Paragon Graphite Spyware Exploits Zero-Day Vulnerability to Hack Journalists' iPhones
TL;DR
Security researchers at Citizen Lab discovered that Paragon’s Graphite spyware has been used to hack fully updated iPhones via zero-click attacks, targeting at least two journalists in Europe.
Paragon Spyware Unveiled: Zero-Click Attacks on Journalists’ iPhones
Security researchers at Citizen Lab have revealed that Paragon’s Graphite spyware can hack fully updated iPhones through zero-click attacks. This sophisticated spyware targeted at least two journalists in Europe, using a zero-day exploit to compromise their devices.
Confirmed Cases of Spyware Infection
Citizen Lab confirmed that Paragon’s Graphite spyware was used to hack the iPhones of two European journalists. Forensic evidence showed that the compromised phones had communicated with the same spyware server. Apple discreetly notified the victims earlier this year, marking the first confirmed instance of Paragon’s tools being deployed in real-world attacks.
Timeline of Events
- January–February 2025: Forensic analysis confirmed that two journalists, including Ciro Pellegrino, were infected with Paragon’s Graphite spyware. Both cases were linked to the same attacker.
- April 29, 2025: Apple alerted select iOS users about spyware targeting.
- April 2025: An anonymous European journalist received an Apple alert and requested technical help. Analysis revealed the journalist’s device was compromised via a zero-click iMessage attack while running iOS 18.2.1.
Technical Details and Patch Information
“Our forensic analysis concluded that one of the journalist’s devices was compromised with Paragon’s Graphite spyware in January and early February 2025 while running iOS 18.2.1.” 1
The researchers found logs indicating connections to a known Paragon server, matched by fingerprint. Apple has since patched the exploited vulnerability (CVE-2025-43200) in iOS 18.3.1.
Coordinated Spyware Attacks
Italian journalist Ciro Pellegrino was notified by Apple on April 29, 2025, of a spyware attack. Forensic analysis confirmed that his iPhone was also targeted with Paragon’s Graphite spyware. Logs showed the same ATTACKER1 iMessage account used in a previous case, linking both attacks to a single Graphite operator. The findings suggest a coordinated effort by one spyware customer.
Ciro Pellegrino and his colleague Francesco Cancellato, both from the Italian newsroom Fanpage.it, were targeted. While no forensic proof of infection was found on Mr. Cancellato’s Android device, the limited logging capabilities of Android mean a hack cannot be ruled out.
Government Involvement and Paragon’s Response
On June 5, 2025, Italy’s intelligence oversight committee (COPASIR) confirmed the government’s use of Paragon’s Graphite spyware to spy on Luca Casarini and Dr. Beppe Caccia. However, the committee could not determine who targeted journalist Mr. Cancellato. Paragon claimed it had offered to assist in the investigation, an offer Italy rejected over national security concerns.
“In response later that day, the Italian Department of Security Intelligence (DIS: Dipartimento delle Informazioni per la Sicurezza), which coordinates Italy’s intelligence services, stated that it had rejected Paragon’s offer because of national security concerns with exposing their activities to Paragon. They stated that providing Paragon such access would impact the reputation of Italy’s security services among peer services around the world. They denied that the contract termination was unilateral.” 2
Early this week, Paragon accused the Italian government of refusing its offer to help investigate the spyware use against a journalist, leading to its decision to end contracts in Italy.
“The company offered both the Italian government and parliament a way to determine whether its system had been used against the journalist in violation of Italian law and the contractual terms,” 3
Conclusion
The revelations about Paragon’s Graphite spyware highlight the increasing sophistication of cyber threats targeting journalists and the critical importance of patching zero-day vulnerabilities promptly. As investigations continue, the cybersecurity community must remain vigilant against such advanced threats.
(SecurityAffairs – hacking, Paragon)
References
1. Citizen Lab (2025). “First forensic confirmation of Paragon’s iOS mercenary spyware finds journalists targeted”. Citizen Lab. Retrieved 2025-06-12.
2. Citizen Lab (2025). “A first look at Paragon’s proliferating spyware operations”. Citizen Lab. Retrieved 2025-06-12.
3. TechCrunch (2025). “Paragon says it cancelled contracts with Italy over government’s refusal to investigate spyware attack on journalist”. TechCrunch. Retrieved 2025-06-12.