The new generation of “invisible” spyware

INTRODUCTION | The new generation of “invisible” spyware

In recent years, after the Pegasus scandal (NSO Group), the Israeli cyber-intelligence ecosystem has not stopped. On the contrary: it has produced even more sophisticated, targeted and hard-to-detect surveillance tools. Among these, Graphite — the spyware developed by Paragon Solutions Ltd. — represents the new frontier.

Graphite is a “lightweight” spyware only in appearance. Its primary purpose is to intercept encrypted communications (WhatsApp, Signal, Telegram, iMessage) and extract sensitive data without the user doing anything. It exploits so-called “zero-click” vulnerabilities, in particular in the iMessage chain on iPhone: this means the infection can occur without clicking any link or opening anything.

Once inside, Graphite grants virtually total access to the device: files, chats, contacts, GPS location, microphone and camera recordings. Like Pegasus, Predator and other “military” spyware, it operates under full remote control. But it stands out on two points:

• It is designed to target specific areas of the phone (encrypted messaging apps), reducing the forensic “noise” compared to a total, permanent compromise of the entire operating system.
• It leaves very few technical traces. This makes it hard not only for victims to realize they were infected, but also for other intelligence services to determine who is using the tool at a given time.

According to technical analyses published by Citizen Lab and Amnesty Tech between 2024 and 2025, Graphite was used against European journalists and activists, including Italian citizens. It is therefore a tool already in circulation, not a prototype.

In other words: if Pegasus was the scandal that made the problem public, Graphite is proof that the technology not only survives but evolves toward more discreet, modular, and politically “clean” models.

  1. Paragon Solutions: from Israeli start-up to U.S. flag
    Paragon Solutions was founded in 2019 in Israel. Among the founders are former officers of Unit 8200 (Israeli electronic intelligence) and former Prime Minister Ehud Barak, a key figure in the Israeli military-technology ecosystem. From the start Paragon has presented itself as the “ethical” alternative to NSO Group: it promises to sell its intrusion capabilities only to “democratic and responsible” governments, for purposes such as counterterrorism and fighting serious crime.

The flagship product is Graphite. In its marketing materials Paragon emphasizes three elements:

• the ability to infect even up-to-date devices (recent iPhone and Android models);
• access to encrypted conversations in real time;
• exploitation of zero-click exploits, i.e., without victim interaction.

This is the same technological segment as Pegasus (NSO), Predator (Intellexa/Cytrox), Candiru and similar: “military-grade” spyware sold on the government market and capable of turning any smartphone into a complete digital bug.

Paragon, however, has built a different narrative. The company claims to sell only to “Western or Western-aligned” governments, unlike other Israeli vendors accused of working with authoritarian regimes. In theory, no dictators. In practice, documented use in Italy, Denmark and Singapore between 2024 and 2025 shows that the definition of “trustworthy government” is elastic and that the line between national security and political surveillance remains ambiguous.

The crucial shift comes at the end of 2024. Paragon Solutions is acquired by the U.S. private equity firm AE Industrial Partners (AEI). The operation is structured as follows:

• AEI creates Paragon Parent Inc., registered in the State of Delaware;
• Paragon Parent Inc. is integrated with REDLattice, an AEI subsidiary specialized in offensive cyber and support for U.S. government customers;
• Paragon Solutions Ltd. (Israel) is effectively placed under a U.S. corporate umbrella while retaining Israeli technical know-how.

Thus a hybrid entity is born: formally American (useful for political and contractual relations with U.S. and European agencies), but with Israeli technological DNA. The objective is twofold:

• Make a sensitive product “sellable” again. Branding it as U.S. technology mitigates the reputational impact of “Made in Israel” after the Pegasus scandal and dossiers on the Intellexa ecosystem.
• Gain direct access to the U.S. market (federal security and intelligence agencies), traditionally closed to foreign vendors.

From a geopolitical point of view, the operation is a controlled relocation. Israel does not relinquish the know-how, but transfers the corporate façade and political responsibility. Washington gains influence over a strategic technological capability. European allies can continue to buy without appearing — formally, at least — to be linked to an Israeli spyware under global scrutiny.

In this scheme, Graphite becomes a product with a U.S. stamp, and thus easier to defend diplomatically than Pegasus.

  2. What Graphite actually does
    Summary of key technical and commercial elements:

Total device access
Graphite, once installed, provides near-complete control over the victim’s phone: chats, files, GPS location, passwords, contacts, the ability to activate microphone and camera. Operationally it belongs to the same category as Pegasus and Predator.

Zero-click and high stealth
The infection can exploit zero-click vulnerabilities, particularly on the iMessage surface of iOS. This means: no suspicious links, no visible phishing SMS, no apps manually installed by the target. The user does not know they have been targeted.
Moreover, the architecture is designed to leave minimal traces. Citizen Lab and Amnesty Tech describe Graphite as extremely difficult to attribute to a specific operator: even other intelligence services (not just the victim) struggle to identify who launched the operation.

Targets: encrypted apps and private messaging
Graphite is intended to extract plaintext conversations and attachments from end-to-end encrypted apps such as WhatsApp, Signal, Telegram, iMessage. Instead of intercepting the line, it enters the phone and reads what has already been decrypted there.

Declared customer segment
Paragon claims Graphite is sold only to democratic governments, for counterterrorism and serious crime. This is the official line with which the company sought licenses and lobbied internationally.

In practice: Paragon is the provider; Graphite is the operational tool. It is effectively a new-generation military spyware with a “cleaned” public image.

  3. The geopolitical reasons for the transfer
    The sale of Paragon to the United States is a move of geopolitical repositioning.

For Washington:
• direct control over a top-tier intrusion technology;
• the ability to decide who can use Graphite and under what conditions;
• a public narrative: a tool for “security and counterterrorism” under Western democratic values.

For Tel Aviv:
• reduced political exposure after the Pegasus and Intellexa scandals;
• continuity of technical know-how;
• apparent depoliticization: the spyware is no longer (only) an Israeli product but an “allied” technology under the U.S. flag.

It is, in effect, a transatlantic normalization: the capability remains Israeli in substance, but is Americanized to make it acceptable within Western security relationships.

  4. Italy: the grey area of domestic use
    Analyses by Citizen Lab and Amnesty International in 2025 identified operational infrastructure linked to Graphite active in Italy. Several Italian activists and journalists — including Luca Casarini, Giuseppe Caccia and a reporter from Fanpage.it — received compromise notifications: technical warnings from Apple and Meta explicitly referring to a “state-sponsored” attack.

This is politically explosive. Because it contradicts Paragon’s reassuring narrative (“we sell only to reliable governments to fight serious crime”): the people affected were not terrorists but civilians engaged on issues such as Mediterranean migration, NGOs, and financial corruption investigations.

In June 2025 COPASIR (the Italian parliamentary committee for the security of the Republic) acknowledged the existence of contracts between Italian services (AISE and AISI) and Paragon. Official justification: combating migrant trafficking, counterterrorism, and protecting national security.

But inconsistencies emerge:
• the timeline of the attacks does not always coincide with counterterrorism operations;
• some command-and-control infrastructures linked to Graphite were located abroad;
• COPASIR lacks its own forensic analysis powers: it must rely on what the services report, which can be formally correct but partial.

The Rome public prosecutor’s office opened an exploratory file. Apple and Meta notified victims that the attack was “state-sponsored.” Three operational hypotheses remain:
• excessive or out-of-scope use by Italian services;
• abuse by private contractors;
• operational delegations to foreign agencies with converging interests (for example, on migration flows).

This happens in a country — Italy — that is already a historical node of the commercial surveillance industry: Tykelab and RCS Lab are based in Italy; Hacking Team (today Memento Labs) is Italian. Hacking Team provided the RCS / “Galileo” system able to take control of devices to governments including authoritarian regimes; this led to export controls with “catch-all” clauses for human rights risks. The company then tried to regain political room by leveraging relations with Italian security apparatuses.

Officially, there is “no record” of a full purchase of latest-generation spyware by the Italian State. But:
• there are possible Italian victims already notified as targets;
• COPASIR has admitted relations with Paragon;
• the prosecutors are investigating.

In short: the Italian exception is no longer so clean.

  5. The spyware ecosystem in Europe
    The Graphite case is the latest chapter of a story the European Parliament (PEGA committee) has already described.

Main spyware in use or offered to EU governments:

• Pegasus (NSO Group, Israel): used in Poland, Hungary, Spain; contacts/attempts in Greece. It is the most notorious “smoking gun.”
• Predator (Intellexa / Cytrox, Greek-Israeli-Macedonian axis): used in Greece against politicians and journalists; associated with surveillance campaigns targeting opposition and media.
• Cytrox: develops exploits, infection infrastructures and C2 servers for Predator; dozens of trap domains linked to Cytrox have been identified in Greece.
• Candiru / Saito Tech: Israeli Windows spyware used in Europe against dissidents and journalists; appears alongside Pegasus in the Catalan case (“Catalangate”).
• RCS / Remote Control System (“Galileo”): historic product of Hacking Team (Italy); not to be confused with RCS Lab, a separate Italian vendor. Marketed as a remote intrusion platform and promoted at trade shows like ISS World, the so-called “Wiretappers’ Ball,” where European security apparatuses shop.
• Intellexa Alliance: not only software, but a turnkey package. It sells Predator as well as the command-and-control infrastructure, training, operational support, and contractual cover.

Other related actors (surveillance + dirty operations):
• Black Cube: a private Israeli company staffed by ex-8200/Mossad; active in Hungary. Linked to campaigns against NGOs, journalists, political opponents and figures associated with George Soros. Not only digital surveillance but also pressure, delegitimization, and blackmail.
• Krikel / Ketyak (Greece): companies/brokers that allegedly supplied surveillance apparatus and infrastructure to the Greek intelligence service (EYP), potentially serving as a channel for Predator. The Greek government denies direct purchases, but corporate traces link them.

Key note: states often do not formally purchase spyware. They use intermediaries, contracts labeled “technical support,” “investigative services,” “cyber threat intelligence.” This avoids parliamentary transparency and offloads political responsibility.

  6. Who was spied on and why | Country case notes
    Below: cases where spyware was used for internal political objectives, journalists, opponents — not just counterterrorism.

POLAND
Tool: Pegasus (NSO Group).
Main targets:
• Krzysztof Brejza — senator and strategist for the opposition “Civic Coalition” campaign. Phone repeatedly compromised in 2019 during the campaign; stolen content was later broadcast by pro-government media.
• Roman Giertych — lawyer for opponents of the ruling PiS party; surveillance 2019–2020.
• Ewa Wrzosek — independent prosecutor; phone infected multiple times in summer 2021, after she had opened an investigation in 2020 into the postal-vote plan during the COVID pandemic.
• Other activists, political consultants and officials, including former PiS members who became inconvenient.
PEGA assessment: Pegasus was used as a domestic political weapon with almost no judicial oversight.

HUNGARY
Tool: Pegasus purchased by the Ministry of the Interior, with authorizations from the Ministry of Justice, justified as “national security.”
Main targets:
• Szabolcs Panyi — investigative journalist, Direkt36, surveilled in 2019.
• András Szabó — colleague journalist, Direkt36, 2019.
• Zoltán Varga — media entrepreneur (24.hu), critical of Orbán, 2019.
• János Bánáti — lawyer, president of the Hungarian Bar Association, 2019.
• Adrien Beauduin — Canadian PhD student and activist, 2019.
• Opposition mayors, civic activists, and even insiders becoming “problematic.”
PEGA assessment: Hungary is one of the worst EU cases. Spyware is a tool of political and media control; oversight authorities answer to the same government.

GREECE
Tools: Predator (Intellexa/Cytrox) via malicious SMS links; official EYP interceptions masked as “national security.”
Main/attempted targets:
• Nikos Androulakis — MEP and leader of PASOK-KINAL. In 2021 he was targeted with Predator while running for party leadership; simultaneously, the EYP was formally intercepting him.
• Thanasis Koukakis — economic journalist; Predator infection 2020–2021 while investigating financial scandals.
• Christos Spirtzis — SYRIZA MP and former minister; Predator attempt in 2021.
• Stavros Malichoudis — migration and border journalist; surveilled by EYP under the pretext of “national security.”
PEGA assessment: “Predatorgate” shows parallel use of illegal commercial spyware and institutional interception for internal political purposes.

SPAIN
Tools: Pegasus (NSO) and Candiru (Windows spyware).
Main targets:
• Pere Aragonès — then Catalan vice-president (later president). Target 2019–2020: surveillance of the Catalan independence movement.
• Staff of Carles Puigdemont — exiled Catalan president. Targeting often extended to staff and lawyers.
• Gonzalo Boye — Puigdemont’s lawyer; surveilled in 2020, an attack on attorney-client privilege.
• Dozens of Catalan independence figures: politicians, activists, civil society, MEPs.
• Pedro Sánchez — Spanish Prime Minister. In 2021 his phone was infected with Pegasus in an operation attributed to a foreign actor (often indicated as Morocco). The Defence Minister Margarita Robles was also hit.
PEGA assessment: a double level — internal repression against Catalan independence (justified as “national security”) and external attack against the central government.

FRANCE
Tool: Pegasus.
Main targets:
• Emmanuel Macron — President of the Republic. His number appears on lists of potential targets 2019–2020, attributed to Moroccan services.
• Jean-Yves Le Drian, Édouard Philippe and other ministers — also appearing on targeting lists.
• High-profile French journalists and investigative editors.
PEGA assessment: this reveals an external interference dimension. It is not (only) France spying on dissidents: a third country (Morocco) targeted top French officials.

GERMANY
Tool: a “limited” version of Pegasus purchased by the Bundeskriminalamt (BKA) for counterterrorism and serious crime.
Official stance: Berlin claims it disabled the most intrusive functions and uses the tool only with judicial authorizations.
Open problems:
• even a “limited” Pegasus allows retroactive access to past messages, passwords, address books and archives;
• technically it is possible to impersonate the victim using their credentials, risking tampering with digital evidence;
• regarding fundamental rights under the ECHR, huge doubts remain: strict limits, real proportionality and ex-post notification requirements are hard to uphold when tools grant retroactive access to all data.

PEGA assessment: Germany reports “judicial and targeted” use, but legal guarantees struggle against tools that inherently strip the phone of privacy.

  7. Quick summary of the investigation
    • Germany → declared use “only judicial/antiterrorism” but with major legal doubts because Pegasus remains intrusive and allows retroactive total access.
    • Paragon / Graphite → new Israeli “premium” player: zero-click infections like Pegasus, declared sales only to “friendly Western” governments. After corporate restructuring under AE Industrial Partners/USA, Graphite becomes politically more defensible for allies.
    • Main systems in the EU market → Pegasus (NSO), Predator (Intellexa/Cytrox), Cytrox itself, Candiru, RCS/Galileo, and collateral structures like Black Cube / Krikel that act as contractors and operational cover.
    • Who spies whom (domestic political use, not counterterrorism):
    – Poland → opposition, lawyers, independent prosecutors.
    – Hungary → independent journalists, critical media entrepreneurs, opposition, students and inconvenient insiders.
    – Greece → opposition leaders, journalists on migration and finance; Predator and EYP interceptions masked as national security.
    – Spain → Catalan independence movement (Pegasus/Candiru) + Pegasus hack against the Prime Minister and ministers attributed to a foreign actor.
    – France → top state figures and ministers targeted by a third country (Morocco).

This summary shows spyware is no longer just a counterterrorism tool: it has become a political weapon, a means of internal control and interstate pressure.

  8. Concluding analysis
    The Graphite case shows how, after Pegasus, digital espionage is moving from Israel toward new forms of transatlantic partnership.

The supply chain works like this:
• the U.S. brand politically shields democratic states that use it, offering an “ethical cover”;
• Israel retains technological leadership behind the scenes, keeping the know-how, exploit pipeline and operational capability;
• Europe becomes a testing ground — politically, legally and in the press — where spyware is used not only against terrorists and criminal networks but also against journalists, opponents, lawyers and social movements.

In Italy, official statements look more like image management than real transparency, confirming the difficulty of balancing security and liberty. The official line invokes national security, migration and terrorism. But the targets include civil and political actors. This discrepancy lies at the heart of the matter: it shows how fragile the balance between security and freedom is today.

Next-generation spyware is not merely an investigative tool. It is a tool for governing dissent.

  9. Main sources
    Citizen Lab, “Virtue or Vice? A First Look at Paragon’s Spyware Operations”, 2025
    Citizen Lab, “Graphite Caught: First Forensic Confirmation”, 2025
    COPASIR Report, Italian Parliament, June 2025
    Reuters, “AE Industrial Partners acquires Paragon Solutions”, 2024
    Forbes, “Israel’s Paragon Builds a New Kind of Spyware”, 2021
    Wired / The Guardian / AP, investigations 2024–2025
    European Parliament PEGA committee, Report A9-2023-0189 and subsequent hearings
    Amnesty International Security Lab technical documentation, 2024–2025
  APPENDIX A – U.S. supply chain
    Verifiable summary:
    Paragon Parent Inc. appears registered in Delaware in autumn 2024; in December 2024 AE Industrial Partners announced the acquisition of Paragon and integration with REDLattice. AEI already held a significant stake in REDLattice since 2023. The companies are private: there are no public SEC 8-K filings.

The control chain therefore becomes:
Paragon Solutions Ltd. (Israel) → Paragon Parent Inc. (USA/Delaware) → AE Industrial Partners (control) with operational integration of REDLattice.

REDLattice:
REDLattice, in its own corporate description, is a provider focused on full-spectrum cyber capabilities and technological solutions for U.S. national security, defense and commercial customers. It says it helps clients achieve mission success by rapidly designing, developing and deploying advanced engineering applications and solutions for complex challenges, and that its experts in vulnerability research (VR), reverse engineering (RE), tool development, malware analysis and advanced operational capabilities help develop the next generation of tools for the battlefield.

The main objective of the switch to a “U.S. flag” is to restore commercial and political credibility to the product (Graphite) after scandals in the Israeli sector: the U.S. brand facilitates contracts with federal agencies and allied states, reducing reputational costs for democratic governments that use it.

Confirmed key elements:
• Registration of Paragon Parent Inc. in Delaware (Q4 2024).
• Acquisition announcement by AE Industrial Partners (December 2024).
• Planned integration with REDLattice (AEI already an investor since 2023).
• No public SEC documentation (companies are private).
• Narrative of “re-accreditation” under U.S. governance.

Who founded/heads REDLattice:
• John Ayers — Founder & CEO. Listed as founder/CEO in multiple sources (AEI press releases, executive profiles, industry press).
• Kevin Rummel — President & COO. Long-standing manager remaining after AEI involvement.
• Brian Knobbs — CTO. Listed among key executives.
Other technical executives (VP/EVP) appear in industry directories. All linked to a contractor perimeter serving national security customers.

Political outcome: Graphite becomes a “U.S.” product, thus easier to defend among allies and to purchase by European governments without formally admitting association with an Israeli spyware under investigation.

The U.S. government bought these services. U.S. Immigration and Customs Enforcement (ICE) signed a contract of about $2 million with Paragon in autumn 2024 to obtain access to the spyware and training. This contract was initially placed on pause (stop work order) to verify compliance with a U.S. executive order limiting the use of commercial spyware, but the pause was later lifted and ICE can now use the spyware again.

  APPENDIX B – EU & cross-border cooperation
    European framework: in 2025 the EU Commission pushes for “legal and effective” access to data (e-evidence) via cooperation with providers and with Eurojust/Europol. No public evidence emerges of direct procurement of Graphite by EU agencies (Europol, Frontex). The focus is on judicial cooperation and data preservation, not on purchasing mercenary spyware.

Italy: in 2025 press sources reported suspension/closure of relations with Paragon, with government positions not always aligned over time. NGOs (Amnesty, Access Now) denounce the normalization of spyware against journalists and civil society; Italian services justify use in migration, combating criminal networks and security.

Suggested verification avenues (EU/Italy):
• EU procurement databases (TED/eTendering) for entries on “lawful intercept”, “remote device access”, “surveillance platform”.
• EU Transparency Register for meetings/consultancies with entities linked to Paragon/AEI/REDLattice.
• Parliamentary questions and committee records (LIBE, ITRE) on mercenary spyware 2024–2025.

There is abundant evidence that spyware has been used in several Member States for purely political objectives, targeting critics and opponents. Investigations link Pegasus and other surveillance spyware to various human rights violations by governments, including monitoring, blackmail, smear campaigns, intimidation and harassment.

Unlike conventional wiretaps, which allow only real-time monitoring of communications, spyware can provide full and retroactive access to past files and messages, passwords and communication metadata. Consequently, a court decision setting an operation’s start date and duration provides ineffective safeguards when spyware grants retroactive total access to data. It is also technically possible to impersonate the targeted person by obtaining access to their credentials and digital identity. It is extremely difficult for a target to detect an intrusion by spyware. Spyware leaves few or no traces on the target device and, even if detected, it is very difficult to prove who was responsible for the attack.

From information provided by NSO Group, Pegasus was sold to at least 14 EU countries until contracts were terminated with two countries. It is not known which countries these are, but it is presumed to be Poland and Hungary. However, until NSO Group or the Israeli government release an official statement regarding contract terminations, this cannot be verified.

Italy – official position and industrial reality
At the time of the PEGA report (2023) there had been no reports of a possible purchase of spyware by Italian authorities; the COPASIR admissions of 2025 discussed above postdate it. No high-level espionage cases had been reported either, although the phone number of former Prime Minister and President of the Commission Romano Prodi was found in the list published by the Pegasus Project. As a former UN special envoy for the Sahel, he could have been an interesting target for Morocco, given possible high-level contacts in Western Sahara and Algeria.

Spyware companies Tykelab and RCS Lab have chosen Italy as their business base. Another company offering offensive intrusion software from Italy since at least 2012 was Hacking Team, now Memento Labs. The company gained notoriety after a hack revealed sales to authoritarian countries that used RCS to attack political dissidents, journalists and human rights defenders. An investigation launched by NGOs and UN investigators into RCS exports to Sudan led Italian authorities to impose a “catch-all” clause on export licenses for human rights risk, forcing the company to request individual authorizations for each sale. Hacking Team later lobbied the Ministry of Economic Development to recover a global license, leveraging relations with senior government, intelligence and law enforcement officials to present itself as a “national security resource.”

Concrete final verification leads (Italy):
• Italian prosecutors (Rome / Palermo): verify files on misuse, any rogatory requests and forensic reports.
• Collect testimonies: Italian journalists/activists notified by Apple/Meta in 2024–2025.

Final operational conclusion
Graphite is not an isolated incident but the new standard.

It is the evolution of the Pegasus model: the same logic of total intrusion, but with a politically and industrially “cleaned” transatlantic supply chain. The U.S. brand acts as a reputational shield. Israel remains the technological hub. Europe — Italy included — is the ground where this infrastructure gets tested, normalized and increasingly used to control political and civic dissent.


(Then follows the detailed tabular listings and the non-expert guide to how Graphite works, infection chains, forensic traces, attribution challenges and operational mechanics, as described above.)

How Graphite works: a reasoned guide for non-experts

  1. Objective of Graphite
    Graphite is a government spyware designed to:
    • enter a target’s phone (iPhone or Android);
    • read and copy data from apps like WhatsApp, Signal, Telegram, iMessage;
    • monitor the user in real time (location, microphone, camera, etc.).
    This is the strategic difference compared to the old Pegasus model: Pegasus took full control of the device and therefore left many forensic traces. Graphite is marketed as “more targeted”: it focuses on messaging apps and communication content, making it harder to detect and politically easier to justify (“used only against serious crime and terrorism”). Citizen Lab stresses, however, that in practice Graphite’s access is still deep and highly invasive, not a “surgical” tool.
  2. How it enters the phone (infection chain)
    Graphite uses high-end infection techniques comparable to those of national intelligence services.

Two main documented modes:
a) Zero-click via iMessage (iPhone)
The attacker sends the victim a malicious payload (for example, a specially crafted iMessage) that exploits an unknown (“zero-day”) vulnerability in iOS. The victim need do nothing: no link to click, no attachment to open. Simply receiving the message is enough. The vulnerability is exploited to execute code on the phone and install the spyware. Citizen Lab confirmed that in 2025 two European journalists (one Italian, Ciro Pellegrino of Fanpage.it, and one anonymous) were infected in this way. The attacks occurred on updated iPhones in early 2025, and Apple later patched the flaw in iOS 18.3.1, assigning it CVE-2025-43200. This follows the same technical philosophy as Pegasus (e.g., FORCEDENTRY on iMessage in 2021), i.e., using Apple’s messaging to execute remote code without user interaction.

b) Zero-click / low-click on WhatsApp
In other cases (including Italy), WhatsApp notified activists and journalists that they had been hit by a technique exploiting group management. The mechanism described: the target was added to a chat/group and a manipulated file (e.g., a “trojaned” PDF) was posted in it. The user did not have to click anything, because the platform’s automatic parsing of the content was enough to trigger the exploit. Meta/WhatsApp said it fixed the flaw and notified more than 90 people, including Italian civil society actors connected to migrant NGOs and investigative journalists. This politically important detail means Paragon can breach both iOS and mainstream messaging platforms, doing so invisibly to the victim.

  3. What it does once inside
    After infection, Graphite behaves like a “complete digital bug”:
    • extracts messages and attachments from end-to-end encrypted apps (WhatsApp, Signal, iMessage, Telegram, etc.). Note: it does not “intercept the line” externally; it reads them after the phone has already decrypted them, so it sees them in plaintext.
    • accesses contacts, call logs, saved files, notes, GPS location.
    • can turn on microphone and camera to convert the smartphone into an ambient listening and visual surveillance device. (This type of capability is standard for government spyware in the Pegasus class and Citizen Lab considers it plausible for Graphite, which is described as “mercenary spyware” with full-device capabilities despite cleaner marketing.)
    • exfiltrates data to operator-controlled command-and-control servers.
    In practice: the operator (the Paragon client government) obtains access to private conversations in real time and to the historical archive. This enables continuous and retroactive monitoring (who you spoke to, when, and with what attachments).
  4. How it communicates with its controller
    Citizen Lab mapped the infrastructure used by Graphite and its operators:
    • command-and-control (C2) servers on commercial cloud;
    • servers hosted within structures attributable to client governments;
    • “per-country” infrastructures, i.e., technical clusters that appear to correspond to individual national customers.

Network logs on victims’ phones pointed to the same C2 servers, allowing researchers to say: “These two journalists were attacked by the same Graphite operator.” Therefore: same infrastructure → same client. This is critical in court or in parliament because it demonstrates a coherent operational chain traceable to a state or para-state structure.
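The “same infrastructure → same client” inference is only as strong as the specificity of the shared indicators: two victims whose logs share a dedicated C2 hostname are a far stronger link than two whose logs merely touch the same commercial cloud address that thousands of unrelated tenants also use. The following Python block is an added illustration of that reasoning, not code from Citizen Lab or from the original article; the victim names, hostnames and IP addresses are constructed placeholders (IPs from documentation ranges), and the similarity threshold is an arbitrary choice for the demonstration.

```python
from itertools import combinations

# Constructed sample, not data from the Citizen Lab reports: the network
# indicators (C2 hostnames / IPs) recovered from each victim's device logs.
# Hostnames are placeholders and IPs come from documentation ranges.
VICTIM_INDICATORS = {
    "journalist_A": {"cdn-update.example-c2.net", "198.51.100.23", "203.0.113.7"},
    "journalist_B": {"cdn-update.example-c2.net", "198.51.100.23"},
    "activist_C":   {"api.other-c2.example.org", "203.0.113.7"},
    "activist_D":   {"api.other-c2.example.org", "192.0.2.44"},
}

# Indicators that many unrelated tenants also touch (here: a hypothetical
# shared cloud load-balancer IP). A match on these alone is not evidence of a
# common operator, so they are excluded before scoring.
LOW_SPECIFICITY = {"203.0.113.7"}


def specific_indicators(indicators, low_specificity=LOW_SPECIFICITY):
    """Drop indicators too generic to carry attribution weight."""
    return set(indicators) - set(low_specificity)


def overlap_score(a, b, low_specificity=LOW_SPECIFICITY):
    """Jaccard similarity of two victims' specific indicators (0.0 .. 1.0)."""
    a = specific_indicators(a, low_specificity)
    b = specific_indicators(b, low_specificity)
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_operators(victims, threshold=0.3, low_specificity=LOW_SPECIFICITY):
    """Group victims whose indicator overlap meets the threshold.

    Uses union-find so that transitive links (A~B, B~C) land in one cluster,
    which is how a shared C2 pool gets attributed to a single operator.
    Returns a sorted list of sorted victim-name lists.
    """
    parent = {v: v for v in victims}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for v1, v2 in combinations(victims, 2):
        if overlap_score(victims[v1], victims[v2], low_specificity) >= threshold:
            parent[find(v1)] = find(v2)

    groups = {}
    for v in victims:
        groups.setdefault(find(v), []).append(v)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print("specific indicators only:", cluster_operators(VICTIM_INDICATORS))
    # Counting the shared cloud IP as evidence wrongly merges all four victims.
    print("naive (all indicators):  ",
          cluster_operators(VICTIM_INDICATORS, threshold=0.2, low_specificity=set()))
```

With the generic address excluded, the sample splits into two operator clusters; passing `low_specificity=set()` shows how treating a shared cloud IP as a link collapses all four victims into one supposed operator, which is exactly the kind of over-attribution that does not hold up in court or before a parliamentary committee.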

  5. Why it is hard to attribute (and why governments like it)
    Graphite is designed to be:
    • hard to see (zero-click, no pop-ups, no classic phishing messages);
    • hard to analyze afterward (very few residual files, aggressive wiping of traces, activity hidden in existing system processes);
    • hard to attribute publicly because Paragon sells the tool while the client government executes the operation. Thus a government can claim “it wasn’t us” or “it was legal, against organized crime,” even if victims are journalists and NGOs. Citizen Lab states clearly: the industry (including Paragon) claims “we sell only to responsible governments for legitimate uses,” but in practice spyware appeared on phones of: journalists (Fanpage.it), activists involved in Mediterranean rescue operations, human rights defenders, and economic reporters investigating corruption. The real use is political/societal, not just counterterrorism.

Summary of the Graphite “mechanics” as described by Citizen Lab:
• Preparation: the client (police, intelligence, etc.) identifies a target and configures a C2 server via Paragon’s infrastructure.
• Infection: the target receives a zero-click payload via iMessage (iOS) or an analogous vector such as a WhatsApp group exploit. No action required by the victim.
• Stabilization: the spyware executes code on the device, bypasses OS protections and implants itself. Persistence depends on the exploit chain and subsequent patches.
• Collection: it extracts chats, attachments, contacts, location and private content from encrypted apps. It can enable microphone and camera.
• Exfiltration: sends everything to operator-controlled servers using encrypted channels, often routed through masked cloud infrastructure.
• Cleanup / forensic difficulty: leaves very few traces; without Apple or Meta notifications it would be almost impossible to know one had been targeted.
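As an added example (not from the original page and not the code of any forensic toolkit), the following Python block sketches the triage a practitioner runs on a device suspected of compromise: first check whether the installed iOS build predates the 18.3.1 fix for CVE-2025-43200 cited above, then walk the per-process network records for indicator matches and sum the outbound volume of flagged processes. The records, indicator values and process names are constructed placeholders, not the published Graphite indicators; the allow-list of known processes is a hypothetical stand-in for the installed-app inventory a real toolkit would read from the device.

```python
from datetime import datetime, timezone

# Constructed sample: per-process network records of the kind a mobile
# forensic toolkit extracts from an iOS backup or sysdiagnose. Process names,
# domains, sizes and times are placeholders, NOT published Graphite indicators.
DEVICE_RECORDS = [
    {"ts": "2025-01-14T09:02:11Z", "proc": "com.apple.MobileSMS",       "domain": "gateway.icloud.example",    "bytes_out": 2_100},
    {"ts": "2025-01-14T09:02:19Z", "proc": "com.apple.imtransferagent", "domain": "",                          "bytes_out": 0},
    {"ts": "2025-01-14T09:02:40Z", "proc": "helperd",                   "domain": "cdn-update.example-c2.net", "bytes_out": 4_800_000},
    {"ts": "2025-01-15T22:17:03Z", "proc": "helperd",                   "domain": "cdn-update.example-c2.net", "bytes_out": 12_500_000},
    {"ts": "2025-01-16T08:00:00Z", "proc": "net.whatsapp.WhatsApp",     "domain": "g.whatsapp.example",        "bytes_out": 900_000},
]

# Hypothetical indicator set for the demonstration.
IOC_DOMAINS = {"cdn-update.example-c2.net"}
IOC_PROCESSES = {"helperd"}
# Hypothetical allow-list standing in for the device's own app/daemon inventory.
KNOWN_PROCESSES = {"com.apple.MobileSMS", "com.apple.imtransferagent", "net.whatsapp.WhatsApp"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ios_version_tuple(version):
    """'18.3' -> (18, 3); a shorter tuple sorts before (18, 3, 1), so 18.3 counts as older."""
    return tuple(int(p) for p in version.split("."))


def patched_for_cve_2025_43200(ios_version):
    """The page states Apple fixed the iMessage flaw in iOS 18.3.1; older builds are in the exposure window."""
    return ios_version_tuple(ios_version) >= (18, 3, 1)


def scan_records(records, ioc_domains=IOC_DOMAINS, ioc_processes=IOC_PROCESSES, known=KNOWN_PROCESSES):
    """Return indicator hits as a time-ordered list, each with the reasons it matched."""
    hits = []
    for r in records:
        reasons = []
        if r["domain"] in ioc_domains:
            reasons.append("ioc-domain")
        if r["proc"] in ioc_processes:
            reasons.append("ioc-process")
        elif r["proc"] not in known:
            reasons.append("unknown-process")  # weak signal: confirm against the real inventory
        if reasons:
            hits.append({"ts": parse_ts(r["ts"]), "proc": r["proc"], "domain": r["domain"],
                         "bytes_out": r["bytes_out"], "reasons": reasons})
    return sorted(hits, key=lambda h: h["ts"])


def exfil_volume(hits):
    """Outbound bytes attributable to flagged processes: a rough size of what left the device."""
    return sum(h["bytes_out"] for h in hits)


def triage(records, ios_version, **scan_kwargs):
    """One-shot summary: patch state, number of hits, first flagged activity, outbound volume."""
    hits = scan_records(records, **scan_kwargs)
    return {
        "ios_patched": patched_for_cve_2025_43200(ios_version),
        "hits": len(hits),
        "first_seen": hits[0]["ts"].isoformat() if hits else None,
        "bytes_out": exfil_volume(hits),
    }


if __name__ == "__main__":
    for h in scan_records(DEVICE_RECORDS):
        print(h["ts"].isoformat(), h["proc"], h["domain"], h["bytes_out"], ",".join(h["reasons"]))
    print(triage(DEVICE_RECORDS, "18.3"))
```

Two caveats follow directly from the mechanics above. A clean scan proves little: the implant wipes its traces, so an unpatched build with no hits still warrants a full backup examination and a check of the vendor notification history. And the "unknown-process" heuristic is only a prompt to look closer; on a real device it must be reconciled with the installed-app inventory before it counts as evidence.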

Other spyware operate largely the same way.
