CyberSecurity news

FlagThis - #spyware

rulesbot@community.emergingthreats.net //
Emerging Threats has released a significant ruleset update, v10950, aimed at bolstering network security and threat detection. The update includes 73 new open rules and 136 new pro rules, totaling 209 enhancements to the existing security framework. These rules are designed to address a wide spectrum of threats, ranging from general malware to web application-specific vulnerabilities and hunting activities, enabling organizations to strengthen their defenses against an evolving threat landscape. The release date for this update is June 13, 2025.

Among the key targets of this update is the Predator spyware, which remains a persistent threat despite US sanctions. The ruleset includes specific signatures to detect DNS queries associated with Predator spyware domains, such as gilfonts .com, zipzone .io, and numerous others. This highlights the ongoing efforts to identify and neutralize the infrastructure used by Intellexa, the maker of Predator, even as they attempt to evade detection through new servers and domains. This focus underscores the importance of continuous monitoring and adaptation in the face of sophisticated surveillance tools.

In addition to addressing the Predator spyware, the ruleset update also tackles a critical vulnerability in Fortinet Admin APIs, specifically a Stack-based Buffer Overflow in the AuthHash Cookie, identified as CVE-2025-32756. This rule aims to protect against potential exploits targeting this weakness in Fortinet systems. Furthermore, the update incorporates rules for hunting SQL Database Version Discovery, enhancing the ability to proactively identify and address potential vulnerabilities within network environments. This comprehensive approach ensures a multi-layered defense against various attack vectors.

Recommended read:
References :

Cynthia B@Metacurity //
References: Risky.Biz , Metacurity , cyberscoop.com ...
Despite US sanctions, Intellexa's Predator spyware continues to operate, adapting to setbacks and surfacing in new locations with innovative techniques to evade detection. Security firm Recorded Future revealed they had linked Intellexa infrastructure to new locations. Their findings suggest Intellexa, also known as the Intellexa Consortium, is actively responding to the challenges posed by sanctions and public exposure and is likely to continue adapting its methods. This highlights the ongoing struggle to effectively curb the proliferation of sophisticated surveillance tools.

Recorded Future's Insikt Group has identified a previously unknown customer in Mozambique, a connection to a Czech entity, and activity linked to an Eastern European country. The Eastern European activity, though brief, suggests possible development or testing of the spyware. The discovery of the Mozambique customer is consistent with the already known high level of Predator activity across Africa. Intellexa has also adopted strategies such as using fake websites, including counterfeit login pages and sites claiming association with conferences, to mask its operations.

Julian-Ferdinand Vögele, a threat researcher with Recorded Future, stated that “Intellexa’s Predator remains active and adaptive, relying on a vast network of vendors, subsidiaries, and other companies.” While Predator activity has declined since sanctions and public exposure, the spyware maker is still finding ways to keep the spyware active and available to customers. The report from Recorded Future warns that "Sanctions and other pressures are likely to drive efforts to increase the complexity of corporate structures, making operations harder to trace and disrupt," emphasizing the importance of continued vigilance and proactive measures to counter the evolving threat posed by Predator.

Recommended read:
References :
  • Risky.Biz: Risky Bulletin: Predator spyware alive despite US sanctions
  • Metacurity: Customers keep buying Predator spyware despite US sanctions
  • Risky Business Media: Risky Bulletin: Predator spyware alive despite US sanctions
  • cyberscoop.com: Predator spyware activity surfaces in new places with new tricks

Pierluigi Paganini@securityaffairs.com //
Apple has released details about a zero-day vulnerability, CVE-2025-43200, that was exploited by Paragon's Graphite spyware to hack at least two journalists' iPhones in Europe. The vulnerability was a zero-click flaw in iMessage, allowing attackers to compromise devices without any user interaction. Apple had quietly patched the flaw in iOS 18.3.1, which was released on February 10, but the details of the vulnerability were not publicized until recently.

The security advisory was updated four months after the initial iOS release to include the zero-day flaw, described as a logic issue when processing a maliciously crafted photo or video shared via an iCloud Link. Apple stated that they were aware of a report that this issue was exploited in an "extremely sophisticated attack against specific targeted individuals." Citizen Lab confirmed that this was the flaw used against Italian journalist Ciro Pellegrino and an unnamed "prominent" European journalist.

