Pegasus worked as well as it did because it exploited a lot of “zero-day exploits”. To put it ELI5, 0-days are basically “god fucking dammit, we had this bullshit in our code? This exposes fucking everything. We need to patch it ASAP – and we woulda if somebody would tell us before”.

Please tone down my explanation for actual 5yos.

The thing is – it becomes more and more lucrative to just sit on the zero-days. The whole deal with the name is that you would sell the exploit and then other people would try to do their best in a tight window of time – hence 0-day. But recently some groups just aren’t all-in on insta profit, and that includes governments. There is no doubt that NSO Group already has replacements for their exposed 0-days – but that is just my opinion.