Threat Actor Characterization

LULU

ID: 10638edc04936833c872461c8dfb5def93019
Categories: Crimeware, Spyware/Stealer
Threat types: Malware
Countries: Bahrain (BHR), QAT, GBR
Updated: 2026-04-12
Created: 2026-04-02
Progress: 78% Completeness: 73% Freshness: 90%
Operation zone: Bahrain, Qatar, United Kingdom
Aliases
No aliases registered.
Actor Network Graph
Open Network Graph
MITRE ATT&CK®

LULU is a Pegasus operator attributed with high confidence to the Government of Bahrain and linked to targeted iPhone compromises of Bahraini activists between June 2020 and February 2021 using zero-click iMessage exploit chains including KISMET and FORCEDENTRY.


Technique | Technique name | Tactics | Evidence
T1203 | Exploitation for Client Execution | TA0002
  • 2021-08-24 — Citizen Lab described zero-click exploitation of iMessage processing logic via KISMET and FORCEDENTRY in Bahraini Pegasus cases.
T1566.002 | Spearphishing Link | TA0001
  • 2021-08-24 — A target that upgraded to iOS 14 received an SMS Pegasus lure tied to LULU infrastructure, consistent with spearphishing link delivery.
T1583 | Acquire Infrastructure | TA0042
  • 2021-08-24 — Citizen Lab documented operator-linked infrastructure including hooklevel[.]com and api1r3f4.redirectweburl[.]com plus associated IPs.
T1071 | Application Layer Protocol | TA0011
  • 2021-08-24 — Pegasus connected to operator-controlled internet infrastructure for command and control during victim monitoring.
T1005 | Data from Local System | TA0009
  • 2021-08-24 — The Pegasus capability class inherently supports data collection from the infected handset; case reporting frames the operation as covert intelligence collection.
Strategic Intelligence
Last updated: 2026-04-12T20:22:00+00:00
LULU

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Mercenary Spyware / Government Pegasus Operator

Assessed Origin: Bahrain (high-confidence attribution to the Government of Bahrain)


Executive Summary

LULU is the name assigned by Citizen Lab to a Pegasus operator attributed with high confidence to the Government of Bahrain. Public forensic reporting indicates that this operator successfully hacked the iPhones of at least four Bahraini activists between June 2020 and February 2021 and was part of a broader wave in which nine Bahraini activists were confirmed as Pegasus victims during that period. The cases are strategically significant because they show sustained government-linked use of NSO Group’s spyware against civil-society and political-opposition targets, including members of Waad, the Bahrain Center for Human Rights (BCHR), exiled dissidents, and an Al Wefaq member.


The operator’s tradecraft was consistent with high-end mobile surveillance rather than broad cyber disruption. Public reporting tied LULU activity to Pegasus delivery infrastructure and to zero-click iMessage exploitation chains, including KISMET in 2020 and FORCEDENTRY in 2021. At least one case also showed an operational fallback to one-click SMS delivery after an iOS upgrade appears to have reduced the effectiveness of the prior zero-click chain. This pattern indicates an operator focused on persistent intelligence collection against specific individuals rather than broad criminal monetization or destructive impact.

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — LULU

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Hunting Playbook

Hunting Playbook — LULU

Scope: This playbook is designed for organizations protecting high-risk iPhone users and for DFIR / threat hunting teams conducting retrospective checks for Bahrain-linked Pegasus activity associated with the operator designated LULU. It focuses on forensic triage, mobile telemetry review, and external infrastructure correlation rather than traditional Windows / Linux endpoint hunting.

IOC Appendix
Last updated: 2026-04-12T20:23:49+00:00

IOC Appendix — LULU (TLP:WHITE)

Scope & Caveats. LULU is a government-linked Pegasus operator rather than a conventional malware family with stable public samples and broad reusable indicators. As a result, the most defensible indicators are historical infrastructure elements, forensic strings, exploit-era behavioral patterns, and victimology-linked context from Citizen Lab’s reporting. Many items below are best used for retrospective hunting and case enrichment rather than durable blocking. Historical Pegasus infrastructure also churns quickly, and some domains / IPs may no longer be under actor control.
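The retrospective, correlation-style use the scope note above describes can be illustrated against the two operator-linked domains listed in the T1583 row. The following is an added example written for this profile, not tooling from Citizen Lab or from this platform: it refangs the indicators as they appear on the page and matches them (exact name or subdomain) against constructed DNS resolver log lines, skipping malformed lines. Given the infrastructure churn noted above, hits are leads for case enrichment, not proof of current actor control.

```python
import re
from typing import Iterable

# Historical operator-linked domains as published by Citizen Lab (2021-08-24),
# kept in the defanged form used in the profile above.
LULU_DOMAINS_DEFANGED = [
    "hooklevel[.]com",
    "api1r3f4.redirectweburl[.]com",
]


def refang(indicator: str) -> str:
    """Normalise a defanged indicator ('hooklevel[.]com', 'hxxp://...') into a matchable hostname."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxps?://", "", s)
    return s.rstrip(".")


def domain_matches(query: str, indicator: str) -> bool:
    """True if the queried name is the indicator itself or a subdomain of it (never a mere suffix)."""
    q, i = refang(query), refang(indicator)
    return q == i or q.endswith("." + i)


# Constructed sample resolver log (not real telemetry): timestamp, client IP, queried name.
SAMPLE_DNS_LOG = """\
2020-07-14T09:12:01Z 10.0.5.21 time.apple.com
2020-07-14T09:12:44Z 10.0.5.21 api1r3f4.redirectweburl.com
2020-07-14T09:13:02Z 10.0.5.33 cdn.hooklevel.com
2020-07-14T09:13:09Z 10.0.5.33 nothooklevel.com
2020-07-14T09:14:30Z 10.0.5.40 mail.example.org
"""


def hunt(log_text: str, indicators: Iterable[str] = LULU_DOMAINS_DEFANGED) -> list[dict]:
    """Return one record per log line whose queried name matches any indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting a retrospective run
        ts, client, qname = parts
        for ind in indicators:
            if domain_matches(qname, ind):
                hits.append({"ts": ts, "client": client, "qname": qname, "indicator": ind})
                break
    return hits
```

The `nothooklevel.com` line is deliberate: suffix-only matching would flag it, the subdomain check does not.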

OSINT Library
Last saved: 2026-04-12T20:24:10+00:00

OSINT Library — LULU


2021-08-24 — Citizen Lab — “From Pearl to Pegasus: Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits”

Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.