A newly disclosed zero-click vulnerability in Apple’s iMessage platform was exploited to spy on journalists in Europe using high-end spyware built by the Israeli company Paragon Solutions.
Two Journalists Targeted
Citizen Lab, a digital rights watchdog at the University of Toronto, confirmed forensic evidence that at least two journalists—Ciro Pellegrino of the Italian publication Fanpage.it, and an anonymous “prominent European journalist”—had their iPhones running iOS 18.2.1 infected with Paragon’s Graphite spyware in early 2025.
“Our forensic analysis concluded that one of the journalist’s devices was compromised with Paragon’s Graphite spyware in January and early February 2025 while running iOS 18.2.1,” reads the report published by Citizen Lab on Thursday.
“We attribute the compromise to Graphite with high confidence because logs on the device indicated that it made a series of requests to a server that, during the same time period, matched our published Fingerprint P1.”
The same iMessage account identified in earlier attacks was found in Pellegrino’s device logs, “which we associate with a Graphite zero-click infection attempt.”
Since mercenary spyware vendors typically assign dedicated infrastructure to each client, the account “would be used exclusively by a single Graphite customer/operator, and we conclude that this customer targeted both individuals,” the report added.
Apple notified both victims on April 29, 2025, along with selected iOS users, warning them that their devices had been targeted by “advanced spyware.” The now-patched zero-day iMessage vulnerability, CVE-2025-43200, allowed the spyware to infect iPhones without any user interaction.
What Is Graphite?
Graphite is an advanced surveillance tool built by Paragon Solutions, an Israeli cyber-intelligence firm with ties to former Israeli Prime Minister Ehud Barak. The tool enables government clients to remotely access a target’s device, retrieving data such as messages, emails, photos, and location data, and even gaining real-time access to the microphone or camera.
How The Attack Worked
The attacker used a generic iMessage account, labeled ‘ATTACKER1’ in research documents, to deliver specially crafted messages exploiting a logic flaw in how iOS processed maliciously crafted photos or videos shared via an iCloud Link. The exploit affected devices running iOS 18.2.1 and earlier.
The attack was what’s known as a zero-click exploit: it required no action from the victim (no clicks, no downloads) and left virtually no visible trace on the phone. Once the spyware was activated, it connected to a command-and-control server at https://46.183.184[.]91, a VPS linked to Paragon’s infrastructure, and secretly accessed messages, emails, photos, location, microphone, camera, and more.
Apple quietly addressed the issue on February 10, 2025, as part of iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1. However, the use of this zero-day exploit was only revealed publicly in June after Citizen Lab’s investigation.
In its now-updated advisory, the iPhone maker says that “a logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link,” noting that the vulnerability was resolved through enhanced input validation.
The company also acknowledged that it is aware of reports that the vulnerability “may have been exploited in an extremely sophisticated attack against specifically targeted individuals.”
European Journalists In Danger Due To Spyware Crisis
At the time Citizen Lab published their report, three European journalists had been confirmed as targets of Paragon’s Graphite spyware—two through forensic evidence and one via Meta’s notification. One case is tied to the Italian outlet Fanpage.it, raising urgent questions about who is behind the attacks and whether any legal justification exists.
“The lack of accountability available to these spyware targets highlights the extent to which journalists in Europe continue to be subjected to this highly invasive digital threat, and underlines the dangers of spyware proliferation and abuse,” the report concluded.