Citizen Lab also confirmed that Paragon's Graphite spyware was used to hack the journalists' iPhones. This incident is part of a growing trend of mercenary spyware operators exploiting iOS through silent attack chains. The now-confirmed infections call into question a report by Italian lawmakers, which didn't mention one of the hacked journalists. It remains unclear why Apple did not disclose the existence of the patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity.

Recommended read:
References :
  • infosec.exchange: NEW: Four months after releasing iOS 18.3.1, Apple has published details about a zero-day that it fixed at the time, but did not publicize.
  • Zack Whittaker: Citizen Lab have confirmed two journalists had their phones hacked with Paragon's Graphite spyware, likely by the same customer.
  • securityaffairs.com: Security researchers at Citizen Lab revealed that Paragon’s Graphite spyware can hack fully updated iPhones via zero-click attacks.
  • techcrunch.com: Apple fixes new iPhone zero-day bug used in Paragon spyware hacks
  • The Citizen Lab: Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab
  • infosec.exchange: Researchers found forensic evidence of Paragon's spyware on the iPhones of two journalists. One is Ciro Pellegrino, who works for Fanpage.
  • Zack Whittaker: NEW: Apple has confirmed in a now-updated February security advisory that it fixed a zero-day bug used in an "extremely sophisticated attack."
  • cyberinsider.com: New Zero-Click iMessage Exploit Infected iPhones with Paragon Spyware
  • securityaffairs.com: Apple confirmed that Messages app flaw was actively exploited in the wild
  • The Hacker News: Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware
  • Help Net Security: iOS zero-click attacks used to deliver Graphite spyware (CVE-2025-43200)
  • Risky.Biz: Risky Bulletin: Predator spyware alive despite US sanctions
  • Threats | CyberScoop: Predator spyware activity surfaces in new places with new tricks
  • Risky Business Media: Predator spyware alive despite US sanctions
  • www.scworld.com: New Predator spyware activity identified
  • cyberscoop.com: The spyware’s developer, Intellexa, has been under pressure due to sanctions and public disclosure, but Recorded Future uncovered fresh activity.
  • thecyberexpress.com: Apple Patches Flaw Exploited in Zero-click Paragon Spyware Attacks
  • www.metacurity.com: Customers keep buying Predator spyware despite US sanctions
  • Schneier on Security: Paragon Spyware Used to Spy on European Journalists
  • citizenlab.ca: First forensic confirmation of Paragon's iOS mercenary spyware finds journalists targeted
  • thecyberexpress.com: Apple Patches Flaw Exploited in Zero-click Paragon Spyware Attacks

@Links //
Spyware maker Paragon has severed ties with the Italian government following a dispute over an investigation into the alleged hacking of journalist Francesco Cancellato’s phone. Paragon stated that it offered its assistance to determine whether its Graphite system was used against the journalist in violation of Italian law and contractual terms. However, the Italian authorities declined Paragon’s offer to independently verify the matter, leading the company to terminate its contracts in Italy. This marks the first instance of a spyware provider publicly acknowledging ending a contract with a government client due to concerns over potential abuse.

The Italian government, through its Department of Information for Security (DIS), rejected Paragon’s proposal, deeming it an “invasive practice” that was “unverifiable in scope, results and method.” The government also expressed concerns that accepting Paragon’s help would compromise national security and expose confidential data to a foreign private company. Several Italian news outlets reported on the government's decision.

The Parliamentary Committee for the Security of the Republic (COPASIR) conducted its own investigation, acknowledging that Italian intelligence services had used Paragon’s Graphite spyware to target phones belonging to civil society activists. However, the committee found no evidence that Cancellato was specifically targeted using the technology. This incident has raised questions about the use of spyware by governments and the need for greater transparency and accountability in the industry.

