This repository contains network and device indicators of compromise related to NSO Group's Pegasus spyware. These indicators are a result of multiple investigations by the Amnesty International Security Lab and other partners. Additional technical information was collected as part of a collaborative investigation, the Pegasus Project, coordinated by Forbidden Stories and involving a global network of investigative journalists.
Amnesty International has released a Technical Methodology report which outlines how to use these indicators to hunt for Pegasus and other mobile spyware products. The Amnesty International Security Lab is also releasing an open-source tool, the Mobile Verification Toolkit (MVT). MVT can be used with the pegasus.stix2 indicators to check a device for potential signs of compromise with Pegasus spyware.
These indicators include:
- domains.txt: list of all Pegasus-related domains, with sub-files:
  - v2_domains.txt: list of Pegasus Version 2 infrastructure. These domains were identified and published previously by Citizen Lab
  - v3_domains.txt: list of Pegasus Version 3 infrastructure
  - v4_domains.txt: list of Pegasus Version 4 infrastructure
  - v4_validation_domains.txt: list of Pegasus Version 4 validation/URL shortener domains
- emails.txt: list of iCloud accounts used for exploiting zero-click vulnerabilities in iMessage and other Apple apps
- files.txt: list of suspicious files
- pegasus.stix2: STIX v2 file containing IOCs that can be used with MVT
- processes.txt: list of Pegasus-related process names identified on compromised phones