According to Slowmist, the Pegasus group is using iMessage accounts to send PassKit attachments containing malicious images to victims. This method is used to exploit vulnerabilities in Apple devices, particularly those used by crypto professionals.Two zero-day vulnerabilities that were being aggressively exploited by the Israeli NSO Group to install its Pegasus spyware on iPhones have been addressed by Apple.

The zero-click vulnerability was discovered by internet watchdog group Citizen Lab while inspecting the device of a person working for a civil society organization with international headquarters situated in Washington, DC.

Without the victim’s involvement, the exploit chain was able to compromise iPhones running the most recent version of iOS (16.6), according to a statement released late on Thursday by Citizen Lab.

They called the exploit chain ‘BLASTPASS’. PassKit attachments containing malicious photos were sent from an attacker’s iMessage account to the victim as part of the vulnerability.

Citizen Lab quickly informed Apple of our findings and helped with their inquiry.


Immediate Steps to Take

  1. Update your Apple device to the latest version to patch the vulnerability.

  2. Be cautious of any unexpected or unfamiliar messages received through iMessage.

  3. Enable two-factor authentication for an extra layer of security.