A House Democrat who’s been at the forefront of congressional efforts to scrutinize the federal government’s use of commercial spyware wants the Commerce Department to brief Capitol Hill amid apprehension that the Trump administration might further embrace the technology.

Rep. Summer Lee, D-Pa., sent a letter to the department Thursday seeking a briefing on several developments stemming from Immigration and Customs Enforcement acknowledging its use of Paragon’s Graphite spyware, as well as an American company purchasing a controlling stake in Israel’s NSO Group. The Commerce Department sanctioned NSO Group under former President Joe Biden after widespread abuse allegations, including eavesdropping on government officials, activists and journalists.

“The Trump Administration appears to be broadly receptive to using commercial spyware to infiltrate cell phones and allowing U.S. investment in sanctioned spyware companies like NSO Group,” Lee wrote in her letter to Commerce Secretary Howard Lutnick, which CyberScoop is first reporting.

NSO Group’s new executive chairman, David Friedman, is a former Trump ambassador to Israel and was his bankruptcy attorney. He has said in November that he expects the administration will be “receptive” to using NSO Group tech.

“Given those close ties between NSO Group and the Trump Administration, and the serious concerns about how NSO’s technology could be used to spy on Americans, we write to request information regarding the purchase of NSO Group by an American company and the potential usage of NSO Group spyware by federal law enforcement,” wrote Lee, who sits on the Oversight and Government Reform panel and is the top Democrat on its Federal Law Enforcement Subcommittee.

Lee was one of the authors of a recent Democratic letter seeking confirmation of ICE’s use of Paragon’s Graphite, which ICE acknowledged. But they criticized the administration for not answering all their questions, in addition to being outraged.

In her latest letter, Lee asked the Commerce Department to brief Oversight and Government Reform Committee staff about internal department deliberations, Commerce communication with the White House and any outside conversations — including with Friedman — about government use of NSO Group technology or any other commercial spyware, and American investment in NSO.

NSO Group “appears to view the Trump administration as friendly to its interests in the United States, pitching itself as a vital tool for the U.S. government to safeguard national security,” Lee wrote, citing company court filings that it “is reasonably foreseeable that a law enforcement or intelligence agency of the United States will use Pegasus.”

The Biden administration sanctions, and court losses in a case against Meta, represented setbacks for NSO Group’s ambitions. And prior to the U.S. investment firm controlling stake purchase last fall, the Commerce Department under Trump rebuffed efforts to remove NSO Group from its sanctions list.

But the tens of millions of dollars worth of investment, following news that Israel had used Pegasus to track people kidnapped or murdered by Hamas, was a boon.

NSO Group maintains that its products are designed only to help law enforcement and intelligence fight terrorism and crime, and that it vets its customers in advance as well as investigates misuse. News accounts and other investigations have turned up a multitude of abuses.

There have been scattered reports of U.S. flirtation with using NSO Group technology. The FBI acknowledged it had bought a Pegasus license, but stopped short of deploying it. The Times of London reported that “it is believed” the Central Intelligence Agency used Pegasus spyware as part of a rescue mission last month for a U.S. airman downed in Iran.

You can read the full letter below.

The post One House Democrat is pressing Commerce on the government’s spyware use appeared first on CyberScoop.

Campaigns employing commercial surveillance vendors tracked targets by exploiting mobile phone network vulnerabilities in what researchers said Thursday was the first-ever linking of “real-world attack traffic to mobile operator signalling infrastructure.”

The two unknown parties behind the campaigns mimicked the identities of mobile phone operators with customized surveillance tools, and manipulated signaling protocols and steered traffic through network pathways to hide, according to research from the University of Toronto’s Citizen Lab.

“Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate,” a report published Thursday reads.

“Despite repeated public reporting, this activity continues unabated and without consequence,” Gary Miller and Swantje Lange wrote for Citizen Lab. “The continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security.”

The attackers relied on identifiers and infrastructure associated with operators around the world, including networks based in Cambodia, China, the self-governing Island of Jersey, Israel, Italy, Lesotho, Liechtenstein, Morocco, Mozambique, Namibia, Poland, Rwanda, Sweden, Switzerland, Thailand, Uganda and the United Kingdom.

They shifted between SS7 and Diameter protocols, the signalling protocols known for 3G and 4G/most of 5G, respectively, according to the report. While Diameter was meant to be more secure than SS7, the Federal Communications Commission in 2024 opened a probe into both its vulnerabilities and SS7’s, and Sen. Ron Wyden, D-Ore., has asked for a Cybersecurity and Information Security Agency report about telecommunications vulnerabilities rooted in both protocols.

But identifying the vendors used in the two surveillance campaigns, or who was behind them, was beyond the researchers’ reach.

“The reality is that there are a number of known surveillance vendors and bad actors in this space, but given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are,” Ron Deibert, director of Citizen Lab, wrote in his newsletter. “Much of the malicious things they are doing blend into the otherwise voluminous flow of billions of normal messages and roaming signals. They are ‘ghost operators’ within the global telecom ecosystem.”

One of the operators mentioned in Citizen Lab’s report, Israel-based 019 Mobile, wrote back that it didn’t recognize the hostnames referenced in the report as 019 Mobile’s network nodes, and couldn’t attribute the signaling activity it represents to 019 Mobile-operated infrastructure.

Another operator, Sure, said it has taken preventative measures to defend against misuse.

“Sure acknowledges that digital services can be misused, which is why we take a number of
steps to mitigate this risk,” CEO Alistair Beak said in a statement to CyberScoop. “Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling. Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”

019 Mobile and a third operator, Tango Networks UK, didn’t respond to requests for comment from CyberScoop. The Citizen Lab report afforded some grace to the operators.

