ICYMI, yesterday we released a report providing a first look at how we found traces of spyware on two journalists' iPhones, traces which we can attribute with high confidence to Paragon's Graphite spyware: citizenlab.ca/2025/06/first-… Basically, one of the phones sent multiple requests to IP 46.183.184[.]91, an IP that we linked with high confidence to Paragon’s Graphite spyware infrastructure. We made this link because 46.183.184[.]91 matched our Fingerprint P1 (seen here in Censys search syntax)

NEW: Kaspersky releases full details on how they captured the “Triangulation” (suspected US Government) exploits and iPhone spyware targeting their employees. securelist.com/operation-tria… The way Kaspersky wrote this, it's an interesting case study of defenders working out how to capture a zero-click exploit. I especially like that Kaspersky said what they tried that *didn’t work*, in addition to what did ultimately work. Let’s dive in with a thread!

One neat technical detail we found while analyzing QuaDream's spyware (

https://twitter.com/billmarczak/status/1645843272286470146

) was the mechanism by which it subverts iCloud's two-factor authentication, presumably as part of a scheme to exfiltrate the user's data directly from iCloud. iCloud's two-factor authentication appears to use a TOTP (time-based one-time-password) scheme, in which two-factor authentication codes valid for any time are entirely determined by applying a function to (1) the time and, (2) some private information present on the phone.

Check out our NEW @citizenlab report "Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers", in which we uncover traces of a new iOS 14 zero-click deployed against civil society from (at least) Jan through Nov 2021 citizenlab.ca/2023/04/spywar… The zero-click exploit, which we call ENDOFDAYS, appears to have made use of invisible malformed "Meeting" invitations processed by the iPhone's calendar app. ENDOFDAYS looks to have been deployed as a zero-day against iOS versions 14.4 and 14.4.2, and maybe other versions.

NEW REPORT today from @Reuters @JoelSchectman providing more detail about fatal flaws in the CIA's defunct communications network. Iran and China compromised the network in 2011, and killed dozens of CIA assets reuters.com/investigates/s… You probably first read reporting about the Iranian and Chinese compromise of the CIA's covert communications network in @JennaMC_Laugh and @zachsdorfman's excellent 2018 Yahoo News story: news.yahoo.com/cias-communica…

New @citizenlab report, #ProjectTorogoz, documenting the use of NSO's Pegasus spyware in El Salvador, in collab w/ @AccessNow, w/ assistance from @FrontLineHRD @MohdMaskati, @socialtic, and @fundacionacceso, and w/ peer review from @AmnestyTech citizenlab.ca/2022/01/projec… We confirmed, through forensic analysis, 35 cases of journalists and civil society members whose phones were successfully hacked with NSO Group's Pegasus spyware from July 2020 through November 2021.

New @citizenlab report "BREAKING THE NEWS", in which we show how New York Times journalist Ben Hubbard was hacked with Pegasus twice (July 2020 and June 2021), both after he complained to NSO about previous hacking attempts against him citizenlab.ca/2021/10/breaki… We attribute the spyware to NSO Group with high confidence. NSO Group says that it couldn't have been them for "technical and contractual reasons," but it's quite likely they're wrong. We conclude it was their spyware with high confidence, as we show in our report.

Stop and UPDATE your iPhones to iOS 14.8 NOW!!! We @citizenlab recovered NSO Group's FORCEDENTRY zero-click exploit (CVE-2021-30860) from the phone of a Saudi activist, and shared w/ Apple, who released iOS 14.8 today with a fix. citizenlab.ca/2021/09/forced… We found the exploit and shared w/ Apple last Tuesday (Sep 7), and they released a fix today (six days later), underscoring the urgency of the update.

THREAD with a couple of interesting bits from @AmnestyTech's new report on what they learned from looking for NSO Group's spyware on phones amnesty.org/en/latest/rese… @AmnestyTech (1) @AmnestyTech saw an iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. We at @citizenlab also saw 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. All this indicates that NSO Group can break into the latest iPhones.

BREAKING: Major new investigation from @FbdnStories into a leaked list of 50,000+ phone numbers that are said to have been looked up by NSO Group's customers, perhaps as a prelude to the customers hacking into the phones washingtonpost.com/investigations… The leaked number lists show data going back to 2016, and are believed to come from a subset of NSO clients in 10 countries (Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the UAE).

NEW @citizenlab joint-report with @MsftSecIntel: "Hooking Candiru," in which we provide an interesting look into the global proliferation of spyware from Candiru: another big player that sells hacking tools to govts, including known surveillance abusers citizenlab.ca/2021/07/hookin… Our analysis is based on a "patient zero", a Western European politically active individual. We extracted a copy of Candiru's spyware from their computer, after identifying that their computer was communicating with Candiru spyware servers. So how did we find our "patient zero"?

🚨BIG @citizenlab report on an NSO Group hacking bonanza. In late 2019 and in July 2020, NSO Group clients appear to have used an invisible 0-click exploit in iMessage to break into the latest, up-to-date iPhones. Some of the first target were journalists citizenlab.ca/2020/12/the-gr… At least 36 personal phones belonging to journalists, producers, executives, and presenters at Al Jazeera, and one journalist at Al Araby, were hacked in July by four operators, two of which we attribute to the UAE and Saudi. One journalist hacked was @AJArabic's @TamerMisshal.

We've got a neat new @citizenlab report out, looking at NSO Group affiliate company Circles, the we-spy-without-hacking-your-phone guys, who reportedly exploit flaws in mobile phone networks themselves. We ID'd a bunch of likely customers! citizenlab.ca/2020/12/runnin… The essence of the report is simple. The firewalls of Circles systems are configured using a management server with the domain name "tracksystem[.]info." Thanks to some leaked documents filed in a lawsuit in Israel, we can see that this domain name is used by Circles for email

Uh oh. It looks like the US state of Nevada has partnered with a UAE intelligence-linked company (Group 42) on COVID19 testing. It seems that Group 42 will get access to test data from US Citizens, which they will use for an "innovative genomic study." nvc19.org/united-arab-em… A little background on Group 42: they were the ones behind the ToTok chat app. ToTok was banned from both the Apple Store and the Google Play Store after US intelligence sources told the New York Times that ToTok was a front for UAE intelligence. nytimes.com/2019/12/22/us/…