The NSO Group has been known for targeting dissident journalists and bloggers notably with its proprietary spyware Pegasus. In November 2021, for instance, Apple sued the NSO Group for its alleged surveillance and targeting of its device users. Apple also hoped to seek a permanent injunction to ban the NSO Group from using any of its software, services, or devices.

In line with this, we sought to uncover web properties that could be related to Pegasus based on research conducted by WhoisXML API DNS Threat Researcher Dancho Danchev. Our complete analysis covered:

A number of personal email addresses used to register the domains identified as having ties with Pegasus, leading to the discovery of 10,000+ other domain names

Close to 100 IP addresses the domain IoCs resolved to, which led to the discovery of another 300+ possibly connected domain names

Several malicious web properties from among those we uncovered in our analysis

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download Danchev’s research and the related threat research materials here.

Publicized Pegasus Domains

We began our investigation by collating 1,994 domains known for having ties to Pegasus attacks. Examples include:

• 14-tracking[.]com
• a-redirect[.]com
• babies-bottles[.]com
• cablegirls[.]net
• daily-sport[.]news
• e-loading[.]biz
• fabric-shops[.]com
• gadgetproof[.]net
• hairdresseraroundme[.]com
• icecreamlovesme[.]com

What We Found

A closer look at the publicized Pegasus IoCs revealed common strings, most notably “redirect,” “news,” and “my.”

A bulk WHOIS lookup for sampled domain IoCs showed that a majority of them had redacted WHOIS records. The top services used were whoisprivacycorp.com, privacy.co.com, and whoisprotection.domains. The following chart shows their and other services’ shares.

The bulk WHOIS lookup also gave us six personal email addresses that were used to register the web properties. Using these email addresses as search terms for reverse WHOIS searches unveiled 10,951 potentially connected domains. Examples include:

• ancientworldnews[.]com
• myfriendscupid[.]com
• registeredaccount[.]com
• offshoreloading[.]com
• oxfordport[.]com
• publishingfree[.]com
• thebestbaroque[.]net
• ukrainedomain[.]com
• ulfood[.]com
• voicemail-cafe[.]com

Subjecting the domain IoCs to DNS lookups allowed us to uncover 94 unique IP address resolutions, including:

• 100[.]24[.]208[.]97
• 103[.]224[.]182[.]208
• 103[.]224[.]182[.]242
• 104[.]171[.]21[.]200
• 104[.]21[.]29[.]4
• 104[.]21[.]42[.]225
• 104[.]21[.]62[.]68
• 104[.]21[.]63[.]158
• 104[.]247[.]81[.]52
• 13[.]248[.]216[.]40
• 15[.]197[.]142[.]173

One of these IP addresses—185[.]53[.]177[.]20—was dubbed “malicious,” according to Threat Intelligence Platform (TIP) malware check.

Using these IP addresses as search terms for reverse IP lookups uncovered a sampled additional 301 possibly connected domains. Examples include:

• 0[.]news20[.]biz
• 1[.]ohmyworldgames[.]com
• 0[.]freeload[.]ph
• 0418[.]download
• 011officemailsecureit[.]com
• 001-management[.]com
• cloudfinitysolutions[.]com
• 0beidlymedical[.]com
• 0—mass-mailing-freeware-paseo[.]smartcode[.]com
• 0[.]dating-free[.]cc

There could be many more domains sharing the IP hosts as our analysis only covers a maximum sample of five domain names per IP address.

A bulk TIP malware check for the 11,249 potentially related domains (due to sharing registrant email addresses or IP hosts) showed that 34 were tagged “malicious.” These dangerous web properties include:

• 0[.]load8[.]biz
• 1fpmzke[.]cn
• theappanalytics[.]com
• americakingdom[.]net
• breakingnewsasia[.]com
• creativetunisia[.]com
• dentalmanchester[.]com
• engineerjapan[.]com
• flowershopjapan[.]com
• glasgowa[.]com

Interestingly, the additional domains our in-depth analysis uncovered shared strings similar to those found in the domain IoCs, such as “news,” “my,” “account,” “load,” “port,” “free,” “best,” “domain,” “food,” “mail,” “download,” “manage,” “cloud,” and “medical.” While we can’t definitively confirm the connection, the presence of malicious web properties from among the artifacts we unveiled should at least trigger monitoring on the part of all Internet users, particularly journalists, bloggers, and researchers—the common Pegasus targets.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.