Fake code, inflated prices

Researchers at CloudSEK analyzed approximately 25,000 posts on Telegram, many of which claimed to sell authentic Pegasus code, the statement added. These posts often followed a common template offering illicit services, with frequent mention of Pegasus and NSO tools.

CloudSEK researchers went a step further, engaging with over 150 potential sellers.

By interacting with over 150 potential sellers, CloudSEK gained insights into various samples and indicators shared by these actors. “This included purported Pegasus source code, live demonstrations, file structures, and snapshots,” CloudSEK report said.

The report also identified six instances of fake Pegasus HVNC (Hidden Virtual Network Computing) samples distributed on the dark web between May 2022 and January 2024.

The same misuse was also observed on surface web code-sharing platforms, where scammers were disseminating their own randomly generated source codes, falsely associating them with the Pegasus Spyware, the cybersecurity firm said in the report.

“After analyzing 15 samples and over 30 indicators from human intelligence (HUMINT), deep, and dark web sources, CloudSEK discovered that nearly all samples were fraudulent and ineffective,” the statement said outlining the outcome of the investigation. “Threat actors created their own tools and scripts, distributing them under Pegasus’ name to capitalize on its notoriety for financial gain.”