Recommended read:
References :
  • infosec.exchange: NEW: Spyware maker Paragon says it cancelled contracts with Italian spy agencies because the government refused help investigating spyware attack on journalist.
  • techcrunch.com: Paragon says it canceled contracts with Italy over government’s refusal to investigate spyware attack on journalist
  • Links: Spyware maker cuts ties with Italy after government refused audit into hack of journalist’s phone
  • www.metacurity.com: Starlink endangers WH security, Nigeria convicts Chinese cybercriminals, US sentences Nigerian hacker, ICE arrests Oz hacker, Italy ends contract with spyware company Paragon, Supreme Ct. gives DOGE our social security data, BADBOX 2.0 infects 1m+ devices, EU issues cyber blueprint, much more

info@thehackernews.com (The@The Hacker News //
A new report from Citizen Lab has uncovered a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC) living in exile. The attackers utilized a trojanized version of UyghurEditPP, a legitimate open-source text editor designed to support the Uyghur language, to deliver Windows-based malware. This campaign highlights the concerning trend of digital transnational repression, where software intended to empower repressed communities is instead weaponized against them. The method involved impersonating a known contact from a partner organization of the WUC to deliver a Google Drive link containing the malicious file.

Once the infected UyghurEditPP was executed, a hidden backdoor would silently gather system information, including the machine name, username, IP address, and operating system version. This data was then transmitted to a remote command-and-control (C2) server, allowing the attackers to perform various malicious actions, such as downloading files or uploading additional malicious plugins. Citizen Lab researchers noted that the attackers displayed a deep understanding of the target community, using culturally significant Uyghur and Turkic language terms in the C2 infrastructure to avoid raising suspicion.

Researchers believe that state-aligned actors are behind this campaign, reflecting a broader pattern of Chinese government actors targeting the Uyghur community. While the malware itself wasn't particularly advanced, the campaign showcased a high level of social engineering. The discovery emphasizes the ongoing threats faced by the Uyghur diaspora and the need for increased vigilance against digital surveillance and hacking attempts. This incident adds to the growing evidence of digital transnational repression, where governments use digital technologies to surveil, intimidate, and silence exiled communities.

Recommended read:
References :
  • The Citizen Lab: Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware
  • securityonline.info: Weaponized Uyghur Language Software: Citizen Lab Uncovers Targeted Malware Campaign
  • techcrunch.com: Citizen Lab says exiled Uyghur leaders targeted with Windows spyware
  • securityonline.info: Researchers at Citizen Lab have exposed a spearphishing campaign targeting senior members of the
  • The Hacker News: Malware Attack Targets World Uyghur Congress Leaders via Trojanized UyghurEdit++ Tool
  • thecyberexpress.com: Text Editor Used in Targeted Uyghur Spying
  • The Register - Software: Open source text editor poisoned with malware to target Uyghur users
  • The Hacker News: Malware Attack Targets World Uyghur Congress Leaders via Trojanized UyghurEdit++ Tool
  • Security Risk Advisors: State-aligned actors trojanized UyghurEdit++ to target diaspora via phishing. Backdoor exfiltrates system data and downloads plugins. #Uyghur #ThreatIntel
  • citizenlab.ca: 🚩 Trojanized UyghurEdit++ Text Editor Used to Target Uyghur Diaspora With Windows Surveillance Malware
  • The Cyber Express: Trojanized Text Editor Software Used in Targeted Uyghur Spy Campaign
  • hackread.com: China-linked hackers targeted Uyghur activists using a Trojanized UyghurEditPP app in a spear-phishing campaign, Citizen Lab researchers reveal.…
  • Security Risk Advisors: State-aligned actors trojanized UyghurEdit++ to target diaspora via phishing. Backdoor exfiltrates system data and downloads plugins. #Uyghur #ThreatIntel
  • www.scworld.com: Uyghur leaders subjected to malware attack

@cloud.google.com //
Google's Threat Intelligence Group (GTIG) has released its annual review of zero-day exploits, revealing a concerning shift towards enterprise-targeted attacks in 2024. The report highlights a persistent rise in zero-day exploitation, with 75 vulnerabilities actively exploited in the wild. While this number represents a decrease from the 98 exploits observed in 2023, it remains higher than the 63 recorded in 2022, indicating a continued upward trend. The GTIG's analysis divides these vulnerabilities into two main categories: end-user platforms and products, and enterprise-focused technologies such as security software and appliances.

