Security News > 2021 > September > Fake Amnesty International Pegasus scanner used to infect Windows
Threat actors are trying to capitalize on the recent revelations on Pegasus spyware from Amnesty International to drop a less-known remote access tool called Sarwent.
The malware looks and acts the part of a legitimate antivirus solution specially created to scan the system for traces of Pegasus traces and to remove them.
The lure used in past campaigns is not clear at the moment but researchers at Cisco Talos spotted a new attack recently where Sarwent was delivered through a fake Amnesty International website advertising Anti-Pegasus AV. The threat actor made an effort to make the malware look like a legitimate antivirus by created an appropriate graphical user interface.
It is unclear how the actor lures visitors to the fake Amnesty International website but an analysis of the domains in this campaign "Shows that the initial domains are being accessed worldwide," although there is no indication of a large-scale campaign.
They also found a similar backend being used since 2014, suggesting either that the malware is much older than initially thought or that a different actor used it before.
Cisco Talos researchers believe that the graphical user interface disguising Sarwent into an antivirus solution indicates that the threat actor behind it has access to the malware source code.