“It is important to note that the operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement,” it states. “In some cases, access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using operator identifiers from legitimate networks.”

Updated 4/24/26: to include quote from Alistair Beak.

The post Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities appeared first on CyberScoop.

An apparent hack-for-hire campaign from a group with suspected Indian government connections targeted Middle Eastern and North African journalists and activists using spyware, three collaborating organizations said in reports published Wednesday.

The attacks shared infrastructure that pointed to the advanced persistent threat group known as Bitter, which most frequently targets government, military, diplomatic and critical infrastructure sectors across South Asia, according to conclusions from researchers at Access Now, Lookout and SMEX.

Each group took on a different piece of the puzzle:

• Access Now got calls on its helpline that led it to examine a spearphishing campaign in 2023 and 2024. It contacted Lookout for technical support about the malware it encountered.
• Lookout attributed the malware to Bitter, concluding it was a likely hack-for-hire campaign, using the Android ProSpy spyware.
• SMEX dived into a spearphishing campaign targeting a prominent Lebanese journalist last year, collaborating with Access Now to discover shared infrastructure between the campaigns.

One of the victims, independent Egyptian journalist Mostafa Al-A’sar, said he contacted Access Now after receiving a suspicious link from someone he’d been talking to about a job position. He was skeptical because his phone had been targeted before, when he was arrested in Egypt in 2018.

The lesson for journalists and civil society groups is that cybersecurity “is not a luxury,” he said.

“I feel like I’m threatened,” Al-A’sar said, and even though he was living in exile, he feels like “they are still following me. I also felt worried about my family, about my friends, about my sources.”

The combined research found a wider campaign than just the original victims.

“Our joint findings expose an espionage campaign that has been operational since at least 2022 until present day primarily targeting civil society members and potentially government officials in the Middle East,” Lookout wrote. “The operation features a combination of targeted spearphishing delivered through fake social media accounts and messaging applications leveraging persistent social engineering efforts, which may result in the delivery of Android spyware depending on the target’s device.”

The Committee to Protect Journalists condemned the campaign.

“Spying on journalists is often the first step in a broader pattern of intimidation, threats, and attacks,” said the group’s regional director, Sara Qudah. “These actions endanger not only journalists’ personal safety, but also their sources and their ability to do their work. Authorities in the region must stop weaponizing technology and financial resources to surveil journalists.”

Access Now said it didn’t have enough information to attribute who was behind the attacks it identified.

ESET first published research on the ProSpy malware last year, after finding it targeting residents of the United Arab Emirates.

The post Hack-for-hire spyware campaign targets journalists in Middle East, North Africa appeared first on CyberScoop.

A federal judge has sentenced the maker of stalkerware pcTattleTale, which went out of business after a data breach, to supervised release and a $5,000 fine.

Bryan Fleming pleaded guilty in January to a charge of intentionally manufacturing, possessing or selling a device with the knowledge that it would be primarily used for surreptitious interception of communications. On Friday, a judge handed down Fleming’s sentence.

It was the first stalkerware conviction since 2014, when the maker of StealthGenie, pled guilty and also didn’t serve prison time, instead receiving a $500,000 fine from the court.

According to Fleming’s plea agreement, his incriminating activity began as early as 2017, as the owner of Fleming Technologies LLC.

“Defendant’s software enabled buyers to covertly and remotely monitor a victim’s cellular telephone and computer activities, including, texts, emails, phone calls, geo-location, and web browsing,” the agreement states. “Defendant began directly advertising his spying software to persons wanting to spy on spouses or partners without their knowledge.”

It continued: “Defendant’s spying software covertly created a video every time a victim’s device was used, which captured any and all activity occurring on the device. The person monitoring the device could log into a remote dashboard and monitor the activity on the victim’s device.”

An undercover agent from Homeland Security Investigations, a division of U.S. Immigration and Customs Enforcement, posed as a marketing affiliate and customer to communicate with Fleming, according to a 2022 indictment.

pcTattletale went out of business in 2024 after suffering a data breach. Researchers have found that stalkerware apps often fail to protect personal information collected during their use.

An attorney for Fleming didn’t immediately respond to a request for comment Monday morning.

The post pcTattleTale stalkerware maker sentence includes fine, supervised release appeared first on CyberScoop.

Iran-linked hacking groups are turning to high-volume, low-impact cyberattacks, and AI is providing a boost.

The post Hacked Hospitals, Hidden Spyware: Iran Conflict Shows How Digital Fight Is Ingrained in Warfare appeared first on SecurityWeek.

Leaked iOS spyware has some cybersecurity professionals raising urgent alarms about potential mass iPhone compromises, a development that pairs ominously with the recent discovery of two sophisticated iOS exploit kits.

At the same time, some other experts say Apple’s defensive features for iPhones remain elite. But several factors have created unprecedented circumstances: the public accessibility of a version of DarkSword, shortly after the discovery of the original version of DarkSword and the earlier discovery of a similar kit known as  Coruna, and a  growing market for iPhone exploits driven by their high value as targets.

Allan Liska, field chief information security officer at Recorded Future, said he was worried about what the leaked DarkSword version could do to “democratize” iPhone exploits.

“Right now, iPhone exploitations are among the most expensive to research/implement so they have been, largely, the realm of nation-states,” he said. “If anyone can exploit an iPhone, suddenly something that has managed to be relatively secure now is a much bigger attack surface.”

Google, iVerify and Lookout released research last week on DarkSword’s discovery, centered on Ukraine. Google also said it saw targeting in Saudi Arabia, Turkey and Malaysia. And that was before a version turned up on GitHub, a development TechCrunch first reported and Google and iVerify have analyzed. (The week before, iVerify and Google uncovered Coruna. Google declined to comment further for this story.)

