SHIELD: ACTIVE // NETWORK SECURE

2026-07-06 - Spyware Scandal: Citizen Lab Confirms Pegasus Attack on MEP Investigating Surveillance Abuses

Spyware Scandal: Citizen Lab Confirms Pegasus Attack on MEP Investigating Surveillance Abuses

Executive Summary

A major geopolitical surveillance scandal has been confirmed following a forensic report published by the cybersecurity research group Citizen Lab and validated by Amnesty International. Forensics conducted on the mobile device of former Member of the European Parliament (MEP) Stelios Kouloglou confirmed that his phone was targeted and infected with the highly invasive Pegasus spyware in October 2022 and March 2023.

At the time of these state-sponsored infections, Kouloglou sat on the European Parliament's PEGA Committee, which was actively investigating the illegal use and abuses of surveillance spyware across Europe. This incident highlights the extreme, continued risk that commercial surveillance tools pose to democratic institutions and political figures globally.

Deep-Dive Technical Analysis

Pegasus, developed by the Israeli surveillance firm NSO Group, is a military-grade spyware suite sold exclusively to government and intelligence agencies. It operates by exploiting zero-day vulnerabilities in mobile operating systems to achieve silent, full-privilege device compromise.

A technical analysis of the Pegasus infections confirms a highly advanced, zero-click attack pattern:

* Zero-Click Infiltration (MFA Bypass): Unlike standard spyware that requires user interaction (such as clicking a malicious link), Pegasus is deployed via "zero-click" exploits (such as the infamous iMessage and WhatsApp exploits). Attackers send a specially crafted, silent push notification or media file to the target device, triggering a memory-corruption vulnerability in the operating system's background image-parsing library to execute code without user awareness.

* Achieving Full Kernel Privilege: Once code execution is achieved, the spyware escalates its privileges, gaining root and kernel-level access to the mobile operating system. This allows Pegasus to bypass all sandbox protections and access the device's deepest data buffers.

* Complete Data Exfiltration: Once active on Kouloglou's device, Pegasus was capable of:

* Silently exfiltrating private chat histories (including encrypted WhatsApp, Signal, and iMessage communications).

* Activating the device's microphone and camera in real-time to record private conversations.

* Accessing stored photos, contact directories, emails, and precise real-time GPS location data.

* Targeting the PEGA Committee: The timeline of the infections (October 2022 and March 2023) directly coincided with Kouloglou's active participation in the European Parliament's PEGA Committee. This committee was tasked with investigating Pegasus abuses, suggesting the spyware was used as a tool of political espionage to monitor the investigation's progress and gather intelligence on the committee's findings.

Industry Impact and Recommendations

This incident demonstrates that commercial, high-privilege spyware is actively being weaponized to subvert democratic oversight and target human rights defenders, journalists, and political leaders. The fact that an active MEP investigating surveillance abuses was targeted highlights the absolute impunity with which state-sponsored spyware operators currently function.

We recommend that all high-profile executives, government officials, and security teams implement the following mobile-hardening controls:

Control Type

Recommended Action

Implementation Strategy

Platform Security

Enable Apple Lockdown Mode

Mandate activation for high-risk iOS users to restrict attack surfaces (disables complex attachments and unverified web technologies).

Operational Hygiene

Daily Device Reboots

Encourage daily shutdowns to terminate spyware sessions residing strictly in volatile memory (RAM).

Forensic Auditing

Regular Device Audits

Utilize open-source mobile verification toolkits (MVT) to scan backups for known indicators of Pegasus compromise.

Communication

Secure Segregated Channels

Use separate, out-of-band networks and hardened devices for high-consequence operations and sensitive meetings.

References

* Amnesty International

* The Hacker News

Category: Cyber Security Intelligence