In March 2021, we examined the phone of a Saudi activist who has chosen to remain anonymous, and determined that they had been hacked with NSO Group’s Pegasus spyware. During the course of the analysis we obtained an iTunes backup of the device.

Recent re-analysis of the backup yielded several files with the “.gif” extension in Library/SMS/Attachments that we determined were sent to the phone immediately before it was hacked with NSO Group’s Pegasus spyware.

Because the format of the files matched two types of crashes we had observed on another phone when it was hacked with Pegasus, we suspected that the “.gif” files might contain parts of what we are calling the FORCEDENTRY exploit chain.

Citizen Lab forwarded the artifacts to Apple on Tuesday, September 7. On Monday, September 13, Apple confirmed that the files included a zero-day exploit against iOS and MacOS. They designated the FORCEDENTRY exploit CVE-2021-30860, and describe it as “processing a maliciously crafted PDF may lead to arbitrary code

The files with the “.gif” extension weren’t actually GIF files — they were carefully-crafted malformed PSD and PDF files that triggered image processing bugs. What makes attacks like this particularly dastardly is that the victim apparently doesn’t even see anything. It’s invisible.
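A triage check for the extension/content mismatch described above, added here as an example rather than Citizen Lab's own tooling: it compares each attachment's claimed extension against the file's leading magic bytes and flags Library/SMS/Attachments entries where they disagree. The sample backup contents are constructed, not recovered from any device.

```python
"""Flag SMS attachments whose extension says GIF but whose bytes say otherwise."""
import os
from typing import Dict, List, Optional, Tuple

# Real file signatures for the three formats this page mentions.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "psd": (b"8BPS",),
}


def classify_by_magic(data: bytes) -> Optional[str]:
    """Return the format whose signature starts the buffer, or None if unknown."""
    for fmt, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return fmt
    return None


def find_mismatched_attachments(files: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Return (path, claimed_ext, actual_fmt) for every attachment under
    Library/SMS/Attachments whose magic bytes disagree with its extension.
    Unrecognised content is reported as 'unknown' so it is not silently skipped."""
    findings = []
    for path, data in files.items():
        if "Library/SMS/Attachments" not in path:
            continue  # other backup paths are out of scope for this check
        claimed = os.path.splitext(path)[1].lstrip(".").lower()
        actual = classify_by_magic(data)
        if actual != claimed:
            findings.append((path, claimed, actual or "unknown"))
    return findings


# Constructed sample backup contents (hypothetical paths and bytes): one genuine
# GIF, a PDF and a PSD wearing a .gif extension, and a file outside the folder.
SAMPLE_FILES = {
    "Library/SMS/Attachments/ab/11/real.gif": b"GIF89a\x01\x00\x01\x00\x80\x00",
    "Library/SMS/Attachments/cd/22/fake1.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "Library/SMS/Attachments/ef/33/fake2.gif": b"8BPS\x00\x01\x00\x00\x00\x00",
    "Library/Caches/unrelated.gif": b"%PDF-1.4\n",
}

if __name__ == "__main__":
    for path, claimed, actual in find_mismatched_attachments(SAMPLE_FILES):
        print(f"{path}: extension .{claimed} but content looks like {actual}")
```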