There is evidence that a) malware was planted in the devices of two Indian journalists, b) the malware was the spyware Pegasus, sold by the Israeli company NSO, and c) the Indian State had indeed bought the spyware.
These claims were made by cyber security expert Anand V. in his deposition before the Supreme Court-appointed technical committee set up to inquire into the use of the spyware Pegasus by the Indian Government. He asserted that forensic examination of the data recovered from the devices of two Indian journalists, Siddharth Varadarajan and Sushant Singh, had revealed traces of Pegasus.
Three versions of Pegasus have been sold by NSO since 2015, he told the committee, each more sophisticated than the previous one. Malware, he explained, has a 'command and control' mechanism, which can be automatic or operated manually. Once devices are compromised, this mechanism allows data to flow back to the 'command and control server', he said.
The spyware used both IP addresses and domain names to reach its targets. Ever since the Pegasus user manual was leaked in 2016 by a competitor, enough literature has been available in the cyber security domain to allow forensic examinations. Since domain names are typically sold for a minimum period of one year, the spyware too was generally used to surveil a target for several months.