No Click, No Warning: Paragon Spyware Hijacks Apple Devices in Covert Attack
- SHAH MUHAMMAD ASH-SYAFIQ BIN SHAHRIL
- Jun 16

Introduction
In a chilling development for digital freedom, Apple has confirmed that a zero-click vulnerability in its Messages app was actively exploited in targeted spyware attacks. The flaw, tracked as CVE-2025-43200, was used to silently infect devices belonging to journalists using Paragon's Graphite spyware — a highly advanced surveillance tool sold to government clients.
This disclosure comes amid increasing global concern over the abuse of commercial spyware targeting civil society, journalists, and dissidents.
Attack Details: How the Exploit Worked
Apple patched CVE-2025-43200 on February 10, 2025, in iOS 18.3.1 and other system updates. The flaw was due to a logic issue in handling media shared via iCloud Links in the Messages app. Attackers used maliciously crafted photos or videos to trigger the exploit without any user interaction—making it a true zero-click vulnerability.
According to forensic analysis by Citizen Lab, the exploit was used to deliver Paragon’s Graphite spyware to two journalists via iMessage:
Ciro Pellegrino, an Italian journalist
An unnamed European journalist
Citizen Lab found that both journalists received iMessages from the same attacker-controlled Apple ID (ATTACKER1), which sent the Graphite payload to their devices.

A visual breakdown of the attacker infrastructure shows that ATTACKER1 sent spyware-laced messages to both journalists. Network forensics link the attack traffic to IP address 46.183.184.91, which aligns with a known Paragon Solutions fingerprint. This supports attribution of the operation to a specific Paragon customer.
MITRE ATT&CK Mapping
The following tactics and techniques describe the nature of the attack:
T1608.001 – Stage Capabilities: Upload Malware. Attackers uploaded spyware-laden media to be delivered via iCloud Links.
T1406 – Exploit for Privilege Escalation (Mobile). CVE-2025-43200 enabled the Graphite spyware to gain high-level access silently.
T1620 – Reflective Code Loading. The spyware executed in-memory for stealth and persistence.
T1412 – Input Capture (Mobile). Graphite gained access to mic, camera, messages, emails, and GPS data.
Impact and Victim Profile
Both targets were running iOS 18.2.1 at the time of compromise and were notified by Apple on April 29, 2025, through its threat notification system. The spyware, developed by Paragon, operates without any visible trace and is used for:
Audio/video surveillance
Email/message extraction
Location monitoring
Device control
Although the Italian government denied direct involvement, a parliamentary report by COPASIR confirmed that Paragon's spyware was used legally in limited investigations. Still, journalists remain vulnerable as collateral victims in surveillance operations with limited oversight.
The Return of Predator
The Graphite case coincides with renewed activity surrounding another spyware: Predator, developed by Intellexa/Cytrox. Researchers from Recorded Future’s Insikt Group observed fresh infrastructure deployments and new victims, especially in Africa, Eastern Europe, and Southeast Asia.

This diagram outlines Predator’s infrastructure. Victim-facing servers (Tier 1) relay traffic through anonymized VPS hops (Tiers 2–3) before reaching static IPs (Tier 4) controlled by customers. Tier 5 links Predator to entities like FoxITech, previously tied to spyware vendors. The layered design enhances obfuscation and attribution resistance.
Recommendations
🔐 For Individuals (especially high-risk targets):
Update immediately to the latest iOS/macOS/watchOS versions.
Enable Lockdown Mode on iPhones for stronger protection.
Use secure communication tools (e.g., Signal) and avoid opening unknown links—even from familiar contacts.
🛡️ For Organizations:
Deploy Mobile Threat Defense (MTD) solutions to monitor device behavior.
Conduct regular threat awareness training for executives and journalists.
Implement network-level threat detection to catch command-and-control (C2) patterns.
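As an added example (not part of the original article), a small fleet triage script covering two of these recommendations: flagging iOS devices still below the 18.3.1 build that carried the CVE-2025-43200 fix, and matching flow records against the 46.183.184.91 address cited above. The inventory rows and the flow-record layout are constructed assumptions, not any MDM or MTD vendor's export format.

```python
"""Fleet triage for CVE-2025-43200, iOS side only (added example)."""
from ipaddress import ip_address

PATCHED_IOS = (18, 3, 1)           # article: fix shipped in iOS 18.3.1
CAMPAIGN_IOCS = {"46.183.184.91"}  # article: IP matching a Paragon fingerprint

def parse_version(text: str) -> tuple[int, ...]:
    """'18.2.1' -> (18, 2, 1); pad so '18.3' compares as (18, 3, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_vulnerable(ios_version: str) -> bool:
    """True when the device runs an iOS release older than the fixed build."""
    return parse_version(ios_version) < PATCHED_IOS

def unpatched_devices(inventory: list[dict]) -> list[str]:
    """Device ids whose iOS version predates the fix (other OSes are skipped)."""
    return [d["id"] for d in inventory
            if d["os"] == "iOS" and is_vulnerable(d["version"])]

def flows_to_iocs(flow_lines: list[str]) -> list[tuple[str, str]]:
    """(device_id, dst_ip) for records whose destination is a campaign IoC.

    Constructed record layout: '<time> <device_id> <src_ip> <dst_ip> <dst_port>'.
    Malformed lines and non-IP destinations are skipped, not treated as hits.
    """
    hits = []
    for line in flow_lines:
        fields = line.split()
        if len(fields) != 5:
            continue
        device_id, dst = fields[1], fields[3]
        try:
            ip_address(dst)
        except ValueError:
            continue
        if dst in CAMPAIGN_IOCS:
            hits.append((device_id, dst))
    return hits

if __name__ == "__main__":
    # Constructed sample data: one device on the victims' 18.2.1 build, one patched.
    inventory = [{"id": "phone-01", "os": "iOS", "version": "18.2.1"},
                 {"id": "phone-02", "os": "iOS", "version": "18.3.1"}]
    flows = ["2025-02-01T10:00Z phone-01 10.0.0.5 46.183.184.91 443",
             "2025-02-01T10:01Z phone-02 10.0.0.6 203.0.113.9 443"]
    print("unpatched:", unpatched_devices(inventory))  # ['phone-01']
    print("ioc hits:", flows_to_iocs(flows))           # [('phone-01', '46.183.184.91')]
```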
🌍 Policy-Level Action:
Push for transparency from commercial spyware vendors.
Strengthen export controls and surveillance oversight laws.
Support independent investigations like Citizen Lab and EU cybersecurity task forces.
Conclusion
This attack on journalists is yet another example of the silent arms race unfolding in cyberspace. Even the most locked-down devices can be compromised via zero-click exploits, especially when paired with elite spyware. As surveillance tools become more accessible to governments and corporations alike, the need for legal safeguards, technical defenses, and investigative journalism has never been greater.