
S0289: Pegasus for iOS

Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.[1][2] The Android version is tracked separately under Pegasus for Android.

Domain: Mobile | ID: S0289 | Type: Malware | Object version: 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Pegasus for iOS matters because ATT&CK describes it as iOS malware advertised and sold for high-value victims, with relationships spanning mobile exploitation, device discovery, sensitive data collection, audio/location access, and out-of-band communications. For leaders, the decision value is not “can we identify this named malware everywhere,” but whether the organization can protect and investigate high-risk mobile devices used by executives, legal, finance, security, journalists, activists, or other sensitive roles.

Executive priority

Treat this as a high-priority mobile security readiness scenario for targeted individuals and sensitive communications. Key questions: which roles carry business-critical or regulated data on iOS devices; how quickly can the organization isolate, preserve, and investigate a suspected compromised phone; and what evidence exists that patching, mobile device management, application permission review, phishing reporting, and incident escalation are operating effectively. Because ATT&CK provides no official detection text for this object, budget and control discussions should focus on mobile telemetry gaps and response preparedness rather than promises of guaranteed detection.

Technical view

Validate coverage around the related ATT&CK behaviors: exploitation for initial access/client execution/privilege escalation, access to stored application data, system information discovery, audio capture, location tracking, collection of call logs/contacts/SMS where possible, out-of-band data use, phishing delivery, and potential modification of client software binaries. SOC and IR teams should confirm what iOS device, MDM, network, application, and user-reporting evidence is actually available before an incident. Pay special attention to the fact that several related techniques depend on elevated privileges, jailbreak/root-like conditions, or exploitation paths that may leave limited endpoint-visible evidence on mobile devices.

Likely telemetry

  • iOS device inventory, OS version, patch level, and hardware details from mobile management sources
  • MDM compliance status, configuration state, jailbreak or integrity indicators where available
  • Application inventory, installation history, and permission posture for microphone, location, contacts, and other sensitive data access
  • Mobile network metadata such as DNS, web proxy, VPN, cellular/Wi-Fi egress records, and unusual destination patterns where collected
  • User reports and messaging/email security telemetry related to suspected mobile phishing or suspicious links

Detection direction

  • Because ATT&CK lists no official detection guidance for Pegasus for iOS, first validate telemetry availability rather than assuming SOC visibility.
  • Tune mobile phishing and suspicious-link workflows for high-risk users, while accounting for false positives from legitimate business messaging and travel activity.
  • Correlate iOS patch status and device model exposure with reports of suspicious mobile behavior, especially for users handling sensitive communications.
  • Review alerts or reports involving unexpected microphone, location, contacts, SMS, or call-log access, recognizing that iOS may restrict direct visibility and that some collection paths may require elevated privileges.
  • Use network monitoring as supporting evidence, not sole proof, because out-of-band data streams and mobile network variability can limit visibility.
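As an added illustration of the telemetry-first approach described above (example code, not Glexia or MITRE code), the following Python script triages a constructed MDM export against the signals listed: iOS baseline compliance, MDM integrity/jailbreak indicators, sensitive permission grants outside an expected managed-app set, and correlation with user phishing reports, with sensitive roles escalated. The export layout, field names, baseline version, role list and scoring weights are assumptions; replace them with your MDM's schema and your own risk policy.

```python
"""Triage an iOS fleet export for Pegasus-style exposure signals.

Added example; not Glexia or MITRE code. The export layout, field names,
baseline version, role list and scoring weights below are assumptions.
"""

# Assumed organisational policy (adjust to your own baseline).
MIN_IOS = "17.2"
HIGH_RISK_ROLES = {"executive", "legal", "finance", "security", "journalist", "activist"}
SENSITIVE_PERMS = {"microphone", "location", "contacts", "sms"}
# Bundle IDs expected to hold each sensitive permission (assumed managed apps).
EXPECTED_HOLDERS = {
    "microphone": {"com.example.voip"},
    "location": {"com.example.maps"},
    "contacts": {"com.example.mail"},
    "sms": set(),
}

# Constructed MDM export: three devices, shaped like a typical inventory pull.
DEVICES = [
    {"user": "ceo", "role": "executive", "model": "iPhone14,2", "ios_version": "16.6",
     "mdm_compliant": True, "jailbreak_indicator": False,
     "app_permissions": {"com.example.voip": ["microphone"],
                         "com.example.flashlight": ["location", "microphone"]}},
    {"user": "dev1", "role": "engineering", "model": "iPhone15,2", "ios_version": "17.2",
     "mdm_compliant": True, "jailbreak_indicator": False,
     "app_permissions": {"com.example.maps": ["location"]}},
    {"user": "reporter", "role": "journalist", "model": "iPhone13,2", "ios_version": "17.2",
     "mdm_compliant": False, "jailbreak_indicator": True,
     "app_permissions": {}},
]

# Constructed user reports from the phishing-reporting channel.
PHISHING_REPORTS = [
    {"user": "ceo", "channel": "sms", "note": "unexpected link from unknown number"},
]


def version_tuple(version, width=3):
    """'16.6' -> (16, 6, 0) so releases compare correctly as tuples."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (width - len(parts))


def triage_device(dev, report_count):
    """Score one device and return findings a responder can act on."""
    findings, score = [], 0
    high_risk = dev["role"] in HIGH_RISK_ROLES

    if version_tuple(dev["ios_version"]) < version_tuple(MIN_IOS):
        findings.append(f"iOS {dev['ios_version']} below baseline {MIN_IOS}")
        score += 3 if high_risk else 1   # unpatched device in a sensitive role is the priority case
    if dev["jailbreak_indicator"]:
        findings.append("MDM integrity/jailbreak indicator set")
        score += 4                       # elevated-privilege condition several related techniques depend on
    if not dev["mdm_compliant"]:
        findings.append("device out of MDM compliance")
        score += 1
    for bundle_id, perms in dev["app_permissions"].items():
        for perm in perms:
            if perm in SENSITIVE_PERMS and bundle_id not in EXPECTED_HOLDERS[perm]:
                findings.append(f"{bundle_id} holds {perm} outside the expected app set")
                score += 1
    if report_count:
        findings.append(f"{report_count} suspicious-link report(s) from this user")
        score += 2 * report_count
    if high_risk and findings:
        score += 2                       # escalate sensitive roles that have any finding

    return {"user": dev["user"], "model": dev["model"], "high_risk": high_risk,
            "score": score, "findings": findings}


def triage_fleet(devices, reports):
    """Correlate device posture with user reports; highest score first."""
    reports_per_user = {}
    for r in reports:
        reports_per_user[r["user"]] = reports_per_user.get(r["user"], 0) + 1
    results = [triage_device(d, reports_per_user.get(d["user"], 0)) for d in devices]
    return sorted(results, key=lambda r: (-r["score"], r["user"]))


if __name__ == "__main__":
    for r in triage_fleet(DEVICES, PHISHING_REPORTS):
        print(f"{r['user']:<10} score={r['score']:<3} high_risk={r['high_risk']}")
        for f in r["findings"]:
            print(f"    - {f}")
```

The score is a triage aid for deciding which phones to isolate and image first, not a detection verdict; the absence of findings only means the telemetry you collect showed nothing, which is exactly the visibility gap the list above warns about.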

Mitigation priorities

  • Prioritize rapid iOS update compliance and visibility for high-risk users and sensitive roles.
  • Maintain MDM-enforced security baselines, device inventory, and compliance reporting that can support audits and incident decisions.
  • Limit sensitive data exposure on mobile devices through least-privilege application access, managed apps, and review of permissions for microphone, location, contacts, and messaging-related data where supported.
  • Strengthen phishing reporting and executive support channels so suspected mobile targeting is escalated quickly.
  • Prepare a mobile incident response workflow covering device isolation, evidence preservation, legal/privacy approvals, forensic handling, and replacement device issuance.

Analyst notes and limits

The supplied ATT&CK object identifies Pegasus for iOS as iOS malware reportedly linked to NSO Group and advertised/sold to target high-value victims, with the Android version tracked separately. The strongest defensive value comes from the related techniques: exploitation, sensitive mobile data access, device discovery, audio/location collection, phishing, and out-of-band communications. This take intentionally avoids asserting current activity, customer exposure, or guaranteed detection.

Official detection is not provided. Tactics are not specified in the supplied object. The object-level platform is iOS, while several related techniques are cross-platform and one supplied relationship, System Network Connections Discovery, is described with Android platform context. Local device management, network architecture, legal constraints, and mobile forensic capability determine what can actually be observed or proven.

Official MITRE ATT&CK definition

Pegasus for iOS

Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.[1][2] The Android version is tracked separately under Pegasus for Android.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

15 rows

Domain | ID | Name | Relationship / procedure
Mobile | T1636.002 | Call Log (sub-technique) | Pegasus for iOS captures call logs. (Citation: Lookout-Pegasus)
Mobile | T1421 | System Network Connections Discovery | Pegasus for iOS monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network. (Citation: Lookout-Pegasus)
Mobile | T1644 | Out of Band Data | Pegasus for iOS uses SMS for command and control. (Citation: Lookout-Pegasus)
Mobile | T1456 | Drive-By Compromise | Pegasus for iOS was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices. (Citation: Lookout-Pegasus)
Mobile | T1404 | Exploitation for Privilege Escalation | Pegasus for iOS exploits iOS vulnerabilities to escalate privileges. (Citation: Lookout-Pegasus)
Mobile | T1645 | Compromise Client Software Binary | Pegasus for iOS modifies the system partition to maintain persistence. (Citation: Lookout-Pegasus)
Mobile | T1426 | System Information Discovery | Pegasus for iOS monitors the victim for status and disables other access to the phone by other jailbreaking software. (Citation: Lookout-Pegasus)
Mobile | T1636.003 | Contact List (sub-technique) | Pegasus for iOS gathers contacts from the system by dumping the victim's address book. (Citation: Lookout-Pegasus)
Mobile | T1636.004 | SMS Messages (sub-technique) | Pegasus for iOS captures SMS messages that the victim sends or receives. (Citation: Lookout-Pegasus)
Mobile | T1660 | Phishing | Pegasus for iOS has been distributed via malicious links in SMS messages. (Citation: CitizenLab Great iPwn)
Mobile | T1430 | Location Tracking | Pegasus for iOS updates and sends the location of the phone. (Citation: Lookout-Pegasus)
Mobile | T1664 | Exploitation for Initial Access | Pegasus for iOS has used zero-day iMessage exploits for initial access. (Citation: CitizenLab Great iPwn)
Mobile | T1409 | Stored Application Data | Pegasus for iOS accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files. (Citation: Lookout-Pegasus)
Mobile | T1429 | Audio Capture | Pegasus for iOS has the ability to record audio. (Citation: Lookout-Pegasus)
Mobile | T1658 | Exploitation for Client Execution | Pegasus for iOS can compromise iPhones running iOS 16.6 without any user interaction. (Citation: Scott-Railton_TheCitizenLab Pegasus Apr2022)


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Raw hash: bc46eb4fc1d36361...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | bc46eb4fc1d3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Lookout-Pegasus: Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
  2. [2] PegasusCitizenLab: Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.
  3. mitre-attack: MITRE ATT&CK software entry S0289, Pegasus for iOS (attack.mitre.org).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.