
Threat Actor Characterization

PEARL


ID: 1d59b3c4c31db1cf1cc94c1c1445509784420
Crimeware Spyware/Stealer State-Sponsored
Threat types: Malware, Spyware, Pegasus Operator
Bahrain BHR, QAT
Updated: 2026-04-12
Created: 2026-04-02
Progress: 78% Completeness: 73% Freshness: 90%
Operation zone: Bahrain, Qatar
Aliases
No aliases registered.
MITRE ATT&CK®

PEARL is a Citizen Lab-designated Pegasus operator historically associated with surveillance focused on Bahrain and Qatar and assessed as part of a Bahrain-linked government spyware customer environment.


| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1583 | Acquire Infrastructure | TA0042 | 2018-09-18 — Citizen Lab identified historical Pegasus operator infrastructure through scanning and clustering. |
| T1589 | Gather Victim Identity Information | TA0043 | 2021-08-24 — INFERENCE: politically sensitive individuals linked to Bahraini opposition and civil society were likely curated before targeting. |
| T1105 | Ingress Tool Transfer | TA0011 | 2018-09-18 — INFERENCE: Pegasus payload delivery and operator-controlled communications are consistent with ingress tool transfer via spyware infrastructure. |
| T1071 | Application Layer Protocol | TA0011 | 2018-09-18 — Operator-controlled Pegasus infrastructure implies application-layer communications between device and backend systems. |
| T1005 | Data from Local System | TA0009 | 2021-08-24 — INFERENCE: successful Pegasus surveillance would provide access to device-resident content relevant to intelligence collection. |
| T1119 | Automated Collection | TA0009 | 2021-08-24 — INFERENCE: PEARL’s likely mission included automated and operator-tasked collection from compromised iPhones. |

Strategic Intelligence
Last updated: 2026-04-12T20:05:42+00:00
PEARL

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Mercenary Spyware / Government Pegasus Operator

Assessed Origin: Bahrain (high-confidence analytical linkage to a Bahraini government Pegasus customer environment)


Executive Summary

PEARL is the name assigned by Citizen Lab to an earlier Pegasus operator associated with surveillance activity focused on Bahrain and Qatar. Public reporting places the operator active since at least July 2017 and identifies it as part of the wider NSO Group Pegasus ecosystem discovered through Internet scanning, clustering, and DNS cache probing. Unlike overt criminal or hacktivist groups, PEARL had no public brand, manifesto, or leak identity; its relevance lies in selective surveillance, state-linked targeting patterns, and the political sensitivity of its apparent victim environment.


PEARL is analytically significant because it appears to represent an early Bahrain-linked Pegasus operational cluster preceding, and potentially overlapping with, the later LULU operator. Public reporting indicates that PEARL spied exclusively in Bahrain and Qatar and was active during a period of intensifying repression against opposition political societies, activists, journalists, lawyers, and civil-society voices in Bahrain. The target environment described in later reporting includes members of Waad and Al Wefaq, both politically sensitive groups in the Bahraini context.

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — PEARL

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Threat Type: Government Pegasus operator / mercenary spyware customer cluster

What happened

PEARL is the designation assigned to an earlier Pegasus operator associated with surveillance activity focused on Bahrain and Qatar. Public reporting places the operator active since at least July 2017 and links it to the broader Bahrain-linked Pegasus customer environment

Hunting Playbook

Hunting Playbook — PEARL

Scope: This playbook is oriented to high-risk-person defense, mobile threat monitoring, proxy/DNS telemetry review, and incident-response support for suspected Pegasus-style surveillance linked to PEARL. It is not a generic enterprise ransomware or Windows intrusion playbook.

IOC Appendix
Last updated: 2026-04-12T20:12:22+00:00

IOC Appendix — PEARL

PEARL is a historical Pegasus operator designation, not a public malware family or branded criminal service. Public reporting provides strong analytical value around geography, surveillance purpose, and operator lineage, but relatively sparse PEARL-specific hard indicators compared with later operator reporting. Any operational use of indicators in this appendix should therefore emphasize hunting, enrichment, and contextual triage rather than simple blocking logic.

OSINT Library
Last saved: 2026-04-12T20:12:41+00:00

OSINT Library — PEARL


2018-09-18 — Citizen Lab — "Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries"
