You Shall Not PASS - Analysing a NSO iOS Spyware Sample

NSO’s Pegasus spyware used a PKPass file delivered via iMessage to execute a zero-click exploit chain targeting iOS devices

Key indicators of compromise include:

• Repeated Message Blasterd service crashes
• IMTransferAgent process downloading suspicious iMessage attachments
• Files with .png extensions that are actually WebP files
• PKPass files containing suspicious “function” string patterns
• Presence of repeating ‘A’ characters in payloads
• Files written to /private/var/tmp

The attack chain involved multiple layers of:

• Base64 encoding
• Compression
• NSKeyedArchiver serialization
• NSExpression execution

The exploit bypassed iOS 15.1 mitigations by manipulating memory flags to re-enable restricted class execution

Forensic analysis tools used:

• Mobile Verification Toolkit (MVT) for iTunes backup analysis
• Custom Python scripts for decompression/decoding
• Manual crash log analysis

The sample showed modular design with separate configuration, payload delivery and execution phases

The exploit chain specifically targeted iPhones but showed no evidence of iPad targeting

Mercenary spyware vendors tend to reuse complex exploitation frameworks rather than burn new zero-days

iOS forensic investigation is effective but needs more scale and automation

Regular forensic analysis of devices helps detect sophisticated attacks that bypass security controls