The emergence of Pegasus and Predator spyware over the past several years has transformed the landscape of mobile device security.<\/p>\n
These advanced malware strains\u2014deployed by sophisticated threat actors for surveillance<\/a> and espionage\u2014have repeatedly demonstrated their ability to exploit zero-click vulnerabilities, leaving high-profile individuals and at-risk communities exposed.<\/p>\n Critical forensic analysis has long relied on remnants within iOS system logs, particularly the shutdown.log file, to discern traces of such infections even after the malware attempts to erase itself.<\/p>\n With the release of iOS 26, forensic methodologies face an unprecedented setback. iVerify analysts identified<\/a> that Apple\u2019s latest OS version now overwrites the shutdown.log file upon each device reboot, instead of appending new log entries.<\/p>\n This seemingly innocuous change\u2014whether intentional or inadvertent\u2014has significant consequences for digital evidence preservation.<\/p>\n Any device updated to iOS 26 that is subsequently restarted will see all prior shutdown.log content erased, destroying potential indicators of compromise linked to Pegasus, Predator, or similar threats.<\/p>\n Previously, sophisticated spyware like Pegasus<\/a> would attempt to purge or tamper with shutdown.log as part of its anti-forensics tactics, a process that still left behind subtle indicators for vigilant analysts.<\/p>\n iVerify researchers have detailed that this \u201cdouble erasure\u201d\u2014malware deletion followed by OS-level overwriting\u2014now fully sanitizes this critical artifact, hampering investigations and masking successful compromises far more effectively than previous tactics.<\/p>\n Inspection of historic shutdown.log entries revealed unique markers left by Pegasus in past infections, such as references to processes like Since iOS 26, such forensic signals are not merely buried\u2014they are irretrievably deleted on the next boot.<\/p>\n Boot and reboot events (Source \u2013 iVerify)<\/p>\n The log\u2019s prior structure, which appended each shutdown entry, offered investigators a chronological view vital for tracing infection timelines.<\/p>\n The technical transition to full overwriting shows a before-and-after comparison of the shutdown.log behavior after reboot.<\/p>\n This system-level change, reported by iVerify as the foremost group uncovering this development, alters the balance between attackers and defenders, raising urgent questions about digital evidence, user protection, and malware<\/a> accountability.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post iOS 26 Deletes Pegasus and Predator Spyware Infection Evidence by Overwriting The \u2018shutdown.log\u2019 file on Reboot<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nInfection Mechanism and Evidence Erasure in iOS 26<\/strong><\/h2>\n
com.apple.xpc.roleaccountd.stagingcom.apple.WebKit.Networking<\/code>.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj0MoBUwwWFukZgEGfp_fl1Q8uE-usNEjCXnCrm1EtQzalhnZDakinDmw2Gmq7lrIb6ypvAEedu2XtvdGkzsbUXtfWf0-xh_2M06eDXyF4gh-2OKrYvijmgFXO_RWqnvBS0bmYggvyYG1HbPc_t6AocRajFXRQw517TGTOBAEYql3d50ZG6_u076959o2E\/s16000\/Boot%2520and%2520reboot%2520events%25209Source%2520-%2520iVerify%29.webp?ssl=1\")
<\/figure>\n