Amnesty International reported that an employee and a Saudi activist living abroad were targeted with malicious WhatsApp and SMS messages carrying Saudi-themed lures and links tied to infrastructure believed to deliver NSO Group's Pegasus spyware. Its investigation identified more than 600 suspicious domains associated with Pegasus's anonymizing transmission network, describing how the platform used social engineering, relay nodes, and exploitation servers to silently compromise mobile devices for full surveillance. NSO said its tools were intended only for government customers investigating crime and terrorism, while Amnesty said the targeting showed abusive use of highly invasive surveillance technology against civil society.
Amnesty later documented similar Pegasus activity against Moroccan human rights defenders Maati Monjib and Abdessadak El Bouchattaoui, who were targeted from at least 2017 through malicious SMS links and suspected mobile network injection attacks. The organization said Monjib's iPhone showed signs consistent with compromise, including Safari redirections to suspicious domains, wiped crash logs, a suspicious process, and a forced reboot, and linked parts of the infrastructure to previously identified NSO systems and a domain associated by Citizen Lab with the Moroccan-linked actor ATLAS. The findings, reinforced by broader Citizen Lab reporting on Pegasus operations across dozens of countries, pointed to sustained surveillance of dissidents and rights advocates beyond traditional criminal or counterterrorism use.

8 events from the most recent confirmed update back to the earliest known activity.
Citizen Lab published research on how Saudi-linked digital espionage reached Canadian soil, adding further public reporting on Pegasus-related surveillance activity.
Citizen Lab published research tracing NSO Group Pegasus spyware operations to 45 countries, expanding public attribution of the spyware's global deployment.
In 2019, Amnesty identified suspected mobile network injection attacks against Maati Monjib's iPhone, including Safari redirections to suspicious domains, wiped crash logs, a suspicious process, and a forced reboot, leading it to believe at least one compromise succeeded.
Amnesty International reported that Moroccan human rights defenders Maati Monjib and Abdessadak El Bouchattaoui were targeted from at least 2017 with malicious SMS messages containing exploit links tied to NSO Group Pegasus infrastructure.
On 2019-10-10, Amnesty International published findings that two Moroccan human rights defenders had been targeted with NSO Group Pegasus spyware and linked parts of the infrastructure to previously identified NSO systems and a domain associated by Citizen Lab with the Moroccan-linked actor ATLAS.
In October 2018, Amnesty International released the full list of suspicious domains identified in its NSO Group investigation to the research community.
In June 2018, an Amnesty International staff member and a Saudi activist living abroad received malicious WhatsApp and SMS messages with Saudi-themed bait and links associated with NSO Group Pegasus delivery infrastructure.
On 2018-08-01, Amnesty International published research linking the June 2018 targeting and more than 600 suspicious domains to NSO Group's Pegasus Anonymizing Transmission Network, and included NSO Group's response denying misuse of its tools.
5 references tracked:
citizenlab.ca
citizenlab.ca
amnesty.org
securityaffairs.com
amnesty.org