Paragon’s Graphite Spyware: Zero-Click Attacks Target European Journalists on iOS Devices

Introduction

In early 2025, at least two European journalists had their Apple iPhones compromised by a zero-click spyware attack that required no interaction on their part. The attack exploited a then-unpatched vulnerability in iOS and shows how mercenary spyware such as Paragon's Graphite platform has become a preferred tool for covert surveillance of high-profile targets. The compromise was confirmed by forensic researchers at Citizen Lab, whose analysis documents the technical details of the intrusions and the risks journalists now face on their own devices.

Overview of the Incident

Citizen Lab's investigation confirmed that Paragon's Graphite spyware was used in zero-click attacks against two journalists: a prominent European journalist who asked to remain anonymous, and Ciro Pellegrino of the Italian news outlet Fanpage.it. The attacks took place in early 2025 but came to light only when Apple notified the victims on April 29 that their devices had been targeted by advanced spyware. The attackers exploited a then-unpatched vulnerability, CVE-2025-43200, on a device running iOS 18.2.1: a logic flaw triggered by a maliciously crafted photo or video shared via an iCloud Link. Apple fixed the flaw in iOS 18.3.1 on February 10 but did not publicly document the CVE until June, so the exact timeline of exploitation, fix and disclosure remains incomplete.
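Because the fix shipped in a specific release, the first practical check for anyone managing iPhones used by at-risk staff is whether every device is at or above iOS 18.3.1. The script below is an added example, not code from Citizen Lab, Apple or the original report: it parses version strings as they typically appear in an MDM export (including a build suffix such as "18.3.1 (22D72)" and bare two-component versions such as "18.3") and sorts devices into exposed, patched and unknown. The three-column inventory layout and the device rows are constructed for the example; the only fact taken from the write-up is the 18.3.1 fix version.

```python
"""Flag iOS devices still below the release that fixed CVE-2025-43200.

Added example for this write-up, not code from Citizen Lab, Apple or the
original article. The inventory format (device id, platform, OS version)
is an assumed MDM export layout and the sample rows are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# iOS release that shipped the fix for CVE-2025-43200 (from the write-up).
FIXED_VERSION: Tuple[int, int, int] = (18, 3, 1)

# Constructed sample inventory, not real devices:
# "<device-id>,<platform>,<os-version>"
SAMPLE_INVENTORY = """\
ios-0001,iOS,18.2.1
ios-0002,iOS,18.3
ios-0003,iOS,18.3.1
ios-0004,iOS,18.5
ios-0005,iOS,17.7.2
ios-0006,iOS,18.3.1 (22D72)
mac-0001,macOS,15.3.1
ios-0007,iOS,n/a
"""

# Leading "major[.minor[.patch]]"; anything after (build number, whitespace)
# is ignored on purpose.
_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '18.3', '18.3.1' or '18.3.1 (22D72)' into a comparable tuple.

    Missing components become 0, so '18.3' == (18, 3, 0) and sorts below
    the 18.3.1 fix. Strings with no leading number return None.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return major, minor, patch


def is_exposed(version: str) -> Optional[bool]:
    """True if the version predates the fix, False if patched,
    None if unparseable (treat as unknown, never as safe)."""
    v = parse_version(version)
    if v is None:
        return None
    return v < FIXED_VERSION


def triage(inventory: str) -> Dict[str, List[str]]:
    """Group iOS device ids by exposure state.

    Non-iOS rows are skipped because FIXED_VERSION is iOS-specific; other
    platforms would need their own fixed-version table.
    """
    buckets: Dict[str, List[str]] = {"exposed": [], "patched": [], "unknown": []}
    for raw in inventory.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3:
            buckets["unknown"].append(line)  # malformed row, keep it visible
            continue
        device_id, platform, version = parts
        if platform != "iOS":
            continue
        state = is_exposed(version)
        if state is None:
            buckets["unknown"].append(device_id)
        elif state:
            buckets["exposed"].append(device_id)
        else:
            buckets["patched"].append(device_id)
    return buckets


if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s} {len(ids):3d}  {', '.join(ids)}")
```

Two design choices matter for a real fleet: an unparseable version is reported as unknown rather than silently treated as patched, and a device on an older major release (17.x here) is counted as exposed because it is below the fix, which is the conservative reading when the export does not say whether that line received its own patch.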

The exploit arrived over iMessage and required no action from the victims, a so-called zero-click attack. Such attacks are especially dangerous because the target never sees a message to open or a prompt to accept; the only evidence is forensic artifacts left on the device. Once running, the spyware contacted a command-and-control server hosted on a VPS that Citizen Lab linked to Paragon's infrastructure, giving the operator remote control of the phone. Although the implant left very few traces, Citizen Lab gathered enough forensic evidence to attribute the attack to Graphite with high confidence.

The same spyware family has been linked to similar attacks earlier in 2025, including a zero-click exploit delivered through WhatsApp that targeted other Italian individuals. Italian authorities have meanwhile acknowledged multiple surveillance cases involving journalists and activists, which points to a broader pattern of targeted campaigns against civil society figures in Europe.

What Undercode Says:

The use of zero-click spyware like Paragon's Graphite marks a worrying evolution in surveillance tactics. Unlike phishing or social engineering, a zero-click exploit cannot be avoided by user caution, and detection depends on forensic analysis of the device or on a notification from the platform vendor rather than on anything the victim might notice. This raises the threat level for journalists and activists and exposes weaknesses in widely used platforms such as iOS and WhatsApp.

Apple patched CVE-2025-43200 within weeks of the attacks, but the response was still reactive: mercenary spyware operators exploited an undisclosed flaw before any fix existed, and the gap between the attack, the April notification and the eventual public disclosure raises questions about transparency toward the people at risk. Since zero-click attacks run silently, the real number of compromised devices may be far larger than what has been confirmed.

Furthermore, the choice of high-profile journalists as targets reflects an alarming trend in digital repression and state or private surveillance aimed at silencing or monitoring critical voices. The infrastructure used—such as rented VPS servers for command-and-control—points to a highly professional and resourceful threat actor. Paragon’s Graphite spyware being linked to multiple zero-day exploits in different messaging platforms suggests that these mercenary spyware companies invest heavily in discovering and weaponizing unknown vulnerabilities, often without regard for the collateral damage caused.

From a technical standpoint, the attack via iCloud Link shows that even trusted ecosystem features can be turned into a delivery channel, which argues for stronger attack-surface reduction in mobile operating systems. It also corrects a common assumption: both delivery channels in these cases were end-to-end encrypted messengers, and encryption does nothing against an exploit that runs on the endpoint, where messages are read after decryption. For journalists and human rights defenders, the practical steps are to install updates promptly, enable Lockdown Mode on iOS, which Apple recommends for users who may be targeted by mercenary spyware, and seek forensic help rather than wiping the device when a threat notification arrives.

This case also exposes the challenges faced by investigators and cybersecurity experts trying to attribute these sophisticated attacks. While Citizen Lab’s forensic analysis provides strong evidence, many spyware campaigns remain under the radar due to their stealth and the reluctance of victims to come forward publicly.

In a broader geopolitical context, mercenary spyware like Graphite fuels an arms race in digital surveillance, where state and non-state actors compete for control over information and privacy. This increases the urgency for international norms and regulations governing spyware sales and use, especially when innocent civilians and journalists are caught in the crossfire.

The incident reflects the urgent need for better collaboration between tech companies, governments, and civil society to preemptively identify and mitigate spyware threats. It also calls for improved legal frameworks to regulate the spyware industry and punish misuse.

Ultimately, Paragon’s Graphite attacks on European journalists exemplify how technology designed to connect the world can also be turned into a weapon for invasion of privacy and suppression of free speech. As these threats evolve, the digital safety of those who hold power to account must be prioritized globally.

Fact Checker Results

✔️ Citizen Lab confirmed the use of Paragon's Graphite spyware in zero-click attacks on two journalists.
✔️ Apple notified the victims on April 29; the exploited flaw was later identified as CVE-2025-43200, fixed in iOS 18.3.1, and a targeted device was running iOS 18.2.1.
✔️ The spyware was delivered silently over iMessage and contacted a C2 server on a VPS linked to Paragon's infrastructure.

Prediction

With mercenary spyware companies like Paragon continuing to invest in zero-click exploits, future attacks will likely increase in both sophistication and frequency. Journalists, activists, and vulnerable individuals will remain prime targets. Tech companies will need to accelerate security updates and improve detection mechanisms, while international efforts may push for stricter controls on spyware sales and deployment. The digital battlefield is expanding, and privacy defenders must adapt swiftly to protect themselves in this rapidly changing landscape.

References:

Reported By: www.bleepingcomputer.com