A curated set of NSO Group internal documents, product materials and sworn testimony that entered the public record in WhatsApp Inc. and Meta Platforms, Inc. v. NSO Group Technologies Limited and Q Cyber Technologies Limited, Case No. 4:19-cv-07123-PJH (US District Court, Northern District of California).
This repository accompanies a technical analysis Inside Pegasus: The evolution of the world's most notorious spyware system, pubblished by Amnesty International's Security Lab in it's role as technical partners to a new collaborative investigation coordinated by Forbidden Stories Pegasus Project: Inside Morocco’s Spying Machine.
Every file here is an extract from documents filed on the public court
docket. Each page carries the court's filing stamp (Case 4:19-cv-07123-PJH … Filed …) and the parties' Bates numbers
(NSO_WHATSAPP_…, WA-NSO…), so any extract can be traced back to its source
filing and page.
All documents in this repository are now in the public domain as public court exhibits. Some carry a "HIGHLY CONFIDENTIAL – ATTORNEYS' EYES ONLY" stamp. That was their designation during the litigation, before the court ordered them filed publicly; the stamp is a record of that history and has no bearing on their status now.
Due the volume of material, automated tooling was used to identify and extract key documents from the extensive court filings, and to build this index. All documents cited in the accompanying research breifing have been manually reviewed and references.
| Docket | Filed | Filed by | What it is |
|---|---|---|---|
| Dkt. 796 | 15 September 2025 | NSO / Q Cyber (Defendants) | Notice of Public Filing of Previously-Sealed Exhibits. The primary source, with 20 attachments containing depositions, expert reports and NSO's own internal product and engineering documents. |
| Dkt. 679-6 | 4 April 2025 | WhatsApp / Meta (Plaintiffs) | Exhibit 6 to Plaintiffs' Notice of Filing of the sanctions briefing: 139 pages of NSO documents produced in discovery (revenue, targeting, sales materials). |
| Dkt. 674 | 4 April 2025 | NSO / Q Cyber (Defendants) | Notice of Public Filing of Exhibits in support of NSO's opposition to Plaintiffs' sanctions motion. |
| Dkt. 320 | 26 June 2024 | WhatsApp / Meta (Plaintiffs) | Motion for issuance of a letter rogatory. Its Exhibit 11 reproduces the original October 2019 complaint and its attachments, including the NSO–Ghana reseller agreement filed as Document 1-1. |
| Dkt. 825 | 26 December 2025 | NSO / Q Cyber (Defendants) | Excerpts of record for NSO's Ninth Circuit appeal (No. 25-7380), reproducing previously-sealed exhibits including a 2018 Q Cyber customer licence agreement (originally Dkt. 813-4). |
Each attachment of Dkt. 796 is one exhibit. Some attachments bundle several
exhibits; the "Pages" column below always gives the page range within the
cited attachment, matching the Page X of Y stamp printed on every page.
Every entry links to the curated PDF in this repository (left) and to the source filing on CourtListener (right).
The three successive zero-click vectors NSO built to install Pegasus through WhatsApp, and the server that drove them.
| Document | Summary | Source |
|---|---|---|
| heaven-system-architecture-spec.pdf | "Heaven System Architecture Specification – DRAFT" (November 2017). Defines Heaven as "a zero-click installation process based on vulnerabilities in WhatsApp, initially implemented for Android phones", and specifies the new "WIS" service, the backend, the honeypot and the installation-with-fingerprint-server flow. | Dkt. 796-16, pp. 16-19 |
| heaven-full-prd.pdf | Heaven Full Product Requirements Document ("Pegasus 2 – Heaven"), issue date 27 December 2017: workflow and requirements, deployment requirements and compliance matrix. | Dkt. 796-16, pp. 4-9 |
| wis-refactoring-heaven-separation.pdf | "Pegasus 3 – WIS Refactoring (Heaven Separation)" (April 2018). Moves Heaven business logic out of the Pegasus 3 server into an "enhanced WIS" / Android Backend Server (ABS); lists the Pegasus 3 server's role in issuing the installation key (iKey) and serving the payload zip ("exploits, PE, etc."). | Dkt. 796-16, pp. 11-14 |
| heaven-2.7.1-technical.pdf | Heaven 2.7.1 technical page. | Dkt. 796-16, pp. 21-24 |