“It’s extremely alarming that this leaked out on GitHub,” said Rocky Cole, co-founder of iVerify. “I would assume that it’s being used all around the world, and including here in the United States.”

Hundreds of millions of iPhones running iOS 18 could be vulnerable to DarkSword.

“I think that the top line issues here are pretty clear: people who have devices that are vulnerable should upgrade ASAP,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation. “It is very likely that these vulnerabilities are being used right now to exploit vulnerable devices at scale, which is unusual for Apple products.”

The propagation problem

Coruna was concerning enough for Apple that it took the rare step of backporting security updates to still older versions of iOS, Cole said. The fear, he said, was that it might be wormable — capable of spreading from one device via text message to everyone in a phone’s contact list.

But Cole said Apple hasn’t released similar security-focused updates to iOS 18, for reasons he doesn’t know.

Apple has emphasized the patches it has issued, urged users to update their phones and touted Lockdown Mode as a defense against spyware.

“Apple devices are designed with multiple layers of security in order to protect against a wide range of potential threats, and every day Apple’s security teams around the world work tirelessly to protect users’ devices and data,” said Apple spokesperson Sarah O’Rourke. “Keeping your software up to date is the single most important thing you can do to maintain the security of your Apple products, and devices with updated software were not at risk from these reported attacks.”

IPhones’ widespread use makes them high-value targets, fueling a thriving market for exploits. Coruna and DarkSword are indicators of this growing demand. 

“It’s time for organizations to start thinking of mobile security the way they think about desktop security, which is to say everyone knows how to secure their laptop,” Cole said. And for iPhone exploit hunting in particular, “you’re starting to see people do it at a mass level.” Furthermore, the resale market is such that exploits that once were exclusive are no longer, and AI makes it even easier to customize them in the code, he said. 

DarkSword has drawn federal attention: The Cybersecurity and Infrastructure Security Agency this week added vulnerabilities that DarkSword exploits to the list that federal agencies must patch.

The number of people still using iOS 18 is large, up to 25% of all iPhones. Cole said several factors are contributing to that, such as users being leery of iOS 26’s onboard artificial intelligence or the Liquid Glass interface.

Said Galperin: “There are many reasons why people do not keep their devices up to date, so when I tell people ‘just patch your stuff’ I think it is important to realize that there are circumstances under which this is easier said than done.”

Proven defenses despite expanding risks

Despite the concerns, Cole credited iPhone for its high security standards, in particular for its app store.

For Natalia Krapiva, senior tech-legal counsel at Access Now, a key takeaway is the worrisome proliferation of commercial spyware and cyber intrusion capabilities.

“This is exactly what human rights activists and digital security researchers have been warning governments and companies about: In the absence of effective regulation for the industry, these exploits will get out and end up in the hands of adversaries like Russia, China, Iran, or, as in the case of DarkSword, leaked online for any criminal to use,” she said.

On the other hand, Apple’s Lockdown Mode and Memory Integrity Enforcement are top-notch defensive measures, Krapiva said. We’ve yet to see a Lockdown Mode-enabled iPhone being infected with spyware, she said.

“I think we’ll keep seeing more attempts to exploit both Apple and Android devices as they improve their software and hardware security,” she said. “It’s the old cat-and-mouse game.”

Adam Boynton, senior enterprise strategy manager at Jamf, said what’s happened with Coruna and DarkSword is evidence of Apple’s success.

“What’s encouraging here is that Apple’s security model works,” he said. “Coruna skips devices running the latest iOS versions and avoids those with Lockdown Mode enabled entirely. That’s a strong validation of the defences Apple has built.

“DarkSword reinforces the same principle,” he continued. “Where Coruna targeted older iOS versions, DarkSword demonstrates that even relatively current releases can be targeted by determined actors. Apple moved quickly to patch the vulnerabilities involved, and devices running the latest iOS are protected.”

The post DarkSword’s GitHub leak threatens to turn elite iPhone hacking into a tool for the masses appeared first on CyberScoop.

Researchers have discovered a second instance of suspected Russian hackers using iOS exploits, pointing to what they say are several foreboding trends.

iVerify, Lookout and Google collaborated on the research published Wednesday, a follow-up to earlier revelations about a similar exploit kit, Coruna. While the second kit — dubbed DarkSword — also targeted users in Ukraine, the scale is significant: iVerify estimated up to 270 million iPhone users could be susceptible, while Lookout told CyberScoop roughly 15% of all iOS devices currently in use are running iOS 18 or earlier versions and could be vulnerable to the exploit kit.

The research reveals a range of new details, as well as interesting patterns:

• Whereas Russian and Chinese hackers used Coruna with financial gain in mind, there are signs DarkSword could serve both financial and surveillance purposes, and/or could be used to inflict harm.
• Lookout observed that someone used a large language model to customize both Coruna and DarkSword.
• The discovery of DarkSword reinforces earlier concerns about a secondary exploit market, Lookout and iVerify said.
• DarkSword is the second “mass” iOS campaign discovered this month, with the first known one to be Coruna.
• Both kits suggest cyberattacks are migrating toward mobile phones as they make up a bigger portion of internet traffic, Rocky Cole, iVerify’s co-founder and chief operating officer, told CyberScoop.
• Google also found that DarkSword was used against targets in Saudi Arabia, Turkey, and Malaysia

DarkSword can exfiltrate saved passwords, crypto wallets, text messages and more, researchers found. Attackers are leveraging the exploit kit by first compromising Apple’s WebKit and then using WebGPU as a pivot point for sandbox escapes, according to Justin Albrecht, Lookout’s global director for mobile threat intelligence.

