Chrysaor

Also known as: JigglyPuff · Pegasus

YARA Detection Rules

Chrysaor_YARA_Detection

rule Chrysaor_Detection {
    meta:
        description = "Detects indicators associated with Chrysaor (Pegasus) spyware targeting iOS devices via HomeKit vulnerability (PWNYOURHOME)"
        author = "AI Generated"
        reference = "IOCs and TTPs linked to Pegasus targeting EU officials and journalists"
        ttp = "T1190, T1203"
        date = "2024-07-01"

    strings:
        // Operator e-mail address listed as an indicator of compromise
        $s1 = "rauharepo888@gmail.com" ascii wide
        // iOS framework, path, exploit-name and CVE artefacts
        $s2 = "com.apple.homekit" ascii wide
        $s3 = "/private/var/mobile/Library/Caches/.cache" ascii wide
        $s4 = "PwnYourHome" ascii wide
        $s5 = "iOSPwn" ascii wide
        $s6 = "MobileInstallation" ascii wide
        $s7 = "launchd_sim" ascii wide
        $s8 = "kCFCoreFoundationVersionNumber" ascii wide
        $s9 = "CVE-2022-32894" ascii wide
        $s10 = "Pegasus" nocase ascii wide
        // Jailbreak / code-signing bypass artefacts (low confidence on their own)
        $s11 = "libmis.dylib" ascii
        $s12 = "com.saurik.Cydia" ascii wide
        $s13 = "amfid" ascii wide
        $s14 = "task_for_pid" ascii wide
        $s15 = "jailbreak" nocase ascii wide

    condition:
        // The e-mail address alone is a high-confidence hit. The remaining
        // strings are generic iOS/jailbreak terms, so they only count inside
        // a Mach-O binary or an iOS plist/mobileconfig (checked by file magic,
        // which unlike an external "filename" variable needs no -d argument).
        $s1 or
        (
            any of ($s*) and
            (
                uint32(0) == 0xFEEDFACE or    // 32-bit Mach-O
                uint32(0) == 0xFEEDFACF or    // 64-bit Mach-O
                uint32be(0) == 0xCAFEBABE or  // fat/universal Mach-O (also Java class files)
                uint32be(0) == 0x62706C69 or  // "bpli": binary plist header
                uint32be(0) == 0x3C3F786D     // "<?xm": XML plist / mobileconfig
            )
        )
}

Rules are AI-generated and unvalidated. Test in a safe environment before production use.