■■■■□ Seven things we learned from #WhatsApp vs. #NSO Group #pegasus spyware lawsuit.
https://techcrunch.com/2025/05/13/seven-things-we-learned-from-whatsapp-vs-nso-group-spyware-lawsuit/
https://techcrunch.com/2025/05/13/seven-things-we-learned-from-whatsapp-vs-nso-group-spyware-lawsuit/
TechCrunch
Eight things we learned from WhatsApp vs. NSO Group spyware lawsuit | TechCrunch
The landmark trial between WhatsApp and NSO Group unearthed several new revelations.
NoGoolag
■■■■□ Seven things we learned from #WhatsApp vs. #NSO Group #pegasus spyware lawsuit. https://techcrunch.com/2025/05/13/seven-things-we-learned-from-whatsapp-vs-nso-group-spyware-lawsuit/
■■■■□ Jewish NSO group Fallout.
NSO Group developed a specialized system called the WhatsApp Installation Server (WIS) to deploy its Pegasus spyware. This server sent malformed messages through WhatsApp's infrastructure, mimicking legitimate traffic. These messages exploited vulnerabilities in WhatsApp's code, causing target devices to reach out to NSO-controlled servers and install the spyware—all without user interaction.
To achieve this, NSO reverse-engineered WhatsApp, extracting and decompiling its code to craft messages that a standard client couldn't send. These techniques violated WhatsApp's Terms of Service and applicable laws.
NSO admitted to developing multiple exploit vectors, including Eden and Erised, which were part of a suite called Hummingbird. Notably, Erised was developed and used even after WhatsApp filed its lawsuit in 2019, continuing until WhatsApp implemented server-side patches in May 2020.
Additionally, NSO leased infrastructure from Amazon Web Services (AWS) starting in December 2018 to support its operations. AWS terminated these services in 2021 after being alerted to their misuse.
This case underscores the sophisticated methods employed by NSO to exploit communication platforms and the challenges in defending against such advanced threats.
NoGoolag
■■■■□ Jewish NSO group Fallout. NSO Group developed a specialized system called the WhatsApp Installation Server (WIS) to deploy its Pegasus spyware. This server sent malformed messages through WhatsApp's infrastructure, mimicking legitimate traffic. These…
■■■■□ NSO Fallout
Between April and May 2019, NSO Group's Pegasus spyware targeted 1,223 WhatsApp users across 51 countries. The distribution of victims by country is as follows:
Country Number of Victims
Mexico 456
India 100
Bahrain 82
Morocco 69
Pakistan 58
Indonesia 54
Israel 51
Spain 12
Netherlands 11
Hungary 8
France 7
United Kingdom 2
United States 1
The majority of these victims were journalists, human rights defenders, and members of civil society. Notably, 456 victims were in Mexico, highlighting the extensive reach of the spyware.
A visual map detailing the global distribution of these victims was published by Amnesty International and other research groups.
This data underscores the widespread misuse of Pegasus spyware against individuals in numerous countries.
NoGoolag
■■■■□ NSO Fallout Between April and May 2019, NSO Group's Pegasus spyware targeted 1,223 WhatsApp users across 51 countries. The distribution of victims by country is as follows: Country Number of Victims Mexico 456 India 100 Bahrain 82 Morocco 69 Pakistan…
■■■■■ Here's a full technical rewrite of the WhatsApp vs. NSO Group spyware case, focusing on CVE-2019-3568, its exploitation logic, and WhatsApp’s patch implementation:
➿➿
Remote, via malformed RTCP (Real-time Transport Control Protocol) packets sent during a WhatsApp voice call
Remote Code Execution (RCE) in WhatsApp process without user interaction (zero-click)
Android and iOS WhatsApp clients
➿➿
1. Target Surface
Exploit leverages the libSRTP-based VoIP stack, which handles RTCP packets used for session feedback and control in encrypted voice calls.
RTCP parsing logic failed to sanitize certain control fields, especially those related to extended report block lengths and payload types.