Of the 75 zero-day exploits tracked in 2024, a significant 44% targeted enterprise products. This indicates a strategic shift from attackers who are increasingly recognizing the value in compromising systems that house sensitive data. In contrast, the exploitation of browsers and mobile devices has decreased, falling by about a third and half, respectively. This shift towards enterprise technologies suggests that attackers are focusing on more lucrative targets that offer greater potential rewards. The GTIG report also notes that exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively used to target mobile devices.

Government-backed hackers and commercial surveillance vendors (CSVs) are the primary actors behind many of these exploits. The GTIG report indicates that governments like China and North Korea, along with spyware makers, are responsible for the most recorded zero-days in 2024. Specifically, at least 23 zero-day exploits were linked to government-backed hackers, with 10 directly attributed to governments including five linked to China and five to North Korea. Additionally, spyware makers and surveillance enablers were responsible for eight exploits, suggesting that the industry will continue to grow as long as government customers continue to request and pay for these services.

Recommended read:
References :
  • Threat Intelligence: Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
  • securityaffairs.com: Google tracked 75 zero-day flaws exploited in 2024, down from 98 in 2023, according to its Threat Intelligence Group’s latest analysis.
  • techcrunch.com: Governments like China and North Korea, along with spyware makers, used the most recorded zero-days in 2024.
  • The Hacker News: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
  • CyberInsider: The Google Threat Intelligence Group (GTIG) has published its annual review of zero-day exploits for 2024, revealing a gradual but persistent rise in zero-day exploitation and a concerning shift towards enterprise-targeted attacks.
  • The Register - Security: Enterprise tech dominates zero-day exploits with no signs of slowdown
  • cyberinsider.com: Google Logs 75 Zero-Days in 2024, Enterprise Attacks at All-Time High
  • securityonline.info: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
  • BleepingComputer: Google's Threat Intelligence Group (GTIG) says attackers exploited 75 zero-day vulnerabilities in the wild last year, over 50% of which were linked to spyware attacks.
  • www.techradar.com: Of all the zero-days abused in 2024, the majority were used in state-sponsored attacks by China and North Korea.
  • thecyberexpress.com: Google's Threat Intelligence Group (GTIG) released its annual analysis of zero-day exploitation, detailing how 2024 saw attackers increasingly target enterprise software and infrastructure over traditional consumer platforms like browsers and mobile devices.
  • cloud.google.com: Threat actors exploited 75 zero-days last year, with 33 of those targeting enterprise products
  • socradar.io: Google’s 2024 Zero-Day Report: Key Trends, Targets, and Exploits In late April, Google’s Threat Intelligence Group (GTIG) published its annual report on zero-day exploitation, offering a detailed account of in-the-wild attacks observed throughout 2024. The report draws on GTIG’s original breach investigations, technical analysis, and insights from trusted open-source reporting. GTIG tracked 75 zero-day vulnerabilities
  • Security Risk Advisors: Zero-Day Exploitation Continues to Grow with Shifting Focus Toward Enterprise Security Products

info@thehackernews.com (The@The Hacker News //
References: hackread.com , Risky.Biz , The Hacker News ...
Russian military personnel are being targeted by a new Android spyware campaign that disguises itself as a legitimate Alpine Quest mapping application. The spyware, dubbed Android.Spy.1292.origin, is distributed through unofficial channels, including Russian Android app catalogs and a fake Telegram channel promoting a pirated "Pro" version of the app. Once installed, the trojanized app functions like the original Alpine Quest, a popular navigation tool used by outdoor enthusiasts and also relied upon by Russian soldiers in military zones due to its offline capabilities. This allows the malware to remain undetected while it secretly harvests sensitive data from the compromised device.

The spyware collects a wide range of information, including the user's phone number, contact lists, geolocation data, and a list of files stored on the device. This data is then sent to a remote command-and-control server and a Telegram bot controlled by the attackers. The attackers are particularly interested in retrieving confidential documents shared via messaging apps like Telegram and WhatsApp. The malware also targets a specific file called "locLog" created by Alpine Quest, which logs detailed user movement data. By stealing this file, the attackers can reconstruct the victim's movements over time, enabling surveillance.

