{"id":"4a59d00523a4e2e600aa60cbcf6921060619b7ecd7bf5e3073e9d34f54c225e9","pubkey":"609f186ca023d658c0fe019570472f59565c8be1dc163b1541fac9d90aa4e8af","created_at":1749746599,"kind":1,"tags":[["t","Paragon"],["t","Italy's"],["t","Apple"],["t","Paragon's"],["t","Paragon"],["t","Paragon's"],["t","WhatsApp"],["t","Paragon"],["t","Italy"],["t","CVE-2025-43200"]],"content":"🚨NEW INVESTIGATION: We just forensically unmasked #Paragon 's Apple spyware.\n\nZero-click targets: Journalists. In 🇪🇺Europe.\n\nLike 🇮🇹Italian reporter Ciro Pellegrino\n\nReopens #Italy's spyware scandal.\n\nFollows our earlier Citizenlab investigation of Paragon Android spyware. \n https://blossom.primal.net/f84b4ed767f2fc69a0dee3d6fe417f69a7e55e6676620c938ff1645aa5d57a5c.png \n\nBACKGROUND\n\nBack in April, #Apple sent out a threat notification to a select group of users. Some got in touch with us to get analyzed.\n\nWHAT WE FOUND\n\nThey'd been targeted with a sophisticated zero-click attack (think: no click, no attachment to open, no mistake needed...).\n\nhttps://blossom.primal.net/cf1eac34dc665075a1e3761992a6d2d38a155d99e05058401bd685b8843f1a0a.png \n\nWhile my brilliant colleague Bill Marczak was working on the phone of a prominent European journalist, he made a smoking gun discovery:\n\nRequests to server matching our P1 fingerprint for #Paragon's graphite.\n\n https://blossom.primal.net/68f475e66eb02beadaaed4feb7cb853b26112289a1861b45cbad18fcdb9ad09f.png \n\nParagon's 'undetectable' Apple spyware had just been found... Just as we'd found their Android spyware some months ago.\n\n https://blossom.primal.net/9d4412f41a7fa7dc618fa7109eb6c40e865f45ca008e017371761c77a194879b.png \n\nThe prominent European journalist had another spicy indicator on their iPhone logs:\n\nAn iMessage account belonging to a particular #Paragon customer...used to deploy this zero-click attack.\n\nWe call this account ATTACKER1. 
We'd find them again in short order...\n https://blossom.primal.net/1921d65e5d4f9734a5f70c4e5007045ab456ff14d473f1ac58264726b2782dd8.png \n\nEarlier this year we uncovered #Paragon's Android spyware after #WhatsApp notified a group of users they'd been targeted with Paragon.\n\nOne of the notification recipients? Journalist Francesco Cancellato \n\nHis outlet http://fanpage.it had done bombshell reporting that displeased the Italian government.\n https://blossom.primal.net/2d34f3ca05c248773b9f7230c9885afc8cc729a38915af01e3300ae38961b470.png \n\n Then, in April, his colleague Ciro Pellegrino also gets a notification. \n\nHis is from Apple (Cannot overstate how helpful these notifications are)\n\nWe analyze Ciro's iPhone & forensically confirm he's a Paragon target. \n\nAnd we find the ATTACKER1 iMessage account again!\n\nhttps://blossom.primal.net/3afa6d81512eacede96d0fa843d1d3e8cdfdccdbbf19dfe5f8abf6bcca9d809e.png \n\nITALIAN DRAMA\n This week #Paragon and #Italy have been locking horns over the case of Francesco Cancellato. Paragon doesn't want to be stuck w/unexplained abuses against journalists. \n\nhttps://blossom.primal.net/7251a0f76e67272876ddc6fff8a48ac50a31e13b1f69a959e9ad6883d995567c.png\n\nI think Paragon likely want to be able to put it on a customer & wash hands...\n\nBut when your customer is a government... they clap back. So Italy has been threatening to declassify things like Paragon's testimony to their intelligence oversight committee. Spicy.\n\nBIG QUESTION\n\n We're left with a big question: who's hacking European journalists with Paragon? \n\nWho targeted Francesco & Ciro?\n\nRight now they have no answers. \n\nBad look for Paragon. 
Bad look for Italy.\n\nCurious what Paragon knows about that server...\n\nBIG PICTURE \nParagon's marketing was the 'clean' & stealthy opposite of NSO Group.\n\nYet Paragon's Apple and Android tech got caught.\n\nAnd they can't shake a spyware abuse scandal.\n\nConclusion: the problem isn't just a few bad apples, abuse is axiomatic. \n\nAnd discovery is a matter of time.\n\nAPPLE USERS:\nOne bit of good news, Apple tells us that the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1.\n\nThat's #CVE-2025-43200 for the curious.\n https://blossom.primal.net/6f7137d1c02dc47599fcdbe95d1baa9ec3b90a434d02a42331d25a63179d2d4c.png \n\nMake sure to keep your iPhones up to date. And get in touch if you get one of these advanced threat notifications.\n\n\nOUR FULL REPORT: https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/","sig":"941567b2869acfac45ff5d6daaccf420b1006338d5a96c4e044003635d548aa4615c9a70cabf30a64e01581027a1ff636eae7bb2f38f36c9d2c86281b35ff67f"}