
Apple has initiated a new, widespread notification campaign, alerting users across 100 countries that their devices may have been individually targeted by sophisticated mercenary spyware attacks [1]. This action, confirmed by the French national Computer Emergency Response Team (CERT-FR), represents a continuation of Apple’s program to warn users of highly advanced threats that are vastly more complex and costly than standard cybercriminal activity. These attacks are typically associated with state actors and private companies, focusing on a very small number of specific individuals such as journalists, activists, politicians, and diplomats. The notifications, sent via iMessage, email, and a banner on the Apple ID website, advise recipients to seek expert assistance, specifically directing them to the Digital Security Helpline operated by Access Now.
Understanding Apple’s Threat Notification System
Apple’s Threat Notification system is a high-confidence, though not absolute, mechanism designed to alert users who may have been individually targeted by mercenary spyware [1]. The company does not disclose the specific attribution or detection methods to prevent attackers from adapting and evading future detection. Since 2021, Apple has sent these notifications multiple times a year to users in over 150 countries, underscoring the persistent and global nature of this threat. The alerts are a critical component of a broader defense strategy that also includes general user guidance on updating devices, using strong passwords and two-factor authentication, and installing apps only from the App Store. For individuals who believe they are at heightened risk, Apple recommends enabling Lockdown Mode, which provides extreme, optional protection for the very few users who face grave, targeted threats to their digital security.
Recent Campaigns and Global Impact
The latest wave of notifications, sent in late April 2025, reached users in 100 countries, with public confirmations from figures such as Italian journalist Ciro Pellegrino and Dutch right-wing activist Eva Vlaardingerbroek [2]. This event follows a similar pattern from July 2024, when Apple warned users in 98 countries of potential mercenary spyware attacks, often linked to tools like Pegasus [3]. The French government, through its national cybersecurity agency ANSSI, has treated these alerts with high priority, noting past targeting of high-level figures including President Macron [4]. The consistent global scope of these campaigns, from Iran to Italy, highlights the extensive operations of the commercial spyware industry and its focus on individuals of interest to certain state and non-state actors.
The Mercenary Spyware Market and Technical Sophistication
The threat landscape described by these notifications is characterized by tools from a well-known ecosystem of vendors, including NSO Group (Pegasus), Intellexa (Predator), Paragon Solutions, and Candiru [4]. The technical sophistication of these attacks is a primary differentiator from common malware; they frequently employ “zero-click” exploits that require no interaction from the victim, often delivered through channels like iMessage. Research organizations like Citizen Lab and Google’s Threat Analysis Group have extensively documented these capabilities. The attacks are not broad-spectrum but are instead surgically precise, aiming to compromise a specific device to gain complete access to its microphone, camera, and data, making them a potent tool for surveillance.
Security Enhancements and Expert Commentary
In response to this evolving threat, Apple continues to develop and deploy countermeasures. Cybersecurity expert David Bombal noted in a recent commentary that “Apple just made spyware attacks WAY harder,” linking this development to security announcements likely made during Apple’s September 2025 event [5]. This expert perspective suggests that Apple’s latest iOS security enhancements are a direct and significant response to the techniques used by mercenary spyware. A key protective feature is Lockdown Mode, which hardens device defenses by strictly limiting functionality; PCMag provides a visual guide on how to enable this critical setting on an iPhone [6]. These ongoing improvements reflect a continuous cycle of adaptation between offensive tool developers and defensive security teams.
Response and Remediation for Targeted Individuals
For recipients of an Apple threat notification, the recommended course of action is specific and should be followed carefully. Apple strongly advises enlisting expert help from organizations like the Digital Security Helpline by Access Now or Amnesty International’s Security Lab [1]. The French CERT provides detailed advice: verify the alert by signing into account.apple.com, update all operating systems, enable Lockdown Mode, and rotate passwords [4]. Crucially, individuals should avoid factory resetting their device, as this action could destroy valuable forensic evidence needed to confirm and analyze the compromise. This process is not for general users but is a targeted incident response plan for those under direct threat.
The persistent issuance of Apple’s threat notifications solidifies the company’s role in a broader collaborative effort to combat mercenary spyware. These alerts serve as a rare public glimpse into the covert battles fought over digital surveillance, highlighting the ongoing risk to high-value targets worldwide. While Apple’s security improvements aim to raise the cost and complexity for attackers, the profit-driven mercenary spyware market ensures that this threat will continue to evolve. The situation demands continued vigilance, advanced defensive research, and international cooperation to curb the proliferation and use of these powerful surveillance tools.