European Parliament Member Investigating Spyware Was Hacked with Pegasus

Irony and Outrage: EU Lawmaker on Spyware Committee Hacked with Pegasus

CRITICAL
July 4, 2026
6m read
Cyberattack | Threat Actor | Mobile Security

Related Entities

Organizations

The Citizen Lab, NSO Group, European Parliament, Apple

Other

Stelios Kouloglou, Pegasus

Full Report

Executive Summary

In a striking case of espionage targeting a democratic institution, The Citizen Lab has confirmed that former Greek Member of the European Parliament (MEP) Stelios Kouloglou was targeted and successfully infected with NSO Group's Pegasus spyware. The attacks occurred while Kouloglou was an active member of the European Parliament's PEGA committee, which was specifically tasked with investigating the use of Pegasus and other spyware within the EU. Forensic analysis revealed at least two successful zero-click infections of his iPhone in October 2022 and March 2023, coinciding with sensitive work of the committee. The incident has sparked outrage and raises grave concerns about the security of EU institutions and the impunity with which government clients of NSO Group operate.

Threat Overview

The attack was carried out using Pegasus, a sophisticated mobile surveillance tool sold exclusively to government clients. It is designed for zero-click infections, meaning it requires no interaction from the target.

  • Victim: Stelios Kouloglou, a then-serving MEP and member of the PEGA investigative committee.
  • Infection Dates: Confirmed infections occurred around October 21, 2022, and again on March 6-7, 2023.
  • Exploit Vector: The October 2022 infection was assessed with high confidence to have used the PWNYOURHOME zero-click exploit, which targeted a vulnerability in Apple's HomeKit framework.
  • Attribution: Citizen Lab did not attribute the attack to a specific government but noted that it was not consistent with activity from the Greek government. However, technical indicators linked the operator to a known Pegasus customer that has previously targeted Russian and Belarusian-speaking journalists in Europe. This suggests the operator has a mandate to conduct surveillance across multiple EU countries.

Technical Analysis

Pegasus is one of the most advanced mobile spyware implants known. Its attack chain is designed for complete stealth and total device compromise.

  • Initial Access: The attack used a zero-click exploit, likely delivered via a silent push message. This aligns with T1434 - Data from Mobile Device and exploits vulnerabilities in the underlying OS or its applications (T1404 - Exploitation for Client Execution).
  • Execution & Persistence: Once the exploit is successful, the Pegasus payload is installed. It often uses sophisticated techniques to gain persistence across reboots, such as modifying trusted system processes.
  • Privilege Escalation: Pegasus achieves root-level access to the device, granting it complete control (T1404 - Exploitation for Privilege Escalation).
  • Collection: With full control, the spyware can access all data on the device: encrypted messages (from Signal, WhatsApp, etc.), emails, photos, and contacts. It can also activate the microphone and camera for live surveillance. This covers a wide range of collection techniques, including T1429 - Audio Capture and T1425 - Video Capture.

Impact Assessment

The impact of this attack is multi-layered and severe.

  • Breach of Parliamentary Privilege: The hacking of an MEP investigating the very tool used against him is a direct assault on the democratic process. It likely led to the compromise of confidential committee documents, witness information, and internal deliberations.
  • Chilling Effect: Such attacks on investigators, journalists, and civil society have a profound chilling effect, discouraging scrutiny of powerful government actors.
  • Erosion of Trust: The incident further erodes trust in the security of communication and the ability of democratic institutions to protect themselves from state-level surveillance tools, even within the borders of the EU.
  • Personal Impact: For Kouloglou, it represents a gross violation of privacy and a direct threat to his personal security and that of his contacts.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) were disclosed in the reports to protect methodologies.

Cyber Observables — Hunting Hints

Detecting zero-click attacks like Pegasus on an individual device is extremely difficult without specialized forensic tools. However, at a network level, some general patterns might be observable.

  • Network Traffic Pattern: Connections to known NSO Group infrastructure. Security firms occasionally publish IP addresses or domains associated with Pegasus C2 servers; monitoring for connections to these is critical.
  • Device Behavior: Unexpected reboots or battery drain. While not definitive, these can sometimes be ancillary symptoms of a sophisticated malware infection.
  • Log Source: sysdiagnose logs (iOS). Detailed system logs on iOS can sometimes contain traces of the exploitation process, but they require expert analysis to interpret.
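As an added example (not code from the article or from Citizen Lab), the following Python script applies the network-level hunting hint above: it matches constructed egress DNS and flow log lines against a placeholder watchlist of Pegasus-associated domains and IP ranges, matching subdomains of a watchlisted domain as well. The indicators, the log line format and the device names are all assumptions.

```python
"""Added example: hunt egress logs for connections to a watchlist of
spyware C2 infrastructure. Every indicator and log line is a constructed placeholder."""
import ipaddress
import re
from typing import Dict, List

# Constructed placeholder watchlist; replace with a published indicator feed.
WATCHLIST_DOMAINS = {"example-c2-placeholder.net", "c2-placeholder.example"}
WATCHLIST_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, placeholder

# Constructed log lines in an assumed "timestamp device kind target" format.
SAMPLE_LOGS = """\
2022-10-21T09:14:03Z iphone-mep01 dns cdn.example-c2-placeholder.net
2022-10-21T09:14:05Z iphone-mep01 flow 203.0.113.77:443
2022-10-21T09:20:11Z laptop-staff02 dns www.example.org
2022-10-21T09:21:40Z laptop-staff02 flow 198.51.100.9:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (dns|flow) (\S+)$")

def domain_matches(name: str) -> bool:
    """True for a watchlisted domain or any subdomain of one (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHLIST_DOMAINS)

def ip_matches(target: str) -> bool:
    """True when the IPv4 address in 'ip:port' falls inside a watchlisted range."""
    host = target.rsplit(":", 1)[0]  # strip the port
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # not a bare IP (e.g. bracketed IPv6); skip rather than guess
        return False
    return any(addr in net for net in WATCHLIST_CIDRS)

def hunt(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose target hits the watchlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        ts, device, kind, target = m.groups()
        matched = domain_matches(target) if kind == "dns" else ip_matches(target)
        if matched:
            hits.append({"ts": ts, "device": device, "kind": kind, "target": target})
    return hits

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOGS):
        print(f"{h['ts']} {h['device']} {h['kind']} -> {h['target']}  (watchlist hit)")
```

Because published C2 indicators age quickly, a hit is a lead for forensic triage of that device, not proof of infection.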

Detection & Response

  • Forensic Analysis: The only reliable way to detect a Pegasus infection is through expert forensic analysis of the device, as performed by organizations like Citizen Lab or Amnesty International's Security Lab.
  • Reboot: Regularly rebooting a phone can sometimes disrupt older versions of Pegasus that lack strong persistence mechanisms, though this is not a reliable defense against modern variants.
  • Apple Lockdown Mode: For high-risk individuals, enabling Apple's Lockdown Mode can significantly reduce the attack surface by disabling features commonly targeted by zero-click exploits.

Mitigation

Mitigating state-sponsored spyware requires both technical and political action.

  1. Enable Lockdown Mode: High-risk users (journalists, activists, politicians) on Apple devices should enable Lockdown Mode. This is a direct implementation of D3FEND's Platform Hardening (D3-PH).
  2. Keep Devices Updated: Promptly installing all OS and application updates is crucial, as exploit developers often target recently patched but not-yet-updated vulnerabilities. This is a basic Software Update (D3-SU) measure.
  3. Regulatory Action: The most effective mitigation is political and legal. This includes stronger export controls on surveillance technology, sanctions against abusive vendors like NSO Group, and binding legal frameworks to hold government clients accountable for misuse.

Timeline of Events

  1. October 21, 2022: First confirmed Pegasus infection of Stelios Kouloglou's iPhone.
  2. March 6, 2023: Second confirmed Pegasus infection of Kouloglou's iPhone begins.
  3. May 1, 2026: Kouloglou is advised to have his phone checked for spyware.
  4. July 3, 2026: Citizen Lab publishes its report confirming the Pegasus infections.
  5. July 4, 2026: This article was published.

MITRE ATT&CK Mitigations

Keeping the mobile operating system and all applications fully updated is the best defense against exploits targeting known vulnerabilities.

For high-risk users, enabling advanced security features like Apple's Lockdown Mode can significantly harden the device against zero-click exploits.

Article Author

Jason Gomes
Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis | Security Orchestration (SOAR/XSOAR) | Incident Response & Digital Forensics | Security Operations Center (SOC) | SIEM & Security Analytics | Cyber Fusion & Threat Sharing | Security Automation & Integration | Managed Detection & Response (MDR)

Tags

Pegasus, NSO Group, Spyware, Zero-Click, European Parliament, Citizen Lab, Mobile Security, Espionage
