U.S. Ruling on NSO Sends Warning as Pegasus Targets Ugandan Journalists

By Noelyn Nassuuna | 8 May 2025

In a historic decision on May 6, 2025, a U.S. jury in California ordered NSO Group to pay $168 million in damages for deploying its Pegasus spyware to hack WhatsApp’s infrastructure. This unprecedented verdict—$447,719 in compensatory damages and over $167 million in punitive damages—marks the first time the notorious Israeli spyware company is held financially accountable in court for its hacking operations.

This ruling is a major victory for global digital rights defenders and a critical warning to companies enabling unlawful surveillance. For years, NSO Group’s Pegasus spyware has been linked to grave human rights violations, including the targeting of journalists, activists, and dissidents worldwide. Meta, the parent company of WhatsApp, pursued a six-year legal battle to expose these abuses and protect its users. The judgment follows a landmark January 2025 summary ruling that found NSO guilty of violating U.S. and California hacking laws and breaching WhatsApp’s Terms of Service.

“This verdict sends a clear message to spyware companies that targeting people through U.S.-based platforms will come with a high price,” said Michael De Dora, U.S. Policy and Advocacy Manager at Access Now.

But while the courtroom victory occurred in the United States, its impact reverberates far beyond. Just days before the judgment, Ugandan investigative journalist Canary Mugume took to X (formerly Twitter) to reveal that Pegasus spyware had attempted to infiltrate his device. His post sent shockwaves through Uganda’s media and civil society sectors, especially as the nation edges closer to its 2026 general elections.

This is not the first time Pegasus has been used to target journalists globally. In Uganda, such incidents signal a chilling escalation in the digital threats facing the press. The implications are grave: surveillance software like Pegasus doesn’t just spy on individuals—it compromises entire newsrooms, sources, and the right to information.

“Apple sent this notification to me indicating that I am being targeted by a mercenary spyware. Most of these are used by Governments to hack into phones of journalists, high-profile figures and activists. They last sent this in 2021, there’s a pattern – electoral season.”

In past years, several journalists and human rights defenders in Uganda have reported suspicious digital intrusions, but rarely with hard evidence pointing to a tool as sophisticated and invasive as Pegasus. The spyware is known for its ability to silently infiltrate phones, access messages, camera, microphone, and more—all without the user’s knowledge.

At Defenders Protection Initiative (DPI), we continue to raise alarm and awareness over the growing use of surveillance technologies to intimidate, silence, or endanger the work of journalists, activists, and civil society organizations. The risks are particularly heightened during politically sensitive periods such as elections, where access to reliable information and protection of press freedom are critical for democratic integrity.

The recent U.S. court ruling is a reminder: accountability is possible. It is also a call to action for governments, tech companies, and civil society in Uganda and across Africa to:

  • Strengthen digital security protocols for journalists and human rights defenders
  • Demand transparency and oversight over surveillance technologies
  • Challenge spyware vendors through legal, policy, and public channels

We stand in solidarity with journalists like Canary Mugume and urge all media professionals to report digital threats and seek expert support. DPI remains committed to supporting journalists and human rights defenders through digital security trainings, emergency response, and legal support.

As elections approach, the protection of digital rights is not just a tech issue—it is a human rights imperative.

The Guardians of Peace: The Crucial Role of Human Rights Defenders in Building a Peaceful World

By Noelyn Tracy Nassuuna

International Peace Day has come and gone, but the mission of building and sustaining peace continues every single day, especially for human rights defenders (HRDs) around the world. These courageous individuals are often on the front lines, advocating for justice, equality, and human dignity in the face of adversity. Their work is crucial in addressing the root causes of conflict and promoting long-lasting peace.

Holding Regulators Accountable for Data Privacy and Protection in Uganda’s NGO Sector -DPI

By Helen Namyalo Kimbugwe and Noelyn Tracy Nassuuna

As Uganda heads toward a pivotal election season, the release of sensitive financial statements for Non-Governmental Organizations (NGOs) like Chapter Four Uganda has sparked intense debate. These disclosures carry significant implications for donors, NGOs, and the public, shaping trust, transparency, and operational stability.

What does this mean for NGOs operating in Uganda, their donors, and the communities they serve? How can transparency be balanced with protection in such politically charged times?

To delve deeper into these issues, download the full article now and stay informed about the future of civil society in Uganda.

delayed-phishing

What you need to know about Delayed Phishing/ Post-Delivery Weaponized URL

Truth is, most of us have ever been a victim of phishing before and with the abundant resources online and trainings that we have so far had, we have become sort of immune to phishing.

Click here to as well look at our blog post about phishing and what you need to know

Our immunity against phishing has so far been boosted by e-mail service providers, mail gateways and even browsers that we use which has all embedded in their systems anti-phishing filters and malicious address scanners.

With all these above, cybercriminals are constantly inventing new, and refining old, circumvention methods. One such method is delayed phishing.

Delayed phishing is an attempt to lure a victim to a malicious or fake site using a technique known as Post-Delivery Weaponized URL.

“As the name suggests, the technique essentially replaces online content with a malicious version after the delivery of an e-mail linking to it. In other words, the potential victim receives an e-mail with a link that points either nowhere or to a legitimate resource that may already be compromised but that at that point has no malicious content. As a result, the message sails through any filters. The protection algorithms find the URL in the text, scan the linked site, see nothing dangerous there, and allow the message through.”

Effecting the malicious link

Attackers operate on the assumption that their victim is a normal worker who sleeps at night. Therefore, delayed phishing messages are sent after midnight (in the victim’s time zone), and become malicious a few hours later, closer to dawn.

If cybercriminals find a specific person to attack, they can study their victim’s daily routine and activate the malicious link depending on when that person checks mail.

Technology behind Delayed Phishing

For delayed phishing to be effective, hackers use at least one of these 2 common methods:

  1. Simple link: In this case, the hackers are the ones who are controlling the target site in that at the time of delivery, the site is safe so it can go through the several security levels it is scanned before it is delivered to your mailbox. At the time of delivery, the link leads to either a meaningless stub or (more commonly) a page with an error 404 message and the malicious version of the site is activated after delivery.
  2. Short-link switcheroo: Several sites offer link shortening services to the world, with this you can get alternative links that are easy to remember and short instead of long and boring links. However, some of this services allow you to alternate the link behind these short links. So the cybercriminals take advantage of this in that, by the time they are sending the email, the short link it pointing to a legitimate site and is swapped to the malicious site after delivery.

Although there is a third technology that is not so common which includes a randomized and short link where there is a probabilistic redirection. That is, the link has a 50% chance of leading to google.com and a 50% chance of opening a phishing site. The possibility of landing on a legitimate site apparently can confuse crawlers (programs for automatic information collection).

Spotting & fighting Delayed Phishing

Ideally, there is need to prevent the phishing link from getting to the user, so rescanning the inbox would seem to be the best strategy.

In some cases, that is doable: for example, if your organization uses a Microsoft Exchange mail server. Kaspersky Security for Microsoft Exchange Server is also included in our Kaspersky Security for Mail Servers and Kaspersky Total Security for Business solutions.

DSC_6080

The Digital Security Conference 2017

Defenders protection initiative is committed to re-enforcing the resilience of Human Rights Defenders against digital/cyber attacks. Following a survey to assess the digital security posture of civil society organisations in Uganda, DPI organised #DigiSecCon17; The Digital Security Conference 2017, themed,  “Why should Civil Society in Uganda Worry” that was held in Kampala at the Serena Conference Centre, on the 8th of September 2017.