
Forensic investigations have confirmed the use of Paragon’s Graphite spyware in zero-click attacks against Apple iOS devices belonging to journalists in Europe. The attacks, which circumvented end-to-end encryption by compromising the device itself, exploited undisclosed vulnerabilities in iMessage and WhatsApp, raising concerns about state-sponsored surveillance [1]. This article examines the technical mechanisms, geopolitical context, and defensive measures relevant to security professionals.
Technical Analysis of Graphite Spyware
Graphite leverages two primary attack vectors: an iOS zero-click iMessage exploit (CVE-2025-43200, since patched) and a WhatsApp zero-day delivered through malicious PDFs [2]. The spyware operates by:
- Intercepting pre-encryption keystrokes and screen activity
- Embedding within WhatsApp’s process memory on Android
- Persisting via memory-resident payloads that evade traditional MDM solutions [3]
Citizen Lab’s forensic analysis revealed that the spyware had been loaded into WhatsApp and other applications on compromised devices, with infection chains matching previous Paragon operations [4]. The iOS variant specifically abused iMessage’s image rendering subsystem before Apple patched the vulnerability in iOS 18.3.1.
Operational Context and Targets
The attacks focused on two Italian journalists from Fanpage.it and activists monitoring migration policies. Technical evidence links the campaigns to:
| Target | Infection Vector | Forensic Indicators |
|---|---|---|
| Ciro Pellegrino (Journalist) | iMessage zero-click | Memory artifacts matching Graphite C2 patterns |
| Luca Casarini (Activist) | WhatsApp PDF exploit | Modified WhatsApp process memory regions |
Italian officials admitted using Graphite against migration activists but denied targeting journalists [5]. Paragon terminated its Italian government contract after officials refused to investigate the journalist infections [6].
Defensive Recommendations
For organizations protecting high-risk individuals:
- Implement daily device reboots to clear memory-resident payloads [7]
- Deploy Mobile Detection and Response (MDR) solutions with kernel-level monitoring
- Enforce strict network filtering for C2 domains linked to Graphite infrastructure
Apple has since patched the iMessage vulnerability, but the WhatsApp exploit required server-side mitigations by Meta [8]. Organizations should verify that managed devices run iOS 18.3.1 or later and WhatsApp version 2.25.85 or later.
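The version floors above are only useful if they are actually checked against a fleet. The following is an added example (not code from the article or from any vendor named in it) of a patch-level compliance audit: it parses dotted version strings numerically, so that "18.3" correctly ranks below "18.3.1" and "2.25.85.76" ranks at or above "2.25.85", and reports every device that falls under either floor. The device inventory and its version strings are constructed for illustration; the exact format of WhatsApp build numbers is assumed to be dotted integers with an optional suffix.

```python
"""Patch-level compliance check for the iOS / WhatsApp version floors named in the text.

Added example, not from the original article. The inventory below is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Minimum versions stated in the article.
MIN_IOS = "18.3.1"
MIN_WHATSAPP = "2.25.85"


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version string into an integer tuple.

    Parsing stops at the first component that does not start with digits, and a
    non-digit tail inside a component (e.g. '76-beta') is dropped, so comparison
    is always over the numeric prefix only.
    """
    parts = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def meets_floor(installed: str, floor: str) -> bool:
    """True if installed >= floor, compared numerically component by component.

    Shorter tuples are zero-padded so '18.3' compares as '18.3.0' (below 18.3.1)
    and '2.25.85.76' compares against '2.25.85.0' (at or above the floor).
    """
    a, b = parse_version(installed), parse_version(floor)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


@dataclass
class Device:
    name: str
    ios_version: str
    whatsapp_version: str  # empty string if WhatsApp is not installed


def audit(devices: List[Device]) -> List[Tuple[str, List[str]]]:
    """Return (device name, findings) for every device that fails at least one floor."""
    findings = []
    for d in devices:
        issues = []
        if not meets_floor(d.ios_version, MIN_IOS):
            issues.append(f"iOS {d.ios_version} < {MIN_IOS} (CVE-2025-43200 fix not present)")
        if d.whatsapp_version and not meets_floor(d.whatsapp_version, MIN_WHATSAPP):
            issues.append(f"WhatsApp {d.whatsapp_version} < {MIN_WHATSAPP}")
        if issues:
            findings.append((d.name, issues))
    return findings


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    Device("reporter-iphone-01", "18.3.1", "2.25.85.76"),  # compliant on both
    Device("reporter-iphone-02", "18.3", "2.25.85"),       # iOS below floor
    Device("editor-iphone-03", "18.4", "2.25.84.9"),       # WhatsApp below floor
    Device("fixer-iphone-04", "17.6.1", ""),               # iOS below floor, no WhatsApp
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY):
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run against the constructed inventory, the audit flags three of the four devices; the first device passes because a longer build string at or above the floor is not mistaken for an older one. In practice the inventory would come from the MDM's device export rather than a hard-coded list.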
Conclusion
The Graphite operations demonstrate evolving mercenary spyware capabilities against hardened iOS environments. The technical overlap with previous Paragon campaigns suggests reuse of exploit frameworks across government clients. Ongoing forensic analysis may reveal additional targets and infection vectors.
References
1. “First forensic confirmation of Paragon’s iOS mercenary spyware finds journalists targeted,” Citizen Lab, 2025.
2. “Paragon Spyware Attacks Exploited WhatsApp Zero-Day,” SecurityWeek, 2025.
3. “Mobile Under Fire: Spyware Exploits Zero-Click Attacks,” SolCyber, 2025.
4. “Paragon Graphite spyware used against journalists’ Apple devices,” The Record, 2025.
5. “Italian lawmakers say Italy used spyware against activists,” TechCrunch, 2025.
6. “Paragon questions journalist hack probe after contract nixed,” Haaretz, 2025.
7. “Daily reboots as defense against zero-click attacks,” ZDNet, 2025.
8. “WhatsApp zero-click spyware attack details,” Bitdefender, 2025.