In a striking case of espionage targeting a democratic institution, The Citizen Lab has confirmed that former Greek Member of the European Parliament (MEP) Stelios Kouloglou was targeted and successfully infected with NSO Group's Pegasus spyware. The attacks occurred while Kouloglou was an active member of the European Parliament's PEGA committee, which was specifically tasked with investigating the use of Pegasus and other spyware within the EU. Forensic analysis revealed at least two successful zero-click infections of his iPhone in October 2022 and March 2023, coinciding with sensitive work of the committee. The incident has sparked outrage and raises grave concerns about the security of EU institutions and the impunity with which government clients of NSO Group operate.
The attack was carried out using Pegasus, a sophisticated mobile surveillance tool sold exclusively to government clients. It is designed for zero-click infections, meaning it requires no interaction from the target.
PWNYOURHOME zero-click exploit, which targeted a vulnerability in Apple's HomeKit framework.
Pegasus is one of the most advanced mobile spyware implants known. Its attack chain is designed for complete stealth and total device compromise.
T1434 - Data from Mobile Device and exploits vulnerabilities in the underlying OS or its applications (T1404 - Exploitation for Client Execution).
T1404 - Exploitation for Privilege Escalation).
T1429 - Audio Capture and T1425 - Video Capture.
The impact of this attack is multi-layered and severe.
To protect methodologies, the reports disclosed no specific Indicators of Compromise (IOCs).
Detecting zero-click attacks like Pegasus on an individual device is extremely difficult without specialized forensic tools. However, at a network level, some general patterns might be observable.
sysdiagnose logs (iOS)
Mitigating state-sponsored spyware requires both technical and political action.
Keeping the mobile operating system and all applications fully updated is the best defense against exploits targeting known vulnerabilities.
For high-risk users, enabling advanced security features like Apple's Lockdown Mode can significantly harden the device against zero-click exploits.
First confirmed Pegasus infection of Stelios Kouloglou's iPhone.
Second confirmed Pegasus infection of Kouloglou's iPhone begins.
Kouloglou is advised to have his phone checked for spyware.
Citizen Lab publishes its report confirming the Pegasus infections.
