The advanced Graphite mercenary spyware, developed by Paragon, targets journalists through a sophisticated zero-click vulnerability in Apple\u2019s iOS.<\/p>\n
At least three European journalists have been confirmed as targets, with two cases forensically verified.\u00a0The spyware exploited a zero-day vulnerability in iOS that allowed attackers to compromise devices without any user interaction.<\/p>\n
The attack leveraged a previously unknown vulnerability in iOS (CVE-2025-43200) that enabled the Graphite spyware to infiltrate devices through iMessage.\u00a0<\/p>\n
iOS Zero-Click Vulnerability (CVE-2025-43200) Exploited<\/strong><\/h2>\nForensic analysis revealed that an iMessage account, referred to by researchers as \u201cATTACKER1,\u201d was used to deploy the zero-click exploit<\/a> against multiple targets.\u00a0<\/p>\nThe sophisticated nature of this attack meant victims had no way of detecting the infection, as it required no user interaction to execute.<\/p>\n
\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiHF6hb6_1n-jsaNvE-6Q0dmPMUlVorrIwYnOt2PLHNJpjj_qvobx5dXv4K1l-ZPwzNJo_v6bcTAbngTHv37-UpTcTiOB7t6VBpY-9iFTgJVpkP_CtxIhMXPbWCgoB-fG0ShtH4DV24RPt_GRkmgYYTARt4QI41N6dnA3FGT9KbWDFv5gd0li0CW0U14PAf\/s16000\/iOS%2520Zero-Click%2520Vulnerability%2520%28CVE-2025-43200%29%2520Exploited.webp?ssl=1\")
Apple iOS infections<\/figcaption><\/figure>\n<\/div>\nTechnical analysis of the compromised devices showed connections to a server with IP address 46.183.184[.]91, which researchers have linked to Paragon\u2019s Graphite spyware infrastructure.<\/p>\n
The server was hosted on VPS provider EDIS Global and continued matching Citizen Lab\u2019s \u201cFingerprint P1\u201d identifier until at least April 12, 2025.\u00a0<\/p>\n
\n![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXedqrFmRBEsZ1LM8qe55iM_z9drApcxfvIWLP3HM75FNZvbnzcYJP7NbPzE8sxb_6k7sOmsKZayObwQaD64_W_WuDASoP4s5gdn_WiCjpz74Sj5Fz3ofzAUCITukSHSiZjSxxcr7Q?key=_b4c7BJrVnbj3rIGarAVQg\")
<\/figure>\n<\/div>\nNotably, Apple has confirmed the vulnerability was patched in iOS 18.3.1, but devices running earlier versions remained vulnerable through early 2025.<\/p>\n
\u201cThe zero-click attack deployed here was mitigated as of iOS 18.3.1,\u201d notes the Citizen Lab report, highlighting the critical importance of keeping devices updated against such sophisticated threats.<\/p>\n
Targeted Journalists and News Organizations<\/strong><\/h2>\nAmong the confirmed targets are a prominent European journalist who requested anonymity and Italian journalist Ciro Pellegrino, head of the Naples newsroom at Fanpage[.]it.\u00a0<\/p>\n
Both received notifications from Apple on April 29, 2025, alerting them to potential advanced spyware compromises. Subsequent forensic analysis confirmed the presence of Graphite spyware artifacts on their devices.<\/p>\n
Francesco Cancellato, another journalist at Fanpage[.]it, was similarly notified by WhatsApp about being targeted with Paragon\u2019s spyware<\/a>.\u00a0<\/p>\nThe targeting of multiple journalists from the same news organization suggests a deliberate effort to compromise Fanpage.it\u2019s operations.\u00a0<\/p>\n
\n![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXf_OHM16sOW-j55BZLzLwvkdncaDMudDEpadxT1wqsPZDiVQ41oEW96j9em56CTsIol2NJraGsxTwt6-J160P5qxiYR4yHwIUtStAi5z3K-wT_mYZedMBevP1k6tLQJYoCcWM9x?key=_b4c7BJrVnbj3rIGarAVQg\")
<\/figure>\n<\/div>\nCitizen Lab researchers noted<\/a>, \u201cThe identification of a second journalist at Fanpage.it targeted with Paragon suggests an effort to target this news organization.\u201d<\/p>\nThe spyware could potentially access messages, location data, photos, and activate microphones and cameras without the victim\u2019s knowledge, posing severe privacy and security risks to the journalists\u2019 sources and work.<\/p>\n
