Pegasus Spyware Targeted EU Lawmaker Investigating Surveillance Abuse

A new investigation has revealed that former Member of the European Parliament (MEP) Stelios Kouloglou was repeatedly infected with the notorious Pegasus spyware while serving on a parliamentary committee responsible for investigating the misuse of commercial surveillance technologies across the European Union.

Forensic analysis of Kouloglou’s iPhone suggests attackers may have gained access to sensitive committee documents, internal discussions, and other confidential information during the investigation into spyware abuse.

Spyware Attack Targeted Investigator

Kouloglou served on the European Parliament’s PEGA Committee, a special body established in March 2022 to investigate the use of Pegasus and similar surveillance tools by EU member states and other governments.

The committee examined whether commercial spyware had been deployed in ways that violated fundamental rights, privacy protections, and democratic principles.

Investigators discovered evidence indicating Kouloglou’s iPhone was compromised on multiple occasions between October 2022 and March 2023 while he was actively participating in the committee’s work.

Pegasus Exploited Apple’s HomeKit Vulnerability

The forensic investigation indicates the attacks likely relied on a zero-click exploit, internally referred to as PWNYOURHOME, that targets Apple’s HomeKit framework.

The vulnerability allowed Pegasus to infect devices without requiring any interaction from the victim. Apple later fixed the flaw in iOS 16.3.1.

Researchers identified spyware activity occurring around:

  • October 21, 2022
  • March 6, 2023
  • March 7, 2023

At the time of the compromises, Kouloglou’s device was reportedly running iOS 15.5.

Apple Issued Multiple Spyware Warnings

Analysis of the device also revealed that Apple sent spyware threat notifications to Kouloglou on three separate occasions:

  • March 2, 2023
  • August 29, 2023
  • April 10, 2024

These notifications are typically issued when Apple detects activity consistent with attacks carried out using highly sophisticated commercial spyware.

Timing Raises Serious Concerns

The first confirmed infection occurred while Kouloglou was hospitalized for elective surgery.

During that period, he received a visit from Greek investigative journalist Thanasis Koukakis, who had previously been targeted with Predator spyware and had testified before the PEGA Committee only weeks earlier.

The second wave of infections coincided with intensive discussions surrounding the committee’s final report and public hearings, just months before lawmakers adopted the PEGA Committee’s first official findings.

Researchers note that this is the first publicly confirmed case of a PEGA Committee member being infected with Pegasus while actively serving on the committee investigating spyware abuses.

Links to Previous European Pegasus Campaigns

Investigators also identified technical similarities between Kouloglou’s infection and an earlier Pegasus campaign targeting Russian- and Belarusian-speaking journalists, activists, and political dissidents living across Europe.

One of the strongest indicators is the reuse of the same email address associated with Pegasus infrastructure during both operations.

Researchers believe this suggests the attacks were carried out by the same Pegasus operator or by customers with authorization to conduct surveillance across multiple European countries.

No public evidence currently attributes the attacks to a specific government.

Growing Concerns Over Commercial Spyware

The findings add to ongoing concerns about the misuse of commercial surveillance software originally marketed for investigating terrorism, organized crime, and child exploitation.

Instead, numerous investigations have documented spyware being used against journalists, politicians, opposition figures, lawyers, human rights defenders, and civil society organizations.

Cellebrite Tools Also Used in Political Investigation

The disclosure follows another recent investigation involving digital forensic tools produced by Cellebrite.

Researchers found that Russian authorities used Cellebrite’s Universal Forensic Extraction Device (UFED) to access the iPhone of detained opposition activist Andrey Pivovarov in 2021.

Investigators reported that officials searched the seized device for information relating to opposition organizations, political figures, and human rights activists.

Some of those individuals were later targeted in phishing campaigns linked to the Russian state-aligned hacking group COLDRIVER, raising concerns that data extracted from the device may have supported subsequent surveillance operations.

Telecom Infrastructure Also Being Exploited

In a separate investigation, researchers uncovered two long-running surveillance campaigns abusing weaknesses in global telecommunications infrastructure to secretly track mobile users.

Unlike traditional spyware attacks, these operations required no malware installation on victims’ devices.

One campaign used specially crafted SMS messages containing hidden commands to transform phones into covert location trackers.

The second exploited long-known weaknesses in the SS7 and Diameter signaling protocols, enabling attackers to determine a target’s location directly through mobile network infrastructure.

Researchers also identified three telecommunications providers whose networks were allegedly abused as transit points for these surveillance activities:

  • 019Mobile
  • Airtel Jersey
  • Tango Networks UK

According to the report, attackers manipulated telecom signaling protocols and spoofed network identities to conceal their activity and evade detection.

Final Thoughts

The latest findings highlight the expanding role of commercial surveillance technologies in targeting politicians, journalists, activists, and government officials.

The repeated compromise of a lawmaker investigating spyware abuse underscores the growing challenges governments and institutions face in protecting sensitive communications. Combined with emerging abuses of telecom infrastructure and forensic extraction tools, the report paints a concerning picture of how advanced surveillance capabilities continue to evolve beyond their intended law enforcement purposes.