What’s less clear is who, exactly, is behind the exploit kit, other than the links to Russia. Cole said DarkSword is hosted on the same command and control infrastructure as Coruna, but is an entirely separate kit made by entirely separate people. Google has attributed the campaigns to a group it tracks as UNC6353, which it describes as a Russian-backed espionage group, as well as UNC6748 and Turkish commercial surveillance vendor PARS Defense. 

The attackers’ motives are also a bit opaque, mixing what appears to be both espionage and financial objectives. Albrecht noted there is precedent for this: Russian threat groups have targeted cryptocurrency in Ukraine before, notably with Infamous Chisel, an Android exploit kit deployed by Sandworm. 

“They’re probably well-funded, probably well-connected, but it’s confirmed that they’re stealing crypto. There is definitely a financial motivation,” Albrecht told CyberScoop. “Now, I think the big question is, depending on who the group is, is the financial motivation in this just to do damage to Ukrainians, or is it to steal crypto?”

Russia has been under heavy sanctions for a long time and is starting to have budget problems due to the ongoing war in Ukraine, he noted. “Why not start to fund their operations with stolen funds? It wouldn’t be outside the norm, although it would be a potential shift in their TTPs for Russian APTs in general,” Albrecht said. 

The kit could be handy for someone trying to do a “pattern of life” analysis, Cole said, and thus useful for surveillance and intelligence purposes.

He said a commercial spyware vendor might have made the kit with no target audience in mind, thus the “Swiss Army knife”-like quality of it. The major concern for Cole is that there’s apparently a growing market for these kinds of tools, and people may be lulled into a false sense of security about iPhones not being vulnerable.

Despite the sophistication of the exploits themselves, the threat actors behind DarkSword may not be particularly experienced, Albrecht said. None of the JavaScript or HTML code was obfuscated in any way, and the server-side component was labeled “Dark sword file receiver” — poor operational security for a seasoned Russian threat actor.

“Your experienced Russian threat actors, your APT29’s of the world, I would expect them to have better OPSEC,” Albrecht said.

One of the more unusual findings in the research is the clear presence of large language model-generated code. The server-side component of DarkSword, for instance, includes telltale signs of AI-generated code, complete with detailed notes and comments characteristic of LLM output.  It’s a development that effectively lowers the barrier to entry for deploying advanced mobile exploits, even among state-sponsored actors, Albrecht said.

All three research teams have been in contact with Apple about the findings, according to Albrecht, with Google likely in closest contact since they began investigating the threat in late 2025. In its blog, Google said it reported the vulnerabilities used in DarkSword to Apple in late 2025, and all vulnerabilities were patched with the release of iOS 26.3, although most were patched prior.

CLARIFICATION 3/18/26: Clarified the suspected origins of the DarkSword exploit kit and any links to tools developed for the U.S. government.

The post Second iOS exploit kit now in use by suspected Russian hackers appeared first on CyberScoop.

An exploit kit that may have originated from a leaked U.S. government framework is behind what researchers are calling the first mass-scale attack on iOS, the operating system for Apple’s iPhones.

Traces of the exploits, found in the work of Chinese cybercriminals, also have been spotted in Russian attacks on Ukraine and used by a customer of a spyware vendor.

Those conclusions come from two pieces of research that Google Threat Intelligence Group and iVerify released separately Tuesday. Rocky Cole, co-founder of iVerify, said it represented a potential “EternalBlue moment,” with echoes of that exploit software escaping the National Security Agency to fuel the global WannaCry ransomware and NotPetya attacks in 2017.

Google said that the so-called Coruna exploit kit that’s the subject of Tuesday’s research “provides another example of how sophisticated capabilities proliferate,” as it wrote in a blog post about the zero-day — or previously undisclosed and unpatched — exploits.

“How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits,” Google wrote. “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.”

Said iVerify: “While iVerify has some evidence that this tool is a leaked U.S. government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.”

Just last week, a U.S. court sentenced a former L3 Harris executive to prison for selling zero-day exploits to a Russian broker.

Both Google and iVerify connected the exploit kit to Operation Triangulation, which Russian cybersecurity firm Kaspersky said in 2023 had targeted the company and the Russian government attributed to the U.S. government. The NSA declined to comment on that allegation.

An Apple spokesperson didn’t respond to a request for comment Tuesday afternoon. Apple issued multiple patches in response to Operation Triangulation, and worked with Google on the newest research.

Spencer Parker, chief product officer at iVerify, said the attack affected at least 42,000 devices —a “massive number” for iOS, even if it sounds small to other platforms. That number has the potential to expand as researchers dive further into the technical details, Cole said.

Other signs point to U.S. development of the exploit kit, Cole said.

“The code base for the framework and the exploits was superb,” he said. “It was elegantly written. It’s fluid and holds together very well. There were comments in the code that, as someone who’s been around the U.S. defense industrial base for years, really are reminiscent of the sort of insider jokes and insider remarks that you might see from a U.S. based coder. Certainly they were native English language speakers.”

Google said it tracked the use of the exploit kit over the course of last year in operations from an unnamed customer of a surveillance vendor to attacks on Ukrainian users from a suspected Russian espionage group, before retrieving the complete exploit kit from a financially motivated group operating out of China.

Apple-focused security researcher Patrick Wardle observed on the social media site X about the Coruna research: “Turns out even lowly cybercriminals were (ab)using 0days to hack Apple devices.”

The post Possible U.S.-developed exploits linked to first known ‘mass’ iOS attack appeared first on CyberScoop.

WhatsApp unveiled a lockdown-style feature on Tuesday similar to those offered by other tech providers aimed at blocking sophisticated cyberattacks, with spyware in mind.

The “Strict Account Settings” feature will roll out in the coming weeks and once enabled, will allow users to limit features in certain ways, such as blocking attachments and media from others not in a user’s contact list.

