Cybersecurity researchers have confirmed that two prominent journalists were successfully targeted with Paragon’s Graphite mercenary spyware through a sophisticated zero-click attack exploiting an Apple iOS vulnerability.
The attacks, discovered in April 2025, represent the latest escalation in the ongoing European spyware crisis affecting media professionals and highlight the persistent threat of state-grade surveillance tools being used against journalists.
On April 29, 2025, Apple notified a select group of iOS users that they had been targeted with advanced spyware, prompting forensic analysis that revealed the exploitation of a previously unknown vulnerability.
Security researchers from the Citizen Lab confirmed that attackers used Paragon’s Graphite spyware to compromise devices through a zero-click iMessage attack, requiring no user interaction to succeed.
Apple has since patched the vulnerability, assigning it CVE-2025-43200, and confirmed that the attack was mitigated as of iOS 18.3.1.
The technical analysis revealed that compromised devices communicated with a Paragon server at IP address 46.183.184.91, which remained active and matched known Graphite fingerprints until at least April 12, 2025.
The server was hosted by VPS provider EDIS Global, demonstrating the sophisticated infrastructure supporting these mercenary spyware operations.
iOS Zero-Click Vulnerability
The investigation identified Italian journalist Ciro Pellegrino, head of the Naples newsroom at Fanpage.it, and an unnamed prominent European journalist as confirmed victims of the Graphite spyware campaign.
Forensic analysis revealed that both journalists’ devices contained artifacts linking them to the same attacker, identified through a common iMessage account designated as “ATTACKER1”.
This represents the second journalist from Fanpage.it to be targeted with Paragon spyware, following Francesco Cancellato, who received a WhatsApp notification in January 2025 about being targeted with Graphite.
The pattern suggests a coordinated effort to surveil the Italian news organization, with researchers noting that mercenary spyware companies typically provide each customer with dedicated infrastructure, indicating a single operator was responsible for targeting both journalists.
The anonymous European journalist’s device showed evidence of active compromise during January and early February 2025 while running iOS 18.2.1, with logs indicating persistent communication with the Paragon-controlled server.
Ongoing Spyware Crisis
The Italian government’s parliamentary intelligence oversight committee (COPASIR) published a report on June 5, 2025, acknowledging the use of Paragon’s Graphite spyware against other targets but stated they could not determine who targeted the Fanpage.it journalists.
Security experts recommend that journalists and civil society members who receive spyware warnings from Apple, Meta, or other platforms seek immediate expert assistance through organizations like Access Now’s Digital Security Helpline.
Paragon offered to assist the investigation but was rejected by Italian security services citing national security concerns about exposing their activities to the spyware vendor.
The confirmed targeting of three European journalists with Paragon’s Graphite spyware underscores the continuing digital threat facing media professionals across Europe.
Researchers emphasize that the lack of accountability for these attacks highlights the urgent need to address spyware proliferation and abuse, particularly when targeting individuals engaged in legitimate journalistic activities.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
.webp?w=1200&resize=1200,0&ssl=1&description=Cybersecurity researchers have confirmed that two prominent journalists were successfully targeted with Paragon's Graphite mercenary spyware.){kind=link}