In June 2025, security researchers at Citizen Lab confirmed the first forensic evidence that Paragon’s ‘Graphite’ spyware was used in highly sophisticated zero-click attacks targeting up-to-date iPhones, specifically those running iOS 18.2.1. These attacks required no user interaction and left almost no visible traces, making detection and attribution particularly challenging.
How the Attack Worked
• Delivery Vector: The Graphite spyware exploited a previously unknown (“zero-day”) vulnerability in iOS, tracked as CVE-2025-43200. The flaw lay in how iOS processed maliciously crafted photos or videos shared via iCloud Link through iMessage.
• Zero-Click Exploit: Attackers used a specially crafted iMessage sent from an account dubbed “ATTACKER1” to silently compromise the target’s device. No action was required from the victim; simply receiving the message was enough for infection.
• Command and Control: Once installed, the spyware connected to a command-and-control (C2) server at 46.183.184.91, which was linked to Paragon’s infrastructure and remained active until at least April 2025.
Victims and Targeting
• Journalists Targeted: The confirmed victims include a prominent European journalist (who remains anonymous) and Ciro Pellegrino, a journalist at Italian investigative outlet Fanpage.it. Both received Apple notifications on April 29, 2025, alerting them to the attack.
• Repeated Targeting: Pellegrino’s colleague, Francesco Cancellato, was also targeted earlier in 2025 via a WhatsApp zero-click exploit attributed to Paragon’s Graphite spyware, suggesting a focused campaign against Italian media.
• Broader Campaign: Apple’s notification campaign indicated that affected users were present in over 100 countries, though it is unclear if all were targeted by Graphite specifically.
Forensic Confirmation
• Evidence: Device logs showed both journalists’ iPhones communicating with the same Paragon server and the same attacker-controlled iMessage account, linking the attacks to a single Paragon customer/operator.
• Attribution: The forensic “fingerprint” (P1) matched known Graphite infrastructure, and Citizen Lab attributed the compromise to Paragon with high confidence.
Apple’s Response
• Patch Released: Apple patched the exploited vulnerability in iOS 18.3.1, released in February 2025, but only publicly disclosed the CVE (CVE-2025-43200) and its active exploitation in June 2025 after Citizen Lab’s report.
• Mitigation: Users running iOS 18.3.1 or later are protected from this specific exploit, but the case highlights the ongoing risk posed by mercenary spyware and the challenges in timely disclosure.
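As an added, defender-side example (not code from Citizen Lab, Apple or the original article), the script below correlates the two indicators the forensic confirmation rested on, the C2 address 46.183.184.91 and the iMessage account ATTACKER1, with the device's iOS version against the 18.3.1 fix. The log lines and their format are constructed for illustration and do not reproduce Apple's real sysdiagnose or unified-log layout.

```python
import re

# Indicators from the page (Citizen Lab's Graphite findings); everything else is constructed.
GRAPHITE_C2_IP = "46.183.184.91"
GRAPHITE_IMESSAGE_ACCOUNT = "ATTACKER1"
PATCHED_IOS = (18, 3, 1)  # iOS 18.3.1 fixed CVE-2025-43200

# Constructed sample records in a simplified, hypothetical log format
# (assumption: this is not Apple's real sysdiagnose/unified-log layout).
SAMPLE_DEVICES = {
    "journalist-A": {"ios": "18.2.1", "log": [
        "2025-01-28 10:12:04 imagent received message from ATTACKER1",
        "2025-01-28 10:12:09 nw_connection connect 46.183.184.91:443",
    ]},
    "control-device": {"ios": "18.3.1", "log": [
        "2025-02-14 09:00:00 imagent received message from friend@example.com",
        "2025-02-14 09:00:03 nw_connection connect 203.0.113.10:443",
    ]},
}

# Lookarounds stop '146.183.184.91' or '46.183.184.911' from matching the C2 address.
C2_RE = re.compile(r"(?<![\d.])" + re.escape(GRAPHITE_C2_IP) + r"(?![\d.])")
ACCOUNT_RE = re.compile(r"\bfrom " + re.escape(GRAPHITE_IMESSAGE_ACCOUNT) + r"\b")

def parse_ios_version(text):
    # "18.2.1" -> (18, 2, 1); tuple comparison orders "18.3" below "18.3.1"
    return tuple(int(part) for part in text.split("."))

def is_patched(ios_version):
    return parse_ios_version(ios_version) >= PATCHED_IOS

def triage_device(ios_version, log_lines):
    # Correlate the two indicators Citizen Lab relied on, then fold in patch state.
    c2_hits = [line for line in log_lines if C2_RE.search(line)]
    account_hits = [line for line in log_lines if ACCOUNT_RE.search(line)]
    if c2_hits and account_hits:
        verdict = "ioc-match"          # both indicators present, as in the confirmed cases
    elif c2_hits or account_hits:
        verdict = "partial-ioc-match"  # one indicator only: review manually
    elif not is_patched(ios_version):
        verdict = "no-ioc-unpatched"   # clean so far, but still exposed to CVE-2025-43200
    else:
        verdict = "no-ioc-patched"
    return {"patched": is_patched(ios_version), "c2_hits": c2_hits,
            "account_hits": account_hits, "verdict": verdict}

if __name__ == "__main__":
    for name, device in SAMPLE_DEVICES.items():
        print(f"{name}: {triage_device(device['ios'], device['log'])['verdict']}")
```

Absence of both indicators on an unpatched device is reported separately, since a device can be clean today and still be exposed until it reaches iOS 18.3.1.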