Forensic Evidence Confirms Use of Graphite Spyware in iOS Zero-Click Attacks
A forensic investigation by Citizen Lab has confirmed the use of Graphite spyware, a mercenary surveillance tool developed by Israeli firm Paragon, in targeted zero-click attacks against two journalists in Europe.
The attacks exploited a zero-day vulnerability in Apple’s iOS operating system, allowing remote code execution through iMessage without requiring the victim to click or interact with the message.
Journalists Targeted Using iOS Vulnerability
The victims include an unnamed prominent European journalist and Ciro Pellegrino, a journalist for the Italian news outlet Fanpage.it. Apple notified both individuals on April 29, 2025, alerting them that they were targeted by advanced spyware.
“Our analysis finds forensic evidence confirming with high confidence that both a prominent European journalist (who requests anonymity), and Italian journalist Ciro Pellegrino, were targeted with Paragon’s Graphite mercenary spyware,” — Citizen Lab report
The attacks occurred in early 2025 and targeted iPhones running iOS 18.2.1 by exploiting CVE-2025-43200, a vulnerability that was unknown to Apple at the time.
Details of the CVE-2025-43200 Exploit
The CVE, now publicly listed, was a logic flaw in how iOS processed maliciously crafted media shared via iCloud Link. Apple patched the vulnerability in iOS 18.3.1 on February 10, adding stronger validation checks. However, the CVE identifier was only added to Apple’s official security bulletin on June 12.
Citizen Lab’s forensic data shows that iMessage was used as the delivery vector. An attacker labeled “ATTACKER1” sent a specially crafted message that triggered the exploit without user interaction—a classic zero-click attack.
Post-Exploitation Activity and C2 Infrastructure
Once the Graphite spyware was successfully delivered, it immediately connected to a command-and-control (C2) server for further instructions. The infected device reached out to:
https://46.183.184[.]91
This IP address was hosted by EDIS Global and was active until at least April 12, 2025. It has been linked directly to Paragon’s infrastructure.
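For defenders who want to check their own records against the C2 address and patch level reported above, the following is an added example, not code from Citizen Lab or from the original article. The log format, the sample log lines and the device inventory are constructed assumptions, and treating every iOS version below 18.3.1 as unpatched is also an assumption based on the patch release named above.

```python
import ipaddress
import re

C2_DEFANGED = "46.183.184[.]91"  # indicator exactly as printed in the article
PATCHED_IOS = (18, 3, 1)         # release the article says fixed CVE-2025-43200

# Assumed (constructed) log format: "<timestamp> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def refang(indicator):
    """Convert a defanged indicator (1.2.3[.]4) into an ip_address object."""
    return ipaddress.ip_address(indicator.replace("[.]", "."))

def is_unpatched(version):
    """True if an iOS version string sorts below the patched release."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))  # pad "18.3" to (18, 3, 0)
    return parts < PATCHED_IOS

def triage(log_lines, inventory):
    """Map each source IP that contacted the C2 address to hit times and patch state."""
    c2 = refang(C2_DEFANGED)
    findings = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed format
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # destination is a hostname or malformed
        if dst != c2:
            continue  # exact comparison, so 146.183.184.91 is not a hit
        ios = inventory.get(m["src"])  # None when the device is not inventoried
        entry = findings.setdefault(m["src"], {
            "ios": ios, "unpatched": None if ios is None else is_unpatched(ios), "hits": []})
        entry["hits"].append(m["ts"])
    return findings

# Constructed sample data, not taken from the Citizen Lab report.
SAMPLE_LOGS = [
    "2025-02-03T09:14:07Z src=10.0.4.17 dst=46.183.184.91 dport=443",
    "2025-02-03T09:14:09Z src=10.0.4.22 dst=146.183.184.91 dport=443",
    "2025-02-04T11:02:51Z src=10.0.4.17 dst=46.183.184.91 dport=443",
    "2025-02-05T08:30:00Z src=10.0.4.30 dst=192.0.2.10 dport=443",
    "2025-03-01T07:45:12Z src=10.0.4.41 dst=46.183.184.91 dport=443",
]
SAMPLE_INVENTORY = {"10.0.4.17": "18.2.1", "10.0.4.22": "18.2.1", "10.0.4.41": "18.3.1"}
```

Any contact with the address is a finding in its own right; the patch state is context for prioritising the forensic follow-up, not a reason to dismiss a hit.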
Background on Graphite Spyware
Graphite is a mercenary spyware platform designed to enable covert surveillance. It has capabilities similar to other well-known tools like NSO Group’s Pegasus. This incident marks another high-profile use of commercial spyware against journalists and civil society actors.
The method of attack and the infrastructure used highlight the continued evolution of zero-click surveillance and the growing role of commercial spyware vendors in targeted operations.