New Pegasus Spyware Abuses Identified in Mexico – The Citizen Lab

New findings by R3D, with technical support from the Citizen Lab, document Pegasus infections between 2019 and 2021 of Mexican journalists, a human rights defender, and, in 2021, opposition politician Agustín Basave Alanís. The report shows zero-click exploitation and continued Pegasus abuse in Mexico despite prior government denials, and notes links between these infections and Pegasus-related contracts with Mexican defense entities. #Pegasus #R3D #CitizenLab #RaymundoRamos #RicardoRaphael #AnimalPolitico #AgustinBasaveAlanis #RECKLESS-1 #KISMET #HOMAGE #FORCEDENTRY

Keypoints

  • R3D, with Citizen Lab support, confirms Pegasus infections in Mexico affecting journalists and a human rights defender (2019–2021).
  • The infections include a 2021 case of opposition politician Agustín Basave Alanís.
  • Victims include Raymundo Ramos (human rights defender) and Ricardo Raphael (journalist), plus an anonymous Animal Politico journalist.
  • The 2019–2021 infections used zero-click exploits (no user interaction needed) rather than relying on deceptive messages.
  • Earlier Pegasus activity in Mexico (2016–2017) involved SMS with malicious links; some infrastructure links (bit.ly, notisms.net, banca-movil.net) are identified in the report.
  • The report cannot yet attribute these recent infections to a specific NSO Group customer, but notes that the targets' work would be of interest to the Mexican government or to cartels; it calls for independent investigation.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Zero-click exploits used to install Pegasus on victims' mobile devices without any user interaction; “The 2019-2021 infections leveraged zero-click attacks: no deception was required to trick victims into clicking.”
  • [T1566.001] Phishing: Spearphishing Link – Early infections used SMS with shortened malicious links that redirected to Pegasus infection domains; “The URL, which is shortened with bit[.]ly, redirects to the Pegasus infection domain hxxps://network190[.]com/5557819s/.”
  • [T1566.001] Phishing: Spearphishing Link – Additional SMS lures carrying shortened links that led to infection infrastructure; translated from the Spanish SMS: “Dear Ricardo, my column was published today in 24 Horas, I’d love your opinion greetings: hxxp://bit[.]ly/2lM9jqp”

Indicators of Compromise

  • [Domain] notisms.net – used in 2017 SMS targeting of Ricardo Raphael; “The domain notisms[.]net was part of NSO Group’s Pegasus infection infrastructure …”
  • [Domain] banca-movil.net – used in 2017 SMS targeting; “The domain banca-movil[.]net was also part of NSO Group’s Pegasus infection infrastructure …”
  • [Domain] network190.com – used in 2016 SMS infection; “The URL redirects to the Pegasus infection domain hxxps://network190[.]com/5557819s/.”
  • [URL] hxxps://network190[.]com/5557819s/ – infection URL (bit[.]ly redirect target) referenced in the 2016 SMS event
  • [URL] hxxps://notisms[.]net/bNBzPerL – linked to the 2017 SMS attack on Raphael

Read more: https://citizenlab.ca/2022/10/new-pegasus-spyware-abuses-identified-in-mexico/