{"id":42852,"date":"2021-09-15T00:00:00","date_gmt":"2021-09-15T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/i\/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html"},"modified":"2021-09-15T00:00:00","modified_gmt":"2021-09-15T00:00:00","slug":"analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/","title":{"rendered":"Analyzing The ForcedEntry Zero-Click iPhone Exploit Used By Pegasus Threats Analyst"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry-\/ForcedEntry-main.jpg\"> <head> <meta charset=\"UTF-8\"> <title>Analyzing Pegasus Spyware\u2019s Zero-Click iPhone Exploit ForcedEntry<\/title> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.655172413793\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" 
data-article-pageid=\"1625426501\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.7744360902256\">\n<div class=\"article-details\" role=\"heading\" readability=\"39.097744360902\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Exploits &amp; Vulnerabilities<\/p>\n<p class=\"article-details__description\">Citizen Lab has released a report on a new iPhone threat dubbed ForcedEntry. This zero-click exploit seems to be able to circumvent Apple&#8217;s BlastDoor security, and allow attackers access to a device without user interaction. <\/p>\n<p class=\"article-details__author-by\">By: Mickey Jin <time class=\"article-details__date\">September 15, 2021<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"44.70697167756\">\n<div readability=\"35.372549019608\">\n<p>Citizen Lab has released a <a href=\"https:\/\/citizenlab.ca\/2021\/08\/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits\/\" target=\"_blank\" rel=\"noopener\">report<\/a> detailing sophisticated iPhone exploits being used against nine Bahraini activists. The activists were reportedly hacked with the NSO Group\u2019s Pegasus spyware using two zero-click iMessage exploits: <a href=\"https:\/\/citizenlab.ca\/2020\/12\/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit\/\" target=\"_blank\" rel=\"noopener\">Kismet<\/a>, which was identified in 2020; and <a href=\"https:\/\/citizenlab.ca\/2021\/08\/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits\/\" target=\"_blank\" rel=\"noopener\">ForcedEntry<\/a>, a new vulnerability that was identified in 2021. 
Zero-click attacks are labeled as sophisticated threats because unlike typical malware, they do not require user interaction to infect a device. The latter zero-click spyware is particularly notable because it can bypass security protections such as BlastDoor, which was designed by Apple to protect users against zero-click intrusions such as these.&nbsp;<\/p>\n<p>According to Citizen Lab\u2019s report, Kismet was used from July to September 2020 and was launched against devices running at least iOS 13.5.1 and 13.7. It was likely not effective against the iOS 14 update in September. Then, in February 2021, the NSO Group started deploying the zero-click exploit that managed to circumvent BlastDoor, which Citizen Lab calls ForcedEntry. Amnesty Tech, a global collective of digital rights advocates and security researchers, also observed zero-click iMessage exploit activity during this period and referred to it as <a href=\"https:\/\/www.amnesty.org\/en\/latest\/research\/2021\/07\/forensic-methodology-report-how-to-catch-nso-groups-pegasus\/\" target=\"_blank\" rel=\"noopener\">Megalodon<\/a>.&nbsp;<\/p>\n<p><span class=\"body-subhead-title\">Diving into ForcedEntry<\/span><\/p>\n<p>According to the report from Citizen Lab, when the ForcedEntry exploit was launched against the victim\u2019s device, the device logs showed two types of crashes. The first crash apparently happened when invoking ImageIO\u2019s functionality for rendering Adobe Photoshop PSD data.&nbsp;<\/p>\n<p>Our analysis focuses on the second crash, which is detailed in Figure 1. This crash happened when invoking CoreGraphics\u2019 functionality for decoding JBIG2-encoded data in a PDF file. 
This analysis is solely based on samples from Citizen Lab; no new samples were obtained.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry-\/Forced%20Entry%20Figure%201.png\" alt=\"Image from Citizen Lab shows a Symbolicated Type Two crash for ForcedEntry on an iPhone 12 Pro Max running iOS 14.6. The red highlights are from Trend Micro Research.\"><figcaption>Figure 1. This image from Citizen Lab shows a Symbolicated Type Two crash for ForcedEntry on an iPhone 12 Pro Max running iOS 14.6. The red highlights are from Trend Micro Research.<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"37.077142857143\">\n<div readability=\"20.49\">\n<p>From this crash log, we can deduce three interesting points: First, the zero-click attack is dependent on iMessage attachment parsing. Next, the slide of dyld_shared_cache is 0, which means all the system modules are loaded at fixed addresses. Lastly, the crash point 0x181d6e228 is not the first point of exploitation of the vulnerability. 
