13 Matching Annotations
  1. Jul 2021
    1. NSO Group rapidly shut down many of their Version 3 servers shortly after the Amnesty International and Citizen Lab’s publications on 1 August 2018.
    2. Pegasus is no longer maintaining persistence on iOS devices
    3. a random identifier tied to the attack attempt followed by the word "stadium".
    4. The Cache.db file for com.apple.coretelephony contains details about the HTTP response which appeared to have been a download of ~250kb of binary data
    5. We found traces of this HTTP request in a cache file stored on disk at /private/var/wireless/Library/Caches/com.apple.coretelephony/Cache.db containing metadata on the request and the response.
    6. In many cases the same iMessage account reoccurs across multiple targeted devices, potentially indicating that those devices have been targeted by the same operator
    7. configuration file located at /var/tmp/jb_cfg
    8. network usage databases contained records of a suspicious process called “bh”. This “bh” process was observed on multiple occasions immediately following visits to Pegasus Installation domains.
    9. iOS maintains records of process executions and their respective network usage in two SQLite database files called “DataUsage.sqlite” and “netusage.sqlite” which are stored on the device. It is worth noting that while the former is available in iTunes backup, the latter is not. Additionally, it should be noted that only processes that performed network activity will appear in these databases.
    10. Session Resource logs
    11. Safari’s Session Resource logs provide additional traces that do not consistently appear in Safari’s browsing history
    12. app-specific WebKit local storage, IndexedDB folders,

      Pegasus-ToDo

    13. For example, we could identify visits through Safari’s Favicon.db database, which was left intact by Pegasus

      Pegasus-ToDo