“We will always defend that right to privacy for everyone, starting with default end-to-end encryption,” WhatsApp said in a blog post. “But we also know that a few of our users — like journalists or public-facing figures —  may need extreme safeguards against rare and highly-sophisticated cyber attacks.”

WhatsApp has been fighting a legal battle against NSO Group stemming from the 2019 installation of the company’s Pegasus spyware on an estimated 1,400 WhatsApp users. Meta, WhatsApp’s parent company, has scored some wins in that court fight.

The WhatsApp feature “sounds like an excellent addition” to features like Apple’s Lockdown Mode and Memory Integrity Enforcement, as well as Google’s Advanced Protection, said Natalia Krapiva, senior tech legal counsel at the digital civil rights group Access Now.

“It is encouraging to see more companies enabling advanced security features to protect high risk users from spyware,” Krapiva said. “While litigation is an essential tool in combating spyware, due to the high costs and jurisdictional hurdles, it may not be accessible to most victims.

“Introducing measures like this that are free and do not require advanced technical knowledge could help stop spyware harms and prevent them from happening in the future for millions of users, especially journalists, activists, and human rights defenders,” she said.

Users can enable the feature by going to Settings > Privacy > Advanced.

The post WhatsApp releases account feature that looks to combat spyware appeared first on CyberScoop.

An international effort to create voluntary standards for the commercial cyber intrusion industry is wrestling with questions like who they should apply to, how to incentivize and measure compliance and what to do with companies with a checkered past.

The first round of the Pall Mall Process focused on a code of conduct for government use of commercial hacking tools. This year, participants are turning their attention to industry guidelines. At the DistrictCon conference in Washington D.C. Saturday, representatives from the government, industry and civil society organizations weighed some of the factors that will go into deciding those voluntary rules.

The discussion under Chatham House rules that forbids disclosure of the identity of the participants comes as nations look to use or regulate spyware or both, and as the Trump administration and Congress are considering a broader role for the private sector in stepping up cyber offense.

A foreign government representative at the event said the goal of the Pall Mall Process isn’t to eliminate commercial intrusion products that can help in legitimate pursuits like law enforcement, but to establish rules of the road for their responsible government use and purchase from responsible vendors.

“We do want that marketplace,” they said. “It’s not about trying to stop it.”

The scope of the industry guidelines was a big question for Saturday’s discussion. It included debates and speculation about who the rules would apply to: Would the rules include things like reconnaissance tools, and how would they draw the line between academic research and illegitimate goals?

Some participants were more focused on the incentives and disincentives for participation. It’s possible some vendors would reject the voluntary rules if they turned into nettlesome barriers to selling products to governments, some said.

“Right now I haven’t heard anything that makes me want to do any of this,” one said.

A different participant argued that while the rules could mean vendors might find it more profitable to do business with nations that don’t adhere to the guidelines, the upside is that they can stay in their field of work and make money without contributing to the persecution or even deaths of victims of their technology.

Another participant said streamlining the procurement process across governments could make the code of conduct more inviting, if it would allow vendors to do business with multiple nations simultaneously.

Another topic was how to handle companies that have been shady in the past, if they want to enlist with the code of conduct going forward. As the foreign government representative noted, the question is how to avoid the rules being used to “launder irresponsible behavior.”

One participant added for clear punishment for those who show disregard for the rules after subscribing to them. Another said that the rules shouldn’t have too high of a barrier, and they “can’t be punitive,” so as to invite those who misbehave back into the fold to steer them on a better path.

The standards could also address what kind of guidelines vendors should follow about keeping up with their customers and knowing whether they’re fostering abuse, and whether companies should have “responsibility for a kill switch,” as the foreign government representative phrased it.

While the rules wouldn’t be binding, they still could be used by governments to shun companies that don’t subscribe to them and do what they can to discourage others from buying from them, the foreign government representative said.

The post Industry, government, nonprofits weigh voluntary rules for commercial hacking tools appeared first on CyberScoop.

Jordanian authorities used Cellebrite phone-cracking technology to access the devices of domestic activists and human rights defenders and then extract information from them, according to an investigation published Thursday.

The nonconsensual access stood in conflict with international human rights treaties that Jordan ratified, the University of Toronto’s Citizen Lab investigation determined, prompting the research organization to call on Cellebrite to open a probe into clients in Jordan.

Citizen Lab, which released its investigation in coordination with the Organized Crime and Corruption Reporting Project (OCCRP), analyzed the phones of four activists after Jordanian authorities seized and returned them, then concluded with “high confidence” that the  devices had been subjected to Cellebrite’s forensic extraction products. Court documents from criminal proceedings under Jordan’s 2023 Cybercrime Law supplied additional evidence.

The cases Citizen Lab evaluated transpired between late 2023 and mid-2025, during a time of protests in support of Palestinians. They involved a political activist, student organizer, activist/researcher and human rights defender, three of whom had iPhones and the other of whom had an Android device.

The Citizen Lab probe adds to a body of reporting about alleged Cellebrite abuses. Last year, Amnesty International reported that Serbian authorities had used Cellebrite in conjunction with spyware to eavesdrop on activists and journalists, the latter category of whom have reportedly had their phones accessed in a number of countries via Cellebrite tech.

Citizen Lab further concluded that products by the Israel-based Cellebrite are widely used against civil society in Jordan, with forensic data showing its use dating back to at least 2020.

“Surveillance is not limited to spyware,” said the lead author of the report, Kamel Al-Shawareb, a pseudonymous research fellow at Citizen Lab. “Authoritarian states access smartphone data remotely with spyware like Pegasus or by physically seizing a device and using Cellebrite to access the contents.”

Activists whose phones Citizen Lab examined said it shook their confidence and had them resorting to self-censorship.