We discuss the details of these conclusions in the following sections.<\/p>\n<p><b>Root cause of CVE-2021-30860<\/b><\/p>\n<p>The vulnerability is inside the function <b>JBIG2Stream::readTextRegionSeg<\/b> of CoreGraphics.framework. The crash point <b>0x181d6e228<\/b> (as seen in box 3 in the preceding figure) is at line 161 of the function JBIG2Stream::readTextRegionSeg in the following screenshot:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry-\/Fig2-forcedentry.png\" alt=\"Screenshot of the function JBIG2Stream::readTextRegionSeg showing the crash point\"><figcaption>Figure 2. Screenshot of the function JBIG2Stream::readTextRegionSeg showing the crash point<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>First, the function calculates <i>numSyms<\/i> according to the JBIG2SymbolDict segment:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry-\/Forced%20Entry%20C.png\" alt=\"ForcedEntry\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The type of <i>numSyms<\/i> is unsigned int, and the return type of the function <i>seg-&gt;getSize()<\/i> is also unsigned int. Therefore, <i>numSyms<\/i> could be smaller than the size of one JBIG2Segment due to integer overflow. One example is <i>numSyms=1=(0x80000000+0x80000001) &lt; 0x80000000.<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Then, it allocates the heap buffer 
<b>syms<\/b>, with the size <b>numSyms * 8<\/b>:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry-\/Forced%20Entry%20D.png\" alt=\"ForcedEntry\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Finally, it fills <i>syms<\/i> with the values from the bitmap:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry-\/Forced%20Entry%20E.png\" alt=\"ForcedEntry\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The number of loop iterations depends on the JBIG2Segment size, which could be larger than the size of the <i>syms<\/i> buffer. This leads to an out-of-bounds write on the heap buffer <i>syms<\/i>.<\/p>\n<p><b><span class=\"body-subhead-title\">Looking at Apple\u2019s fix<\/span><\/b><\/p>\n<p>Apple patched the function in iOS 14.8:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry-\/Fig3-forcedentry.png\" alt=\"ForcedEntry\"><figcaption>Figure 3. 
Screenshot of the same function JBIG2Stream::readTextRegionSeg with fixes in place<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"43.73116089613\">\n<div readability=\"32.798370672098\">\n<p>We can see that Apple added two new boundary checks (the red box in Figure 3) to avoid overflowing the <i>syms<\/i> buffer.<\/p>\n<p><b><span class=\"body-subhead-title\">On the Pegasus spyware exploitation<\/span><\/b><\/p>\n<p><b><i>Disabling ASLR<\/i><\/b><\/p>\n<p>The <b>dyld_shared_cache<\/b> of version iOS 14.6 (18F72) was loaded into IDA Pro for static analysis, after which a surprising result emerged. We were able to go to the addresses on the call stack directly without rebasing the segment.<\/p>\n<p>As deduced from the screenshot in Figure 1 (see box 2), the slide of dyld_shared_cache is <b>0<\/b>. However, in common crash scenarios, these addresses should have a <b>slide<\/b> applied.<\/p>\n<p>If the screenshot of the original crash log has not been modified, then the conclusion is worrying. 
It should be noted that Pegasus had already disabled Address Space Layout Randomization (ASLR) before its exploitation.<\/p>\n<p><b><i>Bypassing PAC<\/i><\/b><\/p>\n<p>By inspecting the address <b>0x181d6e20c<\/b> from Frame 1 of the call stack trace, we can see that register x0, the return value of the function JBIG2Stream::findSegment, is a subclass of JBIG2Segment:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry-\/Forced%20Entry%20F.png\" alt=\"ForcedEntry\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>There are four kinds of subclasses that override the <b>getType()<\/b> virtual function, but the following code shows that they just return one of the enumerated values:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry-\/Forced%20Entry%20G.png\" alt=\"ForcedEntry\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>For example, <b>JBIG2SymbolDict::getType<\/b> just returns <b>jbig2SegSymbolDict=1<\/b>:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry-\/Fig5-forcedentry.png\" alt=\"ForcedEntry\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"49.817007534984\">\n<div readability=\"46.942949407966\">\n<p>Therefore, <b>frame 1<\/b> should have called the virtual function <b>seg-&gt;getType()<\/b>. 
