Cache Me If You Can: Modern iOS Spyware and the Vanishing Forensic Trail
The proliferation of commercial spyware has created a need for continuous evolution among its vendors. This evolution is largely shaped by the deployment of advanced hardware and software security mechanisms. In response to these defenses, innovation within the commercial spyware ecosystem yields increasingly sophisticated techniques for mobile device exploitation.
Research groups such as Citizen Lab, Amnesty International, and Google's Threat Intelligence Group – among others – have played a critical role in uncovering these spyware variants through meticulous investigative efforts. Their insights have unveiled the nature of commercial spyware and detailed its capabilities, deployment methods, and operational infrastructure.
Despite these efforts, the process of uncovering and analyzing spyware remains labor-intensive and heavily reliant on expert-driven forensic techniques. Tools such as the Mobile Verification Toolkit (MVT) depend on time-consuming workflows involving device backups and the manual analysis of under-documented information. Moreover, these tools operate on indicators of compromise (IOCs) derived from campaigns exposed in 2023 or earlier, leaving them poorly suited to detect evolving or previously unknown threats. In response to these investigative methodologies, commercial spyware vendors have developed increasingly effective countermeasures aimed at undermining or altogether evading traditional forensic and detection capabilities.
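To make the IOC-dependence concrete, the following is an added example (written for this page, not code from MVT or from the talk) of the matching step such tools perform over records pulled from a device backup. Every indicator, process name, record and baseline below is a constructed placeholder; the suffix-style domain matching and the baseline-deviation pass are this example's own design choices, not a description of how MVT works. It shows the two outcomes the abstract describes: a record tied to a published indicator is caught, while a record pointing at infrastructure that no feed lists yet is invisible to IOC matching and surfaces only if some other signal is consulted.

```python
"""IOC matching over backup-derived records, plus a non-IOC fallback.

Added illustration; all indicators, records and the baseline are constructed.
"""
from __future__ import annotations

# Constructed IOC feed (placeholder values, partly written in defanged form).
IOC_FEED = {
    "domains": ["cdn-update[.]invalid", "telemetry-sync.invalid"],
    "processes": ["placeholderhelperd"],
}

# Constructed records resembling rows an analyst extracts from a backup:
# which process contacted which host, and when.
RECORDS = [
    {"process": "mobilesafari", "domain": "www.example.com", "ts": "2024-01-02T10:00:00Z"},
    {"process": "placeholderhelperd", "domain": "edge.cdn-update.invalid", "ts": "2024-01-02T10:05:00Z"},
    {"process": "constructed-agentd", "domain": "fresh-infra.invalid", "ts": "2024-01-03T08:00:00Z"},
    {"process": "mobilesafari", "domain": "telemetry-sync.invalid.", "ts": "2024-01-03T09:00:00Z"},
]

# Constructed baseline of processes expected to originate traffic (assumption).
BASELINE_PROCESSES = {"mobilesafari", "mail", "imagent"}


def normalize_domain(domain: str) -> str:
    """Lower-case, undo '[.]' defanging and drop a trailing dot so feeds and records compare equal."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def domain_matches(observed: str, indicator: str) -> bool:
    """True when the observed host equals the indicator or is a subdomain of it."""
    obs, ind = normalize_domain(observed), normalize_domain(indicator)
    return obs == ind or obs.endswith("." + ind)


def match_iocs(records: list[dict], feed: dict) -> list[dict]:
    """Return copies of the records that hit a domain or process indicator, with the reasons."""
    hits = []
    for rec in records:
        reasons = [f"domain:{normalize_domain(ind)}"
                   for ind in feed["domains"] if domain_matches(rec["domain"], ind)]
        if rec["process"] in feed["processes"]:
            reasons.append(f"process:{rec['process']}")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def baseline_deviations(records: list[dict], feed: dict, baseline: set[str]) -> list[dict]:
    """Records no indicator explains whose originating process is outside the baseline.

    This is the example's own illustration of a signal that does not depend on
    a published IOC; it is not a claim about any real tool's detection logic.
    """
    out = []
    for rec in records:
        ioc_explained = rec["process"] in feed["processes"] or any(
            domain_matches(rec["domain"], d) for d in feed["domains"])
        if not ioc_explained and rec["process"] not in baseline:
            out.append(rec)
    return out


if __name__ == "__main__":
    for hit in match_iocs(RECORDS, IOC_FEED):
        print("IOC hit:", hit["ts"], hit["process"], hit["domain"], hit["reasons"])
    for dev in baseline_deviations(RECORDS, IOC_FEED, BASELINE_PROCESSES):
        print("Unmatched by any IOC, outside baseline:", dev["ts"], dev["process"], dev["domain"])
```

Run stand-alone, the script reports two IOC hits (the subdomain of a defanged indicator and the trailing-dot variant of another) and one record that no indicator covers; that last record is exactly the case the abstract is concerned with, since an IOC-only workflow reports nothing for it.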
This presentation highlights the low-level implementation of adversarial tactics, techniques, and procedures observed in a modern iOS spyware sample, attributed to an evolving threat actor likely distinct from both Cytrox and NSO Group. Through a detailed code walkthrough, we examine the binary's rigorous cleanup mechanisms, which appear designed to counter the forensic methods employed by Citizen Lab – with a sledgehammer, and by name. Additionally, we analyze how this spyware variant deliberately circumvents contemporary hardware and software security features present on modern Apple devices, noting specific techniques that are likely to evade traditional forensic methodologies. Where possible, we provide indicators of compromise (IOCs) to support broader community awareness and detection of this emerging threat.