A Trip to Ancient BABYLON: Unearthing a 2017 Pegasus Persistence Exploit

Bill Marczak, Daniel Roethlisberger

REcon 2025 · Day 2 · Main Track

In mid-2024, Citizen Lab researchers Bill Marczak and Daniel Roethlisberger stumbled onto something unusual on VirusTotal: an old sample of NSO Group's Pegasus spyware, calibrated to a specific victim

AI review

Citizen Lab unearthed a 2017 Pegasus persistence exploit from a VirusTotal ghost, built a 130-syscall iOS emulator from scratch to understand it, and dropped attribution evidence suggesting NSO's exploit code crossed organizational lines — this is what elite conference research looks like.
