On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists who consented to the technical analysis of their cases. In this report, we discuss key findings from our forensic analyses of their devices.
Researchers revealed on Thursday that two European journalists had their iPhones hacked with spyware made by Paragon. Apple says it has fixed the bug that was used to hack their phones.
The Citizen Lab wrote in its report, shared with TechCrunch ahead of its publication, that Apple had told its researchers that the flaw exploited in the attacks had been “mitigated in iOS 18.3.1,” a software update for iPhones released on February 10.
Until this week, the advisory of that security update mentioned only one unrelated flaw, which allowed attackers to disable an iPhone security mechanism that makes it harder to unlock phones.
On Thursday, however, Apple updated its February 10 advisory to include details about a new flaw, which was also fixed at the time but not publicized.
“A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” reads the now-updated advisory.
In the final version of its report published Thursday, The Citizen Lab confirmed this is the flaw used against Italian journalist Ciro Pellegrino and an unnamed “prominent” European journalist.
It’s unclear why Apple did not disclose the existence of this patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity.
The Paragon spyware scandal began in January, when WhatsApp notified around 90 of its users, including journalists and human rights activists, that they had been targeted with spyware made by Paragon, dubbed Graphite.
Then, at the end of April, several iPhone users received a notification from Apple alerting them that they had been the targets of mercenary spyware. The alert did not mention the spyware company behind the hacking campaign.
On Thursday, The Citizen Lab published its findings confirming that two journalists who had received that Apple notification were hacked with Paragon’s spyware.
It’s unclear if all the Apple users who received the notification were also targeted with Graphite. The Apple alert said that “today’s notification is being sent to affected users in 100 countries.”
A bombshell this Tuesday, June 10, 2025. The malicious group Stormous claims a cyberattack against the systems of the Éducation nationale.
It claims to hold data on more than 40,000 people and, to back up its allegations, provides a sample of just under 1,400 lines, each one a login/password or email address/password combination. And all of that for a handful of online services linked to the Éducation nationale.
But above all, this sample suggests that Stormous's claims are false.
We compared it against data from HudsonRock's Cavalier platform.
The conclusion quickly becomes clear: Stormous has begun releasing a combolist that was likely assembled, in whole or in part, from the countless infostealer logs shared daily, free of charge and indiscriminately on numerous more or less specialized Telegram channels. It recalls the impressive ALIEN TXTBASE list from late February.
The Swiss Bankers Association (Association suisse des banquiers, ASB) and the "Swiss Financial Sector Cyber Security Centre" (Swiss FS-CSC) support the recommendation of the German Banking Industry Committee (GBIC) to amend the FIDO2 standard, a change considered important from a Swiss perspective as well, in order to make the standard usable for securing transaction confirmations and not only for authentication at login.
The GBIC advocates extending the FIDO2 standard to allow transaction data to be displayed securely by the authenticator. Currently, the standard focuses mainly on logging in to platforms and systems and on using the browser for display. The GBIC, however, calls for the standard to be extended so that it can be used for a broader spectrum of transactions and activities. In the banking sector, this mainly concerns online banking and card payments.
We support the GBIC's proposal to amend the FIDO2 standard. We are convinced that this change would also benefit the Swiss banking sector, as it would allow broader use of FIDO2 beyond authentication at login. The ASB and the Swiss FS-CSC therefore support the GBIC's proposal to:
Suspected cybercriminals have created a fake installer for Chinese AI model DeepSeek-R1 and loaded it with previously unknown malware called "BrowserVenom".
The malware’s name reflects its ability to redirect all traffic from browsers through an attacker-controlled server.
This enables the crooks to steal data, monitor browsing activity, and potentially expose plaintext traffic. Credentials for websites, session cookies, financial account info, plus sensitive emails and documents are therefore all at risk – just the sort of info scammers seek so they can commit digital fraud and/or sell to other miscreants.
To date, the malware has infected "multiple" computers across Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. Kaspersky, which spotted a phishing campaign that spreads the malware by sending victims to a fake website that resembles the real DeepSeek homepage, said it continues to "pose a global threat."
While the malware used in this campaign is new, the tactic of using interest in AI to spread nasty payloads is increasingly common.
Such campaigns use phishing sites whose domain names differ slightly from those operated by real AI vendors, and criminals use malicious ads and other tactics, so they appear prominently in search engine results. But instead of delivering the promised chatbot or AI tool, they infect unwitting victims with everything from credential- and wallet-stealing malware to ransomware and Windows-borking code.
This campaign used the URL https[:]//deepseek-platform[.]com.
The crims promoted that address to many potential victims by buying ads from Google, so it appeared as the top result when users searched for "deepseek r1".
An APT hacking group known as 'Stealth Falcon' has exploited a Windows WebDAV RCE vulnerability in zero-day attacks since March 2025 against defense and government organizations in Turkey, Qatar, Egypt, and Yemen.
Stealth Falcon (aka 'FruityArmor') is an advanced persistent threat (APT) group known for conducting cyberespionage attacks against Middle East organizations.
The flaw, tracked under CVE-2025-33053, is a remote code execution (RCE) vulnerability that arises from the improper handling of the working directory by certain legitimate system executables.
Specifically, when a .url file sets its WorkingDirectory to a remote WebDAV path, a built-in Windows tool can be tricked into executing a malicious executable from that remote location instead of the legitimate one.
This allows attackers to force devices to execute arbitrary code remotely from WebDAV servers under their control without dropping malicious files locally, making their operations stealthy and evasive.
The vulnerability was discovered by Check Point Research, with Microsoft fixing the flaw in the latest Patch Tuesday update, released yesterday.
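A defender-side check for the .url pattern described above, added here as an example and not taken from the article, Check Point or Microsoft: it parses Internet Shortcut files and flags any whose WorkingDirectory is a UNC, WebDAV or HTTP path. The function names, verdict strings and the sample host and tool names are assumptions made for illustration.

```python
import configparser
import re
from pathlib import Path

# \\host\share, including the WebDAV redirector forms \\host@SSL\... and \\host@8080\...
UNC_RE = re.compile(r"^\\\\[^\\@]+((?:@ssl)?(?:@\d+)?)\\", re.IGNORECASE)


def classify_path(value):
    """Return 'http', 'webdav', 'unc', or None for a local or empty path."""
    value = value.strip().strip('"')
    if re.match(r"https?://", value, re.IGNORECASE):
        return "http"
    m = UNC_RE.match(value)
    if m is None:
        return None
    if m.group(1) or "\\davwwwroot" in value.lower():
        return "webdav"
    return "unc"


def inspect_url_file(text):
    """Return (verdict, details) for the text of one Internet Shortcut file."""
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return "unparsable", {"error": str(exc)}
    # Section names are matched case-insensitively; option names are lowercased.
    section = next((s for s in parser.sections()
                    if s.lower() == "internetshortcut"), None)
    if section is None:
        return "not-a-shortcut", {}
    workdir = parser.get(section, "workingdirectory", fallback="") or ""
    target = parser.get(section, "url", fallback="") or ""
    kind = classify_path(workdir)
    verdict = "remote-working-directory" if kind else "ok"
    return verdict, {"target": target, "working_directory": workdir, "kind": kind}


def scan_tree(root):
    """Yield (path, details) for every flagged .url file under root."""
    for path in Path(root).rglob("*.url"):
        text = path.read_text(encoding="utf-8-sig", errors="replace")
        verdict, details = inspect_url_file(text)
        if verdict == "remote-working-directory":
            yield path, details


# Constructed samples: the host name and tool name are placeholders.
SAMPLE_FLAGGED = "\n".join(["[InternetShortcut]",
                            r"URL=C:\Windows\System32\example-tool.exe",
                            r"WorkingDirectory=\\dav.example.test@SSL@443\DavWWWRoot\tools"])
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://example.test/\n"
```

Run `scan_tree()` over mail attachment stores, download folders or user profiles; a hit warrants review because a legitimate shortcut rarely needs a working directory on a remote server.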