New Pegasus Scanner Used to Infect Windows

The spyware mimics the behavior pattern of a real antivirus program designed to check the system for Pegasus traces and remove them.

Sarwent-based assaults have been active since at least January of this year, and have targeted a wide range of victim profiles in a number of countries.

What Happened?

The bait employed in previous attacks is unknown at this time, however, Cisco Talos researchers recently discovered a new assault in which Sarwent was delivered via a phony Amnesty International website selling Anti-Pegasus AV.

By creating a suitable graphical user interface, the threat actor attempted to make the infection appear to be a real antivirus.

The actor’s decision of disguise suggests that he is attempting to deceive people concerned about Pegasus malware infiltrating their devices.

Although there is no sign of a large-scale effort, a study of the domains in this campaign “shows that the first domains are being accessed worldwide,” according to an analysis of the domains in this campaign.

Looking at the C2 [command and control] domains’ volume, we can see a much narrower distribution country-wise, with an even lower volume.


The virus primarily targeted users in the United Kingdom, according to data from the

Read More: