techcrunch.com/
Lorenzo Franceschi-Bicchierai
10:00 PM PDT · October 28, 2025
On Monday, researchers at cybersecurity giant Kaspersky published a report identifying a new spyware called Dante that they say targeted Windows victims in Russia and neighboring Belarus. The researchers said the Dante spyware is made by Memento Labs, a Milan-based surveillance tech maker that was formed in 2019 after a new owner acquired and took over early spyware maker Hacking Team.
Memento chief executive Paolo Lezzi confirmed to TechCrunch that the spyware caught by Kaspersky does indeed belong to Memento.
In a call, Lezzi blamed one of the company’s government customers for exposing Dante, saying the customer used an outdated version of the Windows spyware that will no longer be supported by Memento by the end of this year.
“Clearly they used an agent that was already dead,” Lezzi told TechCrunch, using “agent” as the technical term for the spyware planted on the target’s computer.
“I thought [the government customer] didn’t even use it anymore,” said Lezzi.
Lezzi, who said he was not sure which of the company’s customers were caught, added that Memento had already requested that all of its customers stop using the Windows malware. Lezzi said the company had warned customers that Kaspersky had detected Dante spyware infections since December 2024. He added that Memento plans to send a message to all its customers on Wednesday asking them once again to stop using its Windows spyware.
He said that Memento currently only develops spyware for mobile platforms. The company also develops some zero-days — meaning security flaws in software unknown to the vendor that can be used to deliver spyware — though it mostly sources its exploits from outside developers, according to Lezzi.
When reached by TechCrunch, Kaspersky spokesperson Mai Al Akkad would not say which government Kaspersky believes is behind the espionage campaign, but that it was “someone who has been able to use Dante software.”
“The group stands out for its strong command of Russian and knowledge of local nuances, traits that Kaspersky observed in other campaigns linked to this [government-backed] threat. However, occasional errors suggest that the attackers were not native speakers,” Al Akkad told TechCrunch.
In its new report, Kaspersky said it found a hacking group using the Dante spyware that it refers to as “ForumTroll,” describing how the group targeted people with invitations to the Russian politics and economics forum Primakov Readings. Kaspersky said the hackers targeted a broad range of industries in Russia, including media outlets, universities, and government organizations.
Kaspersky’s discovery of Dante came after the Russian cybersecurity firm said it detected a “wave” of cyberattacks with phishing links that were exploiting a zero-day in the Chrome browser. Lezzi said that the Chrome zero-day was not developed by Memento.
In its report, Kaspersky researchers concluded that Memento “kept improving” the spyware originally developed by Hacking Team until 2022, when the spyware was “replaced by Dante.”
Lezzi conceded that it is possible that some “aspects” or “behaviors” of Memento’s Windows spyware were left over from spyware developed by Hacking Team.
A telltale sign that the spyware caught by Kaspersky belonged to Memento was that the developers allegedly left the word “DANTEMARKER” in the spyware’s code, a clear reference to the name Dante, which Memento had previously and publicly disclosed at a surveillance tech conference, per Kaspersky.
Much like Memento’s Dante spyware, some versions of Hacking Team’s spyware, codenamed Remote Control System, were named after historical Italian figures, such as Leonardo da Vinci and Galileo Galilei.
A history of hacks
In 2019, Lezzi purchased Hacking Team and rebranded it to Memento Labs. According to Lezzi, he paid only one euro for the company and the plan was to start over. 
“We want to change absolutely everything,” the Memento owner told Motherboard after the acquisition in 2019. “We’re starting from scratch.”
A year later, Hacking Team’s CEO and founder David Vincenzetti announced that Hacking Team was “dead.”
Lezzi told TechCrunch that when he acquired Hacking Team, the company had only three government customers remaining, a far cry from the more than 40 government customers that Hacking Team had in 2015. That same year, a hacktivist called Phineas Fisher broke into the startup’s servers and siphoned off some 400 gigabytes of internal emails, contracts, documents, and the source code for its spyware.
Before the hack, Hacking Team’s customers in Ethiopia, Morocco, and the United Arab Emirates were caught targeting journalists, critics, and dissidents using the company’s spyware. Once Phineas Fisher published the company’s internal data online, journalists revealed that a Mexican regional government used Hacking Team’s spyware to target local politicians and that Hacking Team had sold to countries with human rights abuses, including Bangladesh, Saudi Arabia, and Sudan, among others.
Lezzi declined to tell TechCrunch how many customers Memento currently has but implied it was fewer than 100 customers. He also said that there are only two current Memento employees left from Hacking Team’s former staff.
The discovery of Memento’s spyware shows that this type of surveillance technology keeps proliferating, according to John Scott-Railton, a senior researcher who has investigated spyware abuses for a decade at the University of Toronto’s Citizen Lab.
It also shows that a controversial company can die because of a spectacular hack and several scandals, and yet a new company with brand-new spyware can still come out of its ashes.
“It tells us that we need to keep up the fear of consequences,” Scott-Railton told TechCrunch. “It says a lot that echoes of the most radioactive, embarrassed and hacked brand are still around.”
iverify.io
By Matthias Frielingsdorf, VP of Research
Oct 21, 2025
iOS 26 changes how shutdown logs are handled, erasing key evidence of Pegasus and Predator spyware, creating new challenges for forensic investigators
As iOS 26 is being rolled out, our team noticed a particular change in how the operating system handles the shutdown.log file: it effectively erases crucial evidence of Pegasus and Predator spyware infections. This development poses a serious challenge for forensic investigators and individuals seeking to determine if their devices have been compromised at a time when spyware attacks are becoming more common.
The Power of the shutdown.log
For years, the shutdown.log file has been an invaluable, yet often overlooked, artifact in the detection of iOS malware. Located within the Sysdiagnoses in the Unified Logs section (specifically, Sysdiagnose Folder -> system_logs.logarchive -> Extra -> shutdown.log), it has served as a silent witness to the activities occurring on an iOS device, even during its shutdown sequence.
In 2021, the publicly known version of Pegasus spyware was found to leave discernible traces within this shutdown.log. These traces provided a critical indicator of compromise, allowing security researchers to identify infected devices. However, the developers behind Pegasus, NSO Group, are constantly refining their techniques, and by 2022 Pegasus had evolved.
Pegasus's Evolving Evasion Tactics
While Pegasus still left evidence in the shutdown.log, NSO’s methods became more sophisticated. Instead of leaving obvious entries, the spyware began to wipe the shutdown.log file completely. Yet even with this attempted erasure, its own processes still left behind subtle traces. This meant that a seemingly clean shutdown.log whose first entries were traces of a Pegasus sample was, in itself, an indicator of compromise. Multiple cases of this behavior were observed until the end of 2022, highlighting the continuous adaptation of these malicious actors.
Following this period, it is believed that Pegasus developers implemented even more robust wiping mechanisms, likely monitoring device shutdown to ensure a thorough eradication of their presence from the shutdown.log. Researchers have noted instances where devices known to be active had their shutdown.log cleared, alongside other IOCs for Pegasus infections. This led to the conclusion that a cleared shutdown.log could serve as a good heuristic for identifying suspicious devices.
Predator's Similar Footprint
The sophisticated Predator spyware, observed in 2023, also appears to have learned from the past. Given that Predator was actively monitoring the shutdown.log, and considering the similar behavior seen in earlier Pegasus samples, it is highly probable that Predator, too, left traces within this critical log file.
iOS 26: An Unintended Cleanse
With iOS 26, Apple introduced a change (either an intentional design decision or an unforeseen bug) that causes the shutdown.log to be overwritten on every device reboot. Previously, each reboot appended a new entry, preserving every shutdown as its own snapshot. This means that any user who updates to iOS 26 and subsequently restarts their device will inadvertently erase all evidence of older Pegasus and Predator detections that might have been present in their shutdown.log.
This automatic overwriting, while potentially intended for system hygiene or performance, effectively sanitizes the very forensic artifact that has been instrumental in identifying these sophisticated threats. It could hardly come at a worse time - spyware attacks have been a constant in the news and recent headlines show that high-power executives and celebrities, not just civil society, are being targeted.
Identifying Pegasus 2022: A Specific IOC
For those still on iOS versions prior to 26, a specific IOC for Pegasus 2022 infections involved the presence of a /private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking entry within the shutdown.log. This particular IOC also revealed a significant shift in NSO Group's tactics: they began using normal system process names instead of easily identifiable, similarly named processes, making detection more challenging.
[Image: a shutdown.log file]
Correlating Logs for Deeper Insight (iOS 18 and earlier)
For devices running iOS 18 or earlier, a more comprehensive approach to detection involved correlating containermanagerd log entries with shutdown.log events. The containermanagerd logs record boot events and can retain data for several weeks. By comparing these boot events with shutdown.log entries, investigators could identify discrepancies: for example, if numerous boot events were recorded without corresponding shutdown.log entries, it suggested that something was amiss and potentially being hidden.
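The checks described in the two sections above (the Pegasus 2022 IOC path, the cleared-log heuristic, and the boot-event correlation), as a small added triage script that is not part of the iVerify post. The "SIGTERM:" / "remaining client pid:" line layout, the sample log text and the boot-event list are assumptions constructed for the example, since the post does not show the raw file format.

```python
"""Added example (not iVerify's code): triage a shutdown.log against the IOCs above."""
import re

# IOC path quoted in the post for Pegasus 2022 infections.
PEGASUS_2022_IOC = (
    "/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking"
)

# Constructed sample log: two shutdown snapshots. The line layout is an assumption
# modelled on typical shutdown.log entries; the second snapshot still has the IOC
# process running when the device shuts down.
SAMPLE_SHUTDOWN_LOG = """\
SIGTERM: [0x15] Mon Oct  6 08:11:02 2025
After 2s, there are still 1 proc(s) running:
\tremaining client pid: 418 (/usr/libexec/locationd)
SIGTERM: [0x15] Tue Oct  7 21:40:55 2025
After 3s, there are still 2 proc(s) running:
\tremaining client pid: 1202 (/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking)
\tremaining client pid: 419 (/usr/libexec/locationd)
"""

REMAINING_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\((.+)\)$")


def parse_shutdown_log(text: str) -> list[dict]:
    """Split the log into shutdown snapshots, each with its still-running processes."""
    entries: list[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SIGTERM:"):
            # Every SIGTERM line opens a new shutdown snapshot.
            stamp = line.split("]", 1)[1].strip() if "]" in line else line
            entries.append({"timestamp": stamp, "remaining": []})
            continue
        match = REMAINING_RE.search(line)
        if match and entries:
            entries[-1]["remaining"].append(
                {"pid": int(match.group(1)), "path": match.group(2)}
            )
    return entries


def find_ioc_hits(entries: list[dict], iocs=(PEGASUS_2022_IOC,)) -> list[dict]:
    """Return every still-running process whose path matches a known IOC."""
    hits = []
    for index, entry in enumerate(entries):
        for proc in entry["remaining"]:
            if proc["path"] in iocs:
                hits.append({"snapshot": index, "timestamp": entry["timestamp"], **proc})
    return hits


def cleared_log_suspicious(text: str, boot_events: list) -> bool:
    """Cleared-log heuristic: an empty shutdown.log on a device that has booted
    (boot events present in containermanagerd) is itself worth a closer look."""
    return text.strip() == "" and len(boot_events) > 0


def correlate_boots(entries: list[dict], boot_events: list, tolerance: int = 1) -> dict:
    """Compare containermanagerd boot events with shutdown snapshots. A graceful
    reboot should produce one of each; a small surplus of boots is allowed for
    crashes or forced restarts, anything beyond that is flagged."""
    missing = len(boot_events) - len(entries)
    return {
        "boots": len(boot_events),
        "shutdowns": len(entries),
        "missing_shutdowns": max(missing, 0),
        "suspicious": missing > tolerance,
    }


def triage(text: str, boot_events: list) -> dict:
    """Run all three checks and return a combined verdict."""
    entries = parse_shutdown_log(text)
    hits = find_ioc_hits(entries)
    correlation = correlate_boots(entries, boot_events)
    cleared = cleared_log_suspicious(text, boot_events)
    return {
        "ioc_hits": hits,
        "cleared_log": cleared,
        "correlation": correlation,
        "verdict": "suspicious" if (hits or cleared or correlation["suspicious"]) else "clean",
    }


if __name__ == "__main__":
    # Constructed boot timestamps: five boots but only two shutdown snapshots.
    boots = ["2025-10-03", "2025-10-04", "2025-10-06", "2025-10-07", "2025-10-08"]
    print(triage(SAMPLE_SHUTDOWN_LOG, boots))
```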
Before You Update
Given the implications of iOS 26's shutdown.log handling, it is crucial for users to take proactive steps:
Before updating to iOS 26, immediately take and save a sysdiagnose of your device. This will preserve your current shutdown.log and any potential evidence it may contain.
Consider holding off on updating to iOS 26 until Apple addresses this issue, ideally by releasing a bug fix that prevents the overwriting of the shutdown.log on boot.
techcrunch.com
Lorenzo Franceschi-Bicchierai
7:45 AM PDT · October 21, 2025
A developer at Trenchant, a leading Western spyware and zero-day maker, was suspected of leaking company tools and was fired. Weeks later, Apple notified him that his personal iPhone was targeted with spyware.
Earlier this year, a developer was shocked by a message that appeared on his personal phone: “Apple detected a targeted mercenary spyware attack against your iPhone.”
“I was panicking,” Jay Gibson, who asked that we don’t use his real name over fears of retaliation, told TechCrunch.
Gibson, who until recently built surveillance technologies for Western government hacking tools maker Trenchant, may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.
“What the hell is going on? I really didn’t know what to think of it,” said Gibson, adding that he turned off his phone and put it away on that day, March 5. “I went immediately to buy a new phone. I called my dad. It was a mess. It was a huge mess.”
At Trenchant, Gibson worked on developing iOS zero-days, meaning finding vulnerabilities and developing tools capable of exploiting them that are not known to the vendor who makes the affected hardware or software, such as Apple.
“I have mixed feelings of how pathetic this is, and then extreme fear because once things hit this level, you never know what’s going to happen,” he told TechCrunch.
But the ex-Trenchant employee may not be the only exploit developer targeted with spyware. According to three sources who have direct knowledge of these cases, there have been other spyware and exploit developers in the last few months who have received notifications from Apple alerting them that they were targeted with spyware.
Apple did not respond to a request for comment from TechCrunch.
The targeting of Gibson’s iPhone shows that the proliferation of zero-days and spyware is starting to ensnare more types of victims.
Spyware and zero-day makers have historically claimed their tools are only deployed by vetted government customers against criminals and terrorists. But for the past decade, researchers at the University of Toronto’s digital rights group Citizen Lab, Amnesty International, and other organizations have found dozens of cases where governments used these tools to target dissidents, journalists, human rights defenders, and political rivals all over the world.
The closest public cases of security researchers being targeted by hackers happened in 2021 and 2023, when North Korean government hackers were caught targeting security researchers working in vulnerability research and development.
Suspect in leak investigation
Two days after receiving the Apple threat notification, Gibson contacted a forensic expert who has extensive experience investigating spyware attacks. After performing an initial analysis of Gibson’s phone, the expert did not find any signs of infection, but still recommended a deeper forensic analysis of the exploit developer’s phone.  
A forensic analysis would have entailed sending the expert a complete backup of the device, something Gibson said he was not comfortable with.
“Recent cases are getting tougher forensically, and some we find nothing on. It may also be that the attack was not actually fully sent after the initial stages, we don’t know,” the expert told TechCrunch.
Without a full forensic analysis of Gibson’s phone, ideally one where investigators found traces of the spyware and who made it, it’s impossible to know why he was targeted or who targeted him.
But Gibson told TechCrunch that he believes the threat notification he received from Apple is connected to the circumstances of his departure from Trenchant, where he claims the company designated him as a scapegoat for a damaging leak of internal tools.
Apple sends out threat notifications specifically for when it has evidence that a person was targeted by a mercenary spyware attack. This kind of surveillance technology is often invisibly and remotely planted on someone’s phone without their knowledge by exploiting vulnerabilities in the phone’s software, exploits that can be worth millions of dollars and can take months to develop. Law enforcement and intelligence agencies typically have the legal authority to deploy spyware on targets, not the spyware makers themselves.
Sara Banda, a spokesperson for Trenchant’s parent company L3Harris, declined to comment for this story when reached by TechCrunch before publication.
A month before he received Apple’s threat notification, when Gibson was still working at Trenchant, he said he was invited to go to the company’s London office for a team-building event.
When Gibson arrived on February 3, he was immediately summoned into a meeting room to speak via video call with Peter Williams, Trenchant’s then-general manager who was known inside the company as “Doogie.” (In 2018, defense contractor L3Harris acquired zero-day makers Azimuth and Linchpin Labs, two sister startups that merged to become Trenchant.)
Williams told Gibson the company suspected he was double employed and was thus suspending him. All of Gibson’s work devices would be confiscated and analyzed as part of an internal investigation into the allegations. Williams could not be reached for comment.
“I was in shock. I didn’t really know how to react because I couldn’t really believe what I was hearing,” said Gibson, who explained that a Trenchant IT employee then went to his apartment to pick up his company-issued equipment.
Around two weeks later, Gibson said Williams called and told him that following the investigation, the company was firing him and offering him a settlement agreement and payment. Gibson said Williams declined to explain what the forensic analysis of his devices had found, and essentially told him he had no choice but to sign the agreement and depart the company.
Feeling like he had no alternative, Gibson said he went along with the offer and signed.
Gibson told TechCrunch he later heard from former colleagues that Trenchant suspected he had leaked some unknown vulnerabilities in Google’s Chrome browser, tools that Trenchant had developed. Gibson, and three former colleagues of his, however, told TechCrunch he did not have access to Trenchant’s Chrome zero-days, given that he was part of the team exclusively developing iOS zero-days and spyware. Trenchant teams only have strictly compartmentalized access to tools related to the platforms they are working on, the people said.
“I know I was a scapegoat. I wasn’t guilty. It’s very simple,” said Gibson. “I didn’t do absolutely anything other than working my ass off for them.”
The story of the accusations against Gibson and his subsequent suspension and firing was independently corroborated by three former Trenchant employees with knowledge of the matter.
Two of the other former Trenchant employees said they knew details of Gibson’s London trip and were aware of suspected leaks of sensitive company tools.
All of them asked not to be named but believe Trenchant got it wrong.
9 October 2025
The phone of the Roman financier, one of the protagonists of the reorganization of the banking system, was allegedly attacked with the spyware that also hit journalists and public figures
After activists and journalists, now the world of finance. It is the latest piece in the saga of Graphite, the spyware developed by the Israeli company Paragon Solutions and used by governments and police forces in several countries, including Italy. According to what IrpiMedia and La Stampa have learned, a new name joins the list of people who, last January, received a message from WhatsApp informing them that they had been targeted by the spyware. It is Francesco Gaetano Caltagirone, entrepreneur, publisher, and one of the richest men in Italy. It is not known who tried to spy on him, but the notification that appeared on his phone, along with those of at least seven other people in the country, is unequivocal.
On the same day WhatsApp also sent notifications to Francesco Cancellato, editor-in-chief of Fanpage, and to the two founders of the NGO Mediterranea, Luca Casarini and Giuseppe “Beppe” Caccia. In the following months other names emerged: from don Mattia Ferrari, Mediterranea’s onboard chaplain, to Ciro Pellegrino, Fanpage’s managing editor, to Roberto D’Agostino, founder and publisher of the site Dagospia. However, this is the first case in which the people singled out include a businessman, far from the world of journalism or activism.
Caltagirone is also one of the protagonists of the series of deals that are reshaping the country’s financial landscape, as a shareholder of Generali, Mps and Mediobanca, the latter acquired by Mps itself (whose shareholders include the Italian state). At this point only the authorities will be able to establish whether it was a foreign government that targeted Caltagirone’s smartphone, a hypothesis already floated in Cancellato’s case, or whether an Italian hand is behind the operation. But let us proceed in order.
The WhatsApp group
According to what has been reconstructed, in December 2024 the phone number used by Caltagirone was added to a WhatsApp chat populated by contacts known to him, in which a PDF file had been shared. Shortly afterwards the chat disappeared, and the PDF with it.
The following month, WhatsApp informed the users involved that it had identified and fixed a vulnerability that would have allowed an attacker to plant spyware on the target’s device without their knowledge and without any need to click on a link or attachment. In jargon these are called “zero-click attacks”: they exploit a flaw in the device’s system or in an app (WhatsApp in this case) to inject any software without leaving a trace and, above all, without the target having to interact as in the more common attacks and frauds. And Caltagirone’s smartphone was among the recipients of that notification.
According to the reconstruction by other victims and by Citizen Lab itself, this is exactly the method by which Graphite was spread among its targets. The system does not strike at random but is programmed to install itself exclusively on the target’s phone, leaving the other people in the group untouched.
In light of the alert issued by the messaging app, the smartphone was restored to factory settings, eliminating the problem but also removing every element that would have made it possible to find traces of the spyware. When contacted, the Caltagirone group’s press office did not respond to a request for comment.
A flurry of notifications
The matter was the subject of an inquiry by Copasir (the Parliamentary Committee for the Security of the Republic, the parliamentary body that oversees the work of the Italian intelligence services), which took place last spring and covered the cases known at the time. According to the reconstruction in the committee’s report (made public), it was possible to establish that Caccia and Casarini were indeed the subject of surveillance by the intelligence services, “aimed at preventing the threat to national security posed by individuals suspected of facilitating the entry of foreign nationals into the national territory.” What happened on Cancellato’s phone, by contrast, has never been established, and the government has always rejected any accusation in that regard, as mentioned, going so far as to suggest the involvement of a foreign intelligence service.
Things became more complicated in April, when another notification, this time sent by Apple, informed a second batch of targets of the potential compromise of their devices. Among them was Ciro Pellegrino, managing editor of Fanpage. Although nothing was found on Cancellato’s device, it can hardly be a coincidence that a second Paragon infection was recorded at the same outlet. Fanpage is known for undercover investigations, including Gioventù meloniana which, thanks to the work of a journalist who infiltrated Gioventù Nazionale, exposed the far-right imprint and fascist nostalgia of the youth wing of the party of Prime Minister Giorgia Meloni. Subsequent analyses of Pellegrino’s phone, carried out in Citizen Lab’s laboratories in Toronto, confirmed the presence of Paragon on his device.
Only in June did the prosecutors’ offices of Rome and Naples order checks on the devices of the people placed under surveillance, ordering non-repeatable forensic analyses of the smartphones. Following this news, further names of Paragon victims were made public: one is Roberto D’Agostino, the founder of Dagospia. The other is Eva Vlaardingerbroek, a far-right Dutch influencer living in Rome.
“Governments have so many different tools for putting a target under surveillance that it is simply unthinkable that all of them are similar or easily identifiable,” a source who analyzed some of the devices told IrpiMedia. “Not only are there many more spyware products than those made by Paragon or NSO, there is also an entire network of favors exchanged between countries: if I cannot carry out an interception on a specific citizen, I ask the neighboring country,” the expert explains, without being able to go into cases that would substantiate these claims, for reasons of confidentiality. Contacted by IrpiMedia and La Stampa, Paragon did not respond to a request for comment.
Who Paragon’s customers are
Among insiders, Graphite is a well-known spyware. Paragon Solutions is a company founded in Israel that produces, develops and researches surveillance technologies at the highest level. Its main product is currently among the most sought after, especially since a competitor, NSO, had to drastically scale back its activity following several scandals linked to improper use of its technology by numerous governments, as IrpiMedia has also reported with stories ranging from Morocco to Mexico.
But the value of a product in the surveillance market is determined not only by the quality of the software itself, but by the ability of the company producing it to bypass the security systems of smartphones, computers, Android or Apple devices, so that it can work on any target and any technology. That is exactly the kind of service Paragon offers, and over time it has also collected investment from the European Union.
In December 2024, about a month before the notifications were sent that exposed one of Paragon’s tricks for infecting devices, the US investment fund AE Industrial Partners, focused on the aerospace, defense and cyber-surveillance sectors, bought the company for 900 million dollars, according to trade press reports. Public sources indicate that Graphite continues to win contracts with US agencies. The most recent is ICE, the federal agency for border and immigration control, with a contract worth two million dollars. IrpiMedia sources familiar with the contract between Paragon and Italy maintain that it was “in the order of tens of millions of euros, around thirty.”
For its part, over the years Paragon has managed to position itself as an “ethical” alternative to its competitor NSO. No scandals, only legitimate state customers and only “democratic countries that have successfully passed its rigorous due diligence and verification process,” the company itself explained in a statement last June. Although the contracts signed by the company are not public, it has stated that they prohibit the use of Graphite against journalists and activists.
Officially, this is the reason why, as early as the beginning of February, just after the notifications arrived, Paragon announced that it would unilaterally terminate its contract with Italy. A milder version of the relationship between the government and the Israeli company would end up in the Copasir report, which speaks of a “mutually agreed termination” between the parties. In any case, it is hard to see the point of this if Paragon too were to believe that it was not the Italian government that spied on the journalists, at the very least, but another of its customers.
After initially denying any wrongdoing, the Italian government had to admit that it had used Graphite against Luca Casarini and Beppe Caccia, not in their capacity as human rights activists but “with reference to their activities potentially related to irregular immigration.” Leaving aside Yambio, who as mentioned was not attacked via Graphite, there remains the notification received by Cancellato.
A murky world
In the cyber-surveillance market there is a world of researchers busy discovering the vulnerabilities of every system so that they can be used to spy on targets. One is the WhatsApp vulnerability, analyzed thanks to Citizen Lab, which allowed Graphite to be installed remotely without any interaction being required from the target. The other is Apple’s, which led to the notification to Ciro Pellegrino and other journalists.
In all the cases, the reporters turned to Citizen Lab to have their devices analyzed. As the organization itself confirmed in its reports, each analysis brought to light elements of compromise consistent precisely with the Israeli spyware.
According to what the technicians reconstructed and independent sources confirmed, the vulnerability found on the affected iPhones is linked to iMessage, Cupertino’s instant messaging app, which handles both messages exchanged between iPhones and SMS. In this case too it is a zero-click: Paragon found a way to break the iPhone’s security mechanisms by sending a message containing an image file.
“These are extremely expensive, technically complex attacks that have their own market worth billions,” an industry source explains on condition of anonymity. According to four experts consulted for this article, attacks aimed at Android or Apple devices are worth “around half a million euros per target, because the more they are used, the more likely they are to be discovered by the maker of the vulnerable piece of technology,” one source explains.
techcrunch.com
Lorenzo Franceschi-Bicchierai
9:11 AM PDT · September 2, 2025
The Israeli spyware maker now faces the dilemma of whether to continue its relationship with U.S. Immigration and Customs Enforcement and help fuel its mass deportations program.
U.S. Immigration and Customs Enforcement (ICE) signed a contract last year with Israeli spyware maker Paragon worth $2 million.
Shortly after, the Biden administration put the contract under review, issuing a “stop work order” to determine whether the contract complied with an executive order on commercial spyware, which restricts U.S. government agencies from using spyware that could violate human rights or target Americans abroad.
Almost a year later, when it looked like the contract would just run out and never become active, ICE lifted the stop work order, according to public records.
“This contract is for a fully configured proprietary solution including license, hardware, warranty, maintenance, and training. This modification is to lift the stop work order,” read an update dated August 30 on the U.S. government’s Federal Procurement Data System, a database of government contracts.
Independent journalist Jack Poulson was the first to report the news in his newsletter.
Paragon has for years cultivated the image of being an “ethical” and responsible spyware maker, in contrast with controversial spyware purveyors such as Hacking Team, Intellexa, and NSO Group. On its official website, Paragon claims to provide its customers with “ethically based tools, teams, and insights.”
The spyware maker faces an ethical dilemma. Now that the contract with ICE’s Information Technology Division is active, it’s up to Paragon to decide whether it wants to continue its relationship with ICE, an agency that has dramatically ramped up mass deportations and expanded its surveillance powers since Donald Trump took over the White House.
Emily Horne, a spokesperson for Paragon, as well as executive chairman John Fleming, did not respond to a request for comment. 
In an attempt to show its good faith, in February of this year, Fleming told TechCrunch that the company only sells to the U.S. government and other unspecified allied countries.
Paragon has already had to face a thorny ethical dilemma. In January, WhatsApp revealed that around 90 of its users, including journalists and human rights workers, had been targeted with Paragon’s spyware, called Graphite. In the following days and weeks, Italian journalist Francesco Cancellato and several local pro-immigration activists came forward saying they were among the victims.
In response to this scandal, Paragon cut ties with the Italian government, which had in the meantime launched an inquiry to determine what happened. Then, in June, digital rights research group Citizen Lab confirmed that two other journalists, an unnamed European and a colleague of Cancellato, had been hacked with Paragon’s spyware.
An Italian parliamentary committee concluded that the spying on the pro-immigration activists was legal, but it also claimed that there was no evidence that Italy’s intelligence agencies, former Paragon customers, had targeted Cancellato.
John Scott-Railton, a senior researcher at Citizen Lab, who has investigated cases of spyware abuse for more than a decade, told TechCrunch that “these tools were designed for dictatorships, not democracies built on liberty and protection of individual rights.”
The researcher said that even spyware is “corrupting,” which is why “there’s a growing pile of spyware scandals in democracies, including with Paragon’s Graphite. Worse, Paragon is still shielding spyware abusers. Just look at the still-unexplained hacks of Italian journalists.”
techcrunch.com - Zack Whittaker
11:15 AM PDT · August 29, 2025
A spyware vendor was behind a recent campaign that abused a vulnerability in WhatsApp to deliver an exploit capable of hacking into iPhones and Macs.
WhatsApp said on Friday that it fixed a security bug in its iOS and Mac apps that was being used to stealthily hack into the Apple devices of “specific targeted users.”
The Meta-owned messaging app giant said in its security advisory that it fixed the vulnerability, tracked officially as CVE-2025-55177, which was used alongside a separate flaw in iOS and Macs that Apple fixed last week and tracks as CVE-2025-43300.
Apple said at the time that the flaw was used in an “extremely sophisticated attack against specific targeted individuals.” Now we know that dozens of WhatsApp users were targeted with this pair of flaws.
Donncha Ó Cearbhaill, who heads Amnesty International’s Security Lab, described the attack in a post on X as an “advanced spyware campaign” that targeted users over the past 90 days, or since the end of May. Ó Cearbhaill described the pair of bugs as a “zero-click” attack, meaning it does not require any interaction from the victim, such as clicking a link, to compromise their device.
The two bugs chained together allow an attacker to deliver a malicious exploit through WhatsApp that’s capable of stealing data from the user’s Apple device.
Per Ó Cearbhaill, who posted a copy of the threat notification that WhatsApp sent to affected users, the attack was able to “compromise your device and the data it contains, including messages.”
It’s not immediately clear who, or which spyware vendor, is behind the attacks.
When reached by TechCrunch, Meta spokesperson Margarita Franklin confirmed the company detected and patched the flaw “a few weeks ago” and that the company sent “less than 200” notifications to affected WhatsApp users.
The spokesperson did not say, when asked, if WhatsApp has evidence to attribute the hacks to a specific attacker or surveillance vendor.
This is not the first time that WhatsApp users have been targeted by government spyware, a kind of malware capable of breaking into fully patched devices with vulnerabilities not known to the vendor, known as zero-day flaws.
In May, a U.S. court ordered spyware maker NSO Group to pay WhatsApp $167 million in damages for a 2019 hacking campaign that broke into the devices of more than 1,400 WhatsApp users with an exploit capable of planting NSO’s Pegasus spyware. WhatsApp brought the legal case against NSO, citing a breach of federal and state hacking laws, as well as its own terms of service.
Earlier this year, WhatsApp disrupted a spyware campaign that targeted around 90 users, including journalists and members of civil society across Italy. The Italian government denied its involvement in the spying campaign. Paragon, whose spyware was used in the campaign, later cut off Italy from its hacking tools for failing to investigate the abuse.
therecord.media - Germany’s highest court on Thursday ruled that law enforcement cannot use spyware to monitor personal devices in cases that carry less than a three-year maximum sentence.
The court was responding to a lawsuit brought by the German digital freedoms organization Digitalcourage.
The plaintiffs argued that a 2017 rules change enabling law enforcement to use spyware to eavesdrop on encrypted chats and messaging platforms could unfairly expose communications belonging to people who are not criminal suspects.
The 2017 change to the German criminal procedure code was not precise enough about when spyware can be used, the court ruled, saying that snooping software is only appropriate in investigations of serious cases.
Such surveillance causes a “very severe interference” with fundamental rights, the court said in a press release.
Law enforcement use of spyware “enables the interception and analysis of all raw data exchanged and thus has an exceptional reach, particularly given the realities of modern information technology and its significance for communication relations,” the press release said.
computerweekly.com - The Austrian government is likely to face legal challenges after it succeeded on its fifth attempt to pass a law this month giving the country’s intelligence service legal powers to deploy spyware on phones and computers. Civil society groups are holding discussions with MPs from the far-right Freedom Party (FPÖ) and the Greens, both of which voted against the new surveillance measures, regarding a legal challenge before Austria’s constitutional court.
Austria’s lower house passed the law on 9 July 2025, giving the Austrian intelligence service – the Directorate of State Protection and Intelligence (DSN) – the capability to deploy spyware, known as “a state trojan”, to monitor encrypted communications on services such as WhatsApp and Signal.
The three coalition governing parties, ÖVP, SPÖ and NEOS, agreed to changes to the State Protection and Intelligence Service Act (SNG), the Telecommunications Act 2021, the Security Police Act (SPG) and other laws to allow the state to spy on encrypted messages and gather other data stored on electronic devices.
The coalition government, headed by chancellor Christian Stocker, argued that Austria should have a legal framework to enable it to monitor encrypted messaging services in line with countries such as the UK and the US.
Austrian politicians pressed the case after a tip-off from the US Central Intelligence Agency (CIA) warning of an impending attack at a Taylor Swift concert, part of the Eras Tour, in August 2024 led to the cancellation of three concerts in the country. US intelligence reportedly identified that one of the suspects had pledged allegiance to ISIS-K on the Telegram messaging app.
Former chancellor Karl Nehammer also cited Austria’s biggest spying scandal, the Egisto Ott affair, as a reason for the DSN to be given more tools to act against foreign intelligence services, including the ability to intercept encrypted messaging services.
The new law has been criticised by civil society groups and some technology companies, which argue that the introduction of a “state trojan” will undermine internet security for Austrian citizens.
In July, 50 civil society groups from 16 countries wrote an open letter to MPs and the Austrian National Council, warning that the move to increase state surveillance would be a historic step backwards for IT security.
The civil society groups said the draft law was based on a “legal fiction” that would mean that, rather than protecting the population from cyber security risks, the state would instead promote and maintain security vulnerabilities, which will inevitably be discovered and exploited by hackers and hostile nation-states.
They point to the WannaCry ransomware attacks, which exploited a security vulnerability developed by the US National Security Agency (NSA) to infiltrate computer systems, causing severe disruption of hospitals, trains and mobile phone networks in 2017.
Thomas Lohninger, executive director of digital rights organisation Epicenter.Works, told Computer Weekly that his organisation will “try everything” to challenge the new law in Austria’s constitutional court. This includes bringing a constitutional challenge from the opposition Green Party and far-right FPÖ MPs before the law is enacted – a move that requires support from a third of MPs.
techcrunch.com - Google has suspended the account of phone surveillance operator Catwatchful, which was using the tech giant’s servers to host and operate the monitoring software.
Google’s move to shut down the spyware operation comes a month after TechCrunch alerted the technology giant the operator was hosting the operation on Firebase, one of Google’s developer platforms. Catwatchful relied on Firebase to host and store vast amounts of data stolen from thousands of phones compromised by its spyware.
“We’ve investigated these reported Firebase operations and suspended them for violating our terms of service,” Google spokesperson Ed Fernandez told TechCrunch in an email this week.
When asked by TechCrunch, Google would not say why it took a month to investigate and suspend the operation’s Firebase account. The company’s own terms of use broadly prohibit its customers from hosting malicious software or spyware operations on its platforms. As a for-profit company, Google has a commercial interest in retaining customers who pay for its services.
As of Friday, Catwatchful is no longer functioning, nor does it appear to transmit or receive data, according to a network traffic analysis of the spyware carried out by TechCrunch.
Catwatchful was an Android-specific spyware that presented itself as a child-monitoring app “undetectable” to the user. Much like other phone spyware apps, Catwatchful required its customers to physically install it on a person’s phone, which usually requires prior knowledge of their passcode. These monitoring apps are often called “stalkerware” (or spouseware) for their propensity to be used for non-consensual surveillance of spouses and romantic partners, which is illegal.
Once installed, the app was designed to stay hidden from the victim’s home screen, and upload the victim’s private messages, photos, location data, and more to a web dashboard viewable by the person who planted the app.
TechCrunch first learned of Catwatchful in mid-June after security researcher Eric Daigle identified a security bug that was exposing the spyware operation’s back-end database.
The bug allowed unauthenticated access to the database, meaning no passwords or credentials were needed to see the data inside. The database contained more than 62,000 Catwatchful customer email addresses and plaintext passwords, as well as records on 26,000 victim devices compromised by the spyware.
The data also exposed the administrator behind the operation, a Uruguay-based developer called Omar Soca Charcov. TechCrunch contacted Charcov to ask if he was aware of the security lapse, or if he planned to notify affected individuals about the breach. Charcov did not respond.
With no clear indication that Charcov would disclose the breach, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned.
Catwatchful is the latest in a long list of surveillance operations that have experienced a data breach in recent years, in large part due to shoddy coding and poor cybersecurity practices. Catwatchful is by TechCrunch’s count the fifth spyware operation this year to have spilled users’ data, and the most recent entry in a list of more than two dozen known spyware operations since 2017 that have exposed their banks of data.
As we noted in our previous story: Android users can check whether the Catwatchful spyware is installed, even if the app is hidden, by dialing 543210 into the Android phone app’s keypad and pressing the call button.
The spyware operation's exposed customer email addresses and passwords were shared with data breach notification service Have I Been Pwned.
A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator. 
The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app’s full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims.
Catwatchful is spyware masquerading as a child monitoring app that claims to be “invisible and cannot be detected,” all the while uploading the victim’s phone’s private contents to a dashboard viewable by the person who planted the app. The stolen data includes the victims’ photos, messages, and real-time location data. The app can also remotely tap into the live ambient audio from the phone’s microphone and access both front and rear phone cameras.
Spyware apps like Catwatchful are banned from the app stores and rely on being downloaded and planted by someone with physical access to a person’s phone. As such, these apps are commonly referred to as “stalkerware” (or spouseware) for their propensity to facilitate non-consensual surveillance of spouses and romantic partners, which is illegal.
Catwatchful is the latest example in a growing list of stalkerware operations that have been hacked, breached, or otherwise exposed the data they obtain, and is at least the fifth spyware operation this year to have experienced a data spill. The incident shows that consumer-grade spyware continues to proliferate, despite being prone to shoddy coding and security failings that expose both paying customers and unsuspecting victims to data breaches.
According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims’ devices.
Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims). Some of the records date back to 2018, the data shows.
The Catwatchful database also revealed the identity of the spyware operation’s administrator, Omar Soca Charcov, a developer based in Uruguay. Charcov opened our emails, but did not respond to our requests for comment sent in both English and Spanish. TechCrunch asked if he was aware of the Catwatchful data breach, and if he plans to disclose the incident to its customers.
Without any clear indication that Charcov will disclose the incident, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned.
Following major public exposures by Insikt Group and others throughout the last two years, alongside US government sanctions targeting the Intellexa Consortium — the organizational structure behind the Predator mobile spyware — Insikt Group observed a significant decline in Predator-related activity. This apparent decline raised questions about whether the combination of US sanctions, public exposure, and broader international efforts to curb spyware proliferation, such as the UK- and France-led Pall Mall process, had dealt a lasting blow to Intellexa’s operations. Yet Predator activity has not stopped, and in recent months Insikt Group has observed a resurgence of activity, reflecting the operators’ continued persistence. While much of the identified infrastructure is tied to known Predator operators in countries previously identified by Insikt Group, a new customer has also been identified in Mozambique — a country not previously publicly linked to the spyware. This aligns with the broader observation that Predator is highly active in Africa, with over half of its identified customers located on the continent. Additionally, Insikt Group has found a connection between high-tier Predator infrastructure and a Czech entity previously associated with the Intellexa Consortium.
On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists who consented to the technical analysis of their cases. In this report, we discuss key findings from our forensic analyses of their devices.
Researchers revealed on Thursday that two European journalists had their iPhones hacked with spyware made by Paragon. Apple says it has fixed the bug that was used to hack their phones.
The Citizen Lab wrote in its report, shared with TechCrunch ahead of its publication, that Apple had told its researchers that the flaw exploited in the attacks had been “mitigated in iOS 18.3.1,” a software update for iPhones released on February 10.
Until this week, the advisory of that security update mentioned only one unrelated flaw, which allowed attackers to disable an iPhone security mechanism that makes it harder to unlock phones.
On Thursday, however, Apple updated its February 10 advisory to include details about a new flaw, which was also fixed at the time but not publicized.
“A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” reads the now-updated advisory.
In the final version of its report published Thursday, The Citizen Lab confirmed this is the flaw used against Italian journalist Ciro Pellegrino and an unnamed “prominent” European journalist.
It’s unclear why Apple did not disclose the existence of this patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity.
The Paragon spyware scandal began in January, when WhatsApp notified around 90 of its users, including journalists and human rights activists, that they had been targeted with spyware made by Paragon, dubbed Graphite.
Then, at the end of April, several iPhone users received a notification from Apple alerting them that they had been the targets of mercenary spyware. The alert did not mention the spyware company behind the hacking campaign.
On Thursday, The Citizen Lab published its findings confirming that two journalists who had received that Apple notification were hacked with Paragon’s spyware.
It’s unclear if all the Apple users who received the notification were also targeted with Graphite. The Apple alert said that “today’s notification is being sent to affected users in 100 countries.”
Throughout late 2024 and early 2025, iVerify detected anomalous activity on iPhones belonging to individuals affiliated with political campaigns, media organizations, A.I. companies and governments operating in the United States and European Union.
Specifically, we detected exceedingly rare crashes typically associated with sophisticated zero-click attacks via iMessage – an exploitation technique previously unobserved in any systematic way in the United States. Subsequent forensic examination of several of these devices ultimately revealed a previously unknown vulnerability in the “imagent” process which, owing to its relative position in the operating system and functionality, would provide attackers a primitive for further exploitation. This vulnerability was patched by Apple in iOS 18.3. We’ve dubbed this vulnerability NICKNAME.
In the course of our investigation, we discovered evidence suggesting – but not definitively proving – this vulnerability was exploited in targeted attacks as recently as March of this year. Specifically, we learned that Apple sent Threat Notifications to at least one device belonging to a senior government official in the EU on which we saw the highly anomalous crashes. Likewise, one device demonstrated behavior frequently associated with successful exploitation, specifically the creation and deletion of iMessage attachments in bulk within a matter of seconds on several occasions after an anomalous crash. We only observed these crashes on devices belonging to extremely high value targets. And these crashes constituted only 0.0001% of the crash log telemetry taken from a sample of 50,000 iPhones.
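The two indicators the iVerify passage describes, a rare crash of the “imagent” process followed within seconds by bulk creation and deletion of iMessage attachments, can be turned into a simple correlation rule. The following is an added example for illustration, not iVerify’s code or tooling: the line-oriented log format, the event names, the 10-second window and the threshold of five attachments are all constructed assumptions (iOS does not emit telemetry in this exact shape), and the sample log is made up to show one flagged sequence and two benign ones.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry in an assumed format: "<ISO timestamp> <kind> <detail>".
# Lines 3-15 model the pattern from the report (imagent crash, then six attachments
# created and deleted within seconds). The SpringBoard crash and the lone imagent
# crash at 10:20 are benign controls that must not be flagged.
SAMPLE_LOG = """\
2025-03-02T10:14:50Z crash SpringBoard
2025-03-02T10:14:55Z attachment_create IMG_0001.jpg
2025-03-02T10:15:01Z crash imagent
2025-03-02T10:15:03Z attachment_create att-0001.bin
2025-03-02T10:15:03Z attachment_create att-0002.bin
2025-03-02T10:15:03Z attachment_create att-0003.bin
2025-03-02T10:15:04Z attachment_create att-0004.bin
2025-03-02T10:15:04Z attachment_create att-0005.bin
2025-03-02T10:15:04Z attachment_create att-0006.bin
2025-03-02T10:15:06Z attachment_delete att-0001.bin
2025-03-02T10:15:06Z attachment_delete att-0002.bin
2025-03-02T10:15:06Z attachment_delete att-0003.bin
2025-03-02T10:15:07Z attachment_delete att-0004.bin
2025-03-02T10:15:07Z attachment_delete att-0005.bin
2025-03-02T10:15:07Z attachment_delete att-0006.bin
2025-03-02T10:20:00Z crash imagent
2025-03-02T10:20:30Z attachment_create IMG_0002.jpg
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str     # "crash", "attachment_create" or "attachment_delete"
    detail: str   # process name for crashes, attachment file name otherwise


def parse_log(text: str) -> list[Event]:
    """Parse the assumed log format into Event records, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, kind, detail = line.split(" ", 2)
        events.append(Event(datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), kind, detail))
    return sorted(events, key=lambda e: e.ts)


def attachment_churn_after_crash(
    events: list[Event],
    process: str = "imagent",
    window: timedelta = timedelta(seconds=10),
    min_attachments: int = 5,
) -> list[tuple[str, int]]:
    """Correlation rule: for every crash of `process`, count attachments that were
    both created AND deleted within `window` after the crash. A crash whose churn
    reaches `min_attachments` is reported as (crash timestamp, churn count).
    A crash on its own, or attachment activity without a crash, is not reported."""
    hits = []
    for i, ev in enumerate(events):
        if ev.kind != "crash" or ev.detail != process:
            continue
        created, deleted = set(), set()
        for later in events[i + 1:]:
            if later.ts - ev.ts > window:
                break          # events are sorted, so nothing later can be in the window
            if later.kind == "attachment_create":
                created.add(later.detail)
            elif later.kind == "attachment_delete":
                deleted.add(later.detail)
        churn = len(created & deleted)
        if churn >= min_attachments:
            hits.append((ev.ts.isoformat(), churn))
    return hits


def detect(text: str) -> list[tuple[str, int]]:
    """Run the rule over raw log text."""
    return attachment_churn_after_crash(parse_log(text))


if __name__ == "__main__":
    for ts, churn in detect(SAMPLE_LOG):
        print(f"suspicious imagent crash at {ts}: {churn} attachments created and deleted")
```

The rule keys on the conjunction of both indicators rather than either alone, which is what keeps the benign controls in the sample quiet: a crash by itself is common telemetry, and attachment churn by itself is ordinary iMessage behaviour. In a real deployment the crash rarity would be judged against fleet-wide baselines, as the passage’s 0.0001% figure suggests, before this correlation is even applied.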
Spyware maker NSO Group will have to pay more than $167 million in damages to WhatsApp for a 2019 hacking campaign against more than 1,400 users.
On Tuesday, after a five-year legal battle, a jury ruled that NSO Group must pay $167,254,000 in punitive damages and around $444,719 in compensatory damages.
This is a huge legal win for WhatsApp, which had asked for more than $400,000 in compensatory damages, based on the time its employees had to dedicate to remediate the attacks, investigate them, and push fixes to patch the vulnerability abused by NSO Group, as well as unspecified punitive damages.
WhatsApp’s spokesperson Zade Alsawah said in a statement that “our court case has made history as the first victory against illegal spyware that threatens the safety and privacy of everyone.”
Alsawah said the ruling “is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone. Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”
NSO Group’s spokesperson Gil Lainer left the door open for an appeal.
“We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal,” Lainer said in a statement.
In our first investigation into the Israel-based spyware company Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon’s mercenary spyware operations across the globe. This report includes an infrastructure analysis of Paragon’s spyware product, called Graphite; a forensic analysis of infected devices belonging to members of civil society; and a closer look at the use of Paragon spyware in both Canada and Italy.