19 April 2023

NSO's Pegasus spyware uses 3 zero-click iOS exploit to hack iPhones

Israeli spyware vendor NSO Group deployed at least three new “zero-click” exploits against iPhones last year in attacks targeting Mexican human rights defenders, digital security and human rights watchdog Citizen Lab says.

Citizen Lab identified three different “zero-click” exploits (meaning they did not require any interaction by the target) by analyzing several phones that were suspected to have been hacked with NSO’s Pegasus spyware. The attacks targeted phones running iOS 15 and early versions of iOS 16 operating software.

“Our ensuing investigation led us to conclude that, in 2022, NSO Group customers widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world,” the researchers said.

The latest 2022 exploit, dubbed “PWNYOURHOME,” was deployed against iOS 15 and iOS 16 starting in October 2022. PWNYOURHOME appears to be a novel two-step zero-click exploit chain targeting HomeKit and iMessage. In this case the targeted device detected the exploitation attempt in real time, thanks to Lockdown Mode, a new Apple security feature that reduces the attack surface available to highly targeted mercenary spyware by restricting certain apps, features, and websites.

The researchers shared their findings with Apple in October 2022, and in January 2023 the iPhone maker released security updates to address the vulnerabilities targeted by this exploit.

The second zero-click, “FINDMYPWN,” was deployed against iOS 15 beginning in June 2022. It also appears to be a two-step attack, in this case using the Find My feature instead of HomeKit, followed by iMessage. It is unclear which security vulnerabilities FINDMYPWN has been abusing; the attack chain may have involved CVE-2022-42827, a remote code execution bug in the OS kernel.

Further investigation led to the discovery of the third zero-click, “LATENTIMAGE,” which was found to be active in January 2022 on iOS 15. This exploit may also have involved the iPhone’s Find My feature, but it is a different exploit chain from FINDMYPWN, the researchers say.

“NSO Group’s Pegasus spyware remains a threat, and their attack techniques continue to evolve. PWNYOURHOME and FINDMYPWN are the first zero-click exploits we have observed that make use of two separate remote attack surfaces on the iPhone,” Citizen Lab concluded. “It is clear that modern exploit mitigations like pointer authentication codes (PAC) significantly reduce attacker freedom to execute arbitrary code on a device, but as PWNYOURHOME demonstrates, real-world attackers can (and do) find practical ways around these mitigations, such as by repurposing signed pointers located at known offsets in the iOS shared cache. Further work should focus on improvements to legacy code to add meaningful context values to safeguard these pointers.”

According to a recent report from cybersecurity firm Jamf Threat Labs, users in multiple countries have been impacted by spyware previously linked with NSO Group’s Pegasus malware over the past six months.

The report analyzes two sophisticated spyware attacks: one affected an iPhone 12 Pro Max used as the daily communications tool by a Middle East-based human rights activist, and the other targeted an iPhone 6s (no longer receiving the latest Apple updates) belonging to a journalist in Europe working for a global news agency.
