Cyber Threat Actor: Moroccan authorities
| Actor Type | Location | Known Incidents |
Nation State
|
Morocco
|
1 incident |
|---|
Profile
The threat actor known as Moroccan authorities operates from within the Kingdom of Morocco and is also referenced by that alias in open‑source reporting. Public sources describe the entity as a state‑linked organization that has been observed using commercial surveillance tools against individuals perceived as opponents of the government. The actor’s activity has been noted in the context of domestic security operations where state measures are employed to monitor dissent. No additional aliases or geographic bases are indicated in the available material.
In the incident dated 1 October 2017, the actor targeted human rights defenders, including a prominent academic and a lawyer who had been involved in defending protesters from a social justice movement. The targeting was carried out through malicious SMS messages and suspected network injection attempts designed to deliver surveillance software to the victims’ mobile phones. The described purpose of these actions was to conduct surveillance that resulted in unlawful privacy violations and that contributed to a broader environment limiting the freedoms of expression, association, and peaceful assembly for activists. This case is presented as an illustration of a recurring pattern in which the actor deploys intrusive spyware against dissident voices.
The surveillance tool employed in the observed operation is the Pegasus spyware developed by the NSO Group, which is capable of extracting data from compromised smartphones. Initial access was achieved via SMS‑based lures that either contained malicious links or facilitated network‑level injection of the payload. No other malware families or toolsets are mentioned in the reporting for this actor. The actor’s tooling style appears focused on leveraging commercial mobile espionage platforms to gain persistent access to personal devices.
Attribution to the Moroccan state is drawn from the actor’s alias and the contextual description of the operations as being carried out by Moroccan authorities during periods of state repression. No public linkage to criminal consortia or non‑state groups is provided in the source material. The 2017‑10‑01 operation targeting human rights defenders is cited as a representative example of the actor’s use of spyware to monitor individuals engaged in advocacy work. The reporting notes that despite the NSO Group’s assertions of lawful use, the deployments observed in Morocco have been associated with violations of privacy and restrictions on civil liberties.
