Knock, knock: Why the recent announcement about a mobile spyware leak was fake

Background: Recently, a Telegram account announced the publication of source code related to a mobile spyware product. Before drawing any final conclusions, it is important to understand that this announcement was made in the context of various geopolitical conflicts. In addition, we face two challenges: identifying the source and researching the package itself.

Research: The package contained several files, including PDFs and source code. First, the PDF: it is a previously leaked document related to spyware, which is quite old and has been seen before. The next file is a 7z archive named "pegasus n.s.o". On review, the tool inside is open-source and freely available; it has no connection with the actual mobile spyware vendor's product. Other files were Windows tooling associated with open-source RATs.


Another file was a malicious (weaponized) sample, but it has been freely available since 2018.
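The package research described above boils down to three repeatable steps: inventory every file, fingerprint it by content rather than by name, and check each fingerprint against material that was already public. The script below is an added example (not code from the original write-up) that does exactly that over a constructed stand-in package; the file names, bytes and the "previously seen" index are all made up for the demonstration and are not the real leak files or their hashes.

```python
"""Triage a purported 'leak' package: inventory, fingerprint, and flag
anything that was already published. Added example with constructed data."""
import hashlib
import tempfile
from pathlib import Path

# Magic-byte prefixes for the file kinds the package contained.
# Classifying by content avoids being misled by a suggestive file name.
MAGIC = {
    b"%PDF-": "pdf",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"MZ": "pe",          # Windows executable / DLL
    b"PK\x03\x04": "zip",
}


def sniff_type(head: bytes) -> str:
    """Classify a file by its leading bytes rather than its extension."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def inventory(root: Path) -> list[dict]:
    """Walk the unpacked package and record path, size, type and SHA-256."""
    rows = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        rows.append({
            "path": path.relative_to(root).as_posix(),
            "size": len(data),
            "type": sniff_type(data[:8]),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return rows


def mark_previously_seen(rows: list[dict], known: dict[str, str]) -> list[dict]:
    """Attach the provenance label of any file whose hash is already known."""
    for row in rows:
        row["previously_seen"] = known.get(row["sha256"])
    return rows


def assess(rows: list[dict]) -> str:
    """Summarize how much of the package is recycled material."""
    total = len(rows)
    recycled = sum(1 for r in rows if r["previously_seen"])
    if total == 0:
        return "empty package"
    if recycled == total:
        return "all files previously published: likely a repackaged old dump"
    if recycled:
        return f"{recycled}/{total} files previously published: partial rehash, inspect the rest"
    return "no overlap with known material: warrants deeper analysis"


def build_sample_package() -> tuple[Path, dict[str, str]]:
    """Constructed stand-in for the leak package (not the real files)."""
    root = Path(tempfile.mkdtemp(prefix="leak_triage_"))
    pdf = b"%PDF-1.4\n% constructed placeholder document\n"
    archive = b"7z\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 24
    exe = b"MZ" + b"\x90" * 62
    (root / "leaked_document.pdf").write_bytes(pdf)
    (root / "pegasus n.s.o.7z").write_bytes(archive)
    (root / "win").mkdir()
    (root / "win" / "tool.exe").write_bytes(exe)
    # Constructed "previously seen" index: hash -> where it was seen before.
    known = {
        hashlib.sha256(pdf).hexdigest(): "document circulated in an earlier public dump (constructed label)",
        hashlib.sha256(archive).hexdigest(): "open-source project archive (constructed label)",
    }
    return root, known


def triage_sample() -> tuple[list[dict], str]:
    """Run the full triage over the constructed package."""
    root, known = build_sample_package()
    rows = mark_previously_seen(inventory(root), known)
    return rows, assess(rows)


if __name__ == "__main__":
    rows, verdict = triage_sample()
    for r in rows:
        print(f"{r['path']:<22} {r['type']:<8} {r['sha256'][:16]}  {r['previously_seen'] or '-'}")
    print(verdict)
```

In real use, the `known` index would be populated from hashes of earlier public dumps and open-source releases; the point of the exercise is that a package whose every file already has a known public origin carries no evidence of a new leak, regardless of what its file names claim.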

Conclusion: Based on the current analysis, the package presented as a new leak consists of material that is quite old. Confidence that this is a genuine, previously unpublished leak is low; it is likely a false alarm.