The Italian government\u2019s parliamentary committee overseeing intelligence services (COPASIR) published a report on June 5, 2025, acknowledging the use of Paragon\u2019s Graphite spyware against certain individuals, but denied knowledge of who targeted Cancellato.\u00a0<\/p>\n
This has raised serious questions about oversight and accountability in the use of mercenary spyware.<\/p>\n
Paragon Solutions reportedly offered to assist in investigating the Cancellato case, an offer rejected by Italian authorities citing national security concerns.\u00a0<\/p>\n
The Department of Security Intelligence (DIS) stated that providing Paragon such access would damage Italy\u2019s reputation among international security services.<\/p>\n
This latest spyware campaign highlights the growing \u201cspyware crisis\u201d affecting journalists worldwide.\u00a0<\/p>\n
Researchers said that the lack of accountability available to these spyware targets highlights the extent to which journalists in Europe continue to be subjected to this highly invasive digital threat.<\/p>\n
It is recommended that individuals who receive spyware warnings from Apple, Meta, WhatsApp, or Google take them seriously and seek expert assistance from organizations like Access Now\u2019s Digital Security Helpline or Amnesty International\u2019s Security Lab.<\/p>\n
Automate threat response with ANY.RUN\u2019s TI Feeds\u2014Enrich alerts and block malicious IPs across all endpoints<\/strong>\u00a0->\u00a0Request full access<\/strong><\/a><\/strong><\/p>\nThe post Graphite Spyware Exploits Apple iOS Zero-Click Vulnerability to Attack Journalists<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
The sophisticated nature of this attack meant victims had no way of detecting the infection, as it required no user interaction to execute.<\/p>\n
Technical analysis of the compromised devices showed connections to a server with IP address 46.183.184[.]91, which researchers have linked to Paragon\u2019s Graphite spyware infrastructure.<\/p>\n
The server was hosted on VPS provider EDIS Global and continued matching Citizen Lab\u2019s \u201cFingerprint P1\u201d identifier until at least April 12, 2025.\u00a0<\/p>\n
<\/figure>\n<\/div>\nNotably, Apple has confirmed the vulnerability was patched in iOS 18.3.1, but devices running earlier versions remained vulnerable through early 2025.<\/p>\n
\u201cThe zero-click attack deployed here was mitigated as of iOS 18.3.1,\u201d notes the Citizen Lab report, highlighting the critical importance of keeping devices updated against such sophisticated threats.<\/p>\n
Targeted Journalists and News Organizations<\/strong><\/h2>\nAmong the confirmed targets are a prominent European journalist who requested anonymity and Italian journalist Ciro Pellegrino, head of the Naples newsroom at Fanpage[.]it.\u00a0<\/p>\n
Both received notifications from Apple on April 29, 2025, alerting them to potential advanced spyware compromises. Subsequent forensic analysis confirmed the presence of Graphite spyware artifacts on their devices.<\/p>\n
Francesco Cancellato, another journalist at Fanpage[.]it, was similarly notified by WhatsApp about being targeted with Paragon\u2019s spyware<\/a>.\u00a0<\/p>\nThe targeting of multiple journalists from the same news organization suggests a deliberate effort to compromise Fanpage.it\u2019s operations.\u00a0<\/p>\n
\n<\/figure>\n<\/div>\nCitizen Lab researchers noted<\/a>, \u201cThe identification of a second journalist at Fanpage.it targeted with Paragon suggests an effort to target this news organization.\u201d<\/p>\nThe spyware could potentially access messages, location data, photos, and activate microphones and cameras without the victim\u2019s knowledge, posing severe privacy and security risks to the journalists\u2019 sources and work.<\/p>\n
