Bill Marczak
billmarczak.org
@billmarczak.org
senior researcher at @citizenlab.ca
The attack in question was reportedly in 2022, and while we can imagine there's a plausible way they might have figured this out (via analysis of published Operation Triangulation infrastructure from Kaspersky), there are (seemingly) unfortunately no IOCs available at this time.
October 20, 2025 at 1:33 AM
We were also able to identify a second (unpublished) iOS threat actor (not NSO) who likely used the same persistence exploit *code* (shared strings), and a third (unpublished) iOS threat actor who likely used the same telemetry-disablement *code* as both.
October 16, 2025 at 5:17 PM
Not to spoil too much, but the underlying issue was a type confusion vulnerability in Foundation during NSKA deserialization of "StrideCalibrationDataBins" in locationd's "user.plist" file that it loads on start. Silently patched in 10.3.3.
October 16, 2025 at 5:17 PM
Watch the video to learn about @droethlisberger.bsky.social's hard-core reverse engineering: he essentially wrote an emulator for a significant chunk of iOS 10 internals to reveal the exploit's secrets!
October 16, 2025 at 5:16 PM
Of course, there's ~no capital-P persistence on iOS (i.e., you can't "just launch" your malicious binary on reboot), so the game is reinfect-on-reboot, either by pushing a remote exploit, or by causing the phone to pull/process an exploit on reboot.
October 16, 2025 at 5:16 PM
Was a big mystery as to how/why CVE-2025-43300 came to be the only part of the chain that was patched on iOS. Now we know: it was actually a WhatsApp attack!
August 29, 2025 at 4:17 PM
This means if we see two devices targeted by the same Paragon attacker account (e.g., ATTACKER1), we can surmise that both targets were targeted by the _same_ Paragon customer/operator, as in this case.
June 13, 2025 at 5:05 PM
Based on our understanding of typical mercenary spyware operations, a spyware company (e.g., Paragon) will register the attack accounts (e.g., ATTACKER1) and distribute credentials for a given account only to infrastructure exclusive to a single customer/operator.
June 13, 2025 at 5:04 PM
We found the ATTACKER1 account present on the second journalist’s phone, i.e., the phone of Fanpage.it journalist Ciro Pellegrino. The steps of our attribution argument are outlined in our diagram:
June 13, 2025 at 5:03 PM
Anyhoo, around the same time this same phone was making these requests, it was silently communicating with an iMessage account (which we redact as "ATTACKER1"). We conclude that ATTACKER1 deployed a sophisticated zero-click attack against the device. Apple (silently) mitigated it in iOS 18.3.1:
June 13, 2025 at 5:02 PM
And there’s a clear chain of shared behavior leading from Fingerprint P1 back to other IPs that previously returned pages entitled "Paragon" and a TLS certificate with the terms "Graphite" and "installerserver".
June 13, 2025 at 4:59 PM
Basically, one of the phones sent multiple requests to IP 46.183.184[.]91, an IP that we linked with high confidence to Paragon's Graphite spyware infrastructure. We were able to make this link because 46.183.184[.]91 matched our Fingerprint P1 (seen here in Censys search syntax).
June 13, 2025 at 4:58 PM