“I felt wronged and violated, like they stole something from me, and not because they’re strong, but because we’re legally weak,” one of the people told the OCCRP on condition of anonymity. 

Victor Cooper, a spokesperson for Cellebrite, said that the company can’t disclose specific information on its customers. But he said it prohibits transactions with any entities on the sanctions list of the United States and other nations and organizations. 

“Beyond these baselines, the company vets potential customers against internal human rights parameters, leading us to historically cease business in jurisdictions where risks were deemed incompatible with our corporate values,” he said in an email to CyberScoop. “We license technology solely for lawful purposes, requiring customers to explicitly certify they possess valid legal authority prior to usage.”

He said that Cellebrite tech, unlike spyware, can’t intercept communications or monitor devices in real time, but rather can access private data under legal processes to aid investigations after something has occurred.

“We take seriously all allegations of potential misuse of our technology in ways that would run counter to both explicit and implied conditions outlined in our end-user agreement,” Cooper said. “ Once solid information is shared with Cellebrite, we review the allegations and take proactive precise steps to investigate each claim in accordance with our ethics and integrity policies. When appropriate we stop the use of our products by the relevant customers. ”

Citizen Lab said Cellebrite’s responses to its questions as part of the investigation were “vague and unsubstantiated.”

Jordan’s Ministry of Government Affairs and its embassy in the United States did not respond to requests for comment.

The post Researchers find Jordan government used Cellebrite phone-cracking tech against activists appeared first on CyberScoop.

Predator spyware operators have the ability to recognize why an infection failed, and the tech has more sophisticated capabilities for averting detection than previously known, according to research published Wednesday.

Jamf Threat Labs found from an analysis of a Predator sample that it has an error code system that can alert operators to why an implant didn’t stick, with “error code 304” signifying that a target was running security or analysis tools.

“This error code system transforms failed deployments from black boxes into diagnostic events,” Shen Yuan and Nir Avraham wrote for the company. “When an operator deploys Predator against a target and receives error code 304, they know the target is running security tools — not that the exploit failed, not that the device is incompatible, but specifically that active analysis is occurring.

“This has direct implications for targeted individuals: if security analysis tools like Frida are running, Predator will abort deployment and report error code 304 to operators, who can then troubleshoot why their deployment failed,” they continued.

Furthermore, the capability to detect specific security tools reveals more about Predator’s workings.

“The inclusion of netstat is noteworthy — it suggests Predator is concerned about targets who might be monitoring their own network connections, not just researchers with specialized tools,” the researchers wrote. “A privacy-conscious user simply checking their network connections would trigger this detection.”

And Predator suppresses crash logs that can help detect infection attempts, Jamf concluded.

It’s the second time in as many months that researchers have uncovered capabilities that differentiate Predator, made by Intellexa, from competitors.

Jamf said the results of its analysis show that Predator is interested in dodging both spyware researchers and security products, and overall point to better anti-analysis capabilities than those that have been previously documented.

The post Predator spyware demonstrates troubleshooting, researcher-dodging capabilities appeared first on CyberScoop.

The Trump administration this week removed three Iranians from its sanctions list who were previously accused of working for Intellexa, the consortium behind the Predator spyware that recent investigations say has circumvented human rights safeguards.

The Biden administration imposed sanctions against the trio in 2024 as part of a broader move to sanction spyware operators. The Treasury Department noted the deletions this week as part of other sanctions moves.

Under the prior sanctions designations, the Biden administration said that Merom Harpaz was manager of Intellexa S.A., a member of the consortium; that Andrea Nicola Constantino Hermes Gambazzi was functionally the owner of Thalestris Limited and Intellexa Limited, two other consortium members; and that Sara Aleksandra Fayssal Hamou was a corporate off-shoring specialist who has provided managerial services to the Intellexa Consortium.

While the Tuesday notice about the sanctions removal provided no explanation, “this removal was done as part of the normal administrative process in response to a petition request for reconsideration,” a U.S. official told CyberScoop.

“Each individual has demonstrated measures to separate themselves from the Intellexa Consortium and it has been determined that the circumstances resulting in the sanction no longer apply,” the official said. “The power of sanctions derive not only from the ability to designate individuals, but also from our willingness to remove sanctions consistent with the law.”

Only last month, an investigation concluded that despite sanctions against those three individuals and others, Intellexa had retained the capacity to remotely access the systems of Predator customers, raising human rights questions. Other reports from last month found evidence of expanded Predator targeting and exploitation of malicious mobile advertisements to infect targets.

Researchers and advocates who work on spyware issues found the sanctions removals concerning.

“The public deserves to know what evidence exists to prove that these individuals have ceased their involvement with Intellexa,” Natalia Krapiva, senior tech-legal counsel at Access Now, wrote on Bluesky.

John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, said on X that he found the removals “puzzling,” adding that “Some in the mercenary spyware ecosystem are probably reading today’s Intellexa exec [delisting] as: ‘scoff at US, help hack Americans & you can still skirt consequences with the right lobbying.’”

The post Treasury removes Intellexa spyware-linked trio from sanctions list appeared first on CyberScoop.

The Defense Department would require that senior leaders have secure mobile phones, that personnel would get cybersecurity training that includes a focus on artificial intelligence and that cyber troops would have access to mental health services under a compromise annual defense policy bill released over the weekend.

The deal between House and Senate negotiators on the fiscal 2026 National Defense Authorization Act (NDAA) is a massive piece of legislation that runs the gamut of the Pentagon, including a record-breaking $901 billion topline figure. It also has a grab bag of cybersecurity policy provisions. The House could take it up as soon as this week.

