Forensic Investigation Reveals Pegasus Spyware Compromise of MEP Stelios Kouloglou

On July 3, 2026, Citizen Lab published a comprehensive forensic report documenting the unauthorized infection of former Greek Member of the European Parliament (MEP) Stelios Kouloglou with NSO Group’s Pegasus spyware while he was serving on the European Parliament’s Committee of Inquiry into the use of Pegasus and similar surveillance tools (the PEGA Committee). The compromise occurred during critical phases of the committee’s investigative work, potentially exposing confidential deliberations and sensitive policy discussions.

Technical Details of the Infection

  • Infection Dates: October 21, 2022, and March 6‑7, 2023.
  • Device Configuration: iPhone running iOS 15.5 at the time of infection.
  • Delivery Mechanism: A zero‑click exploit chain leveraging Apple’s HomeKit and iMessage infrastructure, specifically through a malicious NSKeyedArchive payload delivered via HomeKit.

Indicators of Compromise

The initial compromise was linked to a suspicious HomeKit lookup associated with the email address rauharepo888[@]gmail.com. Subsequent Pegasus activity over mobile data further corroborated a silent, zero‑click intrusion. These indicators align with known Pegasus tactics, including the exploitation of trusted system components to avoid alerting the user.

Exploit Chain Overview

1. Delivery: A malicious NSKeyedArchive file was injected into the device’s secure storage via HomeKit.
2. Execution: The payload was executed without user interaction, leveraging vulnerabilities in Apple’s MessagesBlastDoorService to establish a persistent foothold.
3. Persistence: Pegasus used the MessagesBlastDoorService to retain access across device reboots and to keep communication channels open to the command‑and‑control infrastructure.

Timeline Correlation with Committee Activities

The first infection occurred just days before a series of high‑profile hearings on spyware regulation and the final drafting of the PEGA Committee’s report. This timing suggests an intent to access internal communications, draft documents, and strategy discussions before they were finalized. The second infection, on March 6‑7, 2023, coincided with intense deliberations on the committee’s conclusions and with Kouloglou’s presence in Brussels, raising the concern that real‑time monitoring of the legislative process may have been possible.

Related Threat Notifications

Between 2023 and 2024, Apple issued multiple threat notifications to Kouloglou warning of mercenary spyware activity. However, these alerts were not noticed by the victim, highlighting usability deficiencies in current threat notification systems.

Infrastructure Overlap and Attribution

Analysis of device identifiers revealed repeated use of the rauharepo888[@]gmail.com address across multiple Pegasus campaigns. This identifier has been associated with prior attacks targeting Russian and Belarusian exiled journalists and activists across Europe, indicating a common operator with cross‑jurisdictional operational authorization. No evidence directly ties the attacks to the Greek government.

Broader Implications

Security researchers caution that this case represents the first confirmed instance of a PEGA Committee member being compromised while actively investigating spyware abuses. Earlier incidents have targeted other MEPs using similar commercial surveillance tools. The breach underscores systemic risks posed by unregulated commercial spyware to democratic oversight mechanisms throughout the European Union.

Recommendations

  • Perform comprehensive forensic screening of devices used by MEPs and parliamentary staff.
  • Deploy enhanced cybersecurity measures, such as mobile lockdown modes and regular application of security patches.
  • Establish formal investigations by EU institutions into the procurement and use of Pegasus and similar tools.
  • Improve threat detection reporting and foster coordinated defensive strategies among European governmental bodies.

This incident highlights the growing threat posed by mercenary spyware not only to journalists and activists but also to lawmakers themselves, potentially undermining the integrity of democratic processes at the highest levels.
