New Citizen Lab Report: CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru

Key Findings

• The Citizen Lab, in collaboration with Catalan civil society groups, has identified at least 65 individuals targeted or infected with mercenary spyware.
• At least 63 were targeted or infected with Pegasus, and four others with Candiru. At least two were targeted or infected with both.
• Victims included Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations. Family members were also infected in some cases.
• We identified evidence of HOMAGE, a previously-undisclosed iOS zero-click vulnerability used by NSO Group that was effective against some versions prior to 13.2.
• The Citizen Lab is not conclusively attributing the operations to a specific entity, but strong circumstantial evidence suggests a nexus with Spanish authorities.
• We shared a selection of Pegasus cases with Amnesty International’s Tech Lab, which independently validated our forensic methodology.