Frequently this website was running a random and sometimes obscure PHP application or CMS

The fingerprint technique is conceptually similar to the JA3S fingerprint technique published by Salesforce in 2019

Amnesty International presented an excerpt of more than 600 domain names tied to NSO Group’s attack infrastructure

System log files also reveal the location of Pegasus binaries on disk. These file names match those we have consistently observed in the process execution logs presented earlier. The binaries are located inside the folder /private/var/db/com.apple.xpc.roleaccountd.staging/ which is consistent with the findings by Citizen Lab in a December 2020 report.

These most recent discoveries indicate NSO Group’s customers are currently able to remotely compromise all recent iPhone models and versions of iOS. 

a random identifier tied to the attack attempt followed by the word "stadium".

The Cache.db file for com.apple.coretelephony contains details about the HTTP response which appeared to have been a download of ~250kb of binary data

a service fronted by Amazon CloudFront, suggesting NSO Group has switched to using AWS services in recent months

HTTP request performed by the com.apple.coretelephony process. This is a component of iOS involved in all telephony-related tasks and likely among those exploited in this attack

This domain matched a distinctive fingerprint we devised while conducting Internet-wide scans following our discovery of the network injection attacks in Morocco

HTTP request performed by the Apple Music app points to the domain opposedarrangement[.]net

It is interesting to note that in the traces Amnesty International recovered from 2019, the iMessage lookups that immediately preceded the execution of suspicious processes often contained two-bytes 0x00 padding in the email address recorded by the ID Status Cache file

iOS keeps a record of Apple IDs seen by each installed application in a plist file located at /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist. This file is also typically available in a regular iTunes backup, so it can be easily extracted without the need of a jailbreak.

iCloud accounts seem to be central to the delivery of multiple “zero-click” attack vectors in many recent cases of compromised devices analysed by Amnesty International

_kBridgeHeadConfigurationFilePath in the libaudio.dylib file part of the Pegasus bundle

configuration file located at /var/tmp/jb_cfg

vulnerability in the iOS JavaScriptCore Binary (jsc) to achieve code execution on the device.

network usage databases contained records of a suspicious process called “bh”. This “bh” process was observed on multiple occasions immediately following visits to Pegasus Installation domains.

primarily attributed Pegasus spyware attacks based on the domain names and other network infrastructure used to deliver the attacks