2. Exploit Algorithm Flow
1. Attacker initiates WhatsApp voice call to target (call never needs to be answered).
2. During SIP/VoIP session setup, attacker injects a malformed RTCP packet:
- Payload includes an extended report (XR) with a length field that causes heap corruption.
- The data pointer is shifted to point into a controlled heap region.
3. Heap spray is used prior to the call to fill memory with ROP gadgets or shellcode.
4. WhatsApp’s VoIP thread parses the corrupted RTCP payload:
- Triggers a buffer overflow
- Hijacks return address via overwritten heap metadata
5. Final stage loader downloads and injects the Pegasus spyware binary into user space.
➿➿
A lack of proper bounds checking in srtp_unprotect() when handling compound RTCP packet lengths.
Specifically, incorrect handling of:
block_length in XR headers
packet size mismatch vs actual read buffer
ASLR and DEP were bypassed using dynamic heap shaping and ROP chains tailored to the victim’s device/OS version.
➿➿
Patch Details (May 2019)
WhatsApp Patch Analysis
Introduced stricter validation in the VoIP media engine:
Validated block_length and total_length fields in RTCP/XR headers
Rejected malformed RTCP packets that exceeded expected control sizes
Recompiled the VoIP library with stack canaries, PIE, RELRO, and hardened malloc on Android and iOS
Moved critical parsing logic out of untrusted network threads into a sandboxed process (in newer versions)
Net Result
Fully blocked the RTCP overflow path
Rendered Pegasus’s existing payload delivery channel ineffective
Led NSO to shift to other attack chains (like the “Heaven” WhatsApp impersonation method)
➿➿
Tool Purpose
🤍WIS WhatsApp impersonator client (Heaven)
🤍Q&Q Toolset RTCP generator and packet modifier
🤍Pegasus Final payload with device takeover
🤍TraceStitch Heap layout prediction & ROP generator
➿➿
➿➿
CVE-2019-3568 – WhatsApp VoIP Stack RCEExploit Summary
CVE-ID: CVE-2019-3568
Vulnerability Type: Memory corruption – heap-based buffer overflow
Attack Vector:
Remote, via malformed RTCP (Real-time Transport Control Protocol) packets sent during a WhatsApp voice call
Impact:
Remote Code Execution (RCE) in WhatsApp process without user interaction (zero-click)
Platform:
Android and iOS WhatsApp clients
Patched:WhatsApp v2.19.134 (Android) and v2.19.51 (iOS), May 2019.
➿➿
Exploitation Logic
1. Target Surface
Exploit leverages the libSRTP-based VoIP stack, which handles RTCP packets used for session feedback and control in encrypted voice calls.
RTCP parsing logic failed to sanitize certain control fields, especially those related to extended report block lengths and payload types.
2. Exploit Algorithm Flow
1. Attacker initiates WhatsApp voice call to target (call never needs to be answered).
2. During SIP/VoIP session setup, attacker injects a malformed RTCP packet:
- Payload includes an extended report (XR) with a length field that causes heap corruption.
- The data pointer is shifted to point into a controlled heap region.
3. Heap spray is used prior to the call to fill memory with ROP gadgets or shellcode.
4. WhatsApp’s VoIP thread parses the corrupted RTCP payload:
- Triggers a buffer overflow
- Hijacks return address via overwritten heap metadata
5. Final stage loader downloads and injects the Pegasus spyware binary into user space.
➿➿
Vulnerability Root Cause
A lack of proper bounds checking in srtp_unprotect() when handling compound RTCP packet lengths.
Specifically, incorrect handling of:
block_length in XR headers
packet size mismatch vs actual read buffer
ASLR and DEP were bypassed using dynamic heap shaping and ROP chains tailored to the victim’s device/OS version.
