Pegasus is the best-known, but far from the only commercial spyware that specifically targets iPhones. Behind these programs are private companies that sell surveillance software to state customers. The vast majority of iPhone users will never be affected – but those who are targeted face attacks that cost millions and, in modern variants, work entirely without the victim clicking anything. Below we explain how Pegasus operates, who is really at risk, what Apple's threat notifications mean and which protective measures make sense.
Apple officially refers to this class of attack tools as "mercenary spyware." The term replaces the previously used phrase "state-sponsored attacks" and describes the business model more precisely: private companies develop highly complex surveillance software and sell it to state actors. The best-known example is Pegasus from the Israeli NSO Group, but the market has grown. Coruna and DarkSword have emerged in 2025 and 2026 as additional iOS exploit kits that Apple had to address in several emergency security updates. For those affected, Apple's Lockdown Mode is the most important line of defense – but all other users benefit from understanding the threat landscape as well.
What Pegasus actually is
Pegasus was first documented in 2016, when the security firm Lookout and the Citizen Lab at the University of Toronto discovered the software on the iPhone of a human rights activist from the United Arab Emirates. It is developed by the NSO Group, an Israeli company that sells the spyware exclusively to state customers – officially to combat terrorism and crime.
Pegasus has evolved significantly in technical terms. The version discovered in 2016 was still a one-click attack: Ahmed Mansoor received a text message with a link, and a single tap was enough to trigger the infection. By 2020 at the latest, the shift to zero-click exploits was documented – initially via the Kismet vulnerability, and from February 2021 via the far better-known FORCEDENTRY attack, which bypassed Apple's then-new BlastDoor protection layer in iMessage and was closed in September 2021 with iOS 14.8. In a zero-click attack, the victim has to do nothing – simply receiving a crafted message, a manipulated image or a specific web call is enough to exploit a vulnerability in iOS and install the software unnoticed. Once active, the spyware gains near-complete access to the iPhone: messages, emails, photos, location, microphone, camera and stored passwords can be read out or monitored in real time.
Pegasus is not the only tool of its kind. Predator is distributed by the Intellexa Consortium, an alliance of several companies founded by former Israeli intelligence officer Tal Dilian. The actual development takes place at the consortium's company Cytrox AD in North Macedonia. In addition, Coruna and DarkSword are two further iOS exploit kits in active use, employed among others by groups attributed to Russia as well as by commercial surveillance vendors.
Who is actually targeted
Apple itself makes it clear: the vast majority of iPhone users will never be affected by a mercenary spyware attack. The cost per target runs into several million dollars, operations are often only briefly active and are deliberately directed against individual persons.
Typical targets include:
- Journalists engaged in critical reporting
- Human rights activists and dissidents
- Politicians and diplomats
- Lawyers handling sensitive cases
- Researchers in geopolitically relevant fields
Known cases include the surveillance of people close to Saudi journalist Jamal Khashoggi, who was murdered in 2018, targeted attacks on Indian journalists and opposition politicians, and spyware found on the devices of European activists. Since 2021, Apple has notified users in more than 150 countries with threat notifications about such attempted attacks.
How Apple notifies affected users
When Apple detects activity consistent with a mercenary spyware operation, the affected user is notified in two ways. After signing in at account.apple.com, a threat notification appears at the top of the page. In parallel, Apple sends a notification by email to all addresses linked to the Apple Account and an iMessage to the phone numbers on file.
Since April 2025, emails are sent from the address threat-notifications [at] email.apple.com, while iMessage notifications come from threat-notifications [at] apple.com. Earlier emails were also sent from threat-notifications [at] apple.com.
Apple explicitly points out what a genuine threat notification does not contain:
- No links to click on
- No prompts to install apps or profiles
- No requests for the Apple Account password
- No requests for a verification code
Anyone who receives such a notification can reliably verify its authenticity by signing in directly at account.apple.com. If the warning appears at the top of the page there, it is genuine.
Distinguishing threat notifications from phishing
Since the term "Pegasus" has now become widely known, phishing attackers deliberately use it for fake warnings. Pop-ups with text like "Warning Pegasus Spyware Activated" or fake emails urging users to call a supposed Apple Care hotline are pure scam attempts. Apple never makes unsolicited calls, never requests actions via phone numbers in warning messages and never sends browser pop-ups. The methods for spotting such fakes are described in detail in our separate guide on phishing warning signs.
A second peculiarity: real Pegasus infections are designed to remain undetected. Anyone who sees a message claiming that their iPhone is "infected with Pegasus" can be certain that it is a scam.
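The checks from the two sections above can be turned into a first-pass triage of a purported notification email. This is an added example, not code from the article or from Apple: the function name `triage`, the regex heuristics and both sample messages are assumptions made for illustration, and only the two sender addresses come from the text.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Sender addresses as listed in the article (written there with "[at]").
KNOWN_SENDERS = {"threat-notifications@email.apple.com",
                 "threat-notifications@apple.com"}

# Heuristic patterns chosen for this example (assumptions, not Apple's rules).
RED_FLAGS = {
    "contains a link": r"https?://|www\.",
    "asks for a password": r"\b(enter|confirm|verify|provide)\b.{0,40}\bpassword\b",
    "asks for a verification code": r"\b(verification|security)\s+code\b",
    "asks to install an app or profile": r"\b(install|download)\b.{0,40}\b(app|profile)\b",
    "asks to call a phone number": r"\bcall\b.{0,60}\+?\d[\d\s().-]{6,}\d",
}

def triage(raw_email):
    """Return (verdict, findings) for a purported threat-notification email."""
    msg = message_from_string(raw_email, policy=policy.default)
    # Compare the exact address, so lookalikes such as
    # threat-notifications@apple.com.alerts.example do not pass.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    text = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    findings = []
    if sender not in KNOWN_SENDERS:
        findings.append("sender not on the published list")
    findings += [name for name, pat in RED_FLAGS.items()
                 if re.search(pat, text, re.I | re.S)]
    # A From header can be forged, so a clean result is never "genuine":
    # only the banner at account.apple.com confirms a notification.
    return ("reject" if findings else "unconfirmed", findings)

# Constructed samples (not real messages, not Apple's wording).
PHISH = """From: Apple Care <threat-notifications@apple.com.alerts.example>
Subject: Warning Pegasus Spyware Activated

Your iPhone is infected with Pegasus. Call Apple Care now at +1 (555) 010-0199
or confirm your Apple Account password at http://apple-care.example/verify
"""
CLEAN = """From: Apple <threat-notifications@email.apple.com>
Subject: Threat notification

Apple detected a targeted mercenary spyware attack against your iPhone.
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name, triage(sample))
```

The triage can only rule a message out. A message with no findings stays "unconfirmed" until the warning is seen after signing in directly at account.apple.com.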
What to do after receiving a genuine threat notification
Apple itself recommends contacting specialized support organizations. The Digital Security Helpline of the nonprofit Access Now is available around the clock and supports recipients of Apple threat notifications free of charge with individual security recommendations. Amnesty International and the Citizen Lab at the University of Toronto also offer forensic investigations for at-risk groups.
The order matters: anyone who immediately resets or re-installs the iPhone may destroy forensic traces that would be crucial for investigating the attack. A restart does remove many memory-resident components of the spyware, but it also wipes valuable log files. Unless there is an urgent need, expert help should therefore be consulted first.
In parallel, Lockdown Mode should be activated. Apple has developed it explicitly for this class of threats. It dramatically reduces the attack surface by restricting features such as message attachments, FaceTime calls from unknown contacts and certain web technologies – exactly the vectors through which mercenary spyware typically gets in.
Practical protection for all users
Even those who have not received a threat notification can reduce their own attack surface through consistent security hygiene. Apple recommends the following for all users:
- Always keep devices on the latest iOS version
- Set a passcode
- Use two-factor authentication for the Apple Account
- Install apps only from the App Store
- Use secure and unique passwords
- Do not open links or attachments from unknown senders
Anyone facing an elevated risk for professional reasons – for example as a journalist, a lawyer handling politically sensitive cases or an NGO employee working with authoritarian regimes – should keep Lockdown Mode permanently activated, even without a specific threat notification. The functional restrictions are noticeable in everyday use, but the additional layer of protection is substantial.
Apple versus the spyware industry
Apple filed a lawsuit against the NSO Group in 2021, with the aim of permanently barring the company from using Apple services and devices. In January 2024, a US court rejected NSO Group's motion to dismiss. But in September 2024, Apple withdrew the lawsuit itself. The reasoning: the proceedings would have required Apple to disclose internal threat intelligence information – a risk that had become too high after a suspected intervention by Israeli authorities in NSO documents. In addition, the spyware market had diversified, and a single lawsuit against NSO was no longer effective.
Apple has since invested more heavily in technical measures rather than legal ones. Lockdown Mode has been expanded, threat notifications have been refined, and Apple is cooperating in the new cybersecurity initiative Project Glasswing with Anthropic to systematically uncover security vulnerabilities.
A realistic look at your own risk
Pegasus and Predator are real but highly targeted threats – anyone without a high-risk political profile is statistically not in the crosshairs of these operations, because the cost per target is simply too high. The picture is different with Coruna and DarkSword: these exploit kits have moved beyond the state-sponsored niche and are now also being used by criminals for mass attacks, for example to steal cryptocurrencies via compromised websites. Anyone running an outdated version of iOS who clicks on a manipulated link or visits an infected site can end up being targeted even without a political profile. The key takeaway for every iPhone user: keep your devices consistently up to date, understand Apple's threat notifications and be able to distinguish them from phishing attempts. Anyone who does that is as well protected against the tools of the mercenary spyware industry as a consumer device can be today.
Frequently Asked Questions about Pegasus and Commercial Spyware
Pegasus is highly sophisticated spyware that, in modern versions, is installed without any interaction from the victim (zero-click) and costs millions of dollars per deployment. Ordinary malware almost always relies on phishing or malicious apps and targets broad user groups rather than individual persons.
Yes – that is actually the design goal. Pegasus is built to remain completely undetected. Messages like "Pegasus activated" are exclusively phishing attempts.
The mode is Apple's most effective protection against mercenary spyware. Citizen Lab and Apple have documented several concrete cases in which Lockdown Mode blocked active attacks – including with Pegasus and Predator. A one-hundred-percent guarantee never exists in software security, but the mode reduces the attack surface dramatically.
Genuine threat notifications come from threat-notifications [at] email.apple.com and are shown in parallel at account.apple.com after signing in. They never contain links to click or requests to enter a password.
According to reports and court filings, the cost per target runs into several million dollars. This makes the use of Pegasus against private individuals without a political profile economically unattractive.
A reset or restart removes many memory-resident components but can also wipe important forensic traces. Anyone who has received a threat notification should consult expert help from organizations such as Access Now or Citizen Lab before performing a reset.