| heaven-accounts-availability.pdf | Heaven WhatsApp-account availability page. | Dkt. 796-16, pp. 30-31 |
| how-to-create-abs-server.pdf | "How to create ABS server" (May 2019): runbook for deploying the Android Backend Server that "replace[s] the WIS server for Eden", via NSO's internal Jenkins; shows the config path attackVectors/heaven/config.json and the operator Support UI. |
Dkt. 796-16, pp. 33-35 |
| erised-system-architecture-spec.pdf | "Erised (Covert Android) System Architecture" specification (September 2019). Defines Erised as "a covert Android installation vector"; covers potential targets, OpSec changes, a new ABS "Next Credential" status code and a longer installation timeout. | Dkt. 796-17, pp. 13-44 (Exhibit 50) |
| erised-deviate-installations-log.pdf | Erised "Deviate installations on white environment – from 12/01/2020" log, reproduced inside the Youssef expert report: a table of Erised (ER-xx) test installations against Samsung handsets with WhatsApp version, kernel and installation-instance IDs. |
Dkt. 796-3, pp. 141-161 |
| erised-installation-dashboard.pdf | Stand-alone exhibit version of the same Erised installation dashboard (from 12 January 2020). | Dkt. 796-12, pp. 1-31 (Exhibit 21) |
| eden-covert-vector-pages.pdf | Confluence pages on the Eden covert vector (April 2019 – March 2020): "Installation Vectors / Eden – Archive only" with the Hummingbird operational guidelines (installation-failure conditions, max calls per target, daily-attempt and rate limits, "Hummingbird Vector is currently NOT operational!"), and "Covert (Eden) Config". | Dkt. 796-17, pp. 2-11 (Exhibits 46-49) |
| devices-for-sales-environment.pdf | "Devices for Sales environment": a test-device inventory table listing NSO IDs, phone numbers and the Samsung and LG handset models (and Android versions) used to validate installations. | Dkt. 796-13, p. 2 (Exhibit 22) |
| heaven-emulators-deployment.pdf | "Emulators environment installation" runbook: deploying the Heaven WIS-EMULATORS environment (WIS-MNG server from OVF with Frida, DHCP, ADB and the Orchestrator), the emulator setup used to develop the Heaven vector against WhatsApp. | Dkt. 796-13, pp. 4-5 (Exhibit 23) |
| Document | Summary | Source |
|---|---|---|
| pegasus-3-introduction.pdf | "Pegasus 3 – Introduction": Q Cyber Technologies product deck introducing the Pegasus 3 system. | Dkt. 796-13, pp. 7-30 (Exhibit 24) |
| pegasus-system-roles.pdf | "Pegasus System Roles": Q Cyber Technologies product deck introducing Pegasus system roles. | Dkt. 796-13, pp. 32-45 (Exhibit 25) |
| pegasus-product-description-2018.pdf | Pegasus product description (2018): capabilities overview presentation. | Dkt. 796-15, pp. 2-36 (Exhibit 32) |
| mobile-endpoint-product-description.pdf | "Mobile Endpoint – Product Description". | Dkt. 796-15, pp. 38-59 (Exhibit 33) |
| mobile-endpoint-solutions.pdf | Mobile end-point solutions overview. | Dkt. 674, pp. 25-28 |
| endpoint-agent.pdf | Endpoint agent page. | Dkt. 674, p. 32 |
| active-data-collection-slides.pdf | "Active data collection" presentation. | Dkt. 796-14, pp. 2-37 (Exhibit 26) |
| active-data-collection-training.pdf | Active data collection training deck. | Dkt. 796-14, pp. 49-87 (Exhibit 28) |
| covert-vectors-guidelines.pdf | Covert-vectors guidelines (the Hummingbird covert-vector guide). | Dkt. 796-14, pp. 39-47 (Exhibit 27) |
| nso-intelligence-capabilities-deck.pdf | NSO capabilities presentation ("Data to Intelligence"): the collection challenges NSO frames its product against (end-to-end encryption, device security layers, cloud data, switching devices) and the Pegasus 3 (PGS3) cloud-extraction and investigation capabilities. | Dkt. 674, pp. 17-23 (Exhibit 13) |
| Document | Summary | Source |
|---|---|---|
| pegasus-2.50-android-release-notes.pdf | Pegasus 2.50 (Android) release note, 25 January 2018: "Heaven – the first 0-clicks installation vector for Broad Android devices." Coverage: WhatsApp 2.17.395 / 2.17.427 / 2.18.9; Android 5.0-7.X; 32- and 64-bit; "no support for device with kernel version 4.4"; "no support for Samsung Galaxy S8, S8+, Note 8". | Dkt. 796-19, p. 13 |
| pegasus-2.65-release-notes.pdf | Pegasus 2.65 (iOS, Android, P2) release note, April 2018: iOS collection/exfiltration speed-ups; Heaven now supports Galaxy S8/S8+/Note 8 and WhatsApp 2.18.92; adds Snapchat collection. | Dkt. 796-19, p. 17 |
