NSO Group

NSO Group is an Israeli private sector offensive actor and spyware vendor, also referred to as NSO and Q Cyber Technologies. Its signature spyware is Pegasus, also referred to in the content as Q Suite. Microsoft maps DEV-0336 to Night Tsunami and identifies it as NSO Group. The content describes NSO Group as a commercial provider of surveillance and hacking capabilities sold to government customers, and as an "access-as-a-service" provider selling packaged hacking solutions. Pegasus is described as spyware / a remote access trojan capable of infecting iOS, Android, and BlackBerry devices. Once installed, Pegasus can provide near-complete access to a target device, including passwords, contacts, calendar events, text messages, live voice calls, emails, photos, messages, browser history, screenshots, communications from apps such as iMessage, Skype, Telegram, WeChat, Facebook Messenger, and WhatsApp, as well as camera, microphone, GPS, and location data. The supporting content links NSO Group with multiple zero-click and zero-day delivery vectors. WhatsApp publicly attributed a 2019 campaign to NSO Group in which a vulnerability in WhatsApp audio-calling functionality, tracked as CVE-2019-3568, was used to target roughly 1,400 devices by placing crafted calls that could trigger spyware installation even if the call was not answered. Court filings cited in the content allege NSO Group and Q Cyber used WhatsApp infrastructure, reverse-engineered WhatsApp traffic, created WhatsApp accounts, and routed malicious code through signaling and relay servers to deliver Pegasus. Trial reporting in the content says NSO used a "WhatsApp Installation Server," follow-on infrastructure, and internally named WhatsApp vectors Eden, Heaven, and Erised, collectively Hummingbird, and that targeting via WhatsApp continued after the lawsuit was filed. The content also attributes iMessage-based Pegasus exploitation to NSO Group. Citizen Lab attributed the ForcedEntry exploit to NSO Group with high confidence; ForcedEntry exploited CVE-2021-30860 and was used as a zero-click iMessage chain against activists, including Bahraini and Saudi activists, while bypassing Apple BlastDoor protections. Separate Apple emergency updates addressed CVE-2023-41061 and CVE-2023-41064, which Citizen Lab reported were weaponized in the BLASTPASS zero-click iMessage exploit chain to deliver Pegasus against a Washington, D.C.-based civil society target. The content further references a previously undocumented "MMS Fingerprint" capability from NSO-related contract evidence, described as revealing device and OS version by sending an MMS without requiring user interaction; researchers reproduced automatic handset HTTP requests leaking UserAgent and x-wap-profile data that could help tailor Pegasus deployment. Targets explicitly mentioned in the content include journalists, human rights activists and defenders, lawyers, political dissidents, diplomats, government officials, senior foreign government officials, civil society members, activists, and other specific individuals across multiple countries. The content cites targeting in at least 20 countries and references victims in 51 countries in the 2019 WhatsApp campaign. It also references documented Pegasus targeting involving a Saudi activist, a Bahraini activist, Amnesty International staff, human rights defenders in Morocco and Bahrain, a close confidant of Jamal Khashoggi, and New York Times journalist Ben Hubbard. The content states NSO Group claims it sells only to government clients and that exports are conducted under Israeli export laws and oversight. At the same time, the content describes repeated allegations and findings of abuse by government customers against civil society. It notes WhatsApp sued NSO Group in 2019, Apple later sued NSO Group over Pegasus attacks on Apple users, the United States added NSO Group to the Entity List, and a California jury ordered NSO Group to pay Meta $167.25 million over the 2019 WhatsApp Pegasus campaign.