Pegasus Detection & Spyware Forensics
Professional-grade forensic scanning that detects Pegasus, Predator, Hermit, QuaDream, FinFisher, and commercial stalkerware. Built on research by Citizen Lab and Amnesty International's Mobile Verification Toolkit.
Threat Database
Surveillance Tools We Detect
Our database includes indicators for all major government and commercial spyware families.
Pegasus
NSO Group
The most sophisticated commercial spyware. Costs $8M per deployment. Found on devices of journalists and heads of state.
Predator
Cytrox / Intellexa
Linked to surveillance campaigns against journalists and politicians in multiple countries.
Hermit
RCS Lab
Used by government agencies. Deployed via modified carrier apps and fake messaging applications.
FinFisher
FinFisher GmbH
Marketed to law enforcement but documented in use against dissidents and journalists.
QuaDream
QuaDream Ltd.
Rival to NSO Group. Uses ENDOFDAYS exploit targeting Apple devices via invisible calendar invitations.
Stalkerware
Various (mSpy, FlexiSPY, Cocospy, Spyic, Cerberus)
Consumer-grade surveillance apps often used for domestic abuse. Installed by someone with physical device access.
Scan Options
Choose Your Scan Depth
From a quick 60-second check to a full forensic backup analysis.
Quick Scan
~1 minute
Basic IOC check against known spyware indicators. Checks running processes and installed packages.
Standard Scan
~5 minutes
Includes Quick Scan plus iOS shutdown.log analysis, network connection audit, and certificate chain validation.
Deep Scan
~30 minutes
Full forensic analysis: YARA rules, behavioral anomaly detection, file system inspection, persistence mechanism checks.
Backup Analysis
~1 hour
Complete iOS backup parsing. Examines sysdiagnose, DataUsage.sqlite, configuration profiles, and all system artifacts.
Detection Methodology
How OrbGuard Detects Pegasus
A 6-stage forensic pipeline combining indicator matching, behavioral analysis, and real-time threat intelligence.
IOC Matching
Compare device artifacts against 20,000+ known indicators of compromise from Citizen Lab, Amnesty MVT, and OrbGuard Lab.
Behavioral Analysis
ML-powered anomaly detection monitors battery drain, CPU spikes, network traffic, and background process activity.
Shutdown.log Forensics
iOS-specific analysis of system shutdown logs for Pegasus process indicators (roleaccountd, bh, laaboratoryd).
YARA Rule Scanning
Custom YARA rules scan the file system for malware signatures, suspicious binaries, and persistence mechanisms.
Certificate Analysis
Detect MITM proxy certificates, unauthorized root CAs, and SSL pinning bypasses used by surveillance tools.
Cloud Intelligence
Cross-reference findings with real-time threat intelligence from 20+ feeds updated hourly.
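The Shutdown.log Forensics stage above, as an added example written for this page rather than OrbGuard's or MVT's own code: it groups the "remaining client pid" lines of an iOS shutdown.log into shutdown events and flags processes whose executable path contains a component exactly equal to an indicator name. The log excerpt, the benign bhelperd path and the rule that a SIGTERM line opens a new event are constructed assumptions; the indicator list is only the three names quoted on this page.

```python
import re
from typing import List, Tuple

# Indicator process names are the three quoted on this page; a real scan would
# load the full Citizen Lab / Amnesty MVT indicator set instead.
INDICATOR_PROCESSES = {"roleaccountd", "bh", "laaboratoryd"}

# One line per process still alive after SIGTERM: "remaining client pid: 89 (/usr/libexec/bh)"
_CLIENT_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\((.+)\)$")

# Constructed shutdown.log excerpt (not from a real device). Event 0 holds an
# indicator hit plus a benign binary whose name merely contains "bh"; event 1
# hits through a directory component rather than the basename.
SAMPLE_LOG = """\
SIGTERM: [0x7f0000000a10] Sending SIGTERM to remaining processes
After 10s, there are still 2 clients:
\tremaining client pid: 89 (/usr/libexec/bh)
\tremaining client pid: 156 (/usr/libexec/bhelperd)
SIGKILL: Sending SIGKILL to remaining processes
SIGTERM: [0x7f0000000b20] Sending SIGTERM to remaining processes
After 10s, there are still 1 clients:
\tremaining client pid: 212 (/private/var/db/roleaccountd/com.apple.WebKit.Networking)
"""

ShutdownEvent = List[Tuple[int, str]]  # (pid, executable path) per lingering client

def parse_shutdown_log(text: str) -> List[ShutdownEvent]:
    """Group 'remaining client' lines into shutdown events. Assumption: each
    'SIGTERM:' line opens a new event; every other line is ignored."""
    events: List[ShutdownEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SIGTERM:"):
            events.append([])
        elif (m := _CLIENT_RE.match(line)) and events:
            events[-1].append((int(m.group(1)), m.group(2)))
    return events

def find_indicator_hits(events: List[ShutdownEvent], indicators=INDICATOR_PROCESSES):
    """Return (event_index, pid, path, indicator) for every client whose basename
    or any directory component exactly equals an indicator. Exact matching matters:
    a substring test on a name as short as 'bh' would flag the benign bhelperd."""
    hits = []
    for idx, clients in enumerate(events):
        for pid, path in clients:
            matched = next((c for c in path.split("/") if c in indicators), None)
            if matched is not None:
                hits.append((idx, pid, path, matched))
    return hits
```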
On-Device Processing
Every stage of this pipeline runs locally on your device. The threat intelligence database is cached and updated periodically. Your forensic data never leaves your device.
Remediation Guide
What Happens If Spyware Is Found?
Don't panic. Follow these steps to isolate, document, and recover safely.
Isolate the Device
Enable airplane mode immediately. Do not factory reset yet — forensic evidence may be needed for legal proceedings or investigations.
Document Everything
Export the OrbGuard forensic report. Take screenshots and note the infection timeline. This evidence may be critical for legal action.
Secure Wipe & Recovery
Perform a full factory reset from recovery mode (not settings). Set up as a new device — do not restore from backup as it may contain persistence mechanisms.
Harden Your Device
Enable Lockdown Mode (iOS). Update to the latest OS version. Install OrbGuard for continuous monitoring. Avoid clicking links from unknown sources.
Frequently Asked Questions
Can OrbGuard detect Pegasus?
How does the shutdown.log analysis work?
Is my data sent to your servers during scanning?
What happens if spyware is found?
Can OrbGuard detect unknown/zero-day spyware?
How often is the threat database updated?
Is Your Device Clean?
Run your first forensic scan in under 60 seconds. Pegasus detection included with OrbGuard Pro.