Introduction: When the Watchers Become the Watched
The European Parliament’s investigation into mercenary spyware was supposed to expose hidden abuses of surveillance technology across the continent. Instead, it has now become part of the very story it was trying to uncover. Former Greek Member of the European Parliament Stelios Kouloglou, serving directly within the PEGA Committee inquiry into Pegasus abuse, was himself targeted and infected with spyware during critical phases of parliamentary work. The revelations, confirmed through forensic analysis by Citizen Lab, expose a disturbing paradox: those tasked with investigating surveillance may have been surveilled in real time.
Summary of the Original Investigation: A Case That Hits the Core of EU Security
Citizen Lab confirmed that Kouloglou’s iPhone was compromised at least twice, first on October 21, 2022, and again between March 6–7, 2023. Both attacks occurred while he was actively involved in sensitive PEGA Committee deliberations. The infections are linked to NSO Group’s Pegasus spyware, a powerful surveillance tool associated with zero-click exploits and high-level government clients.
The findings suggest that confidential EU parliamentary discussions may have been exposed during ongoing legislative and investigative processes, raising concerns about institutional security, democratic integrity, and the protection of privileged political communications within the European Parliament.
Expanded Investigation Details: A Pattern Beyond a Single Device
Citizen Lab’s analysis revealed that the attack infrastructure does not point clearly to a single nation-state actor such as Greece. Instead, it indicates a more complex operational footprint. A key identifier, a HomeKit lookup email linked to the infection chain, matched earlier Pegasus targeting infrastructure previously documented in Europe.
This overlap connects the attack to broader Pegasus campaigns that have targeted journalists, activists, and political figures across multiple countries. The evidence suggests that a licensed NSO Group customer operating across jurisdictions may have deployed the spyware, reinforcing concerns that surveillance operations are not isolated incidents but part of a coordinated ecosystem of mercenary spyware usage.
Pegasus Infection Timeline: Targeted at Critical Political Moments
The October 2022 infection occurred during a sensitive phase of PEGA Committee work, shortly before key fact-finding missions. The March 2023 compromise aligned with intense final-report drafting sessions in Brussels, a period when internal discussions carried significant political weight.
These timelines suggest more than opportunistic hacking. Instead, they indicate strategic targeting designed to access privileged political intelligence at moments when it would be most valuable for influencing or anticipating EU investigative outcomes.
Technical Exploitation Chain: Zero-Click Intrusion and Silent Access
The attack leveraged the PWNYOURHOME exploit chain, a sophisticated zero-click method requiring no user interaction. It began with a malicious NSKeyedArchive object delivered via Apple’s HomeKit framework and escalated through MessagesBlastDoorService to execute payload delivery.
At the time, the affected device was running iOS 15.5, leaving it exposed to vulnerabilities later mitigated in iOS updates. The use of zero-click exploitation underscores the advanced capability of Pegasus spyware, particularly its ability to silently compromise devices without user awareness or engagement.
Apple Security Context: Delayed Awareness and Patch Gaps
Apple later patched components of the exploit chain, including vulnerabilities in HomeKit and messaging services. However, the case highlights a critical gap: delayed system updates combined with highly advanced exploit chains can create windows of opportunity for surveillance actors.
Kouloglou also reportedly received multiple Apple threat notifications in 2023 and 2024 warning of mercenary spyware targeting. However, he did not recall seeing them, raising questions about whether such warnings are effectively communicated or understood by high-risk individuals.
Surveillance During Vulnerability: A Hospitalization Window of Exposure
One of the most alarming aspects of the October 2022 infection is its timing. It occurred while Kouloglou was hospitalized for elective surgery, during a visit by journalist Thanasis Koukakis, himself previously targeted by Predator spyware.
This overlap raises the possibility that not only political communications but also sensitive health-related contexts may have been exposed. Such exposure could intersect with EU privacy protections and national healthcare confidentiality laws, amplifying the severity of the breach.
EU Institutional Risk: The PEGA Committee Under Surveillance
The fact that a sitting member of the PEGA Committee was compromised during its investigative work represents a direct institutional security failure. The committee was established specifically to investigate spyware abuse across Europe, including tools like Pegasus, developed by NSO Group.
The European Parliament, through its PEGA Committee, was meant to serve as a safeguard against exactly this type of intrusion. Instead, the investigation itself appears to have been partially exposed to the very threats it sought to regulate.
Broader Spyware Ecosystem: Beyond a Single Vendor
The case also exists within a wider surveillance ecosystem involving multiple commercial spyware vendors. Alongside Pegasus, tools such as Intellexa Predator have been linked to European surveillance controversies.
While no direct link to the Greek government was confirmed in this case, the infrastructure overlap suggests that mercenary spyware operations often transcend national boundaries, operating through licensed clients across different jurisdictions.
Human Rights and Democratic Integrity: The Core Concern
The targeting of lawmakers raises fundamental questions about democratic resilience. When elected officials investigating surveillance become surveillance targets themselves, the balance of power between institutions and private spyware vendors shifts dangerously.
Organizations like Citizen Lab and others have repeatedly warned that mercenary spyware undermines not only individual privacy but also institutional integrity, especially when deployed against political actors involved in oversight.
Institutional Response: Calls for Urgent Reform and Protection
Following the findings, researchers have called for immediate forensic screening of PEGA Committee members and staff. Recommendations include stronger device protection measures such as mobile lockdown modes, enhanced threat monitoring systems, and formal investigations by EU institutions.
The European Parliament and European Commission are now under pressure to reassess internal cybersecurity protocols to ensure that sensitive legislative processes are not exposed to external surveillance threats.
What Undercode Say:
The case signals a structural failure in EU institutional cybersecurity resilience
Zero-click spyware remains one of the most dangerous modern cyber intrusion methods
Political targeting of lawmakers undermines legislative independence
PEGA Committee exposure indicates insider-level intelligence compromise risk
Surveillance tools are evolving faster than regulatory countermeasures
Mercenary spyware creates a privatized intelligence ecosystem beyond state control
Infrastructure overlap suggests multi-jurisdiction surveillance coordination
Device patch latency remains a critical vulnerability window
Apple threat notifications lack behavioral effectiveness in real-world scenarios
Hospital or private life contexts are increasingly exploited attack windows
EU political investigations are no longer insulated from cyber threats
Intelligence gathering may now target oversight bodies directly
Zero-click exploits bypass traditional security hygiene entirely
HomeKit and messaging frameworks represent high-value attack surfaces
Spyware operators prioritize timing over brute-force persistence
Cross-border infrastructure hints at commercialized surveillance networks
Journalist-lawmaker overlap indicates ecosystem targeting clusters
Legislative confidentiality is no longer guaranteed digitally
Advanced spyware blurs line between intelligence and criminal intrusion
Political exposure risk increases during report drafting phases
Institutional trust is weakened by invisible data breaches
Cyber forensic attribution remains probabilistic, not absolute
EU cybersecurity policy may lag behind offensive capability evolution
Surveillance detection requires continuous real-time monitoring
Device compromise often persists undetected for months
Threat intelligence sharing between institutions remains limited
Spyware targeting is increasingly precision-based, not mass-based
Legislative oversight bodies are now strategic intelligence targets
Mobile devices remain weakest link in high-level security chains
Regulatory response cycles are slower than exploit development cycles
Pegasus ecosystem continues to evolve despite global scrutiny
Infrastructure reuse is a signature of persistent operators
Health-related contexts create additional privacy risk layers
Awareness gaps reduce effectiveness of official threat warnings
Institutional cybersecurity must expand beyond technical fixes
Human factors remain central to breach persistence
Mercenary spyware markets incentivize continuous innovation
EU governance systems require embedded digital protection layers
Transparency in spyware use remains politically contested
The Pegasus case is now a benchmark for democratic cyber risk
✅ Citizen Lab has previously documented Pegasus infections targeting journalists and political figures across Europe, supporting the broader context of the claim.
❌ Direct attribution of the attack to a specific NSO Group customer is not definitively proven; findings are based on infrastructure correlation, not confirmed identity.
⚠️ The infection timing and device vulnerability details are forensic conclusions, but exact operational intent cannot be independently verified beyond technical indicators.
Prediction:
(+1) Increased EU regulatory pressure will likely lead to stricter spyware export controls and internal parliamentary cybersecurity reforms. 🔐📉
(-1) Commercial spyware ecosystems like Pegasus and Predator may continue evolving faster than enforcement mechanisms, enabling ongoing political targeting risks. ⚠️🕵️
Deep Analysis: Cybersecurity Forensics & System Exposure
Linux / Network Investigation Commands
Check suspicious outbound connections:
    netstat -tupen | grep ESTABLISHED
Inspect DNS queries for anomalies:
    journalctl -u systemd-resolved --no-pager | tail -n 200
Analyze device compromise indicators (iOS backup extraction case):
    mkdir -p ./backup && idevicebackup2 backup ./backup
Search for suspicious HomeKit-related logs (conceptual):
    grep -ri "homekit" /var/log/
Review process-level anomalies:
    ps aux --sort=-%mem | head -n 20
Incident Response Framework
Identify zero-click entry vectors in messaging frameworks
Correlate timeline logs with political activity windows
Validate forensic artifacts from mobile device backups
Compare infrastructure fingerprints across campaigns
Cross-reference threat intelligence databases (IOCs)
Preserve chain-of-custody for legal admissibility
Perform memory and sandbox analysis of exploit payloads
Monitor HomeKit, iMessage, and Apple services telemetry
Validate OS patch level exposure windows
Conduct multi-jurisdiction attribution correlation
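The following is an added example, not part of the original article, of two steps from the list above: validating OS patch-level exposure windows and correlating event dates with activity windows. Only the two infection dates and the iOS 15.5 version come from the article; the OS update history, the minimum-version baseline and the activity calendar are constructed assumptions.

```python
from datetime import date

# Constructed device record: (install date, OS version). Only "15.5" is from the article.
OS_HISTORY = [(date(2022, 6, 1), "15.5"), (date(2023, 4, 10), "16.4.1")]
MIN_VERSION = "16.0"  # placeholder policy baseline, not a vendor-confirmed fix version

# Constructed activity windows (label, start, end) standing in for a committee calendar.
ACTIVITY_WINDOWS = [
    ("pre-mission preparation", date(2022, 10, 10), date(2022, 10, 31)),
    ("final-report drafting", date(2023, 3, 1), date(2023, 3, 20)),
]

# Infection dates as reported in the article.
EVENTS = [date(2022, 10, 21), date(2023, 3, 6), date(2023, 3, 7)]


def parse_version(v):
    """Turn '15.5' into (15, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def exposure_windows(history, min_version, until):
    """Return (start, end, version) spans during which the device ran below min_version."""
    floor = parse_version(min_version)
    ordered = sorted(history)
    spans = []
    for i, (start, version) in enumerate(ordered):
        end = ordered[i + 1][0] if i + 1 < len(ordered) else until
        if parse_version(version) < floor:
            spans.append((start, end, version))
    return spans


def correlate(events, exposures, windows):
    """For each event: the OS version if the device was exposed, plus overlapping windows."""
    rows = []
    for ev in sorted(events):
        version = next((v for s, e, v in exposures if s <= ev < e), None)
        labels = [name for name, s, e in windows if s <= ev <= e]
        rows.append((ev.isoformat(), version, labels))
    return rows


if __name__ == "__main__":
    spans = exposure_windows(OS_HISTORY, MIN_VERSION, until=date(2023, 12, 31))
    for row in correlate(EVENTS, spans, ACTIVITY_WINDOWS):
        print(row)
```

An event with a version of None occurred while the device met the baseline, and an empty label list means it fell outside every recorded activity window.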
Security Architecture Insight
The Pegasus case demonstrates that modern surveillance bypasses traditional perimeter security. Instead, exploitation occurs at the application layer, often inside trusted system services. This shifts cybersecurity defense from firewall-centric models to behavioral and telemetry-driven detection systems.
Strategic Implication
Future institutional defense will require embedded endpoint monitoring, continuous OS integrity validation, and AI-assisted anomaly detection capable of identifying zero-click patterns before full compromise occurs.
References:
Reported By: cyberpress.org




