A newly disclosed zero-click vulnerability in Apple's iMessage platform was exploited to spy on journalists in Europe using high-end spyware built by the Israeli company Paragon Solutions.
Two Journalists Targeted
Citizen Lab, a digital rights watchdog at the University of Toronto, confirmed forensic evidence that at least two journalists, Ciro Pellegrino of the Italian publication Fanpage.it and an anonymous "prominent European journalist," had their iPhones running iOS 18.2.1 infected with Paragon's Graphite spyware in early 2025.
"Our forensic analysis concluded that one of the journalist's devices was compromised with Paragon's Graphite spyware in January and early February 2025 while running iOS 18.2.1," reads the report published by Citizen Lab on Thursday.
"We attribute the compromise to Graphite with high confidence because logs on the device indicated that it made a series of requests to a server that, during the same time period, matched our published Fingerprint P1."
The same iMessage account identified in earlier attacks was found in Pellegrino's device logs, "which we associate with a Graphite zero-click infection attempt."
Since mercenary spyware vendors typically assign dedicated infrastructure to each client, the account "would be used exclusively by a single Graphite customer/operator, and we conclude that this customer targeted both individuals," the report added.
Apple notified both victims on April 29, 2025, along with selected iOS users, warning them that their devices had been targeted by "advanced spyware." The now-patched zero-day iMessage vulnerability, CVE-2025-43200, allowed the spyware to infect iPhones without any user interaction.
What Is Graphite?
Graphite is an advanced surveillance tool built by Paragon Solutions, an Israeli cyber-intelligence firm with ties to former Israeli Prime Minister Ehud Barak. The tool enables government clients to remotely access a target's device, retrieving data such as messages, emails, photos, and location data, and even gaining real-time access to the microphone or camera.
How The Attack Worked
The attacker used a generic iMessage account, labeled "ATTACKER1" in research documents, to deliver specially crafted messages exploiting a logic flaw in how iOS processed maliciously crafted photos or videos shared via an iCloud Link. The exploit affected devices running iOS 18.2.1 and earlier.
The attack was what's known as a zero-click exploit: it required no action from the victim (no clicks, no downloads) and left virtually no visible trace on the phone. Once the spyware was activated, it connected to a command-and-control server at https://46.183.184[.]91, a VPS linked to Paragon's infrastructure, and secretly accessed messages, emails, photos, location, microphone, camera, and more.
Apple quietly addressed the issue on February 10, 2025, as part of iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1. However, the use of this zero-day exploit was only revealed publicly in June after Citizen Lab's investigation.
In its now-updated advisory, the iPhone maker describes the flaw as "a logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link," noting that the vulnerability was resolved through enhanced input validation.
The company also acknowledged that it is aware of reports that the vulnerability "may have been exploited in an extremely sophisticated attack against specifically targeted individuals."
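The fixed releases listed above can be turned into a fleet exposure check. The following is an added example, not code from Citizen Lab, Apple or this article; the inventory rows and device names are constructed, and treating major releases newer than the listed branches as patched is an assumption.

```python
import re

# Fixed releases for CVE-2025-43200 as listed in the article, keyed by
# (platform, major version). Other branches have no fix named on the page.
FIXED = {
    ("iOS", 18): (18, 3, 1), ("iPadOS", 18): (18, 3, 1),
    ("iPadOS", 17): (17, 7, 5), ("macOS", 15): (15, 3, 1),
    ("macOS", 14): (14, 7, 4), ("macOS", 13): (13, 7, 4),
    ("watchOS", 11): (11, 3, 1), ("visionOS", 2): (2, 3, 1),
}

def parse_version(text):
    """Turn '18.2.1' or '18.3' into a 3-tuple of ints, zero-padded."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(platform, version):
    """Classify one device as 'patched', 'vulnerable' or 'no-listed-fix'."""
    v = parse_version(version)
    fixed = FIXED.get((platform, v[0]))
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    listed = [major for (p, major) in FIXED if p == platform]
    # Assumption: a major release newer than every listed branch for the
    # platform shipped after the fix and includes it.
    if listed and v[0] > max(listed):
        return "patched"
    # Older branch or unknown platform: the page names no fixed build.
    return "no-listed-fix"

# Constructed inventory (hypothetical device names) for illustration.
INVENTORY = [
    ("reporter-iphone", "iOS", "18.2.1"),
    ("editor-iphone", "iOS", "18.3.1"),
    ("desk-mac", "macOS", "14.7.3"),
    ("old-ipad", "iPadOS", "16.7"),
    ("lab-mac", "macOS", "15.4"),
]

def triage_fleet(inventory):
    """Map device name -> status for (name, platform, version) rows."""
    return {name: triage(platform, ver) for name, platform, ver in inventory}

if __name__ == "__main__":
    for name, status in triage_fleet(INVENTORY).items():
        print(f"{name:16} {status}")
```

Devices reported as `no-listed-fix` sit on a branch for which the article names no patched build and need manual review rather than an automatic pass.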
European Journalists In Danger Due To Spyware Crisis
At the time Citizen Lab published its report, three European journalists had been confirmed as targets of Paragon's Graphite spyware: two through forensic evidence and one via Meta's notification. One case is tied to the Italian outlet Fanpage.it, raising urgent questions about who is behind the attacks and whether any legal justification exists.
"The lack of accountability available to these spyware targets highlights the extent to which journalists in Europe continue to be subjected to this highly invasive digital threat, and underlines the dangers of spyware proliferation and abuse," the report concluded.