The legislation states that the secretary of defense “shall ensure” that wireless mobile phones the department provides to its senior leaders and others working on sensitive national security missions meets a list of cybersecurity requirements, such as data encryption. A Pentagon watchdog last week published long-awaited examinations of the Signalgate incident that enveloped Defense Secretary Pete Hegseth. 

The bill directs the department to make sure that behavioral health specialists with proper security clearances are dispatched to United States Cyber Command and the Cyber Mission Force. It follows in the tradition of past provisions of defense policy bills to address the mental health needs of personnel there.

The department is told to revise mandatory training on cybersecurity for members of the Armed Forces and civilian employees “to include content related to the unique cybersecurity challenges posed by the use of artificial intelligence.”

There are plenty of other cybersecurity provisions contained in the bill.

It would set up barriers to splitting the leadership of Cyber Command and the National Security Agency by prohibiting any department funding from being used to “reduce or diminish the responsibilities, authorities or organizational oversight of the Commander of the United States Cyber Command.”

On behalf of defense contractors, the bill orders the department to “harmonize the cybersecurity requirements” across the department and reduce the number of cybersecurity requirements “that are unique to specific contracts.” That’s a focus of the forthcoming Trump administration cybersecurity strategy.

It also includes a statement of policy on the use of commercial spyware. It says that policy is to oppose the misuse of commercial spyware to include groups like journalists and human rights activists, to coordinate with allies to prevent the export of commercial spyware to those who are likely to misuse them and to “establish robust guardrails,” as well as work with the private sector counter abuse.

Such statements of policy don’t carry legal force but give a sense of lawmaker consensus and intentions.

The post Defense bill addresses secure phones, AI training, cyber troop mental health appeared first on CyberScoop.

Leaked training videos suggest that Intellexa retained the ability to remotely access the systems of customers who had used its Predator spyware, raising questions about human rights safeguards, according to an investigation published Thursday.

That was just one finding from a series of separate but overlapping probes released over the past 24 hours. The training video revelations came via a joint investigation by Inside Story, Haaretz and WAV Research Collective in partnership with Amnesty International. Google and Recorded Future also published research Thursday about Intellexa.

“The fact that, at least in some cases, Intellexa appears to have retained the capability to remotely access Predator customer logs – allowing company staff to see details of surveillance operations and targeted individuals [—] raises questions about its own human rights due diligence processes,” Jurre van Bergen, technologist at Amnesty International Security Lab, said in a news release.

“If a mercenary spyware company is found to be directly involved in the operation of its product, then by human rights standards, it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused by the use of spyware,” he continued.

The “Intellexa Leaks” investigation learned more about the U.S.-sanctioned company’s operations as well. One revelation was that Intellexa was exploiting malicious mobile advertisements to infect targets, a vector named “Aladdin,” investigators concluded.

Other findings include confirmation of Predator domains imitating legitimate Kazakhstani news sites, and additional evidence linking Predator spyware to surveillance of prominent Egyptian political activist Ayman Nour and Greek investigative journalist Thanasis Koukakis, according to Amnesty. And the news publications reported on the first reported Predator infection in Pakistan, of a human rights lawyer, and additional targeting in the country.

A lawyer for Intellexa founder Tal Dilian only responded in part to questions from Haaretz, the publication reported, saying that ‘progressive groups rely on biased and politically motivated international organizations that spread unfounded claims, and use journalists, as ‘useful idiots,’ who repeatedly publish so-called investigative reports directed by the same actors.”

The attorney added: “I have not committed any crime nor operated any cyber system in Greece or anywhere else. Any claim suggesting otherwise is false and defamatory. I categorically reject any attempt to link me to events in Greece or to the media campaign surrounding them. I protect my rights and will continue pursuing legal action against those who defame me.”

Recorded Future’s Insikt Group, meanwhile, published a study on individuals and groups connected to Intellexa.

“These connections span technical, operational, and corporate roles, including backend development, infrastructure setup, and company formation,” wrote Julian-Ferdinand Vögele, principle threat researcher. “In addition, Recorded Future’s proprietary intelligence revealed ongoing Predator spyware activity in multiple countries, including new evidence of its deployment in Iraq.”

On Wednesday, Google said it had identified the companies Intellexa had created to infiltrate the advertising ecosystems, with partners subsequently shutting down the accounts.

Additionally, the firm pointed to one way Intellexa stands out among others.

“Over the past several years, Intellexa has solidified its position as one of, if not the most, prolific spyware vendors exploiting zero-day vulnerabilities against mobile browsers,” a blog post from Google Threat Intelligence Group reads. “Despite the consistent efforts of security researchers and platform vendors to identify and patch these flaws, Intellexa repeatedly demonstrates an ability to procure or develop new zero-day exploits, quickly adapting and continuing operations for their customers.”

The post Intellexa remotely accessed Predator spyware customer systems, investigation finds appeared first on CyberScoop.

The Cybersecurity and Infrastructure Security Agency warned Monday about threat groups using commercial spyware to target messaging apps, and urged users to take protective steps.

“CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps),” the agency said in a brief online notice. “These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.”

The warning draws on research this year that calls attention to hackers who are mimicking popular apps to deploy Android spyware, as well as Android spyware targeting Samsung devices by sending image files over WhatsApp. The warning also piggybacks on research about Russian hackers infecting Signal accounts.

“While current targeting remains opportunistic, evidence suggests these cyber actors focus on high-value individuals, such as current and former high-ranking government, military, and political officials, as well as civil society organizations (CSOs) and individuals across the United States, Middle East, and Europe,” the CISA warning states.

It’s rare, but not unheard of, for CISA to warn about spyware threats. One alert dates back to 2009 from a predecessor to CISA. It has released cybersecurity advice for dealing with spyware, and placed vulnerabilities that spyware vendors have exploited on its so-called “must-patch” list for federal agencies, including the recent Samsung vulnerability.