| pegasus-2.70-component-versions.pdf | Pegasus 2.70 release/component-version summary (Android package, UI, Pegasus Server and Installation Server versions; upgrade scripts). | Dkt. 796-19, p. 23 |
| android-device-exploit-support.pdf | "Android device requests": internal tracker of specific Android handsets and OS versions and whether the privilege-escalation exploits (code-named "scarab", "octopus", "peter") work on each. | Dkt. 796-19, p. 10 |
| pegasus-2.65-technical-summary.pdf | Pegasus 2.65.0 technical summary (Confluence page): iPhone executive summary and task list for the release. | Dkt. 796-19, pp. 20-24 (Exhibit 70) |
| pegasus-2.66-android-release-notes.pdf | Pegasus 2.66.0 (Android) release notes (Confluence page). | Dkt. 796-19, pp. 32-33 (Exhibit 73) |
| pegasus-2.67.1-android-release-notes.pdf | Pegasus 2.67.1 (Android) release notes (Confluence page), including a note to replace the attached exploit-group configuration and a QA-test checklist. | Dkt. 796-19, pp. 35-38 (Exhibit 74) |
| pegasus-2.70-android-release-planning.pdf | The Pegasus 2.70 (Android & P2 Platform) release-planning bundle: Confluence "Released Versions", "Android Agent Release Notes" and "2.70 (Android)" pages carrying the Heaven feature-priority roadmap (WIS improvements, partial-fingerprint, 64-bit indication, Samsung S8 Oreo kernel support, LG G5 / OnePlus 3), abuse-prevention updates and per-feature required-FR tables; references SilentExploitGroupsMapping.xml and PS settings.config. |
Dkt. 796-20, pp. 2-48 (Exhibits 76-90) |
| pegasus-2.52-android-release-notes.pdf | Pegasus 2.52 (Android) release note (approved 15 February 2018): adds support for the then-latest WhatsApp version 2.18.46 and further Heaven enhancements. | Dkt. 796-19, p. 15 (Exhibit 68) |
| pegasus-2.65-release-highlights.pdf | Pegasus 2.65.0 (Android, P2 Platform) release highlights: collection speed "more than tripled" and exfiltration speed "multiplied by 6", post-installation sleep-prevention, and stability fixes; points to the "2.65 release meeting" presentation. A fuller-detail companion to the 2.65 release note above. | Dkt. 796-19, pp. 26-27 (Exhibit 71) |
| pegasus-2.66-heaven-beta-release-note.pdf | Pegasus 2.66 (Android) release note (17 April 2018): approved for production for Heaven beta clients and positioned as the candidate Heaven GA (general-availability) version, with enhancements to the Heaven installation flow. An earlier-revision companion to the 2.66.0 note above. | Dkt. 796-19, pp. 29-30 (Exhibit 72) |
| pegasus-2.67.1-android-release-highlights.pdf | Pegasus 2.67.1 (Android) release highlights (revised 23 May 2018, release 14 May): Android OpSec enhancements including Heaven caller-number sanitizing (the agent changes the caller number to an invalid number), agent-lite logging and watchdog additions, and a note that call recording is unsupported on Wiko. A later-revision companion to the 2.67.1 technical summary above. | Dkt. 796-19, pp. 40-41 (Exhibit 75) |
| pegasus-2.70-abuse-prevention-updates.pdf | Pegasus 2.70 (Android & P2 Platform) "Abuse Prevention & White list updates" page (released 31 May / 7 June): the abuse-prevention and whitelist changes shipped with the 2.70 release. | Dkt. 796-19, pp. 2-3 (Exhibit 63) |
| pegasus-3-pony-whatsapp-agent.pdf | Pegasus 3 Pony (WhatsApp Agent) Support Specification (Confluence page). | Dkt. 796-18, pp. 2-5 |
| Document | Summary | Source |
|---|---|---|
| opsec-rule-engine-prd.pdf | "Opsec Rule Engine – PRD" (March 2020): requirements for a rules engine that enforces operational-security limits (quantity and time limits, cool-downs, installation limitations) so that operations "are performed at minimal risk of exposure". | Dkt. 796-18, pp. 14-20 |
| opsec-alerts.pdf | OpSec alerts page. | Dkt. 796-18, pp. 22-23 |
| system-bill-of-materials.pdf | "Bill of Materials (BOM) for System Installation Hardware": the Dell PowerEdge server hardware shipped to a customer to run a Pegasus installation. | Dkt. 796-15, pp. 61-67 (Exhibit 35) |
| opsec-home.pdf | The "OpSec Home" Confluence landing page for NSO's operational-security space. | Dkt. 796-19, p. 5 (Exhibit 64) |
