NSO Group’s Pegasus spyware detected in attacks against Moroccan journalist, activist

Similar spyware attacks have been detected against critics of the Mexican and Saudi governments.

Hackers potentially working on behalf of a foreign government have targeted Moroccan human rights advocates with malicious software built by NSO Group, a controversial spyware vendor, according to Amnesty International.

Since 2017, journalist Maati Monjib and Abdessadak El Bouchattaoui, an attorney who has protested the Moroccan government’s security forces, have repeatedly received malicious links and browser redirections that, if trusted, would install the Pegasus malware, Amnesty found. It’s the latest allegation that NSO Group provided Pegasus to a customer that used it for more than combating terrorism and crime. The software allows attackers to take almost total control of an affected phone.

Human Rights Watch has documented a list of government efforts to obstruct reform in Morocco, including prison sentences for people who have “harmed” the monarchy there or insulted Islam. El Bouchattaoui, one of the activists whose experience was detailed by Amnesty, was sentenced to two years in prison for internet posts criticizing authorities’ use of excessive force during demonstrations in 2017.

“Surveillance is a type of punishment,” he said in a statement from Amnesty. “You can’t behave freely. It is part of their strategy to make you suspect you’re being watched so you feel like you’re under pressure all the time.” Pegasus users can track calls, collect username and password credentials, find the infected device’s location and assume other details.


Amnesty did not definitively tie the attacks to the Moroccan government. Israel-based NSO Group consistently has said it does not operate the Pegasus spyware, but that it only licenses it to closely vetted government customers. The tool previously has been aimed against journalists in Mexico, Saudi dissidents and Amnesty’s own researchers.

“As per our policy, we investigate reports of alleged misuse of our products,” an NSO Group spokesperson said. “If an investigation identifies actual or potential adverse impacts on human rights, we are proactive and quick to take the appropriate action to address them. This may include suspending or immediately terminating a customer’s use of the product, as we have done in the past.”

In this case, the messages targeting El Bouchattaoui were sent during Hirak El-Rif, a series of mass demonstrations two years ago. The messages appeared to be automated spam texts, directing the recipient to click the link in order to stop receiving them. The attacks against Monjib relied on a different tack, redirecting his desktop internet browser to malicious links that masqueraded as legitimate websites like Yahoo.

“Network injection attacks, like those we described in our report, are difficult to identify and prevent, even for the most tech-savvy and privacy conscious human rights defenders,” said Claudio Guarnieri, head of Amnesty’s security lab. “There are no SMS messages, no links to be clicked. The attack happens transparently and, at best, the victim might only experience an application crash, which are not uncommon.”

This story has been updated to include comment from NSO Group. 

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.
