Pegasus Spyware Re-Targets EU Parliamentarian: Stelios Kouloglou Hacked via PWNYOURHOME Zero-Click Chain While Investigating Spyware Abuse on PEGA Committee — Threadlinqs Intelligence
Threat ID: TL-2026-1193 · Severity: HIGH · Status: ACTIVE · Category: SURVEILLANCE
Attribution: NSO Group Pegasus customer · ESPIONAGE
Citizen Lab forensics confirmed that former Greek MEP and journalist Stelios Kouloglou's iPhone was infected with NSO Group's Pegasus spyware on October 21, 2022 and again on March 6-7, 2023, while he
On July 3-4, 2026, the Citizen Lab published forensic findings that Stelios Kouloglou -- a former investigative journalist and Greek Member of the European Parliament (2014-2023) who served as a substitute member of the Parliament's Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA Committee) from March 24, 2022 to July 18, 2023 -- was infected twice with NSO Group's Pegasus spyware on his personal iPhone (running iOS 15.5, build 19F77).
The first infection occurred on October 21, 2022 at 10:16 AM while Kouloglou was in a Greek hospital undergoing elective surgery. Forensic artifacts show a HomeKit-directed email lookup for the attacker-controlled address rauharepo888@gmail.com immediately preceded a Pegasus process consuming mobile data, consistent with NSO Group's PWNYOURHOME zero-click exploit chain: a specially crafted NSKeyedArchive payload is sent to Apple's HomeKit daemon (homed), a deserialization anomaly and Pointer Authentication Code (PAC) bypass are used to gain initial code execution, and a second-stage payload is subsequently routed through MessagesBlastDoorService (iMessage) to escape the BlastDoor sandbox and ultimately launch Pegasus via the mediaserverd process. Apple mitigated the HomeKit component in iOS 16.3.1 (adding a `_shouldDecodeMessage:error:` validation method) and the MessagesBlastDoorService component earlier, likely in iOS 16.1. This first infection occurred ten days before a scheduled November 1-4, 2022 PEGA Committee delegation visit to Cyprus and Greece, during preparation for October 26-27 hearings, and while the first PEGA draft report (delivered November 8, 2022) was circulating among committee members.
The second infection occurred in a window from March 6, 09:49 to March 7, 07:30, 2023, after Kouloglou traveled from Athens to Brussels on March 6; Citizen Lab assessed it as "likely linked to the same exploit" as the October 2022 incident. This coincided with intensive PEGA Committee final-drafting discussions roughly two months ahead of the May 8, 2023 adoption of the first PEGA report, and overlapped with PEGA Rapporteur MEP Sophie in 't Veld's concurrent LIBE Committee mission to Greece (March 6-8, 2023). Apple separately issued Kouloglou three threat notifications -- March 2, 2023, August 29, 2023, and April 10, 2024 -- none of which he recalled receiving, illustrating gaps in state-sponsored-attacker notification delivery and awareness.
Citizen Lab could not attribute either infection to a specific NSO Group customer, but found no evidence implicating the Greek government (which has no known NSO Group license and has been separately and extensively documented abusing Intellexa's Predator spyware against journalists and politicians). Instead, the same attacker email artifact (rauharepo888@gmail.com) matches "Email 1" identified in Citizen Lab and Access Now's May 2024 joint report, "By Whose Authority? Pegasus Targeting of Russian & Belarusian-Speaking Opposition Activists and Independent Media in Europe," which documented hacking between August 2020 and January 2023 of seven Russian- and Belarusian-speaking exiled journalists and opposition activists based in Latvia, Poland, and Lithuania -- including Novaya Gazeta Europe director Maria Epifanova (infected August 2020, the earliest known Pegasus use against Russian civil society), Charter97.org editor Natallia Radzina (infected twice in December 2022 and once in January 2023), RFE/RL journalist Evgeny Pavlov (targeted November 2022 and April 2023), RFE/RL journalist Evgeny Erlikh, and Belarusian opposition politician Andrei Sannikov (infected September 7, 2021). Because the confirmed infections span both Greek and Belgian jurisdictions, Citizen Lab assesses "the customer had a license that enabled infections in multiple EU jurisdictions."
PWNYOURHOME is one of three novel zero-click iOS exploit chains Citizen Lab documented resurfacing in NSO Group's 2022 arsenal (detailed in the April
Weaknesses (CWE)
CWE-502, CWE-284, CWE-451
Target sectors: government administration, news - media, civil society, human-rights, legal
Target regions: greece, belgium, European Union, latvia, poland, lithuania, russia, belarus
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 22 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans.
SURVEILLANCE, HIGH, threat intelligence, cybersecurity, T1589, T1583, T1588, T1584, T1190, T1203, T1068, T1211, T1027, T1543