Malware
Chrysaor
Also known as: JigglyPuff · Pegasus
YARA Detection Rules
Chrysaor_YARA_Detection
rule Chrysaor_Detection {
    meta:
        description = "Detects indicators associated with Chrysaor (Pegasus) spyware targeting iOS devices via HomeKit vulnerability (PWNYOURHOME)"
        author = "AI Generated"
        reference = "IOCs and TTPs linked to Pegasus targeting EU officials and journalists"
        ttp = "T1190, T1203"
        date = "2024-07-01"

    strings:
        $s1 = "rauharepo888@gmail.com" ascii wide
        $s2 = "com.apple.homekit" ascii wide
        $s3 = "/private/var/mobile/Library/Caches/.cache" ascii wide
        $s4 = "PwnYourHome" ascii wide
        $s5 = "iOSPwn" ascii wide
        $s6 = "MobileInstallation" ascii wide
        $s7 = "launchd_sim" ascii wide
        $s8 = "kCFCoreFoundationVersionNumber" ascii wide
        $s9 = "CVE-2022-32894" ascii wide
        $s10 = "Pegasus" nocase ascii wide
        $s11 = "libmis.dylib" ascii
        $s12 = "com.saurik.Cydia" ascii wide
        $s13 = "amfid" ascii wide
        $s14 = "task_for_pid" ascii wide
        $s15 = "jailbreak" nocase ascii wide

    condition:
        // The e-mail address alone is treated as a strong indicator.
        $s1 or
        (
            // Any weaker indicator ($s15 was previously defined but never
            // referenced, which YARA rejects at compile time) ...
            any of ($s2, $s3, $s4, $s5, $s6, $s7, $s8, $s9, $s10, $s11, $s12, $s13, $s14, $s15) and
            (
                // ... combined with a plausible container: Mach-O thin
                // (32/64-bit) or fat binaries, a PE "MZ" header, or an
                // iOS-related file extension. The original header constants
                // (0x504D, 0x4D5A) did not match any real format; 0x4D5A is
                // the byte-swapped PE magic.
                uint32(0) == 0xfeedface or uint32(0) == 0xfeedfacf or
                uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca or
                uint16(0) == 0x5a4d or
                // 'filename' is an external variable and must be supplied by the
                // scanner (e.g. yara -d filename=<path>); it is not a YARA built-in.
                filename matches /(?i)\.(dylib|mobileconfig|plist|bin)$/
            )
        )
}

⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.