Centro PRODH, have fallen victim to the notorious Pegasus spyware.

Pegasus targeted Centro PRODH during important events related to human rights violations by the Mexican Army, indicating an attempt to weaken their impact.

Jorge Santiago Aguirre Espinosa, Centro PRODH’s Director, had his device infected with Pegasus. He was previously targeted in 2017 when Citizen Lab discovered Pegasus infection attempts via a text message sent to his device in 2016.

In 2022, he was infected by the FINDMYPWN exploit at least twice. His device was infected with spyware between June 22, 2022, and July 13, 2022, when the spyware was active on it.

Mr. Aguirre’s phone was first infected on June 22, 2022, which coincided with the launch of Mexico’s truth commission on the Dirty War. The ceremony was held at a military camp witnessing many abuses.

After the ceremony, another member of the Centro PRODH, María Luisa Aguilar Rodríguez, who is the International Coordinator at Centro PRODH, became infected on June 23, 2022.

Her device was infected twice more using the FINDMYPWN exploit, and it was active on her phone between September 24 and 29, 2022.


Citizen Lab has refrained from disclosing additional details about Pegasus indicators to preserve their ability to identify infections. They suspect NSO Group of making concentrated efforts to avoid detection, which they continue to observe.

In October 2022 and January 2023, Citizen Lab notified Apple about their observations regarding these exploit chains.

As a recommendation, the cybersecurity researchers at Citizen Lab have urged all users who are at risk to enable the Lockdown Mode on their Apple devices.

Despite the potential for reduced usability, they believe the benefits of the feature may outweigh this cost by making it more expensive for attackers.

Building Your Malware Defense Strategy – Download Free E-Book

Related Read:


Latest articles

Phishing Attacks Rise By 58% As The Attackers Leverage AI Tools

AI-powered generative tools have supercharged phishing threats, so even newbie attackers can effortlessly create...

Multiple MySQL2 Flaw Let Attackers Arbitrary Code Remotely

The widely used MySQL2 has been discovered to have three critical vulnerabilities: remote Code...

CoralRaider Hacker Evade Antivirus Detections Using Malicious LNK File

This campaign is observed to be targeting multiple countries, including the U.S., Nigeria, Germany,...

Spyroid RAT Attacking Android Users to Steal Confidential Data

A new type of Remote Access Trojan (RAT) named Spyroid has been identified.This...

Researchers Uncover that UK.GOV Websites Sending Data to Chinese Ad Vendor Analysts

Analysts from Silent Push, a data analytics firm, have uncovered several UK government websites...

Ransomware Victims Who Opt To Pay Ransom Hits Record Low

Law enforcement operations disrupted BlackCat and LockBit RaaS operations, including sanctions on LockBit members...

IBM Nearing Talks to Acquire Cloud-software Provider HashiCorp

IBM is reportedly close to finalizing negotiations to acquire HashiCorp, a prominent cloud infrastructure...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles