Colleagues of slain Javier Valdez Cárdenas, known for investigating drug cartels, were targeted just days after his death.

The notorious state actor mobile spyware known as Pegasus has resurfaced, targeting the colleagues of a slain Mexican journalist who lived – and died – investigating drug cartels.

Journalist Javier Valdez Cárdenas, founder of Río Doce, a Mexican newspaper known for investigating the narco trade, was gunned down near his office in Sinaloa in May 2017. Just days later, Río Doce’s director and a colleague started receiving text messages with a “news alert” that Cárdenas’ killers had been identified.

According to a Tuesday report by Citizen Lab, the message – and the several others that followed – were all Pegasus infection attempts by a Mexican government-linked APT dubbed RECKLESS-1.

Of six messages analyzed (though more were received), several contained links shortened with bit.ly that ultimately pointed to known exploit URLs, while others included links directly containing previously–identified NSO Group exploit domains.

“Based on prior Citizen Lab analysis of NSO Group exploit servers, we conclude that clicking on any of the links would have resulted in the silent infection of the device with Pegasus spyware,” Citizen Lab said.

RECKLESS-1 has been seen in the past, targeting Mexican journalist Rafael Cabrera in 2016 and a range of health advocates in 2017 (the latter apparently on behalf of a commercial interest in the soft-drink industry, according to the firm).

Overall, Citizen Lab and its Mexican collaborators have previously disclosed 22 targets of Pegasus in Mexico, so the total now stands at 24.

“By the time Villarreal and Bojórquez were targeted by RECKLESS-1 in May 2017, it had been clear for almost eight months that Pegasus was being abused in Mexico,” Citizen Lab noted in a breakdown of the attacks. “The case had even made two front-page New York Times stories,” Citizen Lab said. “Despite the attention, the Mexican government-linked operator did not appear to have felt sufficient pressure to stop targeting civil society. Nor did it appear that NSO Group, its supplier, stopped their client from continuing to abuse Pegasus.”

Pegasus contains a host of spy features, which can be used to infect the user’s smartphone, track keystrokes, take control of the phone’s camera and microphone, and access contact lists.

“As for surveillance, let’s be clear: We’re talking total surveillance,” Kaspersky Lab said in a 2017 overview of the spyware. “Pegasus is modular malware. After scanning the target’s device, it installs the necessary modules to read the user’s messages and mail, listen to calls, capture screenshots, log pressed keys, exfiltrate browser history, contacts, and so on and so forth. Basically, it can spy on every aspect of the target’s life. It’s also noteworthy that Pegasus could even listen to encrypted audio streams and read encrypted messages — thanks to its keylogging and audio recording capabilities, it was stealing messages before they were encrypted (and, for incoming messages, after decryption).”

Pegasus was developed by Israel-based NSO Group, which has long been suspected to be part of an ethically grey-scaled world of cyber-arms/defense-dealing that also includes groups like FinFisher, Hacking Team, Vupen and Zerodium. These businesses specialize in acquiring zero-day exploits and developing hacking tools – often for quite a bit of money – and then selling them off.

Like its rivals, NSO Group has maintained that it’s choosy about its buyers, and recently told Amnesty International that Pegasus “is intended to be used exclusively for the investigation and prevention of crime and terrorism.”

However, Citizen Lab has tracked it being used by repressive governments to spy on human rights defenders, journalists and dissidents. In Mexico alone, previous investigations identified infection attempts against multiple journalists, lawyers, international investigators, public health practitioners, senior politicians and anti-corruption activists.

“While there is very little publicly-available information on NSO Group’s oversight practices, the continued use of Pegasus in Mexico suggests that their current procedures are problematic both substantively and in their implementation and application,” Citizen Lab said.

As for attribution, the firm said that immediately prior to the initial infection attempts on Cárdenas’ colleagues, the Criminal Investigation Agency (Agencia de Investigación Criminal), which is part of the Mexican Office of the Attorney General (Procurador General de la República or PGR), had arrived to investigate the killing.

“Although our recent research has identified multiple current and former Pegasus deployments in Mexico (and by implication, NSO Group customers), the PGR is the only entity publicly identified as an NGO Group customer,” Citizen Lab said.