Pegasus //

[Bunny & pegasus]

Forensic Alert: Hijacked Use of group.com.apple.PegasusConfiguration on iPhone (iOS 18.5)

I'm investigating persistent spyware behavior on an iPhone and found unauthorized use of Apple’s internal PegasusConfiguration container. While this is normally used for Picture-in-Picture (PiP), logs confirm it's being abused for non-video daemons and behavioral telemetry.

Confirmed Findings:​

• Legitimate:
  • PGPictureInPictureController, SpringBoard: Used PegasusConfiguration for video overlay — expected.
• Suspicious (and Active in Logs):
  • parsecd (PegasusKit): Behavioral analysis framework, invoked proxy task (AegirPoster).
  • NanoUniverse.AegirProxyApp: Unknown service gaining SpringBoard assertions.
  • biomed, healthd, contextstored, siri: Running with Pegasus-level privileges — biometric and behavioral telemetry.
  • RunningBoard: Granted KeepAlive, RBSCPUAccessGrant, JetsamPriority to these daemons — typical of spyware persistence patterns.

Technical Indicators:​

• Container: group.com.apple.PegasusConfiguration
• Interfaces: utun0–utun3 present (stealth VPN tunnels)
• Assertion logs confirm non-media services were treated as privileged Apple processes
• triald and cloud.llm logs confirm targeting/experimentation active on device

Request:​

Looking for insight from iOS reverse engineers or security professionals:
This is persistent has followed me around locations and new devices ( I have experience things highly abnormal ) all this are with the phone in airplane mode not use but actually when attempt to check for spyware with imazing, this is the console inside of the process real time the one that said wtf happened in a moment I was not fully dress and I saw how the screen was like charging so many process at the time

• Is this a known internal telemetry system?
• Has anyone seen hijacking of PegasusConfiguration outside PiP?
• Can this be abused for sandbox escape or biometric profiling?