Malware pretending to be Amnesty International antivirus for Pegasus discovered
Victims fearing Pegasus spyware targeted in a new malware campaign


Hackers are pretending to be human rights organization Amnesty International to target users with a fake anti-spyware product in a new malware campaign.
Victims were duped into downloading malware they thought was protection against NSO Group’s Pegasus spyware, according to security researchers at Cisco Talos.
Amnesty International recently published a report on the widespread use of Pegasus to target international journalists and activists. Hackers capitalized on this by setting up a fake website that looked like Amnesty International's and linked to an antivirus tool to protect against Pegasus. However, the download installs the little-known Sarwent malware.
Cisco Talos researchers Vitor Ventura and Arnaud Zobec said that Sarwent, a remote access tool (RAT), opens a backdoor on the victim machine. It can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly.
“We believe this campaign has the potential to infect many users given the recent spotlight on the Pegasus spyware. In addition to Amnesty International's report, Apple recently released a security update for iOS that patched a vulnerability attackers were exploiting to install Pegasus. Many users may be searching for protection against this threat at this time,” the researchers said.
Researchers were highly confident the hackers behind the campaign are Russian and have been running Sarwent-based attacks on a variety of victims since January 2021. They also said they were uncertain about the actor’s intentions.
“The use of Amnesty International's name, an organization whose work often puts it at odds with governments around the world, as well as the Pegasus brand, a malware that has been used to target dissidents and journalists on behalf of governments, certainly raises concerns about who exactly is being targeted and why,” said researchers.
Investigations failed to find supporting data to make clear whether this is a financially motivated actor using headlines to gain new access, or a state-supported actor going after targets who are rightfully concerned about the threat Pegasus presents to them.
Researchers concluded that while it may seem like an actor trying to gather some easy-to-monetize information, some aspects, such as the level of customization with the RAT, intentionally misleading information, and the low volume of targets, indicate this may be a more advanced actor without financial motivation.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.