You Shall Not PASS - Analysing an NSO iOS Spyware Sample
Dive into the technical analysis of NSO's Pegasus spyware PKPass exploit chain targeting iOS. Learn attack patterns, forensics techniques & detection methods for iOS malware.
- NSO’s Pegasus spyware used a PKPass file delivered via iMessage to execute a zero-click exploit chain targeting iOS devices
- Key indicators of compromise include:
  - Repeated Message Blasterd service crashes
  - IMTransferAgent process downloading suspicious iMessage attachments
  - Files with .png extensions that are actually WebP files
  - PKPass files containing suspicious “function” string patterns
  - Presence of repeating ‘A’ characters in payloads
  - Files written to /private/var/tmp
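The file-level indicators above can be checked mechanically on attachments pulled from a backup. The following is an added example, not code from the talk or from MVT: it flags a ".png" whose bytes carry a WebP (RIFF) container header, and walks a .pkpass bundle (a zip) counting "function" strings and long runs of "A". The file names, the 64-byte "A"-run threshold and the sample contents are assumptions constructed for the demo.

```python
# Added example (not from the talk): triage checks for three indicators above.
# File names, the 'A'-run threshold and sample contents are assumptions.
import io, re, zipfile

WEBP_RE = re.compile(rb"\ARIFF.{4}WEBP", re.DOTALL)  # RIFF header, WEBP form type
A_RUN_RE = re.compile(rb"A{64,}")                    # assumed "repeating 'A'" threshold
FUNCTION_RE = re.compile(rb"function")

def png_is_really_webp(name: str, data: bytes) -> bool:
    """Extension says .png but the bytes carry a WebP container header."""
    return name.lower().endswith(".png") and WEBP_RE.match(data) is not None

def scan_pkpass(data: bytes) -> dict:
    """Walk every member of a .pkpass bundle (a zip) and count string indicators."""
    findings = {"function_strings": 0, "a_runs": 0, "members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            blob = zf.read(info)
            f, a = len(FUNCTION_RE.findall(blob)), len(A_RUN_RE.findall(blob))
            if f or a:
                findings["members"].append(info.filename)
            findings["function_strings"] += f
            findings["a_runs"] += a
    return findings

def triage(name: str, data: bytes) -> list:
    """Return the indicator labels that fire for one iMessage attachment."""
    hits = []
    if png_is_really_webp(name, data):
        hits.append("png-extension-webp-content")
    if name.lower().endswith(".pkpass") and zipfile.is_zipfile(io.BytesIO(data)):
        r = scan_pkpass(data)
        if r["function_strings"]:
            hits.append("pkpass-function-strings")
        if r["a_runs"]:
            hits.append("pkpass-repeated-A")
    return hits

def build_samples() -> dict:
    """Constructed inputs: a WebP stub named .png, and a pass with both string hits."""
    webp = b"RIFF" + (100).to_bytes(4, "little") + b"WEBPVP8 " + b"\x00" * 92
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pass.json", b'{"x":"function(){}' + b"A" * 200 + b'"}')
        zf.writestr("manifest.json", b"{}")
    return {"photo.png": webp, "boarding.pkpass": buf.getvalue()}
if __name__ == "__main__":
    for fname, blob in build_samples().items():
        print(fname, triage(fname, blob))
```

A hit here is a triage signal to pull the file for manual analysis, not proof of compromise on its own.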
- The attack chain involved multiple layers of:
  - Base64 encoding
  - Compression
  - NSKeyedArchiver serialization
  - NSExpression execution
- The exploit bypassed iOS 15.1 mitigations by manipulating memory flags to re-enable restricted class execution
- Forensic analysis tools used:
  - Mobile Verification Toolkit (MVT) for iTunes backup analysis
  - Custom Python scripts for decompression/decoding
  - Manual crash log analysis
- The sample showed a modular design with separate configuration, payload delivery and execution phases
- The exploit chain specifically targeted iPhones but showed no evidence of iPad targeting
- Mercenary spyware vendors tend to reuse complex exploitation frameworks rather than burn new zero-days
- iOS forensic investigation is effective but needs more scale and automation
- Regular forensic analysis of devices helps detect sophisticated attacks that bypass security controls