C9Lab

Abstract This case study examines Pegasus, a sophisticated spyware created by the Israeli company NSO Group. The Pegasus Project investigation exposed its widespread use for surveillance of journalists, activists, opposition politicians, and even heads of state. This document provides a publication-ready account of the incident, covering the spyware’s capabilities, confirmed infections, the resulting legal and political fallout, and the broader implications for democracy, privacy, and cybersecurity. Executive summary Pegasus is a zero-click spyware capable of compromising smartphones without user interaction. Once installed, it provides full access to calls, messages, photos, emails, microphones, and cameras. The 2021 Pegasus Project investigation revealed tens of thousands of phone numbers as potential targets, including high-profile figures worldwide. The scandal triggered lawsuits against NSO Group, global debates on surveillance abuse, and calls for stronger international regulatio...

This case study presents a reproducible, ethical OSINT investigation of a ransomware incident against a mid-sized organization. The narrative is anonymized and synthesizes techniques and findings commonly observed in real-world incidents (notably Conti, DarkSide/Colonial Pipeline, and Avaddon investigations) to provide a publication-ready report that security teams, researchers, and policymakers can use as a reference. Abstract  This case study presents a reproducible, ethical OSINT investigation of a ransomware incident against a mid-sized organization. The narrative is anonymized and synthesizes techniques and findings commonly observed in real-world incidents (notably Conti, DarkSide/Colonial Pipeline, and Avaddon investigations) to provide a publication-ready report that security teams, researchers, and policymakers can use as a reference. The focus is on open-source collection, timeline construction, infrastructure clustering, and evidence preservation for handoff to CERT and ...

Cybercrime in India is growing at an alarming pace. From ransomware attacks on hospitals to data breaches in fintech startups, cyber threats are no longer limited to large enterprises. Today, small and medium businesses are the most targeted because attackers know they lack strong security testing. This is where Vulnerability Assessment and Penetration Testing (VAPT) has become mandatory rather than optional. What Is VAPT? VAPT is a cybersecurity testing process that identifies vulnerabilities in your website, applications, servers, APIs, and networks before hackers can exploit them. Vulnerability Assessment (VA) scans your systems to find weaknesses Penetration Testing (PT) simulates real cyberattacks to verify what can actually be breached Together, VAPT gives you a clear picture of your real cyber risk. Why Indian Businesses Must Perform VAPT in 2026 1. RBI, CERT-In and DPDP Compliance Indian regulations now strongly recommend and enforce periodic security audits: RBI ...

Every business today runs on data. Client records, financial files, emails, project documents, designs, databases. When that data is safe, operations run smoothly. When it is lost, everything slows down or even stops. Many professionals use the terms Data Recovery and Data Backup as if they mean the same thing. They do not. Understanding the difference is not just technical knowledge. It is a basic business responsibility. Let’s break it down in a clear and practical way. What is Data Backup? It is the process of creating a copy of your data and storing it in another location. This copy can be used later if the original data is lost, damaged, or deleted. Backups can be stored: On external hard drives On local servers On cloud platforms In offsite data centers   The purpose is simple. If something goes wrong, you restore your files from the backup copy. Businesses use data backup solutions to automate this process. Modern systems can schedule daily or even real-time backups so that ...

Bug bounty programs have fundamentally changed how organizations approach security. Instead of relying only on internal teams, companies now collaborate with ethical hackers across the globe to identify vulnerabilities before they can be exploited. This model has proven effective in uncovering critical security gaps early. At the same time, bug bounty hunting has become increasingly competitive. Today, multiple researchers often test the same application, targeting similar areas using similar approaches. In such an environment, relying only on conventional manual testing is usually not enough to consistently find unique or high-impact vulnerabilities. This is where fuzzing becomes highly relevant. Fuzzing introduces scale and depth into testing by allowing researchers to go beyond predictable inputs and explore how systems behave under unexpected conditions. When applied correctly, it can significantly improve both the quality and impact of bug bounty findings. This blog explores how f...