Sarwent-based attacks have been active since at least January of this year and have targeted a wide range of victim profiles across a number of countries.
The lure used in earlier attacks is unknown at this time. However, Cisco Talos researchers recently discovered a new attack in which Sarwent was delivered through a fake Amnesty International website offering a supposed anti-Pegasus antivirus.
By giving the malware a convincing graphical user interface, the threat actor tried to make the infection look like a legitimate antivirus product.
The choice of disguise suggests the actor is trying to deceive people who are worried that Pegasus spyware may have compromised their devices.
Although there is no sign of a large-scale effort, Talos's analysis of the domains in this campaign "shows that the first domains are being accessed worldwide."
Looking at the C2 [command and control] domains’ volume, we can see a much narrower distribution country-wise, with an even lower volume.
The virus primarily targeted users in the United Kingdom, according to data from the