| opsec-field-learning-cases.pdf | "'Field learning' cases": OpSec Confluence page collecting operational lessons and abuse-prevention QA test cases (e.g. testing Erised against the abuse-prevention limits). | Dkt. 796-19, pp. 7-8 (Exhibit 65) |
| Document | Summary | Source |
|---|---|---|
| nso-q2-2018-board-meeting.pdf | NSO Q2 2018 board-meeting slides, entered as an exhibit during the Gazneli deposition; references customer code names and the Storm and Nighthawk vectors. | Dkt. 796-5, pp. 110-113 |
| customer-revenue-list.pdf | Per-account Pegasus revenue table (2018-2020), broken down by product and by whether covert/triggered iOS and Android were provided (the basis for the damages and relevant-revenue analysis). | Dkt. 679-6, pp. 104-117 |
| whatsapp-targets-per-country.pdf | Table of NSO command-and-control infrastructure and per-country targeting linked to the WhatsApp VoIP vector (heavily redacted in the public version). | Dkt. 679-6, pp. 119-129 |
| pitch-happy-flow.pdf | "Happy Flow" sales walk-through / demonstration material. | Dkt. 679-6, pp. 94-102 |
| nso-ghana-agreement.pdf | The 2015 reseller agreement (17 December 2015) between Infraloks Development Limited (Ghana) and the National Communication Authority of the Republic of Ghana, reselling NSO Group cyber-intelligence solutions — the licence to use "the System", with "Exhibit C – Installation Requirements". Filed as Document 1-1 to WhatsApp's original October 2019 complaint and reproduced here from the letter-rogatory motion. | Dkt. 320, pp. 111-156 (Exhibit 11, Document 1-1) |
| qcyber-customer-agreement-2018.pdf | A Pegasus customer licence agreement (1 November 2018) between Q Cyber Technologies SARL (Luxembourg) and a redacted End-User: definitions, the System/Licence terms and Exhibits A-F (Description of System and Services, Consideration, Installation Requirements, Security Guidelines, Form of End-User Certificate, Service Level Agreement). | Dkt. 825, pp. 58-78 (originally Dkt. 813-4) |
Sworn testimony comes from two different sources, kept separate below: the deposition designations Meta published on its newsroom, and extracts from the court docket itself.
Deposition video-transcript designations for four senior NSO Group executives — the excerpts of each witness's recorded deposition that the parties designated to play at trial (marked P's Narrowed / D's Counters). Meta published these as unofficial transcripts in its 6 May 2025 newsroom post "Winning the Fight Against Spyware Merchant NSO", "so that these records are available to researchers and journalists"; Meta notes it intends to add the official court transcripts once they are available.
| Document | Summary | Source |
|---|---|---|
| WhatsApp-v-NSO-Shohat-Transcrips_Case-4-19-cv-07123-PJH.pdf | Yaron Shohat, NSO Group CEO (deposed 29 August 2024). Read the release note into the record that "Pegasus 2.5 is officially approved for production" and that "This version introduces Heaven, the first zero clicks installation vector for broad Android devices." | Meta Newsroom, 6 May 2025: post · original PDF |
| WhatsApp-v-NSO-Gazneli-Transcrips_Case-4-19-cv-07123-PJH.pdf | Tamir Gazneli, NSO VP of Research & Development (deposed 4 September 2024). Testimony on the team he led that built the WhatsApp installation vectors and on how a vector reaches the target device. | Meta Newsroom, 6 May 2025: post · original PDF |
| WhatsApp-v-NSO-Gil-Transcrips_Case-4-19-cv-07123-PJH.pdf | Sarit Bizinsky Gil, NSO VP of Global Business Operations (deposed 6 September 2024). Testimony on which customers obtained the right to use the spyware, the consideration NSO received, and how much extra customers paid for the covert vectors. | Meta Newsroom, 6 May 2025: post · original PDF |
| WhatsApp-v-NSO-Eshkar-Transcrips_Case-4-19-cv-07123-PJH.pdf | Ramon Eshkar, NSO VP (deposed 27 August 2024), relevant to NSO's "White Services" department, which generated the WhatsApp accounts used in attacks. | Meta Newsroom, 6 May 2025: post · original PDF |
These trial-designation excerpts come from the same depositions whose fuller transcripts appear in Dkt. 796 — for example Shohat at 796-2 / 796-10 and Gazneli at 796-4 / 796-5. For Eshkar that fuller transcript is extracted below as eshkar-deposition.pdf.