This time, CISA directed users to mobile security guidelines and advice for civil society groups. 

Beyond the warnings about targeting messaging apps, CISA also said threat groups are using malicious QR codes and zero-click exploits, which infect users even if they don’t take any direct action themselves.

The post CISA alert draws attention to spyware’s targeting of messaging apps appeared first on CyberScoop.

NSO Group argued in a court filing this week that the court should pause the permanent injunction preventing it from targeting WhatsApp with its spyware while the company appeals the decision. According to the company, enforcing the injunction would cause irreparable harm to its business and prevent the U.S. government from using its products.

Those were just two of the arguments NSO Group employed in its motion to stay on Wednesday. The second argument coincides with the vendor’s recent decision to tap an ex-U.S. envoy to Israel from the first Trump administration as its executive chairman, and its confirmation of U.S. investors purchasing the company.

NSO Group repeated its claim that the Northern District Court of California’s decisions  could effectively shut down the company, which makes Pegasus spyware. “NSO will suffer irreparable, potentially existential injuries if the injunction is not stayed,” it says.

But the company dived further into its reasoning. The injunction, it argues, requires the defendants to destroy code that accesses or uses the WhatsApp platform.

“The deletion and destruction of computer code and technologies cannot be undone or remedied by money damages — once these are gone, they are gone,” the NSO Group motion contends. “And the injunction prohibits NSO from engaging in entirely lawful conduct to develop, license, and sell products used in authorized government investigations — a prohibition that would devastate NSO’s business and could well force it out of business entirely.”

In the meantime, NSO Group’s competitors would have no such restrictions, the motion states. And, it says, the injunction “apparently bans NSO from selling or maintaining any technology to collect information from user devices if the target information comes from WhatsApp — even if the collection method never touches WhatsApp servers.” The effect would be to halt any NSO Group business during its appeal, the company argues.

NSO Group also maintains that the injunction goes against one of the pertinent laws in the case, the main federal anti-hacking statute: The Computer Fraud and Abuse Act.

The law “expressly excepts from the CFAA’s prohibitions ‘any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States . . . or of an intelligence agency of the United States,’” the motion states. 

A stay is in the public interest because of Pegasus’ use in combating crime in terrorism, the company added.

“Because the Court refused to carve U.S. law-enforcement operations out of the permanent injunction, that injunction would prevent the FBI (or any other U.S. or state law enforcement or intelligence agency) from entering into another such license for any existing version of Pegasus,” the motion reads. “Regardless of whether the FBI or any other U.S. government agency has made direct, operational use of the system in the past, allowing the injunction to go into effect would thus deprive U.S. law enforcement of the ability to use the system in the future.“

The FBI once purchased a license for Pegasus and reportedly flirted with deeper involvement with NSO Group.

The second Trump administration earlier rebuffed an attempt by NSO Group to get the company removed from a Commerce Department trade blacklist. That decision came before the company’s recent U.S.-flavored moves, however.

The post NSO Group argues WhatsApp injunction threatens existence, future U.S. government work appeared first on CyberScoop.

A new commercial-grade spyware has apparently been targeting Samsung Galaxy phones in the Middle East, but it’s not clear who’s behind it, researchers said in a blog post Friday.

Whoever’s responsible, they seized upon a previously unknown, unpatched vulnerability known as a zero-day — a flaw Samsung has since closed, the researchers from Palo Alto Networks’ Unit 42 said.

The company dubbed the spyware “Landfall.” The research indicates potential targets in Iran, Iraq, Morocco and Turkey, the blog post states. It’s a campaign that has been underway since at least the middle of 2024, pointing to the spyware’s ability to remain hidden.

Landfall is embedded in malicious DNG image files that seem to have been sent via WhatsApp, although there is no indication of any new vulnerability with that messaging platform. WhatsApp has been fighting spyware on another front, in a ground-breaking legal battle against leading spyware vendor NSO Group.

It doesn’t appear to require any interaction with victims, a kind of exploit called “zero-click.” Once it infects a phone, Landfall has the kind of sweeping surveillance capabilities found in spyware sold by industry vendors, capable of activating microphone recording or collecting photos and contacts.

“We believe the focus on Samsung Galaxy devices stems from the attackers exploiting a Samsung-specific image-processing zero-day, so the tooling was built for that environment,” Itay Cohen, senior principal researcher at Unit 42 told CyberScoop in an emailed comment. “That said, we think we’re only seeing part of the activity. This isn’t isolated — this campaign delivering LANDFALL appears to be part of a broader DNG exploitation wave that also hit iPhone devices via a different zero-day. It’s also possible that other mobile vendors were targeted using undiscovered vulnerabilities to deliver the same or similar implants.”

The spyware specifically targets S22, S23, S24 and Fold/Flip Samsung devices.

There are some potential clues as to who might be involved, but all of them are inconclusive, Palo Alto Networks said.

Landfall’s command and control infrastructure and domain registration patterns share similarities with a group known as Stealth Falcon, which has suspected links to the United Arab Emirates government.

“As of October 2025, except in infrastructure, we have not observed direct overlaps between the mobile campaigns of LANDFALL and the endpoint-based activity from Stealth Falcon, nor direct strong links with Stealth Falcon,” Palo Alto Networks wrote. “However, the similarities are worth discussion.”

Samsung did not immediately respond to a request for comment.

The post New Landfall spyware apparently targeting Samsung phones in Middle East appeared first on CyberScoop.

Heather Doerges // My mom called the other day. It started out, “Honestly, your father.” Which, isn’t a strange way for her to start a conversation about my dad. “What […]

The post That One Time My Parents Were Hacked appeared first on Black Hills Information Security, Inc..