What is NSO Group? Pegasus Spyware Explained

Key points

  • NSO Group became the public face of commercial state spyware because Pegasus kept showing up in abuse investigations.
  • Pegasus matters because it hits the phone itself, which makes encrypted apps far less reassuring.
  • If you are a serious target, the goal is risk reduction, not certainty.

  • Founded: 2010 (reuters.com)
  • Flagship tool: Pegasus (citizenlab.ca)
  • U.S. action: Entity List (bis.doc.gov)
  • Typical target: High-value phones (amnesty.org)

NSO Group became famous because Pegasus turned a vague fear into a documented fact. Investigators did not just warn that powerful actors could hack phones. They showed real infections tied to real people: journalists, activists, lawyers, opposition politicians, and heads of state. That changed the story. Commercial spyware was not a fringe tool. It was an active market with real victims.

NSO has long framed Pegasus as a lawful tool for fighting terrorism and serious crime. That line kept collapsing under reporting from Citizen Lab, Amnesty International, Forbidden Stories, major newspapers, and later court cases. The pattern was blunt. People who challenged power kept appearing in the evidence. Once you see that pattern, the clean sales pitch stops mattering.

1. Pegasus attacks the endpoint. That is why app-level comfort is not enough. Signal, WhatsApp, iMessage, Telegram, email encryption, and browser isolation all assume the phone is still under your control. If the device is compromised, the attacker can often read messages before or after encryption, grab files locally, or watch what you type.

2. Zero-click changed the threat model. Older malware often needed a phishing click or a visible mistake. Pegasus cases showed that some attacks could land through messaging or calling systems without the target doing anything. Good habits still help. They just do not solve this class of threat.

3. The victim list tells you the real use case. When infections keep showing up around reporters, dissidents, lawyers, clerics, campaign figures, and civil society staff, the practical use case is political intelligence. Some operators may also chase serious crime. That does not erase the record.

4. Forensics is hard and still necessary. Mobile spyware tries to disappear. Evidence comes and goes. Some compromised phones will never yield clean proof later. That is why work from Citizen Lab and Amnesty's Mobile Verification Toolkit matters so much. It gives defenders a method. It does not give certainty.

5. Sanctions and lawsuits do not end the market. NSO landed on the U.S. Entity List. Apple sued. WhatsApp won a major legal milestone after alleging Pegasus abuse through its platform. All of that matters. None of it removes state demand for mercenary spyware.

How Pegasus reaches phones

Public investigations have documented several delivery paths: malicious links, browser exploits, and zero-click chains delivered through communication apps. The specific exploit changes. The lesson stays the same. Mobile operating systems are huge attack surfaces, and high-value targets attract expensive exploit budgets.

Apple's Lockdown Mode was an important response because it admitted a hard truth: some users face attackers far beyond normal cybercrime. Lockdown Mode is inconvenient on purpose. It strips out features that have historically expanded the attack surface. Convenience drops. Odds of compromise can drop with it.

Who gets targeted

Pegasus is not sprayed at random like commodity malware. It is expensive, selective, and tied to political or strategic value. Typical targets are people whose phones open wider networks: editors, organizers, negotiators, investigators, executives with geopolitical exposure, or relatives of priority targets. If you are not in those groups, Pegasus is probably not your main problem. If you are, you should treat it as plausible even without proof.

High-risk mobile rules

  • Patch speed: Install iOS and Android security updates fast, not whenever convenient.
  • Hardened mode: Use Lockdown Mode or similar restrictions on high-risk Apple devices.
  • Device split: Separate sensitive work, finance, and personal life across different hardware.
  • Investigation path: If you suspect compromise, preserve the phone and get expert forensic help.

What you can realistically do

There is no switch that makes Pegasus irrelevant. The practical defense is layered: patch fast, keep fewer apps installed, reduce rich message surfaces where possible, split identities across devices, and stop treating the phone like a safe. It is a sensor pack that can fail.

For high-risk users, the strongest moves are often procedural. Keep the most sensitive planning off phones. Do not store archives you cannot afford to lose. Compartmentalize work by device and role. Build habits around the idea that one handset can burn without warning.

The best public sources are still Citizen Lab reports, Amnesty International's Security Lab, Apple security advisories, the U.S. Commerce Department action, and court filings tied to Apple and WhatsApp. Read those before vendor spin. Pegasus is not just a product story. It is a market lesson.

Frequently Asked Questions

What is NSO Group?

NSO Group is an Israeli spyware company known for Pegasus, a phone surveillance tool sold to governments and repeatedly linked to abuse against journalists, activists, lawyers, and political figures.

What is Pegasus spyware?

Pegasus is a mobile spyware platform that can compromise a phone, pull messages and files, activate sensors, and send data back to the operator.

Is Pegasus the same as Cellebrite?

No. Pegasus is mainly tied to remote compromise. Cellebrite is known for extracting data from seized devices. Both are dangerous, but they solve different surveillance problems.

Can ordinary users fully defend against Pegasus?

No. But fast patching, hardened settings, fewer apps, device separation, and realistic threat modeling can lower the risk.