The Italian government\u2019s parliamentary committee overseeing intelligence services (COPASIR) published a report on June 5, 2025, acknowledging the use of Paragon\u2019s Graphite spyware against certain individuals, but denied knowledge of who targeted Cancellato.\u00a0<\/p>\n
This has raised serious questions about oversight and accountability in the use of mercenary spyware.<\/p>\n
Paragon Solutions reportedly offered to assist in investigating the Cancellato case, an offer rejected by Italian authorities citing national security concerns.\u00a0<\/p>\n
The Department of Security Intelligence (DIS) stated that providing Paragon such access would damage Italy\u2019s reputation among international security services.<\/p>\n
This latest spyware campaign highlights the growing \u201cspyware crisis\u201d affecting journalists worldwide.\u00a0<\/p>\n
Researchers said that the lack of accountability available to these spyware targets highlights the extent to which journalists in Europe continue to be subjected to this highly invasive digital threat.<\/p>\n
It is recommended that individuals who receive spyware warnings from Apple, Meta, WhatsApp, or Google take them seriously and seek expert assistance from organizations like Access Now\u2019s Digital Security Helpline or Amnesty International\u2019s Security Lab.<\/p>\n
Automate threat response with ANY.RUN\u2019s TI Feeds\u2014Enrich alerts and block malicious IPs across all endpoints<\/strong>\u00a0->\u00a0Request full access<\/strong><\/a><\/strong><\/p>\nThe post Graphite Spyware Exploits Apple iOS Zero-Click Vulnerability to Attack Journalists<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
The targeting of multiple journalists from the same news organization suggests a deliberate effort to compromise Fanpage.it\u2019s operations.\u00a0<\/p>\n
<\/figure>\n<\/div>\nCitizen Lab researchers noted<\/a>, \u201cThe identification of a second journalist at Fanpage.it targeted with Paragon suggests an effort to target this news organization.\u201d<\/p>\n The spyware could potentially access messages, location data, photos, and activate microphones and cameras without the victim\u2019s knowledge, posing severe privacy and security risks to the journalists\u2019 sources and work.<\/p>\n The Italian government\u2019s parliamentary committee overseeing intelligence services (COPASIR) published a report on June 5, 2025, acknowledging the use of Paragon\u2019s Graphite spyware against certain individuals, but denied knowledge of who targeted Cancellato.\u00a0<\/p>\n This has raised serious questions about oversight and accountability in the use of mercenary spyware.<\/p>\n Paragon Solutions reportedly offered to assist in investigating the Cancellato case, an offer rejected by Italian authorities citing national security concerns.\u00a0<\/p>\n The Department of Security Intelligence (DIS) stated that providing Paragon such access would damage Italy\u2019s reputation among international security services.<\/p>\n This latest spyware campaign highlights the growing \u201cspyware crisis\u201d affecting journalists worldwide.\u00a0<\/p>\n Researchers said that the lack of accountability available to these spyware targets highlights the extent to which journalists in Europe continue to be subjected to this highly invasive digital threat.<\/p>\n It is recommended that individuals who receive spyware warnings from Apple, Meta, WhatsApp, or Google take them seriously and seek expert assistance from organizations like Access Now\u2019s Digital Security Helpline or Amnesty International\u2019s Security Lab.<\/p>\n Automate threat response with ANY.RUN\u2019s TI Feeds\u2014Enrich alerts and block malicious IPs across all endpoints<\/strong>\u00a0->\u00a0Request full access<\/strong><\/a><\/strong><\/p>\n The post Graphite Spyware Exploits Apple iOS Zero-Click Vulnerability to Attack Journalists<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n