This is dumb - now that this is known, attackers will make sure that they edit the shutdown.log file to be perfectly byte-for-byte identical to an uninfected device.
> Researchers have noted instances where devices known to be active had their shutdown.log cleared, alongside other IOCs for Pegasus infections. This led to the conclusion that a cleared shutdown.log could serve as a good heuristic for identifying suspicious devices.

Which is why the article is pointing out that a cleared `shutdown.log` is no longer an indicator of Pegasus infections (because it now happens every boot).
So the log has no value.