June 13, 2025
Severity
High
Analysis Summary
A highly advanced spyware known as Graphite, developed by the Israeli firm Paragon, has been deployed against journalists through a zero-click vulnerability in Apple’s iOS. The specific flaw, identified as CVE-2025-43200, allowed attackers to silently infiltrate iPhones via iMessage without any interaction from the victim. This exploit enabled complete device compromise, allowing access to sensitive information such as messages, photos, location data, and even the activation of cameras and microphones. Apple patched the vulnerability in iOS 18.3.1, but users on earlier versions remained vulnerable well into early 2025.
Forensic investigations revealed that an iMessage account labeled "ATTACKER1" was used to deliver the zero-click exploit. The infected devices were connected to a server at IP address 46.183.184[.]91, hosted by EDIS Global, until at least April 12, 2025; that server matched the spyware infrastructure fingerprint identified by researchers. The campaign left no visible signs on the targeted devices, making detection by victims virtually impossible. The spyware's infrastructure and behavior strongly tied it to Graphite operations, further implicating Paragon in its deployment.
The spyware campaign specifically targeted journalists, notably at the Italian news outlet Fanpage[.]it. Confirmed victims include Ciro Pellegrino, head of the Naples newsroom, and Francesco Cancellato, both of whom received spyware warnings from Apple and WhatsApp, respectively. Forensic analyses confirmed spyware artifacts on their devices. The targeting of multiple individuals within the same media outlet indicates a strategic and deliberate effort to compromise the organization's operations and potentially expose sensitive journalistic sources.
The incident has prompted concerns over government surveillance practices and lack of oversight. Italy’s parliamentary intelligence committee (COPASIR) acknowledged the use of Graphite but denied knowledge of who targeted Cancellato. Although Paragon Solutions offered to assist with the investigation, Italian authorities declined, citing national security risks. The case exemplifies the broader spyware crisis impacting journalists globally, where invasive surveillance tools are used with little transparency or accountability. Victims are urged to take spyware alerts from platforms like Apple, Meta, or WhatsApp seriously and consult digital rights organizations such as Access Now or Amnesty International’s Security Lab for assistance.
Impact
- Sensitive Data Theft
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-43200
IP
- 46.183.184.91
Remediation
- Update to iOS 18.3.1 or later immediately to patch the zero-click vulnerability.
- Enable automatic updates on iOS devices to ensure future security patches are applied promptly.
- Take threat notifications seriously from Apple, WhatsApp, Meta, or Google — they often indicate nation-state-grade spyware threats.
- Contact digital security experts (e.g., Access Now’s Digital Security Helpline or Amnesty International’s Security Lab) if you receive a warning.
- Avoid clicking unknown or suspicious links, even if sent via trusted platforms like iMessage or WhatsApp.
- Regularly review device permissions for apps (camera, microphone, location) and revoke unnecessary access.
- Use device management tools to monitor suspicious behavior or unauthorized access.
- Consider using separate devices for sensitive communication and general use to compartmentalize risk.
- Keep backups encrypted and offline to protect data in the event of compromise.
- Advocate for stronger legal oversight and transparency in the use of spyware technologies by governments and private actors.
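The two checks a defender can actually automate from this advisory are the ones in the Indicators of Compromise section and the first remediation item: look for connections to the listed IP, and find devices still below iOS 18.3.1. The script below is an added example, not part of the advisory or of any vendor tooling. The firewall log format (`src=`/`dst=` fields), the device inventory, and the benign sample addresses are constructed assumptions; only the IP indicator and the patched iOS version come from the advisory. It accepts the IP in both plain and defanged (`[.]`) form and compares iOS versions numerically, so that 18.10 is correctly treated as newer than 18.3.1.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Indicators taken from the advisory above.
IOC_IPS = {"46.183.184.91"}
PATCHED_IOS = (18, 3, 1)  # iOS 18.3.1, the release the advisory names as fixed

# Constructed sample data for this example, not real telemetry. The log field
# layout and the device names are assumptions; benign addresses use the
# 192.0.2.0/24 documentation range and RFC 1918 space.
SAMPLE_FIREWALL_LOG = [
    "2025-04-10T08:12:03Z src=10.20.0.14 dst=46.183.184.91 proto=tcp dport=443",
    "2025-04-10T08:12:09Z src=10.20.0.14 dst=192.0.2.44 proto=tcp dport=443",
    "2025-04-11T19:40:51Z src=10.20.0.22 dst=46.183.184[.]91 proto=tcp dport=443",
    "2025-04-11T19:41:02Z src=10.20.0.22 dst=10.20.0.1 proto=udp dport=53",
]
SAMPLE_DEVICE_INVENTORY = {
    "iphone-newsroom-01": "18.3.1",
    "iphone-newsroom-02": "18.3",
    "iphone-newsroom-03": "iOS 17.6.1",
    "iphone-newsroom-04": "18.5",
}


def refang(indicator: str) -> str:
    """Convert a defanged indicator such as 46.183.184[.]91 back to a plain IP."""
    return indicator.replace("[.]", ".")


def parse_ios_version(text: str) -> Tuple[int, int, int]:
    """Parse '18.3', '18.3.1' or 'iOS 17.6.1' into a (major, minor, patch) tuple.
    Numeric tuples order correctly; a plain string compare would wrongly rank
    '18.10' below '18.3.1'. Missing components are treated as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not nums:
        raise ValueError(f"not a version string: {text!r}")
    major, minor, patch = (nums + [0, 0, 0])[:3]
    return (major, minor, patch)


def is_unpatched(version: str) -> bool:
    """True when the device runs a build older than the fixed release."""
    return parse_ios_version(version) < PATCHED_IOS


def ioc_hits(log_lines: List[str]) -> List[str]:
    """Return every log line whose dst= field is one of the advisory's IP
    indicators, accepting both plain and defanged notation."""
    hits = []
    for line in log_lines:
        m = re.search(r"\bdst=(\S+)", line)
        if not m:
            continue
        try:
            dst = str(ipaddress.ip_address(refang(m.group(1))))
        except ValueError:
            continue  # not an IP literal (e.g. a hostname); skip it
        if dst in IOC_IPS:
            hits.append(line)
    return hits


def triage(inventory: Dict[str, str], log_lines: List[str]) -> Dict[str, List[str]]:
    """Combine both checks into one report: devices that still need the update,
    and network records pointing at the listed infrastructure."""
    return {
        "unpatched_devices": sorted(d for d, v in inventory.items() if is_unpatched(v)),
        "ioc_network_hits": ioc_hits(log_lines),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DEVICE_INVENTORY, SAMPLE_FIREWALL_LOG)
    for key, items in report.items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
```

On the constructed data the report lists two devices below 18.3.1 and two log lines reaching the listed IP, one of which was written in defanged form. A hit on the IP is a reason to pull the device for forensic review, not proof of infection on its own, since the advisory notes the server was tied to the campaign only up to a specific date.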