Hidden Shadows: The Secret Battle Behind Apple’s Silent Spyware Fix

Two European journalists were targeted in sophisticated spyware attacks exploiting previously undisclosed vulnerabilities on Apple’s iPhones, according to new investigative findings released on Thursday. Researchers from Citizen Lab confirmed the incidents involved spyware developed by Paragon, a controversial technology firm known to sell surveillance tools.

Citizen Lab’s report disclosed that Apple told researchers it had addressed the vulnerability exploited in these attacks through an update earlier this year. The vulnerability was reportedly fixed in iOS 18.3.1, an update from February 10, but Apple’s initial security advisory at the time made no mention of the newly discovered flaw. Instead, it described a separate vulnerability that allowed a device’s security mechanisms to be circumvented.

Apple quietly updated its security advisory on Thursday, four months after the initial release, acknowledging the previously undisclosed flaw. The revised advisory explained that a logic error enabled attackers to execute code through a maliciously crafted photo or video shared via iCloud links. Apple noted that it was aware this vulnerability had already been used in highly targeted, sophisticated attacks.

Victims identified by Citizen Lab include Italian journalist Ciro Pellegrino and another prominent European journalist, whose identity was not publicly revealed. Both received notifications in late April directly from Apple warning them of attempted incursions using advanced spyware, though the notices did not specifically identify Paragon as the author of these spyware attacks.

This revelation is part of a broader espionage scandal involving Paragon. Earlier this year, WhatsApp revealed that approximately 90 users, including journalists and human rights advocates, were targeted by Paragon’s spyware, known as Graphite. Subsequently, Apple sent out warnings to victims across a hundred countries indicating that their devices had come under attack by mercenary spyware, without explicitly naming Paragon in its alerts.

It remains unclear why Apple chose not to communicate the existence of this second vulnerability immediately upon its resolution, or why it waited until now to reveal it. Apple representatives have not commented on this decision.

This latest discovery underscores ongoing scrutiny around private spyware firms, whose technologies have continually raised alarm for compromising the privacy and safety of journalists, activists, and political dissidents worldwide.