Security researchers at Doctor Web discovered the campaign and noted the modular design of the spyware, which allows attackers to expand its capabilities by downloading additional modules. This can enable the exfiltration of specific content and execute a wider spectrum of malicious tasks. The attacks mirror tactics previously deployed by Russian groups against Ukrainian soldiers, seeking to access data from military apps and encrypted messaging apps. Experts advise downloading Android apps only from trusted app marketplaces and avoiding downloading "free" paid versions of software from dubious sources to mitigate the risk posed by such threats.

Recommended read:
References :
  • hackread.com: Fake Alpine Quest Mapping App Spotted Spying on Russian Military
  • Risky.Biz: Risky Bulletin: Russian military personnel targeted with Android spyware reminiscent of Russia's own tactics
  • Risky Business Media: Risky Bulletin: Russian military personnel targeted with Android spyware
  • The Hacker News: Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices
  • bsky.app: Podcast: risky.biz/RBNEWS415/ Newsletter: https://news.risky.biz/risky-bulletin-russian-military-personnel-targeted-with-android-spyware-reminiscent-of-russias-own-tactics/ -Russian military personnel targeted with Android spyware reminiscent of Russia's own tactics -Hegseth involved in 2nd Signalgate scandal -two CISA Secure by Designs execs leave -Asian cyber scam call centers spread worldwide
  • The Hacker News: Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices
  • BleepingComputer: Russian army targeted by new Android malware hidden in mapping app
  • github.com: Details on trojanized Alpine Quest app version
  • The Register - Security: Booby-trapped Alpine Quest Android app geolocates Russian soldiers
  • www.scworld.com: Spyware-laced app targeted Russian military phones
  • securityaffairs.com: Android spyware hidden in mapping software targets Russian soldiers
  • The DefendOps Diaries: Espionage Threats: Android.Spy.1292.origin and Military Cybersecurity

@NCSC News Feed //
A coalition of governments, including the UK, US, Australia, Canada, Germany, and New Zealand, has issued an alert regarding the use of BADBAZAAR and MOONSHINE spyware. These sophisticated tools are being used to target civil society groups and ethnic minorities, specifically Uyghur, Taiwanese, and Tibetan communities. The spyware is embedded within seemingly legitimate Android applications, effectively acting as Trojan malware to gain unauthorized access to sensitive data. These malicious apps are designed to appear harmless, often mimicking popular apps or catering to specific interests of the targeted groups.

These spyware families are capable of accessing a wide range of information on infected devices, including location data, microphone and camera feeds, messages, photos, and other stored files. The UK's National Cyber Security Centre (NCSC) has stated that the targeted individuals are those connected to topics considered a threat to the Chinese state, such as Taiwanese independence, Tibetan rights, Uyghur Muslims, democracy advocacy, and the Falun Gong spiritual movement. The indiscriminate nature of the spyware's spread raises concerns that infections may extend beyond the intended targets, potentially affecting a broader range of users.

The advisory includes a list of over 100 malicious Android apps that have been identified as carrying the BADBAZAAR and MOONSHINE spyware. These apps often masquerade as Muslim and Buddhist prayer apps, chat applications like Signal, Telegram, and WhatsApp, or utility apps like Adobe Acrobat PDF reader. To mitigate the risk, individuals are urged to download apps only from official app stores, keep their devices and apps up to date, avoid rooting or jailbreaking their devices, and carefully review app permissions before installation. The NCSC and its partners continue to monitor the activities of these malicious cyber actors and provide guidance to help individuals protect themselves from these evolving threats.

