GeckoSpy: Pegasus Spyware Used against Thailand’s Pro-Democracy Movement – The Citizen Lab

Pegasus spyware was used against Thailand’s pro-democracy movement, with at least 30 civil society victims infected between October 2020 and November 2021, triggering Apple security notifications in November 2021 and a collaborative forensic investigation. The report highlights zero-click iOS exploits (KISMET and FORCEDENTRY), potential Thai government involvement, and independent validation of Pegasus infections by Amnesty International Security Lab, alongside extensive documentation of affected individuals and groups. #Pegasus #FORCEDENTRY

Keypoints

  • At least 30 Pegasus victims identified among Thai civil society groups, with infections spanning October 2020 to November 2021.
  • Apple notified several Thai activists in November 2021, prompting contact with Citizen Lab and partner NGOs (iLaw and DigitalReach).
  • Independent validation of Pegasus infections conducted by Amnesty International’s Security Lab for a subset of cases.
  • Forensic analysis relied on known Pegasus indicators, with device artifacts shared by victims with their consent; further victims were identified through snowball sampling from the initial cases.
  • Two zero-click iOS exploits were used to compromise iPhones: KISMET, behind the earliest Thai infections from October 2020, and FORCEDENTRY, deployed from February 2021 through the last observed infections in November 2021. Both were delivered via iMessage, FORCEDENTRY by way of a malicious PDF.
  • Victims include prominent activists and groups (e.g., FreeYOUTH, WEVO, UFTD) and high-profile individuals like Panusaya Sithijirawattanakul and Arnon Nampa, with multiple infections per person.
  • The report finds that the evidence points strongly to a Thai government operator and calls for accountability, while noting NSO Group’s denials and the broader human rights concerns raised by the targeting.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – The earliest infections used the KISMET exploit, and FORCEDENTRY was deployed as a zero-click iOS exploit delivered via iMessage, enabling Pegasus installation. Quote: “The earliest cases of infections we identify in this report were carried out with the KISMET exploit… The FORCEDENTRY exploit was deployed against Thai iPhones starting in February 2021. The FORCEDENTRY exploit was a zero-click iOS exploit delivered via iMessage.”

Indicators of Compromise

  • [IP] Pegasus installation servers, whose configured time zone was GMT+7 (Thailand’s UTC offset) – 69.28.93[.]191, 54.187.156[.]128
  • [Domain] Pegasus-related domains – siamha[.]info, thtube[.]video
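Matching the indicators above against network telemetry is the first thing a defender will want to do with them. The following is an added example, not code from the Citizen Lab report, that refangs the listed IPs and domains and scans log lines with boundary-aware tokenizing so that a near-miss address such as 154.187.156.128 or a look-alike name such as thtube.video.example.org does not produce a false positive, while subdomains of the listed domains do match. The log lines are constructed for the example and are not from any real device.

```python
import ipaddress
import re

# Indicators copied from the report summary above, kept in defanged form.
DEFANGED_IOCS = [
    "69.28.93[.]191",
    "54.187.156[.]128",
    "siamha[.]info",
    "thtube[.]video",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "(.)", "[dot]", "hxxp") back into its live form."""
    s = indicator.strip().lower()
    for old, new in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("hxxps://", "https://"), ("hxxp://", "http://")):
        s = s.replace(old, new)
    return s


def split_iocs(indicators):
    """Separate refanged indicators into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for raw in indicators:
        ioc = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
        except ValueError:
            domains.add(ioc.rstrip("."))
    return ips, domains


IOC_IPS, IOC_DOMAINS = split_iocs(DEFANGED_IOCS)

# Tokenizers for hostnames and IPv4 addresses inside arbitrary log text. The
# hostname pattern requires an alphabetic final label so it never swallows an IP.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_hit(host: str, domains):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_line(line: str, ips=IOC_IPS, domains=IOC_DOMAINS):
    """Return (kind, indicator, matched_token) tuples for every IOC seen in one line."""
    hits = []
    for m in _IPV4_RE.finditer(line):
        try:
            ip = str(ipaddress.ip_address(m.group(0)))
        except ValueError:
            continue  # octet out of range, e.g. 300.1.1.1 or a version string
        if ip in ips:
            hits.append(("ip", ip, m.group(0)))
    for m in _HOST_RE.finditer(line):
        d = domain_hit(m.group(1), domains)
        if d:
            hits.append(("domain", d, m.group(1)))
    return hits


def scan_log(lines):
    """Return {line_number: hits} for every line with at least one IOC match."""
    results = {}
    for n, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results[n] = hits
    return results


# Constructed sample log lines (invented for this example, not from the report).
SAMPLE_LOG = [
    "2021-03-04T09:12:51Z dns query client=10.0.0.23 qname=www.siamha.info qtype=A",
    "2021-03-04T09:12:52Z conn src=10.0.0.23 dst=69.28.93.191:443 proto=tcp bytes=18422",
    "2021-03-04T09:13:07Z dns query client=10.0.0.23 qname=thtube.video.example.org qtype=A",
    "2021-03-04T09:14:10Z conn src=10.0.0.24 dst=154.187.156.128:443 proto=tcp bytes=902",
    "2021-03-04T09:15:00Z dns query client=10.0.0.25 qname=cdn.thtube.video qtype=AAAA",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        for kind, ioc, token in hits:
            print(f"line {n}: {kind} IOC {ioc} matched token {token}")
```

Lines 1, 2 and 5 of the constructed log match; line 3 (a different registrable domain that merely starts with thtube.video) and line 4 (an address that contains the IOC as a substring) do not, which is exactly where a naive `if ioc in line` check would raise false alarms. A network hit against these indicators is a reason to prioritise a device for the kind of forensic examination the report describes, not confirmation of infection: Pegasus infrastructure is rotated, and the cases in this report were confirmed from on-device artifacts.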

Read more: https://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/