Graphite Spyware Uses iOS Zero-Click Flaw to Target Journalists


Security researchers at Citizen Lab have uncovered the first forensic evidence linking Paragon’s Graphite mercenary spyware to zero-click attacks on journalists’ iPhones.

The campaigns exploited a now-patched iMessage vulnerability (CVE-2025-43200) to compromise devices running iOS 18.2.1, highlighting the persistent threat of state-aligned surveillance against civil society.

Technical Overview of the Attack Chain

According to the report, the attacks leveraged a zero-click iMessage exploit requiring no user interaction.

Key technical elements include:

  • Vulnerability: CVE-2025-43200, a logic flaw in processing malicious iCloud Links containing images/videos, patched in iOS 18.3.1 (February 2025).
  • Delivery Mechanism: An iMessage account (ATTACKER1) sent weaponized media files via iCloud, triggering remote code execution.
  • Command-and-Control (C2) Infrastructure: Infected devices communicated with 46.183.184[.]91, a server hosted by EDIS Global and linked to Paragon’s Graphite spyware through Fingerprint P1.
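
As an added example (not from the article or the Citizen Lab report), the two concrete values listed above, the fixed release and the C2 address, can drive a quick fleet triage. The inventory, the flow-log format and the sample data are constructed, and treating every version below 18.3.1 as unpatched is an assumption.

```python
import ipaddress

# Values taken from the article above.
PATCHED_IOS = (18, 3, 1)             # release that fixed CVE-2025-43200
C2_DEFANGED = ["46.183.184[.]91"]    # Graphite C2 server, as published (defanged)

def refang(indicator):
    """Turn a defanged indicator such as 1.2.3[.]4 back into an IP address object."""
    return ipaddress.ip_address(indicator.replace("[.]", ".").strip())

def parse_version(text):
    """'18.2.1' -> (18, 2, 1); missing components count as zero ('18.3' -> (18, 3, 0))."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(inventory, flows):
    """Return {device: [findings]} for devices that are unpatched or contacted the C2.
    inventory: {name: ios_version}; flows: 'timestamp name dst_ip dst_port' (assumed format)."""
    c2 = {refang(i) for i in C2_DEFANGED}
    findings = {}
    for device, version in inventory.items():
        if parse_version(version) < PATCHED_IOS:
            findings.setdefault(device, []).append(f"unpatched iOS {version}")
    for line in flows:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, device, dst, _port = fields
        try:
            hit = ipaddress.ip_address(dst) in c2
        except ValueError:
            continue  # destination is not an IP literal
        if hit:
            findings.setdefault(device, []).append(f"contacted C2 {dst} at {ts}")
    return findings

# Constructed sample data (not from the Citizen Lab report).
INVENTORY = {"phone-a": "18.2.1", "phone-b": "18.3.1", "phone-c": "18.3"}
FLOWS = [
    "2025-01-29T10:02:11Z phone-a 46.183.184.91 443",
    "2025-01-29T10:05:40Z phone-b 203.0.113.10 443",
    "garbled line",
]

if __name__ == "__main__":
    for device, notes in sorted(triage(INVENTORY, FLOWS).items()):
        print(device, "->", "; ".join(notes))
```

A device with no findings is not thereby cleared: the list holds only the single address published here, and network logs say nothing about on-device artifacts.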

Forensic logs confirmed the spyware operated stealthily ...


Copyright of this story solely belongs to gbhackers.