Beware: Fake Pegasus Spyware Source Code Flooding the Dark Web
Cybersecurity | Encripti
May 27, 2024
Cybercriminals are capitalizing on the notorious reputation of NSO Group’s Pegasus spyware by selling fake source code on the dark web. These scammers falsely label their randomly generated code as Pegasus and demand exorbitant prices for it. According to cybersecurity firm CloudSEK, this trend has escalated, particularly following a recent advisory from Apple warning users about mercenary spyware attacks.
The Dark Web Scam: Exploiting Pegasus's Name
Cybercriminals Leverage Pegasus's Infamy
Cybercriminals are exploiting the high-profile nature of Pegasus spyware to dupe victims on the dark web. CloudSEK's extensive investigation reveals a systematic scheme where threat actors post claims on platforms like Telegram, asserting they have genuine Pegasus source code for sale.
CloudSEK's Investigation
CloudSEK conducted months of research on dark web sources, uncovering how these cybercriminals manipulate the Pegasus name for financial gain. The report outlines the persistent mentions of Pegasus and NSO Group, particularly after Apple’s recent advisory to users in 92 countries about a mercenary spyware attack.
Misuse and Misinformation
Anuj Sharma, a lead investigator and security researcher at CloudSEK, highlights the significant misinformation caused by the misuse of Pegasus’s name and logo. This deliberate misrepresentation confuses experts and the public about the true capabilities and origins of the spyware, complicating the attribution of cyberattacks.
The Scale of the Scam
Fake Code, Inflated Prices
CloudSEK researchers analyzed around 25,000 posts on Telegram, many of which claimed to sell authentic Pegasus code. These posts followed a common template, frequently mentioning Pegasus and NSO tools.
Engaging with Sellers
CloudSEK engaged with over 150 potential sellers, gaining insights into various samples and indicators. These interactions revealed that many of the offered codes were fraudulent and ineffective.
Identifying Fake Samples
The investigation identified six instances of fake Pegasus HVNC (Hidden Virtual Network Computing) samples distributed on the dark web between May 2022 and January 2024. Similar scams were observed on surface web code-sharing platforms.
Financial Impact
On April 5, a group named Deanon ClubV7 claimed to have legitimate access to Pegasus and offered permanent access for $1.5 million. They boasted about selling four accesses, totaling $6 million, within two days.
Combating the Pegasus Scam
Employee Awareness
CloudSEK emphasizes the importance of employee awareness to combat these scams. Ensuring that employees understand the risks of downloading software from the dark web and IRC platforms is crucial.
Network Monitoring and Access Controls
Implementing robust network monitoring to detect unusual activity is essential, as are strict access controls that limit employees' ability to visit dangerous sites or download unauthorized software. Regular updates and alerts about the latest scam tactics involving Pegasus and similar high-profile names are equally vital.
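As a concrete illustration of the monitoring the article recommends, the following added example (not code from CloudSEK, Encripti, or the article) scans a web-proxy log and flags requests that match the scam pattern described above: access to Tor hidden services, links on messaging platforms, and archive downloads whose URLs carry lure keywords such as "pegasus", "nso" or "hvnc". The log format, the sample lines, the host list and the keyword list are all constructed assumptions for the demonstration; an organisation would substitute its own proxy schema and policy lists.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample proxy log (not from the article). Fields per line:
# timestamp user method url bytes status
SAMPLE_PROXY_LOG = """\
2024-05-20T09:12:01Z alice GET https://intranet.example.com/wiki/onboarding 5123 200
2024-05-20T09:15:44Z bob GET https://t.me/pegasus_source_leak 2048 200
2024-05-20T09:16:02Z bob GET https://cdn-telegram.example/files/Pegasus_NSO_HVNC_src.zip 18432000 200
2024-05-20T09:20:11Z carol GET http://abcdefghijklmnop.onion/market/listing/123 3000 200
2024-05-20T09:21:30Z dave GET https://pypi.org/simple/requests/ 4000 200
2024-05-20T09:25:00Z erin GET https://paste.example.org/raw/pegasus-hvnc-free 900 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<bytes>\d+) (?P<status>\d+)$"
)

# Hypothetical tuning knobs; adjust to the organisation's own policy.
MESSAGING_HOSTS = {"t.me", "telegram.me", "telegram.org"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".tar.gz", ".exe")
LURE_KEYWORDS = ("pegasus", "nso", "hvnc")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["bytes"] = int(entry["bytes"])
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the list of policy reasons that apply to one parsed entry."""
    url = entry["url"]
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reasons = []
    if host.endswith(".onion"):
        reasons.append("tor-hidden-service")
    if host in MESSAGING_HOSTS:
        reasons.append("messaging-platform")
    if any(keyword in url.lower() for keyword in LURE_KEYWORDS):
        reasons.append("pegasus-lure-keyword")
    if path.endswith(ARCHIVE_EXTENSIONS):
        reasons.append("archive-download")
    return reasons


def severity_for(reasons):
    """High when a lure keyword coincides with a second indicator; medium for any single hit."""
    if not reasons:
        return None
    if "pegasus-lure-keyword" in reasons and len(reasons) >= 2:
        return "high"
    return "medium"


def scan_log(text):
    """Scan a whole proxy log and return one alert dict per flagged request."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than crash the scan
        reasons = classify(entry)
        severity = severity_for(reasons)
        if severity:
            alerts.append({
                "user": entry["user"],
                "url": entry["url"],
                "reasons": reasons,
                "severity": severity,
            })
    return alerts


def summarize(alerts):
    """Count alerts per severity, e.g. {'high': 2, 'medium': 2}."""
    return dict(Counter(alert["severity"] for alert in alerts))


if __name__ == "__main__":
    found = scan_log(SAMPLE_PROXY_LOG)
    for alert in found:
        print(f'[{alert["severity"].upper()}] {alert["user"]} -> {alert["url"]} '
              f'({", ".join(alert["reasons"])})')
    print(summarize(found))
```

On the constructed sample, the two requests by "bob" (a Telegram link and an archive named after Pegasus, NSO and HVNC) score high because a lure keyword coincides with a second indicator, while the lone .onion visit and the paste-site link score medium. Keyword matching on URLs is deliberately coarse; in practice it is a triage signal to route to an analyst, combined with the access controls the article recommends rather than used as a block rule on its own.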
Conclusion: Safeguarding
The fraudulent sale of fake Pegasus spyware source codes on the dark web represents a significant threat. Organizations must stay vigilant, educate their employees, and implement stringent security measures to protect themselves from these sophisticated scams. By understanding and mitigating these risks, businesses can safeguard their operations against cybercriminals exploiting the notoriety of tools like Pegasus.