But in actuality, it was already subverted to the current function itself <b>(frame 0)<\/b>.<\/p>\n<p>This shows that the virtual function table of the object <b>JBIG2Segment<\/b> had already been replaced, and the pointer authentication code (PAC) security feature was bypassed. This is significant because the PAC security mechanism was developed to <a href=\"https:\/\/www.vice.com\/amp\/en\/article\/pkd4kg\/apple-is-going-to-make-it-harder-to-hack-iphones-with-zero-click-attacks?__twitter_impression=true\" target=\"_blank\" rel=\"noopener\">help prevent zero-click hacking<\/a>. This also shows that the crash point is not the first point of exploitation of the vulnerability.<\/p>\n<p><span class=\"body-subhead-title\">Conclusion and recommendations<\/span><\/p>\n<p>Judging by the attack techniques used, we can see that Pegasus is quite an advanced threat for iOS users. However, it seems that these attacks are being launched on very specific targets, rather than common users.<\/p>\n<p>The information on the recent Pegasus attack comes from the forensic analysis by Citizen Lab and Amnesty Tech, and we have not yet found Pegasus attack samples that are at large. We are actively searching and monitoring for these threats and will continue to share more details as our investigation continues.<\/p>\n<p>Essentially, this attack relies on a very common file format parsing vulnerability. We previously discovered <a href=\"https:\/\/www.zerodayinitiative.com\/advisories\/ZDI-20-1238\/\" target=\"_blank\" rel=\"noopener\">CVE-2020-9883<\/a>, a vulnerability similar to ForcedEntry, which could be exploited to do the same as what Pegasus has done here. 
The key point of ForcedEntry is its exploit technique, as it is still unknown how it is able to bypass PAC and disable ASLR.<\/p>\n<p>In the meantime, we strongly recommend <a href=\"https:\/\/support.apple.com\/en-us\/HT212807\" target=\"_blank\" rel=\"noopener\">updating your device to iOS 14.8<\/a>. As stated previously, common iOS users are not the target for attacks using this spyware. However, there are simple security steps that users can take. For example, concerned users can block iMessages from unknown senders, while a more drastic step would be to disable the iMessage function completely in the device\u2019s Preferences.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/i\/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Citizen Lab has released a report on a new iPhone threat dubbed ForcedEntry. This zero-click exploit seems to be able to circumvent Apple&#8217;s BlastDoor security, and allow attackers access to a device without user interaction. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":42853,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9581,9509,9624],"class_list":["post-42852","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-mobile","tag-trend-micro-research-research","tag-trend-micro-research-threats"],"yoast_head_json":{"title":"Analyzing The ForcedEntry Zero-Click iPhone Exploit Used By Pegasus Threats Analyst 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/","og_locale":"en_US","og_type":"article","og_title":"Analyzing The ForcedEntry Zero-Click iPhone Exploit Used By Pegasus Threats Analyst 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-09-15T00:00:00+00:00","og_image":[{"width":1107,"height":339,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Analyzing The ForcedEntry Zero-Click iPhone Exploit Used By Pegasus Threats Analyst","datePublished":"2021-09-15T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/"},"wordCount":1139,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Mobile","Trend Micro 
Research : Research","Trend Micro Research : Threats"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/","url":"https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/","name":"Analyzing The ForcedEntry Zero-Click iPhone Exploit Used By Pegasus Threats Analyst 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst.png","datePublished":"2021-09-15T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst.png","width":1107,"height":339},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-the-forcedentry-zero-click-iphone-exploit-used-by-pegasus-threats-analyst\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Analyzing The ForcedEntry Zero-Click iPhone Exploit Used By Pegasus Threats Analyst"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- 
Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=42852"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42852\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/42853"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=42852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=42852"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=42852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}