Citizen Lab found that the iPhone of former European Parliament member Stelios Kouloglou was infected twice with NSO Group’s Pegasus spyware, in October 2022 and March 2023, while he served on the Parliament’s PEGA Committee investigating spyware abuse across Europe. Researchers said the attacks used a zero-click exploit against an Apple iPhone vulnerability that had been patched but not installed on the device, potentially giving the operator access to private messages, location data, photos, and even ambient audio without any user interaction.
The infections occurred during sensitive PEGA work, including hearings and draft reporting on alleged spyware abuses in Cyprus, Greece, Hungary, Poland, and Spain, intensifying concerns that commercial spyware was used against a lawmaker scrutinizing its misuse. Citizen Lab did not name the government behind the operation, but said the same Pegasus-linked email address and infrastructure overlapped with an earlier cluster targeting Russian- and Belarusian-speaking journalists and opposition figures, strongly suggesting a common operator with cross-border reach; Kouloglou has said he believes he was targeted because of his committee role and plans to sue NSO Group.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
Citizen Lab publicly reported that Stelios Kouloglou, a former member of the European Parliament's PEGA Committee, had been infected with Pegasus spyware while helping investigate spyware abuses in Europe. The report said the same targeting email overlapped with an earlier Pegasus campaign, but did not identify the operator's country.
Citizen Lab linked Kouloglou's case to a previously disclosed cluster of Pegasus attacks against seven Russian- and Belarusian-speaking journalists and opposition figures across Europe. The activity occurred between 2020 and 2023 and used the same targeting email, suggesting a common operator.
Following the disclosure, Kouloglou said he believes he was targeted because of his PEGA committee work and that he plans to sue NSO Group. The statement came alongside broader calls from lawmakers and researchers for stronger action against spyware abuse.
Citizen Lab reported that Apple notified Stelios Kouloglou about mercenary-spyware activity on March 2, 2023, August 29, 2023, and April 10, 2024. The alerts were disclosed as part of Citizen Lab's forensic findings on Pegasus targeting of the former MEP.
Researchers concluded with high confidence that Kouloglou's phone was infected a second time in March 2023. Citizen Lab said both infections were linked to the same Pegasus customer.
Citizen Lab found that former European Parliament member Stelios Kouloglou's iPhone was infected with NSO Group's Pegasus spyware in October 2022 while he was serving on the PEGA Committee. The intrusion reportedly used a zero-click exploit against an Apple iPhone vulnerability.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
9 references tracked. Mallory keeps watching after this page renders.
securityaffairs.com
Open sourcethehackernews.com
Open sourcecybersecuritynews.com
Open sourcecyberscoop.com
Open sourcecitizenlab.ca
Open sourcewired.com
Open sourcetherecord.media
Open sourcebloomberg.com
Open sourcetechcrunch.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.