➿➿
Patch Details (May 2019)
WhatsApp Patch Analysis
Introduced stricter validation in the VoIP media engine:
Validated block_length and total_length fields in RTCP/XR headers
Rejected malformed RTCP packets that exceeded expected control sizes
Recompiled the VoIP library with stack canaries, PIE, RELRO, and hardened malloc on Android and iOS
Moved critical parsing logic out of untrusted network threads into a sandboxed process (in newer versions)
Net Result
Fully blocked the RTCP overflow path
Rendered Pegasus’s existing payload delivery channel ineffective
Led NSO to shift to other attack chains (like the “Heaven” WhatsApp impersonation method)
➿➿
Notable Tools Used by NSO Group
Tool Purpose
🤍WIS WhatsApp impersonator client (Heaven)
🤍Q&Q Toolset RTCP generator and packet modifier
🤍Pegasus Final payload with device takeover
🤍TraceStitch Heap layout prediction & ROP generator
➿➿
Forensics Indicators
Malformed rtcp packets seen in logs: unusual XR block types and lengths.WhatsApp crash logs showing access violation in libwhatsapp.so VoIP thread.Outbound connections to AWS/Vultr endpoints post-exploitation.Forwarded from The Cradle
Israel to use facial recognition tech to 'screen' Palestinians in need of aid
The threat of total famine looms over the entirety of Gaza as a result of a months-long blockade imposed by Israel
The threat of total famine looms over the entirety of Gaza as a result of a months-long blockade imposed by Israel
Introducing oniux: Kernel-level Tor isolation for any Linux app
https://blog.torproject.org/introducing-oniux-tor-isolation-using-linux-namespaces/
https://blog.torproject.org/introducing-oniux-tor-isolation-using-linux-namespaces/
blog.torproject.org
Introducing oniux: Kernel-level Tor isolation for any Linux app | Tor Project
Introducing oniux: Kernel-level Tor isolation for any Linux app. This torsocks alternative uses namespaces to isolate Linux applications over the Tor network and eliminate data leaks.
Share this info out to as many channels as you can.
Give send go link: https://www.givesendgo.com/Dries
PO tweet: https://x.com/DVanLangenhove/status/1922994733149729101
Give send go link: https://www.givesendgo.com/Dries
PO tweet: https://x.com/DVanLangenhove/status/1922994733149729101
Forwarded from 🇵🇸 Automated Apartheid in Palestine
🇵🇸 At least 120 Palestinians, most of them children, have been killed since dawn on Thursday in deadly Israeli attacks targeting crowded residential areas, tents, a clinic, and civilian gatherings across the #Gaza Strip.
https://qudsnen.co/one-of-the-deadliest-days-over-120-palestinians-killed-in-israeli-strikes-across-gaza/
15/05/2025
Video source @eyesonpal
#Palestine #oPt #Genocide
https://qudsnen.co/one-of-the-deadliest-days-over-120-palestinians-killed-in-israeli-strikes-across-gaza/
15/05/2025
Video source @eyesonpal
#Palestine #oPt #Genocide
Forwarded from 🇵🇸 Automated Apartheid in Palestine
🇵🇸 On Nakba Day, we release the first English translation of Basil al-Araj’s essay “The Wounded Memory of the Nakba”. In harrowing detail, it describes several theaters of #extermination during the #Zionist #colonization of Palestine in 1947-49.
https://newyorkwarcrimes.com/the-wounded-memory-of-the-nakba
Translated by Alex Jreisat, the text was generously provided by Safarjal Press, who in consultation with al-Araj’s family and friends have edited a full English translation of al-Araj’s I HAVE FOUND MY ANSWERS (2018), where this essay was first published in Arabic.
Find an excerpt in print with the latest issue of the New York War Crimes—the #Nakba Day edition, or download the full issue here:
https://newyorkwarcrimes.com/print-issue-vol-ii-no-17
Via @PopularUniversity 4 Gaza
https://newyorkwarcrimes.com/the-wounded-memory-of-the-nakba
Translated by Alex Jreisat, the text was generously provided by Safarjal Press, who in consultation with al-Araj’s family and friends have edited a full English translation of al-Araj’s I HAVE FOUND MY ANSWERS (2018), where this essay was first published in Arabic.
Find an excerpt in print with the latest issue of the New York War Crimes—the #Nakba Day edition, or download the full issue here:
https://newyorkwarcrimes.com/print-issue-vol-ii-no-17
Via @PopularUniversity 4 Gaza