Six months of embedded persistence within NSO Group's R&D staging network. Initial ingress via misconfigured bastion host (SSH with known default credentials), pivoted through internal asset management VLAN using relayed Kerberos TGTs. Lateral movement achieved via signed PowerShell over WinRM and authenticated SSH tunnels.
Access maintained through a passive implant on the devnet syslog aggregator, exfiltrating credentials and JWTs issued by the internal OAuth2 identity provider. From there, access was obtained to the Pegasus 2.0 alpha C2 instance, deployed in a Dockerized cluster behind an unmonitored Traefik reverse proxy.
The panel is live. Session control is fully operational. No binary deployment required; all target devices are already linked through active sessions. Credentials, bearer tokens, command modules, and implant configs are preloaded.
Capabilities:
- Full access to internal Pegasus 2.0 dashboard (build v2.0.3-alpha, unsigned)
- Remote interaction: microphone, camera, GPS, accelerometer, clipboard, ambient sensors
- Stealth session hijack via passive token injection (no user-side triggers)
- Live exfiltration of SMS, Signal, Telegram, WhatsApp, Facebook, and native app traffic
- Full contact, call log, and file system extraction
- Shell module for real-time command execution and payload staging (per device profile)
- Compatible with:
  - iOS 16.1 – 17.5 (A12–A17 chips, including iPhone 15)
  - Android 13/14 (incl. Pixel, GrapheneOS, Samsung Knox)
- Built-in auto-persistence for re-infection post reboot
- Zero notifications, zero background activity logs, sandbox-aware
- Deployment and telemetry logging completely disabled from admin panel
Current Active Targets (sample):
- +1 202-*-** – US Embassy, Washington
- +34 6** *** *** – Pedro Sánchez, Spain
- +33 6** *** *** – Élysée Staff
- +44 75*** **** – GCHQ, UK
- +972 5* *** **** – NSO internal device
- +971 50*** **** – UAE Ministry official
- +49 15******** – Bundesnachrichtendienst
- +39 3** *** **** – Italian Ministry of Defence
- +41 7** *** *** – Swiss Federal Assembly
- +81 90*** **** – Japan National Diet
- +380 67*** **** – SBU field operative
- +966 5** *** *** – Saudi GID
- +90 5** *** *** – Turkish MIT asset
- +7 9** *** **** – FSB technical unit
- 50,000 XMR
- One transfer only
- No previews
- No BTC
- No questions
- No negotiation
Tox: 3001439AF2274971CE7CBF53FEDC9E15BFDE1B1E18B113721F647F52CF0AE92B7E1005894BA6
Trust is earned, not given.
If you understand this, you know how to reach me.