Recommended read:
References :
  • thecyberexpress.com: Global Cybersecurity Agencies Warn of Spyware Targeting Uyghur, Tibetan, and Taiwanese Communities
  • ComputerWeekly.com: NCSC issues warning over Chinese Moonshine and BadBazaar spyware
  • NCSC News Feed: BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors
  • Danny Palmer: The NCSC has put out a warning on how malicious cyber actors are using two forms of spyware - dubbed MOONSHINE and BADBAZAAR - hiding in otherwise legit mobile apps to target individuals in Uyghur, Tibetan and Taiwanese communities as well as civil society groups.
  • Zack Whittaker: A coalition of global governments have identified dozens of Android apps that are bundled with the prolific BadBazaar and Moonshine spyware strains, which they say are targeting civil society who oppose China's state interests.
  • techcrunch.com: Governments identify dozens of Android apps bundled with spyware
  • Threats | CyberScoop: BadBazaar and Moonshine malware targets Taiwanese, Tibetan and Uyghur groups, U.K. warns
  • techcrunch.com: Governments warn of BadBazaar and Moonshine spyware, MSFT issued fixes for at least 121 flaws, Scattered Spider persists after arrests, UK probes suicide forum, Hackers abuse SourceForge to distribute malware, Dutch gov't to screen researchers and students for espionage risks, much more
  • NCSC News Feed: The NCSC has put out a warning on how malicious cyber actors are using two forms of spyware - dubbed MOONSHINE and BADBAZAAR - hiding in otherwise legit mobile apps to target individuals in Uyghur, Tibetan and Taiwanese communities as well as civil society groups.
  • securityonline.info: Spyware Alert: BADBAZAAR and MOONSHINE Target Civil Society and Ethnic Groups
  • cyberscoop.com: BadBazaar and Moonshine malware targets Taiwanese, Tibetan and Uyghur groups, U.K. warns
  • Tenable Blog: Tenable Blog on Mobile Spyware Attacks
  • cyberinsider.com: CyberInsider article on Western intelligence agencies exposing Chinese spyware

Alex Lekander@CyberInsider //
Amnesty International's Security Lab has uncovered evidence that two investigative journalists from the Serbia-based Balkan Investigative Reporting Network (BIRN) were targeted with NSO Group’s Pegasus spyware in February 2025. This marks the third time in two years that Amnesty International has found Pegasus being used against civil society members in Serbia, building upon previous findings detailed in their December 2024 report, "A Digital Prison." The journalists received suspicious text messages, and research confirmed the links led to a domain previously identified as part of NSO Group's infrastructure.

These latest findings reinforce concerns about Serbian authorities abusing invasive spyware to target journalists, activists, and other members of civil society. NSO Group responded to Amnesty International's findings by stating they cannot comment on specific customers or disclose technical information, while reiterating their commitment to respecting human rights and upholding the UN Guiding Principles on Business and Human Rights. Despite this commitment, security researchers are increasingly able to detect Pegasus attacks, suggesting challenges for NSO Group in maintaining operational security and concealing their activities.

Recommended read:
References :
  • securitylab.amnesty.org: Journalists targeted with Pegasus spyware - Amnesty International Security Lab
  • CyberInsider: Viber Messenger Abused for Delivering Pegasus Spyware on Targets
  • thecyberexpress.com: Investigative Journalists in Serbia Hit by Advanced Spyware Attack
  • techcrunch.com: Again and again, NSO Group’s customers keep getting their spyware operations caught
  • infosec.exchange: NEW: Despite its lofty promises of invisibility, NSO Group customers keep getting their spyware operations against journalists and dissidents caught. “NSO has a basic problem: they are not as good at hiding as their customers think,” said John Scott-Railton, who has investigated spyware for 10+ years. This week, it was the turn of the Serbian government, who allegedly targeted two journalists with NSO Group's spyware Pegasus, according to Amnesty International.
  • PrivacyDigest: Again and again, Group’s customers keep getting their operations caught | TechCrunch On Thursday, published a new report detailing attempted against two , allegedly carried out with NSO Group’s spyware .
  • ESET Research: NEW: Despite its lofty promises of invisibility, NSO Group customers keep getting their spyware operations against journalists and dissidents caught. “NSO has a basic problem: they are not as good at hiding as their customers think,â€� said John Scott-Railton, who has investigated spyware for 10+ years. This week, it was the turn of the Serbian government, who allegedly targeted two journalists with NSO Group's spyware Pegasus, according to Amnesty International.
  • The420.in: The murky world of cyber surveillance has once again been thrust into the spotlight as Amnesty International uncovered an attempt to hack two Serbian journalists using Pegasus, the notorious spyware developed by Israeli firm NSO Group.