Bezbedan Balkan
Two BIRN journalists targeted by Pegasus spyware




Two BIRN journalists targeted by Pegasus spyware - milos_rs - 03-27-2025

A forensic analysis by Amnesty International has confirmed that two BIRN journalists were targets of an unsuccessful attempt to install the powerful Israeli spyware Pegasus on their phones. A message in Serbian, containing an infected link, was sent via Viber from a number registered with Telekom Srbija.

   

Other media reports:

N1: Two BIRN journalists targeted by spyware: Attackers used a fake N1 page

Amnesty ENG: Serbia: BIRN journalists targeted with Pegasus spyware

Amnesty SRB: Serbia: BIRN journalists targeted by Pegasus spyware


RE: Two BIRN journalists targeted by Pegasus spyware - milos_rs - 03-27-2025

There is also a Technical Briefing: Journalists targeted with Pegasus spyware

Quote: The journalists received suspicious messages on the Viber messaging app from an unknown phone number. Both Viber messages were sent by the same Serbian phone number, +381659940263, which is assigned to Telekom Srbija, a Serbian state-owned telecommunications operator. After suspecting that these Viber messages were an attempt to install spyware on their phones, the journalists reached out to Amnesty International’s Security Lab for support.

Amnesty International has determined with high confidence that the domain contained in the link is associated with NSO Group’s Pegasus spyware. The determination was based on evidence gathered by Amnesty International as part of our multi-year investigation into the misuse of NSO Group’s Pegasus spyware and other forms of highly invasive spyware which poses a risk to civil society.

When opened by Amnesty International investigators in a secure environment, the Pegasus infection link redirected to a decoy page at https://n1info.com, another Serbian media website. We note that a previous Pegasus 1-click attack attempt targeting a Serbian protest leader in July 2023 also redirected to the same media website (see “A Digital Prison” report).

We believe the continued use of n1info.com as a decoy domain for expired or failed Pegasus infection links, alongside the use of a Serbian language domain name, is indicative of the attacks being carried out by a single Serbian Pegasus customer who is using a consistent and repeated attack methodology.

Amnesty International concludes that there is a strong likelihood that one or more Serbian state actors, or agents acting on their behalf, were involved in this recent use of NSO Group’s Pegasus spyware to target the two investigative journalists in Serbia. It is of concern that NSO Group seems to have continued to make the Pegasus spyware available for use in Serbia despite two previous Amnesty International reports documenting the misuse of the Pegasus spyware in the country.

Quote: How Serbian civil society can identify possible Pegasus attacks

Pegasus spyware can be installed through zero-click attacks, which don’t require user action, and 1-click attacks, which require action from the target to enable the infection of their device, typically the opening of a malicious link.

Various social engineering techniques are used to trick the target into opening the link, including spoofing legitimate websites or news articles. If clicked on, the attack link loads an exploit chain to first compromise the web browser and ultimately install the spyware agent on the target device. The links are most often sent over messenger apps such as WhatsApp, SMS, Signal or Viber.

Amnesty International has observed multiple Pegasus infection attempts in Serbia where the Pegasus operator used a Viber or WhatsApp account registered with a Telekom Srbija phone number. In each case, the attacker messaged the target with an enticing message and a link pretending to be a news article.

At the bottom of the article is this screenshot:

   

This is the case that I speculatively attributed to Pegasus, and now we have confirmation that it really was that: Potential evidence that Serbia is using commercial spyware?