Targeted Exploitation During Sensitive Hearings
Researchers from Citizen Lab have uncovered that a former Member of the European Parliament, Stelios Kouloglou, had his iPhone repeatedly infected with NSO Group’s Pegasus spyware while he served on a committee investigating the abuse of commercial spyware. The digital attacks occurred in October 2022 and March 2023, during his tenure on the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware, known as the PEGA Committee. Forensic analysis of his device, conducted in May 2026, revealed that the attackers potentially gained access to confidential documents and internal committee deliberations.
The first infection on October 21, 2022, exploited a zero click vulnerability in Apple’s HomeKit software, an issue that Apple later addressed in iOS 16.3.1. At the time of the attacks, Kouloglou’s device was still running iOS 15.5. A second wave of Pegasus activity was detected on March 6 and 7, 2023, coinciding with intense final drafting discussions and hearings within the committee. This marks the first publicly identified case of a PEGA Committee member being victimized by the very spyware their committee was tasked to investigate.
Operator Attribution and Broader Campaign
Citizen Lab has not formally attributed the attacks to any specific government, though they found no evidence implicating the Greek government. The investigation identified a crucial link between the October 2022 infection and a prior surveillance campaign targeting Russian and Belarusian speaking exiled journalists and activists in Europe. This connection was established through the use of a specific email address used in the infection chain, suggesting that a single Pegasus operator with authorization to conduct surveillance across multiple European countries is likely responsible.
The researchers noted that based on NSO Group’s licensing structure, the ability to infect targets in several EU jurisdictions significantly narrows the list of possible government customers behind the operation. The findings underscore ongoing concerns about how commercial spyware, marketed for counterterrorism and fighting serious crime, is frequently repurposed to target journalists, dissidents, and lawmakers. The development also follows recent Citizen Lab revelations about Russian authorities using Cellebrite forensic tools to access the iPhone of a detained opposition activist, further highlighting the global reach and misuse of surveillance technology.
Source: The Hacker News
