Skip to content

S0289 Pegasus for iOS

Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. 1 2 The Android version is tracked separately under Pegasus for Android.

Item Value
ID S0289
Associated Names
Version 1.1
Created 25 October 2017
Last Modified 24 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1429 Audio Capture Pegasus for iOS has the ability to record audio.1
mobile T1645 Compromise Client Software Binary Pegasus for iOS modifies the system partition to maintain persistence.1
mobile T1456 Drive-By Compromise Pegasus for iOS was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.1
mobile T1404 Exploitation for Privilege Escalation Pegasus for iOS exploits iOS vulnerabilities to escalate privileges.1
mobile T1430 Location Tracking Pegasus for iOS update and sends the location of the phone.1
mobile T1644 Out of Band Data Pegasus for iOS uses SMS for command and control.1
mobile T1636 Protected User Data -
mobile T1636.002 Call Log Pegasus for iOS captures call logs.1
mobile T1636.003 Contact List Pegasus for iOS gathers contacts from the system by dumping the victim’s address book.1
mobile T1636.004 SMS Messages Pegasus for iOS captures SMS messages that the victim sends or receives.1
mobile T1409 Stored Application Data Pegasus for iOS accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files.1
mobile T1426 System Information Discovery Pegasus for iOS monitors the victim for status and disables other access to the phone by other jailbreaking software.1
mobile T1421 System Network Connections Discovery Pegasus for iOS monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.1