
Paragon's Graphite Spyware targets European journalists through iPhone flaws

Take action: You may not be a prominent journalist, but this flaw is already six months old, and even ordinary criminals will find a way to exploit it. Patch your iPhone and iPad to the latest version ASAP!



Forensic investigation has confirmed that Paragon's Graphite spyware platform was used in zero-click attacks against the Apple iOS devices of at least two journalists in Europe.

Researchers at Citizen Lab found forensic evidence confirming with high confidence that both a prominent European journalist (who requests anonymity) and Italian journalist Ciro Pellegrino were targeted with Paragon's Graphite spyware.

The attacks occurred in early 2025, and Apple sent notifications to the victims on April 29, 2025, informing them that they had been targeted with "advanced spyware." The threat actor used Paragon's Graphite spyware platform to target the victims' iPhone devices running iOS 18.2.1 and exploit a critical vulnerability that was a zero-day at the time.

The attack exploited CVE-2025-43200 (CVSS score 9.8), a logic issue that existed when processing a maliciously crafted photo or video shared via an iCloud Link.

Apple has patched the vulnerability in iOS 18.3.1 released on February 10, 2025, but the CVE identifier was only publicly disclosed on June 12, 2025, after Citizen Lab shared their findings. Apple acknowledged that it was "aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals."

According to Citizen Lab's analysis, Graphite's delivery vector was iMessage. The attacker used an account, generically labeled 'ATTACKER1' in the research, to send specially crafted messages that exploited CVE-2025-43200 for remote code execution. This delivered the spyware without any interaction from the target and without producing any visible signs to alert the victim.

Once active, the spyware contacted a command-and-control (C2) server to receive further instructions. In the confirmed cases, the infected phones connected to https://46.183.184[.]91, a server linked to Paragon's infrastructure. This IP address was hosted on EDIS Global and was active at least until April 12, 2025.
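For defenders who manage a fleet of iPhones, the two concrete data points above (the fixed release, iOS 18.3.1, and the published C2 address) can be turned into a quick triage pass. The following is an added example, not code from Citizen Lab or from this article; the flow-record format, the inventory mapping, and all device names and internal addresses are constructed assumptions.

```python
import ipaddress
import re

PATCHED = (18, 3, 1)             # iOS release that fixed CVE-2025-43200 (per the article)
C2_DEFANGED = "46.183.184[.]91"  # C2 address as published in the article, defanged

def refang(indicator):
    """Convert a defanged indicator such as 46.183.184[.]91 into an IP object."""
    return ipaddress.ip_address(indicator.replace("[.]", "."))

def parse_version(text):
    """'18.2.1' -> (18, 2, 1); short versions are zero-padded, so 18.3 < 18.3.1."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(flow_lines, inventory):
    """Return {source_ip: details} for every device that contacted the C2.

    The inventory holds the current OS only; unknown versions count as unpatched.
    """
    c2, findings = str(refang(C2_DEFANGED)), {}
    for line in flow_lines:
        fields = line.split()
        if len(fields) < 4:
            continue                      # skip truncated or malformed records
        ts, src, dst = fields[:3]
        if dst != c2:
            continue
        name, version = inventory.get(src, ("unknown device", ""))
        hit = findings.setdefault(src, {
            "device": name, "ios": version, "hits": 0, "first_seen": ts,
            "unpatched": parse_version(version) < PATCHED,
        })
        hit["hits"] += 1
        hit["first_seen"] = min(hit["first_seen"], ts)  # ISO-8601 UTC sorts as text
    return findings

# Constructed sample data: flow records are "timestamp src dst port" (assumed format).
FLOWS = [
    "2025-02-03T09:14:22Z 10.0.8.17 46.183.184.91 443",
    "2025-02-03T09:10:05Z 10.0.8.17 46.183.184.91 443",
    "2025-02-04T11:02:40Z 10.0.8.23 203.0.113.10 443",
    "2025-03-01T07:45:00Z 10.0.8.31 46.183.184.91 443", "malformed line",
]
INVENTORY = {  # source IP -> (device name, current iOS version), e.g. from an MDM export
    "10.0.8.17": ("iphone-newsdesk-01", "18.2.1"),
    "10.0.8.23": ("iphone-newsdesk-02", "18.3.1"),
    "10.0.8.31": ("ipad-photo-01", "18.5"),
}

if __name__ == "__main__":
    print(triage(FLOWS, INVENTORY))
```

Any device that appears in the result warrants forensic review even if it is patched today, because the inventory reflects the current OS version rather than the version at the time of the connection.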

Citizen Lab was able to recover some logs that contained enough evidence to attribute the attacks to Paragon's Graphite spyware with high confidence. The researchers identified an indicator linking both cases to the same Paragon operator.

At least two journalists were affected, with additional targets identified through related investigations:

  • A prominent European journalist (identity withheld for security reasons)
  • Ciro Pellegrino, a journalist at Italian publication Fanpage.it
  • Francesco Cancellato, also from Fanpage.it, who was notified by WhatsApp in January 2025 that he was targeted with Paragon spyware, though forensic confirmation of successful infection has not been established
  • Luca Casarini and Beppe Caccia, who both work for the Italian nonprofit Mediterranea Saving Humans, which rescues immigrants at sea.

For now, Citizen Lab has not attributed Pellegrino's and the other unnamed European journalist's attacks to any government. 
