This post describes the results of a comprehensive global Internet scan for the command and control servers of FinFisher’s surveillance software. It also details the discovery of a campaign using FinFisher in Ethiopia that may have been used to target individuals linked to an opposition group. Additionally, it provides examination of a FinSpy Mobile sample found in the wild, which appears to have been used in Vietnam.

SCMagazine has named Morgan Marquis-Boire on its honorable mention list of Influential IT security minds in 2012.

Archives of Citizen Lab Briefing newsletters we’ve sent. Subscribe to the Citizen Lab newsletter. Privacy Policy 2018 | 2017 | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 2019 February 2019 – Citizen Lab researchers targeted, continued abuse of NSO technology in Mexico, and applications open for 2019 Citizen Lab Summer Institute 2018 November… Read more »

Research Reports Director Ron Deibert’s blog posts provide summaries and analysis of The Citizen Lab research reports and can be found here. John Scott-Railton, Rebekah Brown, Ksenia Ermoshina, and Ron Deibert. “Rivers of Phish: Sophisticated Phishing Targets Russia’s Perceived Enemies Around the Globe,” The Citizen Lab Report No. 177, University of Toronto, August 14, 2024…. Read more »

Microsoft’s Digital Crimes Unit takes legal action to dismantle Russia-based threat actor COLDRIVER following a joint investigation by The Citizen Lab and Access Now. In August, The Citizen Lab, jointly with Access Now, in collaboration with First Department, Arjuna Team, and RESIDENT.ngo, published a report that uncovered two distinct spear-phishing campaigns targeting members of Russian… Read more »

We are excited to announce a new book, Chasing Shadows: Cyber Espionage, Subversion, and the Global Fight for Democracy, by Ronald Deibert, director and founder of The Citizen Lab, will hit shelves on February 4, 2025.

In a joint investigation with Access Now, we found that seven Russian and Belarusian-speaking independent journalists and opposition activists based in Europe were targeted and/or infected with NSO Group’s Pegasus mercenary spyware.

Between May and September 2023, former Egyptian MP Ahmed Eltantawy was targeted with Cytrox’s Predator spyware via links sent on SMS and WhatsApp after Eltantawy publicly stated his plans to run for President in the 2024 Egyptian elections. As Egypt is a known customer of Cytrox’s Predator spyware, and the spyware was delivered via network injection from a device located physically inside Egypt, we attribute the attack to the Egyptian government with high confidence.

Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Using Internet scanning, we identified more than 750 websites linked to Candiru’s spyware infrastructure. We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.