article featured image


The spyware mimics the behavior pattern of a real antivirus program designed to check the system for Pegasus traces and remove them.

Sarwent-based assaults have been active since at least January of this year, and have targeted a wide range of victim profiles in a number of countries.

What Happened?

The bait employed in previous attacks is unknown at this time, however, Cisco Talos researchers recently discovered a new assault in which Sarwent was delivered via a phony Amnesty International website selling Anti-Pegasus AV.

By creating a suitable graphical user interface, the threat actor attempted to make the infection appear to be a real antivirus.

The actor’s decision of disguise suggests that he is attempting to deceive people concerned about Pegasus malware infiltrating their devices.

Although there is no sign of a large-scale effort, a study of the domains in this campaign “shows that the first domains are being accessed worldwide,” according to an analysis of the domains in this campaign.

Looking at the C2 [command and control] domains’ volume, we can see a much narrower distribution country-wise, with an even lower volume.


The virus primarily targeted users in the United Kingdom, according to data from the administrator panel of a Sarwent command and control (C2) server that was operational during the inquiry.

BleepingComputer reports the fact that the researchers have high confidence that the latest Sarwent assaults were carried by a Russian-speaking person.

They also discovered a backend that has been utilized since 2014, implying that the virus is considerably older than previously assumed or that it was previously employed by a different attacker.

Sarwent is a rare find in the wild since it is written in Delphi. It has functions similar to those found in a remote access tool (RAT), and it allows the user to access the infected system.

It is able to allow direct access to the machine by activating the remote desktop protocol (RDP) or via the Virtual Network Computing (VNC) system. However, other methods exist through its shell and PowerShell execution capabilities.

This level of familiarity also supports our earlier finding that the actor had been using the Sarwent malware since as early as 2014. This access is especially interesting given that we were unable to find anyone selling access or builders for this malware.


Sarwent’s operator registered the following domains to mimic Amnesty International in addition to generating false versions of the organization’s website:

  • amnestyinternationalantipegasus[.]com
  • antipegasusamnesty[.]com • amnestyvspegasus[.]com

The researchers are unable to characterize the Sarwent threat actor based on the data obtained. They appear to be someone searching for quick cash on the surface.

However, some of the data appear to point to a more evolved enemy who isn’t motivated by money. The minimal number of victims and the high level of customization in the campaign are two indications that support this view.

How to Stay Safe

With Heimdal™ Threat Prevention you can easily leverage a Host-Based Intrusion Prevention System (HIPS), augmented by a highly intelligent threat detection technology powered by AI.

Our innovative AI will detect and block the infected domains, allowing you to enjoy peace of mind when thinking about your business ecosystem.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *