Reveng AI and NSO-generation Mobile Spyware Architecture
Advanced mobile spyware has crossed a new threshold. A modular, cross-platform implant recovered from compromised iOS and Android devices represents a qualitative leap over prior NSO/Candiru-generation tooling. It does not merely exploit a single vulnerability: it orchestrates a full five-phase kill chain from zero-click media parser exploitation through kernel R/W primitive establishment, dylib/.so injection, stealth persistence, and AI-augmented polymorphic exfiltration - all within the trust boundary of a messaging application.
This talk presents the full reverse-engineered architecture of this NSO-generation implant, based on forensic artifacts, memory dumps, disassembled payloads, and C2 telemetry. We dissect the dual-platform exploit chain (iOS CoreGraphics heap overflow + ARM64 ROP; Android Image Codec OOB write + SELinux bypass), the modular C/Rust/ObjC/Kotlin polyglot implant core, and the first documented evidence of an LLM-integrated C2 server performing server-side dynamic exploit variant generation - a development with profound implications for the future of evasion-by-design.
Zhassulan Zhussupov
Malware Researcher, Threat Hunter, Malpedia
Istanbul, Turkey