Full Report
Stelios Kouloglou, formerly a member of the European Parliament's committee investigation abuses of commercial spyware, was twice infected with Pegasus while serving, researchers said.
Analysis Summary
# Incident Report: Pegasus Spyware Infection of PEGA Committee Member
## Executive Summary
Stelios Kouloglou, a former member of the European Parliament (MEP), was targeted and successfully infected with Pegasus zero-click spyware on at least two occasions. The attacks occurred while Kouloglou was serving on the PEGA Committee, which was specifically tasked with investigating the misuse of commercial spyware within the European Union. These incidents highlight a direct assault on democratic oversight mechanisms by a sophisticated nation-state actor or state-sponsored operator.
## Incident Details
- **Discovery Date:** May 2026 (Forensic confirmation by Citizen Lab)
- **Incident Date:** October 2022 and March 2023
- **Affected Organization:** European Parliament (specifically the PEGA Committee)
- **Sector:** Government / Legislation
- **Geography:** Greece / European Union
## Timeline of Events
### Initial Access
- **Date/Time:** October 2022 and March 2023
- **Vector:** Zero-click exploit
- **Details:** The attacker utilized "zero-click" capabilities, which require no interaction from the user to successfully compromise the device.
### Lateral Movement
- **Details:** Not applicable in the traditional network sense; Pegasus operates as a standalone mobile surveillance tool to gain total control over the handheld device's functions and data.
### Data Exfiltration/Impact
- **Details:** Pegasus allows for the monitoring of encrypted communications, collection of photos/emails, and remote activation of microphones and cameras, effectively turning the phone into a permanent surveillance device.
### Detection & Response
- **How it was discovered:** Forensic analysis by Citizen Lab researchers in May 2026. Evidence also showed Apple had sent three threat notifications to the user, which went unnoticed.
- **Response actions taken:** Forensic imaging of the device, public reporting by Citizen Lab, and political advocacy for stronger spyware regulations.
## Attack Methodology
- **Initial Access:** Zero-click exploit (Pegasus).
- **Persistence:** Maintained through the NSO Group’s proprietary software suite designed to survive reboots.
- **Privilege Escalation:** Exploitation of mobile OS vulnerabilities to gain root/kernel access.
- **Defense Evasion:** Use of encrypted command-and-control (C2) channels and sophisticated obfuscation to hide processes from the user and most mobile security tools.
- **Credential Access:** Scraping stored passwords and session tokens from apps on the device.
- **Discovery:** Monitoring of contacts, calendar entries, and location data.
- **Lateral Movement:** N/A (Device-centric focal point).
- **Collection:** Interception of SMS, WhatsApp, Signal, emails, and call logs.
- **Exfiltration:** Data sent via encrypted bursts to C2 infrastructure.
- **Impact:** Compromise of confidential legislative investigations and sensitive source protection.
## Impact Assessment
- **Financial:** Undisclosed; involves the high cost of forensic investigation.
- **Data Breach:** Full compromise of a European Parliamentarian’s mobile data and communications.
- **Operational:** Potential compromise of the PEGA Committee’s internal deliberations and draft reports.
- **Reputational:** Significant public alarm regarding the vulnerability of European democratic institutions to state-sponsored surveillance.
## Indicators of Compromise
- **Network indicators:** [REDACTED C2 Infrastructure - defanged] - Contact with known NSO Group infrastructure.
- **File indicators:** Forensic artifacts identified by Citizen Lab (e.g., specific process names and log entries associated with Pegasus).
- **Behavioral indicators:** Three Apple "Threat Notifications" sent to the user's Apple ID account.
## Response Actions
- **Containment measures:** Submission of the device for expert forensic audit.
- **Eradication steps:** Likely device replacement and credential reset for all associated accounts.
- **Recovery actions:** Verification of other committee members' devices for similar artifacts.
## Lessons Learned
- **Key takeaways:** High-profile targets often miss automated warnings (like Apple Threat Notifications) if they are not monitored by a central security team.
- **What could have been done better:** MEPs and sensitive committee members should undergo mandatory, periodic forensic device health checks rather than relying on individual vigilance.
## Recommendations
- **Prevention measures:**
- Implementation of "Lockdown Mode" on iOS devices for high-risk individuals.
- Centralized monitoring and response for vendor-sent threat notifications (Apple/Google).
- Regular "Digital Hygiene" audits for officials involved in sensitive investigations.
- Enhanced legislative pressure on commercial spyware vendors and the host nations that harbor them.