Unlike the designations above, these are extracts from Dkt. 796 filed on the public docket, cited to attachment and page like every other document in this repository. Eshkar is an NSO executive, and the same deposition of his appears in the designations above in a much shorter cut; Shaner sold NSO products in the United States for NSO's US affiliate, and Vance is an expert retained by the plaintiffs.
| Document | Summary | Source |
|---|---|---|
| eshkar-deposition.pdf | Ramon Eshkar, NSO VP (deposed 27 August 2024) — the fuller docket extract of the deposition designated above. Names the covert WhatsApp installation vectors from the customer-facing side: asked for the name of the WhatsApp zero-click vector that came online around 2018, he answered "internal names were like Eden, or Heaven", added Erised as a third, and described Hummingbird as "an umbrella name for the family of such covert vectors" that NSO used externally. Dates the first covert installation involving WhatsApp to "around summer 2018", and says the vectors were Android-only. On NSO's "white services" department, which reports up to him today but, he testified, was not under his responsibility in 2018 or 2019: "a department responsible for creating accounts and purchasing other services that we need", set up "in an anonymized way" so they cannot be linked "to either the customer or NSO", using "financial means which are not directly related to the customer or to the company" — for example "a credit card" in someone else's name. | Dkt. 796-5, pp. 72-85 (Exhibit 7) |
| shaner-deposition.pdf | Joshua Shaner, a former employee of WestBridge Technologies, NSO's US sales affiliate (deposed 17 September 2024). Testimony on WestBridge's sales and demonstrations of NSO products, and on the relationship between WestBridge and NSO. Asked which vectors he used when demonstrating zero-click installation on Android, he answered: "From what I remember, Eden would be one of them." | Dkt. 796-5, pp. 115-143 (Exhibit 27) |
| vance-expert-report.pdf | Expert Report of Anthony Vance (Plaintiffs' expert), 30 August 2024. Opines that the May 2019 attacks were carried out with NSO malware and that Pegasus/Phantom was installed on the target devices. Identifies "Heaven" as "the code name for a covert or 'zero-click' installation vector related to Pegasus that worked by exploiting WhatsApp", and "Hummingbird" as "an umbrella name that NSO uses for the family of installation vectors that use WhatsApp, including the Heaven attack vector". Quotes NSO's internal messages pausing Heaven and Hummingbird installations after WhatsApp's remediation. | Dkt. 796-6, pp. 2-18 (Exhibit B) |
The remaining expert reports (David Youssef, Terrence McGraw) sit in the
attachments of Dkt. 796; see dockets/ for the full map.
| Image | What it shows |
|---|---|
| pegasus-operator-installations-dashboard.png | The Pegasus operator console ("Installations / Targets"), April 2019, listing live targets on Apple iPhone X and iPhone 7 running iOS 12.1.4 and Samsung Galaxy handsets running Android 7.0 / 7.1.1. |
| pegasus-operator-installation-status-peru.jpg | The Pegasus "Installation Status" screen for a covert installation against a Peruvian target (2 May 2019), with cover-story location "Country: Peru, Network: Movistar". |
| wis-emulators-vectors-page1.png / page2.png | NSO internal note (10 July 2018) on the "WIS-EMULATORS" environment: Android emulators running WhatsApp under Frida instrumentation, used to build the Heaven vector. |
.
├── README.md ← this catalogue
├── documents/ ← the curated, renamed exhibit extracts
│ ├── heaven-eden-erised/
│ ├── products-and-capabilities/
│ ├── releases-and-versions/
│ ├── operations-and-opsec/
│ ├── business-and-customers/
│ └── testimony/
├── media/ ← operator-console screenshots and evidence images
└── dockets/ ← index of the source court filings (raw PDFs
referenced via CourtListener, not committed)
WhatsApp and Meta sued NSO Group in October 2019 after NSO Group customers used a WhatsApp zero-click exploit to target roughly 1,400 devices with Pegasus in April-May 2019. In December 2024 the court granted summary judgment against NSO on liability under the Computer Fraud and Abuse Act and California's Comprehensive Computer Data Access and Fraud Act, and in May 2025 a jury awarded damages. The documents in this repository were unsealed and filed publicly during the sanctions and summary-judgment stages of that litigation.
Cite the original filing, not this repository, as the primary source. Each page
carries the citation you need: the case number, the docket and attachment
(Document 796-16), the page (Page 16 of 35). A public archive of the original
dockets and exhibits is avialable on CourtListener, linked throughout this catalogue
and indexed in dockets/.