ctipilot.ch

Pegasus infection of PEGA-Committee MEP Stelios Kouloglou

incident · incident:pegasus-mep-kouloglou-pega-committee-2026

Citizen Lab forensic confirmation (2026-07-03) that former MEP Stelios Kouloglou's iPhone was infected twice with NSO Group's Pegasus spyware (Oct 2022 via PWNYOURHOME zero-click HomeKit→BlastDoor chain, and Mar 2023) while he served on the European Parliament's PEGA spyware-inquiry committee; unattributed but overlaps a Pegasus operator also targeting Russian/Belarusian-speaking exiles in Europe.

Aliases: Kouloglou Pegasus hack, PEGA Committee Pegasus targeting

Coverage summary

  • Coverage timeline: 1 (first 2026-07-03 → last 2026-07-03)
  • Entries: 1 (1 distinct day)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-07-03 · Citizen Lab: a European Parliament spyware-inquiry member was himself infected twice with Pegasus
    research · Citizen Lab confirms Pegasus infected a PEGA-Committee MEP via the PWNYOURHOME zero-click chain

Where this entity is cited

  • research: 1

Source distribution

  • citizenlab.ca: 1 (50%)
  • therecord.media: 1 (50%)

Entries about Pegasus infection of PEGA-Committee MEP Stelios Kouloglou (1)

2026-07-03

Citizen Lab: a European Parliament spyware-inquiry member was himself infected twice with Pegasus

notable · research · discovered 2026-07-03 18:25 UTC

Citizen Lab published a forensic report confirming, with high confidence, that the iPhone of Stelios Kouloglou, a former MEP who sat on the European Parliament's PEGA committee (the inquiry into commercial-spyware abuse), was infected with NSO Group's Pegasus on two occasions, around 21 October 2022 and 6–7 March 2023, while the device ran iOS 15.5 (Citizen Lab, 2026-07-03). The 2022 infection used the PWNYOURHOME zero-click chain: a specially crafted NSKeyedArchive object landing in the HomeKit daemon, followed by malicious content processed by MessagesBlastDoorService (iMessage's sandboxed attachment parser), a distinct path from earlier NSO chains that abused iMessage directly.

Citizen Lab does not attribute the intrusion to any government and explicitly found no indication of Greek-government responsibility, but notes the targeting infrastructure overlaps a previously documented Pegasus campaign against Russian- and Belarusian-speaking exiled journalists and opposition figures in Europe, suggesting a single Pegasus customer with multi-country authorization (The Record, 2026-07-03). Because Kouloglou sat on the committee scrutinising exactly this abuse, the operator would have gained visibility into confidential PEGA deliberations, an EU parliamentary-privilege and confidentiality concern.

Defender takeaway: PWNYOURHOME is zero-click, so there is no user action or phishing artefact to detect at the endpoint; the realistic defensive surface for parliamentarians, diplomats, and inquiry staff is proactive forensic triage (MVT against iOS sysdiagnose/backups) plus mandated Lockdown Mode / hardened MDM configuration that strips HomeKit and rich-content parsing from official devices. This continues a 2026 pattern of Citizen Lab naming EU institutional targets of mercenary spyware, alongside its earlier Cellebrite/Pivovarov forensic work.

“We found with high confidence that his device was successfully infected with Pegasus spyware on or around October 21, 2022, and again on March 6 and 7, 2023.” — Citizen Lab

“PWNYOURHOME appeared to first involve the attacker sending a specially crafted NSKeyedArchive that landed in HomeKit, followed by malicious content that landed in MessagesBlastDoorService.” — Citizen Lab

espionage mobile zero-click europe